Least privilege, everywhere

The single most repeated decision in this lab: give each thing the narrowest access that lets it do its job.

  • Every app gets its own database, user, and password, scoped to just its data. No app ever connects as the database admin. A compromised app can hurt only itself.
  • Database admin accounts are local-only — reachable on the box, never over the network.
  • The Kubernetes control plane is tainted so ordinary workloads can't run there and starve it.
  • The container registry, the gateway admin API, internal services — all gated by auth and reachable only through controlled paths.

   blast radius of a compromised app
   without least privilege:  the whole database server
   with it:                  one app's own database

The mindset: assume each component will, someday, be compromised or buggy — then design so that when it happens, the damage is contained. Least privilege isn't paranoia or paperwork; it's deciding the size of your worst day in advance. It costs almost nothing up front (three SQL statements, one taint, one firewall scope) and it's the cheapest insurance in the building.
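The "three SQL statements" for one app, written out as an added example rather than anything taken from the lab itself. It assumes PostgreSQL, an app called photos, and a placeholder password; the IP address in the pg_hba.conf comment is made up.

```sql
-- Run once, as the superuser, from a shell on the database box itself.

-- 1. A login role for this app only. It can neither create databases nor
--    other roles, so a compromised app cannot mint itself more access.
CREATE ROLE photos_app WITH LOGIN PASSWORD 'CHANGE-ME-unique-per-app'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- 2. A database owned by that role. Ownership lets the app create its own
--    tables; it gives the app nothing in any other database.
CREATE DATABASE photos OWNER photos_app;

-- 3. PostgreSQL grants CONNECT on every new database to PUBLIC by default,
--    so every other app's role could otherwise reach this one. Close that.
REVOKE ALL ON DATABASE photos FROM PUBLIC;
GRANT CONNECT ON DATABASE photos TO photos_app;

-- Check: which databases can the app role connect to?
-- Expect TRUE only for photos (template/postgres databases still show TRUE
-- through the same default PUBLIC grant until you revoke it there as well).
SELECT datname, has_database_privilege('photos_app', datname, 'CONNECT')
FROM pg_database;

-- Check: which roles can log in, and are any of them superusers?
-- Only the admin role should be a superuser, and it should never be the
-- credential an app is configured with.
SELECT rolname, rolsuper FROM pg_roles WHERE rolcanlogin;

-- The "local-only admin" rule lives in pg_hba.conf, not in SQL. Two lines
-- of the shape below express it: the admin role over the Unix socket only,
-- the app role only from the app's own address (example address):
--   local   all      postgres                       peer
--   host    photos   photos_app   10.0.10.5/32      scram-sha-256
-- Anything not matched by a line is refused, including postgres over TCP.
```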