Isolation for shared mesosphere

sunhux
We have 2 systems of different security classifications:
an existing one is critical and already in the container/mesosphere,
and another incoming one is low security.

The mesosphere cluster itself is rather costly.  Can't afford
to set up another cluster just for the new low-security system
& at the same time, concerned about co-mingling the 2 in the
same cluster.

We are considering an isolation technique instead of moving the
low-security system to cloud:
the critical system to only run in certain private nodes while the
low-security system (& more medium-low security systems to come)
runs in other private nodes.  Is this isolation considered
secure, or will we need OS/container firewalls or any other mechanisms
to isolate the high-security system from the other systems?

Author

Commented:
Or I should treat it like a multi-tenancy in Mesos:
https://docs.mesosphere.com/1.12/deploying-services/multi-tenancy-primitives/

Thing is, I've seen here that the healthcare industry wanted to have their
own private cloud, government another private cloud & the financial
industry is considering their own cloud (among the banks): so the idea
of co-mingling is far from realization.  Anyway, for my organization, it's
only 1 organization & the mesosphere is locally within our datacentre
(not in cloud).
Exec Consultant
Distinguished Expert 2018
Commented:
The only means is to allow multi-tenancy and adopt identity-based access control so that it runs on a zero-trust principle. You have security zones and would do further segregation based on that, including the use of subnets to segment the traffic flow. Ultimately they run on the same underlying infrastructure; the cluster is almost like a VPC, and most of the systems go into one, but with multiple micro "zones" segregated by the firewall or security group and, importantly, designated with roles under IAM.

https://docs.mesosphere.com/1.11/security/ent/

Author

Commented:
Is segregating by private nodes one of the measures?
btan
Exec Consultant
Distinguished Expert 2018
Commented:
Yes, logically, as long as you define the separate subnet and the role of authorised users.
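As an added example (not from this thread or from Mesosphere's own tooling), here is a check a defender could run over a cluster inventory to confirm that node-level segregation is actually pinned down by Marathon constraints rather than assumed. It assumes agents are tagged with a `zone` attribute and each app carries a hypothetical `security_zone` label; the constraint evaluator is a simplified model of Marathon's CLUSTER/IS/LIKE/UNLIKE operators, and all agent and app data below is constructed.

```python
import re

# Constructed inventory, shaped like the "attributes" of Mesos agents and the
# "constraints"/"labels" of Marathon app definitions (hypothetical values).
AGENTS = [
    {"hostname": "node-a1", "attributes": {"zone": "critical"}},
    {"hostname": "node-a2", "attributes": {"zone": "critical"}},
    {"hostname": "node-b1", "attributes": {"zone": "low"}},
    {"hostname": "node-b2", "attributes": {}},  # zone attribute never set
]

APPS = [
    {"id": "/core/ledger", "labels": {"security_zone": "critical"},
     "constraints": [["zone", "CLUSTER", "critical"]]},
    {"id": "/web/brochure", "labels": {"security_zone": "low"},
     "constraints": [["zone", "UNLIKE", "critical"]]},  # negative rule: too loose
    {"id": "/web/intranet", "labels": {"security_zone": "low"},
     "constraints": []},                                 # no constraint at all
]

def agent_matches(agent, constraint):
    """Simplified evaluation of one Marathon-style constraint on one agent."""
    field, op, value = (list(constraint) + [None])[:3]
    actual = agent["hostname"] if field == "hostname" else agent["attributes"].get(field)
    if op in ("CLUSTER", "IS"):
        return actual == value
    if op == "LIKE":
        return actual is not None and re.fullmatch(value, actual) is not None
    if op == "UNLIKE":
        return actual is None or re.fullmatch(value, actual) is None
    return True  # UNIQUE / GROUP_BY / MAX_PER spread tasks; they do not fence them

def eligible_agents(app, agents):
    """Agents on which every constraint of the app is satisfied."""
    return [a for a in agents if all(agent_matches(a, c) for c in app["constraints"])]

def placement_violations(apps, agents):
    """(app id, hostname, agent zone) for every agent an app could land on
    that is outside the zone the app is labelled for."""
    findings = []
    for app in apps:
        want = app["labels"].get("security_zone")
        for agent in eligible_agents(app, agents):
            got = agent["attributes"].get("zone")
            if got != want:
                findings.append((app["id"], agent["hostname"], got))
    return findings

if __name__ == "__main__":
    for app_id, host, zone in placement_violations(APPS, AGENTS):
        print(f"{app_id} may be placed on {host} (zone={zone})")
```

Only the positively pinned app passes; the UNLIKE rule leaks onto the untagged agent, and the unconstrained app can land on the critical nodes, which is exactly the co-mingling the question is worried about.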
