u/gringobrsa

▲ 9 · r/softwarearchitecture (+1 crosspost)

Part 2 & 3: Zero Secrets and Zero Trust on GKE (PCI-DSS follow-up)

Posted Part 1 last week around cluster hardening for a PCI-DSS setup on GKE.

Just finished Part 2 & 3, this time focusing on two areas that seem to break most “compliant” setups in practice:

  • removing secrets from workloads entirely (workload identity instead of keys/env vars)
  • locking down service-to-service communication (default deny + mTLS + identity-based access)

One thing that stood out while going deeper into this: a hardened cluster doesn’t really mean much if

  • pods still carry credentials
  • or everything inside the cluster can talk freely

That’s usually where the real risk is, not the perimeter.

Trying to map this more to how it would actually be implemented in a real fintech environment, not just audit checklists.

Part 2 & 3 here:
https://medium.com/@rasvihostings/building-a-pci-dss-compliant-gke-framework-for-financial-institutions-1d1f2c003622

Curious how others are approaching this in real setups:

  • Do you enforce default-deny network policies cluster-wide?
  • Anyone running strict mTLS everywhere, or is it usually partial?

Feels like this is where most setups drift away from what zero trust is supposed to be.

reddit.com
u/gringobrsa — 3 days ago
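The two checks the post calls out (no pod carries static credentials, every namespace is default-deny in both directions) are easy to state and easy to drift from. Below is an added example, not code from the post or from the linked Medium article: an offline audit over Kubernetes objects in the dict shape `kubectl get networkpolicy,pods -A -o json` returns. The field names (`podSelector`, `policyTypes`, `ingress`/`egress`, `env[].valueFrom.secretKeyRef`, `envFrom[].secretRef`, `volumes[].secret`, `volumes[].projected`) are the real API fields; the sample objects and namespace names are constructed for the example. One caveat the code cannot check: on GKE a NetworkPolicy is only enforced when network policy enforcement (Dataplane V2 or the Calico add-on) is enabled on the cluster; a default-deny object in a cluster without enforcement is a compliance artifact, not a control.

```python
"""Audit constructed Kubernetes objects for two zero-trust properties:
default-deny NetworkPolicy per namespace, and pods carrying Secret-backed
credentials. Added example; the objects below are constructed, not real."""
from __future__ import annotations

from typing import Iterable


def is_default_deny(policy: dict) -> set[str]:
    """Return the directions ('Ingress', 'Egress') this policy denies for all pods.

    An empty podSelector selects every pod in the namespace. A direction listed in
    policyTypes with no rules (field missing or []) allows nothing in that direction.
    When policyTypes is omitted, Kubernetes assumes Ingress, plus Egress only if the
    egress field is present.
    """
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) not in ({}, {"matchLabels": {}}):
        return set()  # policy only covers a subset of pods, so it is not default-deny
    policy_types = spec.get("policyTypes")
    if policy_types is None:
        policy_types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return {d for d in policy_types if not spec.get(d.lower())}


def namespace_default_deny(policies: Iterable[dict], namespace: str) -> dict[str, bool]:
    """Whether the namespace has an all-pods deny for Ingress and for Egress."""
    denied: set[str] = set()
    for p in policies:
        if p.get("metadata", {}).get("namespace") == namespace:
            denied |= is_default_deny(p)
    return {"Ingress": "Ingress" in denied, "Egress": "Egress" in denied}


def pod_secret_exposures(pod: dict) -> list[str]:
    """List the places a pod pulls static credentials from Secret objects.

    Projected service account tokens (volumes[].projected) are short-lived
    identity tokens, not Secrets, and are deliberately not flagged.
    """
    findings: list[str] = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"{c['name']}: env {env['name']} from Secret {ref['name']}")
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                findings.append(f"{c['name']}: envFrom Secret {src['secretRef']['name']}")
    for v in spec.get("volumes", []):
        if "secret" in v:
            findings.append(f"volume {v['name']} mounts Secret {v['secret']['secretName']}")
    return findings


def audit(objects: list[dict]) -> dict:
    """Run both checks over a mixed list of NetworkPolicy and Pod objects."""
    policies = [o for o in objects if o["kind"] == "NetworkPolicy"]
    pods = [o for o in objects if o["kind"] == "Pod"]
    namespaces = sorted({o["metadata"]["namespace"] for o in objects})
    return {
        "default_deny": {ns: namespace_default_deny(policies, ns) for ns in namespaces},
        "secret_exposures": {
            f"{p['metadata']['namespace']}/{p['metadata']['name']}": pod_secret_exposures(p)
            for p in pods
        },
    }


# Constructed sample: one namespace done right, one with ingress-only deny,
# one pod with a mounted key and Secret env vars, one pod using a projected token.
SAMPLE_OBJECTS = [
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "allow-dns", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "deny-ingress-only", "namespace": "reporting"},
     "spec": {"podSelector": {}, "ingress": []}},
    {"kind": "Pod", "metadata": {"name": "ledger", "namespace": "payments"},
     "spec": {"containers": [{"name": "app",
                              "env": [{"name": "DB_PASSWORD", "valueFrom": {
                                  "secretKeyRef": {"name": "db-creds", "key": "password"}}}],
                              "envFrom": [{"secretRef": {"name": "gcp-sa-key"}}]}],
              "volumes": [{"name": "key", "secret": {"secretName": "gcp-sa-key"}}]}},
    {"kind": "Pod", "metadata": {"name": "gateway", "namespace": "payments"},
     "spec": {"serviceAccountName": "gateway", "containers": [{"name": "app"}],
              "volumes": [{"name": "token", "projected": {"sources": [{"serviceAccountToken": {
                  "audience": "api", "expirationSeconds": 3600, "path": "token"}}]}}]}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_OBJECTS), indent=2))
```

Against real cluster output, `payments/ledger` is the pattern the post argues against (a service account key shipped as a Secret and exposed through env and a volume), while `payments/gateway` carries only a projected token. The `reporting` namespace shows the common half-measure: ingress denied, egress wide open.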

AI Is Making It Harder to Identify Real Engineering Talent

I think basic DevOps work will become automated over time. Engineers who truly understand distributed systems and trade-offs will be much more valuable.

I also see many people exaggerating or faking their experience. But when you have real experience, you can easily tell the difference. Most of the time, experienced engineers stay quiet about it to avoid hurting others.

Sometimes you see someone who is 22 years old claiming 10 years of experience. Maybe they started coding very early, but often they just built a few simple apps (like PHP projects) and count that as “experience.” Then they call themselves staff engineers, which is misleading.

AI has created a lot of chaos in hiring. Recruiters and hiring managers are finding it harder to evaluate CVs. I’ve interviewed candidates for staff-level roles, and I see many 23- and 24-year-olds applying.

I still give them a chance and start with basic questions, but many rely heavily on AI and lack deep understanding.

This is making hiring much harder. I know many good engineers who are struggling to get jobs because of this noise in the system.

In the end, being honest about your experience is important. Good managers can recognize authenticity and will take you more seriously.

reddit.com
u/gringobrsa — 5 days ago