Advanced Secure setup

[mathieu-benoit]

Based on the default security features already in place:

• Autopilot
• Workload Identity
• Shielded Nodes
• Private Nodes + Cloud NAT
• Control plane authorized networks on Humanitec's IP addresses
• Dataplane V2
• Least privileges Google Service Account for the Nodes
• GKE Security Posture (Basic)

Here are the complementary security features added via this PR:

• Humanitec:
  • Deploy any Workload in the cluster via the Humanitec Agent
  • Deploy Terraform resources via a private Terraform runner (with Workload Identity)
  • Add PSS/PSA label on any Namespace created
  • securityContext for any Workload deployed
  • Use roles/container.developer instead of roles/container.admin for GKE access
  • 1 dedicated KSA per Workload
  • Read external sercrets from GSM via the Humanitec Operator
• Google Cloud:
  • Create a dedicated GAR
  • Enable containers scanning on GAR
  • GKE Security Posture (Advanced)
  • GKE Release channel to RAPID in order to get latest and greatest GKE/Kubernetes security features such as communication through PSC from private nodes to control plane (since 1.29.0-gke.1384000).
  • Restricted access to GKE control plane: only from the Agent (Cloud NAT) and the location where the Terraform scripts are executed (in order to deploy Helm/Kubernetes manifests from Terraform).
  • GKE Enterprise (Fleet/Anthos)
  • Anthos Service Mesh (Managed Control Plane + Istio proxy distroless + STRICT mTLS)

Futur Ideas/TODOs:

• Humanitec:
  • Cloud Account with WIF for GKE cluster access
• Google Cloud:
  • Cloud Armor