Hacker News new | ask | show | jobs
by EthanHeilman 1780 days ago
I would argue that if you have services then the right place to put encryption and authentication is at the service level. Building secure channels between IP addresses is all good, but do you really want to map roles/identities/privileges to specific IP addresses if those roles/identities/privileges really represent services?
1 comments
amarshall 1779 days ago
Why not? The IPs are cryptographically mapped to a specific client. Doesn’t stop one from using DNS to find the IP.

Like I said: differently complex but it’s a general solution to the problem and doesn’t require changing more “inner” things as much.

link
EthanHeilman 1779 days ago
What if you end up spinning more than one container for that service?

How are these containers getting the different secrets they need to identify themselves? Are you attaching IAM roles to them to get secrets from some secret store?

link
amarshall 1779 days ago
Said it twice before: differently complex. There are plenty of potential “solutions” to the specific scenario you’re describing, but my original comment was more “generally consider X instead of Y so you don’t have to care about Z” rather than “use X in this specific way and it will simply solve every problem with Y”.
link