Devops & Security
Last updated
KGeN operates a robust, scalable, and secure cloud-native architecture designed to meet modern technological demands. By leveraging Amazon Web Services (AWS), Kubernetes, and open-source solutions, we ensure a high-performing infrastructure with cost-effective strategies. This document provides an in-depth overview of KGeN’s infrastructure and security measures, highlighting our commitment to operational excellence and data security.
Core Architecture Overview
Our cloud infrastructure is built on AWS Elastic Kubernetes Service (EKS) and integrated with a suite of AWS services, including DynamoDB, RDS, and ElastiCache, complemented by open-source tools like Istio and Karpenter for scalability, performance, and reliability.
Traffic Flow
Users: All incoming traffic flows through Cloudflare, which acts as a Content Delivery Network (CDN) and primary security layer.
Load Balancing: Cloudflare forwards requests to AWS Network Load Balancers (NLBs), which route traffic to the EKS-managed Kubernetes clusters.
Private Subnets: All Kubernetes workloads run within private subnets, secured from public internet exposure.
Internal Communication: Kubernetes services talk to each other over the cluster's private DNS (svc.cluster.local), so east-west traffic stays inside the VPC instead of leaving through the NAT Gateway. This keeps internal calls off the public path and avoids NAT data-processing charges.
Cost Optimization
Spot Instances with Karpenter:
Deployed 100% spot instances, provisioned by Karpenter, for cost efficiency. Spot capacity can be reclaimed by AWS with two minutes' notice, so this relies on Karpenter replacing interrupted nodes and on workloads tolerating rescheduling.
Achieved a 60% cost reduction by combining Karpenter's autoscaling with AWS spot pricing.
Tagging and Budget Control:
Resources are tagged for granular cost tracking.
Implemented AWS Budgets and daily cost alerts for proactive monitoring.
Network Security
Cloudflare Protection:
DDoS Protection with rate limiting.
Blocking of known-malicious IPs and of data-center (non-residential) source traffic, plus DNSSEC on the zone.
Internal Access:
VPN required for accessing private services within the network.
Geo-blocking and bot management planned for enhanced security.
Encryption:
Data in transit encrypted using TLS 1.2+.
S3 Block Public Access enabled, so buckets are private unless explicitly granted otherwise.
Identity and Access Management (IAM)
Role-Based Access Control
Least privilege enforced across AWS services and Kubernetes.
Multi-Factor Authentication (MFA)
Mandatory MFA for all AWS users.
Secrets Management
Secrets stored securely in AWS Secrets Manager.
Secret rotation enforced every 6 months.
Application Security
API Protection
Enforced rate limiting per IP.
Regular penetration testing with tools like Burp Suite and OWASP ZAP.
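The Traffic Flow section above has Cloudflare in front of the NLBs, and the API protection above keys rate limits on the client IP. Those two facts interact: behind a CDN the TCP peer the NLB sees is a Cloudflare edge, and the real client address arrives in the CF-Connecting-IP header, which must only be trusted when the peer really is Cloudflare (otherwise anyone who finds the NLB directly can spoof the header and dodge the limit). The following is an added example, not KGeN's code, showing that check together with a sliding-window per-IP limiter. The Cloudflare ranges are a snapshot constructed for the example and should be loaded from Cloudflare's published list in practice.

```python
import ipaddress
import time
from collections import deque

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# embedded here for the example; load and refresh the live list in production.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(n)
    for n in (
        "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
        "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
        "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
        "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    )
]


def client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address rate limits should key on.

    The NLB hands the TCP peer through unchanged, so peer_ip is whoever connected.
    Only when that peer is a Cloudflare edge is CF-Connecting-IP trustworthy; a
    client that reaches the NLB directly can put anything in the header and must
    be keyed on its own address instead.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in CLOUDFLARE_RANGES):
        lowered = {k.lower(): v for k, v in headers.items()}
        forwarded = lowered.get("cf-connecting-ip", "").strip()
        if forwarded:
            try:
                return str(ipaddress.ip_address(forwarded))
            except ValueError:
                pass  # malformed header from the edge: fall back to the peer
    return str(peer)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key (here: client IP)."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = {}  # key -> deque of request timestamps inside the window

    def allow(self, key: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop hits that have aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle(peer_ip: str, headers: dict, limiter: SlidingWindowLimiter, now=None):
    """Resolve the client address safely, then return (ip, HTTP status)."""
    ip = client_ip(peer_ip, headers)
    return ip, (200 if limiter.allow(ip, now) else 429)
```

In the constructed cases in the test, a request arriving via a Cloudflare address is keyed on the forwarded header, while the same header from a non-Cloudflare peer is ignored. A production limiter would keep the per-key state in a shared store (for example the Redis layer mentioned under Databases) so that all pods enforce one limit.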
Vulnerability Scanning
Static analysis with SonarQube.
Container scanning using Trivy and runtime monitoring with Falco.
JWT Tokens
Short-lived tokens; older tokens are automatically invalidated rather than left valid until they expire.
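One way to get both properties from the JWT line above, as an added example that is not KGeN's implementation: a short TTL in the exp claim bounds how long a stolen token is useful, and a per-subject version number stored server-side retires every earlier token the moment a new one is issued or the user is logged out everywhere. The HS256 signing, the ver claim and the in-memory version store are assumptions of this example; a real deployment would keep the version in a shared store such as Redis so every pod agrees.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """HS256 JWTs with a short TTL and a per-subject version that retires earlier tokens."""

    TTL_SECONDS = 15 * 60  # short-lived access tokens

    def __init__(self, key: bytes):
        self._key = key
        # Assumed store: sub -> version of the newest token (shared Redis in production).
        self._version = {}

    def issue(self, sub: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        ver = self._version.get(sub, 0) + 1
        self._version[sub] = ver  # bumping the version invalidates every earlier token for sub
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": sub, "iat": now, "exp": now + self.TTL_SECONDS,
                   "jti": secrets.token_hex(8), "ver": ver}
        signing_input = ".".join(
            _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
        )
        sig = hmac.new(self._key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"

    def verify(self, token: str, now: Optional[int] = None) -> Optional[dict]:
        """Return the claims if the token is authentic, unexpired and current, else None."""
        now = int(time.time()) if now is None else now
        try:
            h, p, s = token.split(".")
            expected = hmac.new(self._key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s)):
                return None  # signature check first; never parse untrusted claims before it
            header = json.loads(_b64url_decode(h))
            payload = json.loads(_b64url_decode(p))
        except (ValueError, UnicodeError):
            return None
        if not isinstance(header, dict) or not isinstance(payload, dict):
            return None
        if header.get("alg") != "HS256":  # algorithm is pinned, not chosen by the token
            return None
        if payload.get("exp", 0) <= now:
            return None
        if payload.get("ver") != self._version.get(payload.get("sub")):
            return None  # superseded by a newer token or explicitly revoked
        return payload

    def revoke_all(self, sub: str) -> None:
        """Log a subject out everywhere: any token issued before this call stops verifying."""
        self._version[sub] = self._version.get(sub, 0) + 1
```

The test below walks through the lifecycle with constructed timestamps: a token verifies inside its TTL, fails once exp has passed, and fails as soon as a newer token is issued for the same subject or revoke_all is called, while a tampered payload fails on the signature check.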
Monitoring and Observability
CloudWatch
Centralized logging and metric collection for AWS services.
Grafana
Real-time dashboards and alerts for CPU/memory usage and pod restarts.
Jaeger
Tracing for debugging latency and bottlenecks.
Uptime Kuma
API health monitoring with custom alert thresholds.
Databases
DynamoDB:
Scalable NoSQL database for high-traffic workloads.
Encryption at rest enabled with AWS-managed keys.
Amazon RDS:
Primary relational database with auto-scaling readers and RDS Proxy for efficient connection pooling.
Backup and encryption policies enforced for snapshots and at-rest data.
ElastiCache (Redis):
Caching layer for faster response times and reduced database load.
Data Protection
Classification: Data segmented into public, internal, confidential, and sensitive categories.
Anonymization: Sensitive data masked for non-production environments.
Retention Policies: Automated lifecycle rules in S3 for archiving or deletion of old data.
Deployment Workflow
CodeBuild: Automated builds and Docker image generation.
Elastic Container Registry (ECR): Repository for Docker images.
Helm Charts: Kubernetes deployments managed via Helm for consistency.
Security Integration
Static code analysis with SonarQube.
Docker image scanning with Trivy during CI/CD pipelines.
KGeN’s architecture combines cutting-edge cloud technologies with stringent security practices to deliver a scalable, cost-efficient, and resilient infrastructure. By leveraging AWS services, Kubernetes, and open-source solutions, we ensure high performance and reliability while prioritizing data protection and user trust. Our roadmap includes further enhancements in security and monitoring, reaffirming our commitment to operational excellence.
Simplified Payment Flow
KGeN rewards gamers for their engagement on the KGeN platform. The goals of the Simplified Payment system we built were:
The overall turnaround time (TAT) from gamer activity to payment should be as short as possible. We started with a TAT of weeks; it is now days.
Gamer activity validation should be as automated as possible. We started with manual validation, but we can now validate the majority of gamer engagement activities using either game APIs or social APIs.
The system should be scalable and able to handle millions of transactions.
Payments must be disbursed in a semi-automated manner. We intentionally built an admin checker step so that payments are validated before they go out to gamers.
Individual campaign owners must be able to manage the budget for their campaigns. We built a cost-center-based system to track budget per campaign and integrated it with Simplified Payment.
Payment validation must use the transaction receipt from the blockchain. We built a reconciliation system that reconciles payments between the web2 (platform ledger) side and the web3 (on-chain) side.
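The last two goals above, per-campaign cost-center budgets and web2/web3 reconciliation against chain receipts, can be illustrated with one worked example. This is an added example, not KGeN's code: the Payout and Receipt records, the finding categories, the case-insensitive hex address comparison and the constructed sample data are all assumptions of the example. It classifies every approved payout as clean, never submitted, missing on-chain, failed on-chain, mismatched in amount or recipient, or a duplicate claim of a transaction hash, and flags receipts the ledger never approved.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Payout:
    """Web2 side: a reward the admin checker approved for disbursement."""
    payout_id: str
    campaign: str            # cost center the reward is charged to
    wallet: str
    amount: Decimal          # Decimal, never float, for money
    tx_hash: Optional[str]   # set once the disbursement is submitted on-chain


@dataclass(frozen=True)
class Receipt:
    """Web3 side: what the chain's transaction receipt says actually happened."""
    tx_hash: str
    to: str
    amount: Decimal
    success: bool


def over_budget(payouts, budgets):
    """Campaigns whose approved payouts (submitted or not) exceed their cost-center budget."""
    spent = defaultdict(Decimal)
    for p in payouts:
        spent[p.campaign] += p.amount
    return {c: amt - budgets.get(c, Decimal(0))
            for c, amt in spent.items() if amt > budgets.get(c, Decimal(0))}


def reconcile(payouts, receipts):
    """Match every approved payout against on-chain receipts and classify what does not line up."""
    by_hash = {r.tx_hash: r for r in receipts}
    findings = {k: [] for k in ("unsubmitted", "missing_onchain", "failed_onchain",
                                "mismatch", "duplicate_tx", "unexpected_receipt")}
    claimed = {}  # tx_hash -> payout_id that first claimed it
    for p in payouts:
        if p.tx_hash is None:
            findings["unsubmitted"].append(p.payout_id)
            continue
        if p.tx_hash in claimed:  # two ledger rows pointing at one transaction
            findings["duplicate_tx"].append(p.payout_id)
            continue
        claimed[p.tx_hash] = p.payout_id
        r = by_hash.get(p.tx_hash)
        if r is None:
            findings["missing_onchain"].append(p.payout_id)
        elif not r.success:
            findings["failed_onchain"].append(p.payout_id)
        elif r.to.lower() != p.wallet.lower() or r.amount != p.amount:
            findings["mismatch"].append(p.payout_id)  # paid the wrong wallet or the wrong amount
    # Money left the treasury without a matching approved payout.
    findings["unexpected_receipt"] = [h for h in by_hash if h not in claimed]
    return findings


def run_sample():
    """Constructed sample ledger and receipts exercising every finding category."""
    D = Decimal
    payouts = [
        Payout("P1", "quest-alpha", "0xAAA1", D("10"), "0x01"),
        Payout("P2", "quest-alpha", "0xBBB2", D("5"), "0x02"),
        Payout("P3", "drop-beta", "0xCCC3", D("20"), None),
        Payout("P4", "drop-beta", "0xDDD4", D("4"), "0x04"),
        Payout("P5", "drop-beta", "0xEEE5", D("1"), "0x05"),
        Payout("P6", "quest-alpha", "0xFFF6", D("3"), "0x01"),
    ]
    receipts = [
        Receipt("0x01", "0xaaa1", D("10"), True),
        Receipt("0x02", "0xbbb2", D("7"), True),
        Receipt("0x05", "0xeee5", D("1"), False),
        Receipt("0x09", "0x9999", D("2"), True),
    ]
    budgets = {"quest-alpha": D("20"), "drop-beta": D("24")}
    return reconcile(payouts, receipts), over_budget(payouts, budgets)
```

Budget is charged at approval time, including payouts not yet submitted, so a campaign cannot be over-committed by approvals that have not reached the chain yet. The unexpected_receipt category is the one to alert on hardest: a transfer the ledger never approved is either an operational mistake or a compromised signing key.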
Architecture and Flow
Admin CMS
We have built an admin dashboard that our internal community team uses to manage the static and dynamic content on our website, backed by a custom CMS we wrote for the purpose. We evaluated off-the-shelf CMS systems such as Strapi, but they were not flexible enough for our needs. Examples of static content are the website banner, header and footer; examples of dynamic content are the lists of K-Quests, K-Drops, leaderboards and so on.