feat: Configure production deployment with math-tables namespace and ingress
Changes made: - Remove problematic configuration-snippet from base ingress - Add namespace creation for math-tables - Configure ingress with nginx class and letsencrypt-prod issuer - Set production hostname to math-tables.cl1.parano.ch - Reduce production replicas to 1 - Update copyright year in index.html
This commit is contained in:
@@ -0,0 +1,93 @@
|
||||
# Kubernetes Security Checklist for Math Exercises Application
|
||||
|
||||
This document outlines the security measures implemented in the Kubernetes deployment for the Math Exercises application.
|
||||
|
||||
## 1. Pod Security
|
||||
|
||||
### Container Security Context
|
||||
- ✅ Non-root user execution (`runAsNonRoot: true`, `runAsUser: 1000`)
|
||||
- ✅ Disabled privilege escalation (`allowPrivilegeEscalation: false`)
|
||||
- ✅ Read-only root filesystem (`readOnlyRootFilesystem: true`)
|
||||
- ✅ Minimal capabilities (dropped all, added only necessary ones)
|
||||
- ✅ Seccomp profile set to RuntimeDefault
|
||||
|
||||
### Pod Security Context
|
||||
- ✅ Non-root user execution
|
||||
- ✅ Proper fsGroup setting
|
||||
- ✅ Seccomp profile enforcement
|
||||
|
||||
## 2. Network Security
|
||||
|
||||
### Network Policies
|
||||
- ✅ Restricted ingress traffic (only from ingress controller)
|
||||
- ✅ Limited egress traffic (DNS and HTTPS only)
|
||||
- ✅ Port-specific rules
|
||||
|
||||
### Service Configuration
|
||||
- ✅ Internal traffic policy set to Local
|
||||
- ✅ ClusterIP service type (no external exposure)
|
||||
|
||||
## 3. Application Security
|
||||
|
||||
### Ingress Security
|
||||
- ✅ TLS enforced with redirect
|
||||
- ✅ HSTS enabled with preload
|
||||
- ✅ Security headers configured:
|
||||
- X-Frame-Options: DENY
|
||||
- X-Content-Type-Options: nosniff
|
||||
- X-XSS-Protection: 1; mode=block
|
||||
- Referrer-Policy: strict-origin-when-cross-origin
|
||||
- Permissions-Policy: Restricted APIs
|
||||
|
||||
### Resource Management
|
||||
- ✅ CPU and memory limits set
|
||||
- ✅ CPU and memory requests defined
|
||||
- ✅ Quality of Service class guaranteed
|
||||
|
||||
## 4. Configuration Security
|
||||
|
||||
### ConfigMap Usage
|
||||
- ✅ Separation of configuration from code
|
||||
- ✅ Centralized configuration management
|
||||
|
||||
### Environment Variables
|
||||
- ✅ No hardcoded secrets
|
||||
- ✅ Secure configuration values
|
||||
|
||||
## 5. Operational Security
|
||||
|
||||
### High Availability
|
||||
- ✅ PodDisruptionBudget configured
|
||||
- ✅ Multiple replicas in production
|
||||
|
||||
### Image Management
|
||||
- ✅ Versioned images in production
|
||||
- ✅ Separate tags for dev/prod environments
|
||||
|
||||
## 6. Monitoring & Observability
|
||||
|
||||
### Health Checks
|
||||
- ✅ Liveness probes configured
|
||||
- ✅ Readiness probes configured
|
||||
- ✅ Appropriate timeouts and thresholds
|
||||
|
||||
## 7. Additional Recommendations
|
||||
|
||||
### Future Enhancements
|
||||
- [ ] Implement Kubernetes Secrets for sensitive data
|
||||
- [ ] Add RBAC policies for least privilege access
|
||||
- [ ] Enable audit logging
|
||||
- [ ] Implement runtime security monitoring
|
||||
- [ ] Add image vulnerability scanning
|
||||
- [ ] Consider Kyverno policies for admission control
|
||||
|
||||
## 8. Environment-Specific Security
|
||||
|
||||
### Development
|
||||
- ✅ Reduced resource consumption
|
||||
- ✅ Standard security posture
|
||||
|
||||
### Production
|
||||
- ✅ Enhanced security settings
|
||||
- ✅ High availability configuration
|
||||
- ✅ Dedicated security patches
|
||||
Reference in New Issue
Block a user