f94dd12216
Changes made:
- Remove problematic configuration-snippet from base ingress
- Add namespace creation for math-tables
- Configure ingress with nginx class and letsencrypt-prod issuer
- Set production hostname to math-tables.cl1.parano.ch
- Reduce production replicas to 1
- Update copyright year in index.html
93 lines
2.6 KiB
Markdown
# Kubernetes Security Checklist for Math Exercises Application

This document lists the security measures implemented in the Kubernetes deployment of the Math Exercises application (namespace `math-tables`).

## 1. Pod Security

### Container Security Context

- ✅ Non-root user execution (`runAsNonRoot: true`, `runAsUser: 1000`)
- ✅ Privilege escalation disabled (`allowPrivilegeEscalation: false`)
- ✅ Read-only root filesystem (`readOnlyRootFilesystem: true`); any path the process must write, such as `/tmp`, has to be backed by an `emptyDir` volume
- ✅ Minimal capabilities (`drop: ["ALL"]`, adding back only what the process actually needs; listening on a port above 1024 avoids needing `NET_BIND_SERVICE`)
- ✅ Seccomp profile set to `RuntimeDefault`

### Pod Security Context

- ✅ Non-root user execution
- ✅ `fsGroup` set so that mounted volumes are writable by the non-root user
- ✅ Seccomp profile enforcement (`seccompProfile.type: RuntimeDefault`; a container-level `securityContext` overrides the pod-level one for the fields it sets)

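The following Namespace and Deployment fragment is an added illustration of how the settings above fit together; it is not taken from the project's own manifests. The namespace name comes from the commit message; the image reference, the listening port 8080 and the resource values are assumptions. Two things go beyond the checklist: the namespace carries Pod Security Admission labels so the cluster rejects any future pod that drops these settings, and `automountServiceAccountToken: false` keeps the API token out of a pod that never calls the Kubernetes API. Requests equal limits, which is what the `Guaranteed` QoS class requires.

```yaml
# Added example, not the project's manifest. Namespace name is from the commit
# message; image, port and resource values are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: math-tables
  labels:
    # Pod Security Admission: the "restricted" profile enforces non-root,
    # no privilege escalation, dropped capabilities and a seccomp profile.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: math-tables
  namespace: math-tables
  labels:
    app.kubernetes.io/name: math-tables
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: math-tables
  template:
    metadata:
      labels:
        app.kubernetes.io/name: math-tables
    spec:
      # Not in the checklist: the application does not talk to the API server,
      # so no service-account token is mounted into the pod (assumption).
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000              # volumes become group-writable for uid 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: registry.example/math-tables:1.2.3   # assumed; pin by digest in production
          ports:
            - name: http
              containerPort: 8080  # above 1024, so NET_BIND_SERVICE is not needed
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]        # add back single capabilities only if the process needs them
            seccompProfile:
              type: RuntimeDefault
          resources:               # requests == limits on every container -> QoS Guaranteed
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - name: tmp
              mountPath: /tmp      # read-only rootfs: scratch space comes from an emptyDir
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 64Mi
```

After applying, `kubectl get pod -n math-tables -l app.kubernetes.io/name=math-tables -o jsonpath='{.items[0].status.qosClass}'` should print `Guaranteed`; any container whose requests and limits differ silently demotes the whole pod to `Burstable`.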
## 2. Network Security

### Network Policies

- ✅ Ingress allowed only from the ingress controller's pods (matched by namespace and pod labels)
- ✅ Egress limited to DNS (UDP/TCP 53) and HTTPS (TCP 443); because both `Ingress` and `Egress` appear in `policyTypes`, anything not explicitly allowed is denied
- ✅ Port-specific rules (only the application's container port is reachable)

### Service Configuration

- ✅ `internalTrafficPolicy: Local`. Caveat: `Local` sends traffic only to endpoints on the client's own node and drops it when that node has none, so with a single production replica (this commit reduces production to one) in-cluster clients on other nodes cannot reach the service. ingress-nginx connects to pod endpoints directly by default, so the setting does not affect ingress traffic either way; unless a pod runs on every node, the default `Cluster` is the safer choice.
- ✅ `ClusterIP` service type (no external exposure; the only way in is the Ingress)

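An added NetworkPolicy and Service, not the project's own manifests, showing the restrictions listed above. The ingress-nginx namespace and labels are the upstream defaults, the CoreDNS labels are the standard `kube-system` ones, the application port 8080 and the private address ranges in the `except` list are assumptions. Egress on 443 deliberately excludes the cluster's private ranges so the HTTPS rule cannot be used to reach other namespaces' services on that port.

```yaml
# Added example, not the project's manifest. App port and private ranges are
# assumptions; ingress-nginx and kube-dns labels are the upstream defaults.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: math-tables
  namespace: math-tables
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: math-tables
  policyTypes: [Ingress, Egress]   # both listed: anything not matched below is denied
  ingress:
    - from:
        # namespaceSelector AND podSelector in the same element = only the
        # controller's pods, not every pod in its namespace
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # DNS to CoreDNS only, not "port 53 to anywhere"
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS out to the internet; private ranges excluded (assumed cluster CIDRs)
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443
---
apiVersion: v1
kind: Service
metadata:
  name: math-tables
  namespace: math-tables
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: math-tables
  # "Local" would drop traffic from any node without an endpoint, which with
  # replicas: 1 means most nodes; "Cluster" (the default) is shown instead.
  internalTrafficPolicy: Cluster
  ports:
    - name: http
      port: 80
      targetPort: http
```

A quick check from a throwaway pod in another namespace (`kubectl run -n default probe --rm -it --image=busybox -- wget -qO- --timeout=3 http://math-tables.math-tables.svc/`) should time out, while the same request from an ingress-nginx pod should succeed.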
## 3. Application Security

### Ingress Security

- ✅ TLS enforced with HTTP-to-HTTPS redirect (certificate issued by the `letsencrypt-prod` cluster issuer for `math-tables.cl1.parano.ch`)
- ✅ HSTS enabled with `preload`. Caveat: preload-list submission needs a `max-age` of at least one year plus `includeSubDomains`, is evaluated for the registered domain as a whole, and takes months to undo; enable `preload` only once every host under the domain serves HTTPS.
- ✅ Security headers configured:
  - `X-Frame-Options: DENY`
  - `X-Content-Type-Options: nosniff`
  - `X-XSS-Protection: 1; mode=block` (legacy: the browser XSS auditor this header controls has been removed from Chromium-based browsers and was never implemented in Firefox; OWASP now recommends sending `0`)
  - `Referrer-Policy: strict-origin-when-cross-origin`
  - `Permissions-Policy`: restricted browser APIs

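An added Ingress and the matching ingress-nginx configuration, not the project's manifests. Hostname, ingress class and cluster issuer are from the commit message; the controller namespace `ingress-nginx`, the controller ConfigMap name (the one used by the upstream static manifests; Helm releases may name it differently) and the concrete `Permissions-Policy` value are assumptions. Because the `configuration-snippet` annotation was removed from the base ingress, the headers are delivered through the controller-wide `add-headers` ConfigMap instead, which works with snippet annotations disabled.

```yaml
# Added example, not the project's manifest. Hostname, class and issuer are
# from the commit message; namespace, ConfigMap name and header values are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: math-tables
  namespace: math-tables
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Redirect plain HTTP to HTTPS; force-ssl-redirect also redirects when TLS
    # is terminated in front of the controller.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [math-tables.cl1.parano.ch]
      secretName: math-tables-tls    # created and renewed by cert-manager
  rules:
    - host: math-tables.cl1.parano.ch
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: math-tables
                port:
                  name: http
---
# Response headers without configuration-snippet: one ConfigMap of headers,
# referenced from the controller's ConfigMap via add-headers.
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-headers
  namespace: ingress-nginx
data:
  X-Frame-Options: "DENY"
  X-Content-Type-Options: "nosniff"
  # "0" rather than "1; mode=block": the XSS auditor this header controlled is
  # gone from Chromium-based browsers and never existed in Firefox; OWASP
  # recommends disabling it explicitly.
  X-XSS-Protection: "0"
  Referrer-Policy: "strict-origin-when-cross-origin"
  Permissions-Policy: "camera=(), microphone=(), geolocation=()"   # assumed set of restricted APIs
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller       # name from the upstream static manifests; Helm installs may differ
  namespace: ingress-nginx
data:
  add-headers: "ingress-nginx/custom-headers"
  hsts: "true"
  hsts-max-age: "31536000"             # one year, the minimum for preload-list submission
  hsts-include-subdomains: "true"
  hsts-preload: "true"                 # only once every subdomain of the parent domain serves HTTPS
  allow-snippet-annotations: "false"   # keeps snippet annotations disabled for all ingresses
```

Verify from outside the cluster: `curl -sI http://math-tables.cl1.parano.ch/` should answer with a 308 redirect to `https://`, and `curl -sI https://math-tables.cl1.parano.ch/` should show `strict-transport-security` together with the five custom headers.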
### Resource Management

- ✅ CPU and memory limits set
- ✅ CPU and memory requests defined
- ✅ Quality of Service class `Guaranteed` (requires requests equal to limits for both CPU and memory on every container in the pod; a single mismatch demotes the pod to `Burstable`)

## 4. Configuration Security

### ConfigMap Usage

- ✅ Separation of configuration from code
- ✅ Centralized configuration management

### Environment Variables

- ✅ No hardcoded secrets
- ✅ Secure configuration values

## 5. Operational Security

### High Availability

- ✅ PodDisruptionBudget configured
- ✅ Multiple replicas in production. Caveat: this commit reduces production to a single replica, and a PodDisruptionBudget with `minAvailable: 1` (or `maxUnavailable: 0`) over one replica blocks voluntary evictions such as node drains instead of protecting availability; either run at least two replicas or relax the budget.

### Image Management

- ✅ Versioned images in production (tags are mutable; pin by digest, `image@sha256:<digest>`, for an immutable reference, and never deploy `latest`)
- ✅ Separate tags for dev/prod environments

## 6. Monitoring & Observability

### Health Checks

- ✅ Liveness probes configured
- ✅ Readiness probes configured
- ✅ Appropriate timeouts and thresholds (an over-aggressive liveness probe restarts a healthy but slow pod; keep `failureThreshold` × `periodSeconds` well above the application's worst-case response time)

## 7. Additional Recommendations

### Future Enhancements

- [ ] Implement Kubernetes Secrets for sensitive data (mount them as files rather than environment variables, which are inherited by child processes and show up in process dumps)
- [ ] Add RBAC policies for least privilege access (and a dedicated ServiceAccount with `automountServiceAccountToken: false` wherever the pod needs no API access)
- [ ] Enable audit logging
- [ ] Implement runtime security monitoring
- [ ] Add image vulnerability scanning
- [ ] Consider Kyverno policies for admission control (or, with no extra components, the built-in Pod Security Admission `restricted` profile on the namespace, which enforces the section 1 settings cluster-side)

## 8. Environment-Specific Security

### Development

- ✅ Reduced resource consumption
- ✅ Standard security posture

### Production

- ✅ Enhanced security settings
- ✅ High availability configuration
- ✅ Dedicated security patches