math-tables/deploy/SECURITY_CHECKLIST.md
Rene Luria f94dd12216 feat: Configure production deployment with math-tables namespace and ingress
Changes made:

- Remove problematic configuration-snippet from base ingress

- Add namespace creation for math-tables

- Configure ingress with nginx class and letsencrypt-prod issuer

- Set production hostname to math-tables.cl1.parano.ch

- Reduce production replicas to 1

- Update copyright year in index.html
2025-09-03 22:06:32 +02:00

Kubernetes Security Checklist for Math Exercises Application

This document outlines the security measures implemented in the Kubernetes deployment for the Math Exercises application.

1. Pod Security

Container Security Context

  • Non-root user execution (runAsNonRoot: true, runAsUser: 1000)
  • Disabled privilege escalation (allowPrivilegeEscalation: false)
  • Read-only root filesystem (readOnlyRootFilesystem: true)
  • Minimal capabilities (dropped all, added only necessary ones)
  • Seccomp profile set to RuntimeDefault

Pod Security Context

  • Non-root user execution
  • Proper fsGroup setting
  • Seccomp profile enforcement
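
The section 1 items can be checked mechanically against a manifest before it is applied. The following is an added example, not part of the project's own files: it audits a Deployment, already parsed into a Python dict, against the container and pod security context items above. The function names, the sample manifests, the image name and the fsGroup value of 1000 are assumptions constructed for illustration.

```python
def audit_pod_security(deployment):
    """Return findings for the section 1 items; an empty list means all pass."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    if not pod_sc.get("fsGroup"):
        findings.append("pod: fsGroup not set")
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        # A container-level value overrides the pod-level one, so fall back to the pod.
        eff = lambda key: sc.get(key, pod_sc.get(key))
        checks = {
            "runAsNonRoot is not true": eff("runAsNonRoot") is True,
            "runAsUser missing or 0": bool(eff("runAsUser")),
            # These three exist only at container level and must be set explicitly.
            "allowPrivilegeEscalation is not false": sc.get("allowPrivilegeEscalation") is False,
            "readOnlyRootFilesystem is not true": sc.get("readOnlyRootFilesystem") is True,
            "capabilities.drop lacks ALL": "ALL" in (sc.get("capabilities") or {}).get("drop", []),
            "seccompProfile is not RuntimeDefault":
                (eff("seccompProfile") or {}).get("type") == "RuntimeDefault",
        }
        findings += [f"{c['name']}: {msg}" for msg, ok in checks.items() if not ok]
    return findings


def make_deployment(pod_sc, container_sc):
    """Build a minimal constructed Deployment around the given security contexts."""
    return {"kind": "Deployment", "spec": {"template": {"spec": {
        "securityContext": pod_sc,
        "containers": [{"name": "web", "image": "example.invalid/app:1.0.0",
                        "securityContext": container_sc}]}}}}


# Constructed sample input: every section 1 item is satisfied.
HARDENED = make_deployment(
    {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000,
     "seccompProfile": {"type": "RuntimeDefault"}},
    {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
     "capabilities": {"drop": ["ALL"]}})

# Constructed sample input: same pod context, but the container overrides
# runAsUser to root and omits the container-only settings.
WEAK = make_deployment(HARDENED["spec"]["template"]["spec"]["securityContext"],
                       {"runAsUser": 0})

if __name__ == "__main__":
    for label, dep in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_pod_security(dep) or "all section 1 checks pass")
```

The weak sample shows why the pod-level context alone is not enough: a container-level runAsUser silently overrides it, and allowPrivilegeEscalation, readOnlyRootFilesystem and capabilities cannot be set at pod level at all.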

2. Network Security

Network Policies

  • Restricted ingress traffic (only from ingress controller)
  • Limited egress traffic (DNS and HTTPS only)
  • Port-specific rules

Service Configuration

  • Internal traffic policy set to Local
  • ClusterIP service type (no external exposure)

3. Application Security

Ingress Security

  • TLS enforced with redirect
  • HSTS enabled with preload
  • Security headers configured:
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • X-XSS-Protection: 1; mode=block
    • Referrer-Policy: strict-origin-when-cross-origin
    • Permissions-Policy: Restricted APIs

Resource Management

  • CPU and memory limits set
  • CPU and memory requests defined
  • Quality of Service class: Guaranteed

4. Configuration Security

ConfigMap Usage

  • Separation of configuration from code
  • Centralized configuration management

Environment Variables

  • No hardcoded secrets
  • Secure configuration values

5. Operational Security

High Availability

  • PodDisruptionBudget configured
  • Multiple replicas in production

Image Management

  • Versioned images in production
  • Separate tags for dev/prod environments

6. Monitoring & Observability

Health Checks

  • Liveness probes configured
  • Readiness probes configured
  • Appropriate timeouts and thresholds

7. Additional Recommendations

Future Enhancements

  • Implement Kubernetes Secrets for sensitive data
  • Add RBAC policies for least privilege access
  • Enable audit logging
  • Implement runtime security monitoring
  • Add image vulnerability scanning
  • Consider Kyverno policies for admission control

8. Environment-Specific Security

Development

  • Reduced resource consumption
  • Standard security posture

Production

  • Enhanced security settings
  • High availability configuration
  • Dedicated security patches