nplus/samples/security/README.md

# Security

## All the standards

There are several features that will enhance the security of your system:

- all components are running rootless by default
- all components drop all privileges
- all components deny escalation
- all components have read only file systems
- Access is restricted by NetworkPolicies

## Additional: The backend Protocol

Additionally, you can increase security by encrypting communication in the backend. Depending on your network driver, this might already been done automatically beween the Kubernetes Nodes. But you can double that even within a single node by switching the backend Protocol to https:


```yaml
global:
  nappl:
    port: 8443
    ssl: true

# Web and PAM do not speak https by default yet, CRs have been filed.

nappl:
  ingress:
    backendProtocol: https
cmis:
  ingress:
    backendProtocol: https
ilm:
  ingress:
    backendProtocol: https
webdav:
  ingress:
    backendProtocol: https
rs:
  ingress:
    backendProtocol: https
mon:
  ingress:
    backendProtocol: https
administrator:
  ingress:
    backendProtocol: https
```

This will turn every communication to https, **but** leave the unencrypted ports (http) **open** for inter-pod communication.


## Zero Trust Mode

This will basically do the same as above, **but** also turn **off** any unencrypted port (like http) and also implement NetworkPolicies to drop unencrypted packages.

This will also affect the way how *probes* are checking the pods health: *nplus* will switch them to use https instead, so even the very internal Healtch Check infrastructure will be encrypted in *zero trust mode*:

```yaml
components:
  pam: false  #TODO: ITSMSD-8771: PAM does not yet support https backend.
global:
  security:
    zeroTrust: true
  nappl:
    port: 8443
    ssl: true
```
Public Information 2025-01-24 16:18:47 +01:00			`# Security`

			`## All the standards`

			`There are several features that will enhance the security of your system:`

			`- all components are running rootless by default`
			`- all components drop all privileges`
			`- all components deny escalation`
			`- all components have read only file systems`
			`- Access is restricted by NetworkPolicies`

			`## Additional: The backend Protocol`

			`Additionally, you can increase security by encrypting communication in the backend. Depending on your network driver, this might already been done automatically beween the Kubernetes Nodes. But you can double that even within a single node by switching the backend Protocol to https:`


			```yaml
			`global:`
			`nappl:`
			`port: 8443`
			`ssl: true`

			`# Web and PAM do not speak https by default yet, CRs have been filed.`

			`nappl:`
			`ingress:`
			`backendProtocol: https`
			`cmis:`
			`ingress:`
			`backendProtocol: https`
			`ilm:`
			`ingress:`
			`backendProtocol: https`
			`webdav:`
			`ingress:`
			`backendProtocol: https`
			`rs:`
			`ingress:`
			`backendProtocol: https`
			`mon:`
			`ingress:`
			`backendProtocol: https`
			`administrator:`
			`ingress:`
			`backendProtocol: https`
			```

			`This will turn every communication to https, but leave the unencrypted ports (http) open for inter-pod communication.`


			`## Zero Trust Mode`

			`This will basically do the same as above, but also turn off any unencrypted port (like http) and also implement NetworkPolicies to drop unencrypted packages.`

			`This will also affect the way how probes are checking the pods health: nplus will switch them to use https instead, so even the very internal Healtch Check infrastructure will be encrypted in zero trust mode:`

			```yaml
			`components:`
			`pam: false #TODO: ITSMSD-8771: PAM does not yet support https backend.`
			`global:`
			`security:`
			`zeroTrust: true`
			`nappl:`
			`port: 8443`
			`ssl: true`
			```