Public Information

samples/security/README.md

@@ -0,0 +1,67 @@
+# Security
+
+## All the standards
+
+There are several features that will enhance the security of your system:
+
+- all components are running rootless by default
+- all components drop all privileges
+- all components deny escalation
+- all components have read only file systems
+- Access is restricted by NetworkPolicies
+
+## Additional: The backend Protocol
+
+Additionally, you can increase security by encrypting communication in the backend. Depending on your network driver, this might already been done automatically beween the Kubernetes Nodes. But you can double that even within a single node by switching the backend Protocol to https:
+
+
+```yaml
+global:
+  nappl:
+    port: 8443
+    ssl: true
+
+# Web and PAM do not speak https by default yet, CRs have been filed.
+
+nappl:
+  ingress:
+    backendProtocol: https
+cmis:
+  ingress:
+    backendProtocol: https
+ilm:
+  ingress:
+    backendProtocol: https
+webdav:
+  ingress:
+    backendProtocol: https
+rs:
+  ingress:
+    backendProtocol: https
+mon:
+  ingress:
+    backendProtocol: https
+administrator:
+  ingress:
+    backendProtocol: https
+```
+
+This will turn every communication to https, **but** leave the unencrypted ports (http) **open** for inter-pod communication.
+
+
+## Zero Trust Mode
+
+This will basically do the same as above, **but** also turn **off** any unencrypted port (like http) and also implement NetworkPolicies to drop unencrypted packages.
+
+This will also affect the way how *probes* are checking the pods health: *nplus* will switch them to use https instead, so even the very internal Healtch Check infrastructure will be encrypted in *zero trust mode*:
+
+```yaml
+components:
+  pam: false  #TODO: ITSMSD-8771: PAM does not yet support https backend.
+global:
+  security:
+    zeroTrust: true
+  nappl:
+    port: 8443
+    ssl: true
+```

samples/security/build.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# This sample script builds the example as described. It is also used to build the test environment in our lab,
+# so it should be well tested.
+#
+
+# Make sure it fails immediately, if anything goes wrong
+set -e
+
+# -- ENVironment variables:
+# CHARTS: The path to the source code
+# DEST: The path to the build destination
+# SAMPLE: The directory of the sample
+# NAME: The name of the sample, used as the .Release.Name
+# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ...
+
+# Check, if we have the source code available
+if [ ! -d "$CHARTS" ]; then
+    echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available"
+    exit 1
+fi
+if [ ! -d "$DEST" ]; then
+    echo "ERROR Building $SAMPLE example: DEST folder not found."
+    exit 1
+fi
+if [ ! -d "$CHARTS/instance" ]; then
+    echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?"
+    exit 1
+fi
+
+# Set the Variables
+SAMPLE="encrypt"
+NAME="sample-$SAMPLE"
+
+# Output what is happening
+echo "Building $NAME"
+
+# Create the manifest
+mkdir -p $DEST/instance
+helm template --debug \
+     --values $SAMPLES/security/encrypt.yaml \
+     --values $SAMPLES/application/empty.yaml \
+     --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \
+     --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \
+     $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml
+
+# creating the Argo manifest
+mkdir -p $DEST/instance-argo
+helm template --debug \
+     --values $SAMPLES/security/encrypt.yaml \
+     --values $SAMPLES/application/empty.yaml \
+     --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \
+     --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \
+     $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml
+
+
+
+
+# Set the Variables
+SAMPLE="zerotrust"
+NAME="sample-$SAMPLE"
+
+# Output what is happening
+echo "Building $NAME"
+
+# Create the manifest
+mkdir -p $DEST/instance
+helm template --debug \
+     --values $SAMPLES/ha/values.yaml \
+     --values $SAMPLES/security/zerotrust.yaml \
+     --values $SAMPLES/application/empty.yaml \
+     --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \
+     --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \
+     $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml
+
+# creating the Argo manifest
+mkdir -p $DEST/instance-argo
+helm template --debug \
+     --values $SAMPLES/ha/values.yaml \
+     --values $SAMPLES/security/zerotrust.yaml \
+     --values $SAMPLES/application/empty.yaml \
+     --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \
+     --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \
+     $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml
+

samples/security/encrypt.yaml

@@ -0,0 +1,28 @@
+global:
+  nappl:
+    port: 8443
+    ssl: true
+
+# Web and PAM do not speak https by default yet, CRs have been filed.
+
+nappl:
+  ingress:
+    backendProtocol: https
+cmis:
+  ingress:
+    backendProtocol: https
+ilm:
+  ingress:
+    backendProtocol: https
+webdav:
+  ingress:
+    backendProtocol: https
+rs:
+  ingress:
+    backendProtocol: https
+mon:
+  ingress:
+    backendProtocol: https
+administrator:
+  ingress:
+    backendProtocol: https

samples/security/zerotrust.yaml

@@ -0,0 +1,8 @@
+components:
+  pam: false  # #TODO: ITSMSD-8771: PAM does not yet support https backend.
+global:
+  security:
+    zeroTrust: true
+  nappl:
+    port: 8443
+    ssl: true