nplus/ai/jsonl/security.jsonl
2025-01-24 16:18:47 +01:00

{"chapter": "Security settings", "level": 2, "text": "You can set the security options per *component*, per *instance* or per *environment*.\nThe priority is (highest first):\n1. component\n2. instance\n3. environment\nA component setting overrides an instance setting, which in turn overrides an environment setting.\nIt is recommended to set the security per environment to make sure you do not forget a component.\n"}
{"chapter": "Illumio", "level": 3, "text": "Example `environment` setting for Illumio:\n```\nglobal:\n  environment:\n    security:\n      illumio:\n        enabled: true\n        loc: \"mylocation\"\n        supplier: \"mysupplier\"\n        platform: \"myplatform\"\n        readinessGates:\n          - conditionType: \"com.illumio.policy-ready\"\n```\nThe readiness gate keeps a pod from becoming `Ready` until the `com.illumio.policy-ready` condition is set on it, i.e. until Illumio has applied its policy, so no traffic is routed to a pod that is not yet protected.\n"}
{"chapter": "CNI, such as Calico or Cilium", "level": 3, "text": "Example `environment` setting for CNI:\n```\nglobal:\n  environment:\n    security:\n      cni:\n        defaultIngressPolicy: deny\n        defaultEgressPolicy: deny\n        createNetworkPolicy: true\n        excludeUnusedPorts: false\n```\n**excludeUnusedPorts** adds a port configuration to the generated ingress rules, so that only the ports a component actually uses are reachable. However, not every CNI supports every NetworkPolicy attribute (for example, `endPort` is currently not supported by Cilium).\nSwitch this off if your CNI does not support the attributes the generated rules need.\n"}
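The NetworkPolicy that results from the `cni` settings is not shown on this page. The following Python is an added, hand-written illustration (not the nplus chart's template, so the policy the chart actually renders may differ): it builds the manifest a `defaultIngressPolicy: deny` / `defaultEgressPolicy: deny` configuration corresponds to, shows what `excludeUnusedPorts` changes, and reports the port entries that depend on `endPort`. The pod selector label, the allow-from-same-namespace ingress rule, the DNS egress exception, the constructed `USED_PORTS` list and the `cni_supports_end_port` flag are assumptions made for this example.

```python
from __future__ import annotations

# Constructed input: the `cni` block from the example above.
CNI_SETTINGS = {
    "defaultIngressPolicy": "deny",
    "defaultEgressPolicy": "deny",
    "createNetworkPolicy": True,
    "excludeUnusedPorts": False,
}

# Constructed list of ports a component listens on. The second entry is a port
# range, which can only be expressed with the `endPort` attribute.
USED_PORTS = [
    {"protocol": "TCP", "port": 8443},
    {"protocol": "TCP", "port": 30000, "endPort": 30010},
]


def network_policy(component: str, namespace: str, cni: dict, used_ports: list[dict]) -> dict | None:
    """Build a NetworkPolicy manifest (as a dict) for one component, or None if
    `createNetworkPolicy` is off. Hand-written illustration, not the chart's template."""
    if not cni.get("createNetworkPolicy", False):
        return None

    spec: dict = {
        # Assumption: components are selected by this label.
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": component}},
        "policyTypes": [],
    }

    if cni.get("defaultIngressPolicy") == "deny":
        spec["policyTypes"].append("Ingress")
        # Listing "Ingress" in policyTypes isolates the pod: anything not matched
        # by a rule is denied. Assumption: pods in the same namespace stay allowed.
        rule: dict = {"from": [{"podSelector": {}}]}
        if cni.get("excludeUnusedPorts", False):
            # Narrow the rule to the ports the component actually uses; without
            # this, every port is reachable from the allowed peers.
            rule["ports"] = [dict(p) for p in used_ports]
        spec["ingress"] = [rule]

    if cni.get("defaultEgressPolicy") == "deny":
        spec["policyTypes"].append("Egress")
        # Deny-all egress also blocks DNS; keep name resolution working by
        # allowing kube-dns in kube-system (assumed labels).
        spec["egress"] = [{
            "to": [{
                "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
            }],
            "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
        }]

    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{component}-default-deny", "namespace": namespace},
        "spec": spec,
    }


def end_port_entries(policy: dict, cni_supports_end_port: bool) -> list[str]:
    """Return the port entries a CNI without `endPort` support would not enforce
    as written. `cni_supports_end_port` is an assumed feature flag for the example."""
    if cni_supports_end_port:
        return []
    hits = []
    for direction in ("ingress", "egress"):
        for rule in policy["spec"].get(direction, []):
            for p in rule.get("ports", []):
                if "endPort" in p:
                    hits.append(f"{direction}: {p['port']}-{p['endPort']} needs endPort")
    return hits
```

With `excludeUnusedPorts: false` the ingress rule carries no `ports` list, so the `endPort` question never arises; with it set to `true` the range entry appears in the rule and `end_port_entries` reports it for a CNI that lacks `endPort` support, which is exactly the case the text tells you to switch the option off for.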
{"chapter": "zeroTrust Policy", "level": 3, "text": "Some tools like Cilium transparently encrypt the node-to-node traffic in a cluster. If you additionally want to deny all http traffic within a node, enable `zeroTrust` by setting:\n```\nglobal:\n  security:\n    zeroTrust: true\n```\nMake sure you also set all `backendProtocol` values to https; otherwise the ingress and probe traffic to the component, which would still use plain http, is denied. For a complete example, see the sample values file `zerotrust.yaml` in the samples directory.\n"}
{"chapter": "Encrypted backend", "level": 3, "text": "A less strict alternative to zeroTrust (see above) is to set the `backendProtocol` to https. This leaves the http ports available (zeroTrust would not),\nbut switches the component backend traffic to https (for ingress, probes, ...).\nIt is not as strict as zeroTrust and can be set per component like this:\n```\ningress:\n  backendProtocol: https\n```\nSee the example file `encrypt.yaml` in the samples directory for more information.\n"}
{"chapter": "Security Context", "level": 3, "text": "You can add a `containerSecurityContext` to the component by adding it in the values file:\n```\nsecurity:\n  containerSecurityContext:\n    capabilities:\n      drop: [\"ALL\"]\n```\nAdditionally, add a `podSecurityContext` if desired:\n```\nsecurity:\n  podSecurityContext:\n    runAsNonRoot: true\n    runAsUser: 1000\n    runAsGroup: 1000\n```\n> **Note**: These settings can only be set per component, not on instance or environment level.\n"}
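The sections above leave the reader with three things to verify by hand: which security block a component actually ends up with under the component > instance > environment precedence, that every component speaks https when `zeroTrust` is on, and that the component-only security contexts are present. The following Python is an added example (not part of the nplus chart or its documentation) that resolves the effective settings and lints a values file for those points. `global.environment.security`, `global.security.zeroTrust`, `ingress.backendProtocol` and `security.*SecurityContext` follow the page; the `instance.security` block, the `components` map and the value `allow` for `defaultEgressPolicy` are assumed layouts for this example, not documented chart keys.

```python
from __future__ import annotations

from copy import deepcopy

# Constructed values file (as a dict). The `instance` and `components` keys are
# assumed layouts for this example; the rest follows the documentation above.
VALUES = {
    "global": {
        "security": {"zeroTrust": True},
        "environment": {"security": {"cni": {
            "defaultIngressPolicy": "deny", "defaultEgressPolicy": "deny",
            "createNetworkPolicy": True, "excludeUnusedPorts": False,
        }}},
    },
    "instance": {"security": {"cni": {"excludeUnusedPorts": True}}},
    "components": {
        "api": {
            "ingress": {"backendProtocol": "https"},
            "security": {
                "containerSecurityContext": {"capabilities": {"drop": ["ALL"]}},
                "podSecurityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000},
            },
        },
        "legacy": {
            "ingress": {"backendProtocol": "http"},
            "security": {"cni": {"defaultEgressPolicy": "allow"}},  # assumed value, weakens the default
        },
    },
}


def deep_merge(base: dict, override: dict) -> dict:
    """Return a copy of base with override applied; nested dicts merge key by key,
    anything else (scalars, lists) is replaced outright."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def effective_security(environment: dict, instance: dict, component: dict) -> dict:
    """Resolve the security block a component ends up with: component beats
    instance, instance beats environment, so environment is the base layer."""
    return deep_merge(deep_merge(environment, instance), component)


def lint_component(name: str, component: dict, effective: dict, zero_trust: bool) -> list[str]:
    """Findings for one component, based on the caveats in the sections above."""
    findings: list[str] = []

    # zeroTrust denies plain http inside the node, so every backend must speak https.
    backend = component.get("ingress", {}).get("backendProtocol", "http")
    if zero_trust and backend != "https":
        findings.append(f"{name}: zeroTrust is on but ingress.backendProtocol is {backend!r}, expected 'https'")

    # Security contexts are component-only, so check the component's own values,
    # not the merged result (an environment-level entry would simply be ignored).
    own = component.get("security", {})
    drop = own.get("containerSecurityContext", {}).get("capabilities", {}).get("drop", [])
    if "ALL" not in drop:
        findings.append(f"{name}: containerSecurityContext does not drop ALL capabilities")
    if own.get("podSecurityContext", {}).get("runAsNonRoot") is not True:
        findings.append(f"{name}: podSecurityContext.runAsNonRoot is not true")

    # CNI defaults go through the precedence chain, so a component can silently
    # weaken an environment-wide deny; check the resolved value.
    cni = effective.get("cni", {})
    for key in ("defaultIngressPolicy", "defaultEgressPolicy"):
        if cni.get(key) != "deny":
            findings.append(f"{name}: effective cni.{key} is {cni.get(key)!r}, expected 'deny'")
    return findings


def lint_values(values: dict) -> dict[str, list[str]]:
    """Resolve and lint every component of a values dict shaped like VALUES."""
    zero_trust = bool(values["global"].get("security", {}).get("zeroTrust", False))
    environment = values["global"].get("environment", {}).get("security", {})
    instance = values.get("instance", {}).get("security", {})
    report = {}
    for name, component in values["components"].items():
        effective = effective_security(environment, instance, component.get("security", {}))
        report[name] = lint_component(name, component, effective, zero_trust)
    return report


if __name__ == "__main__":
    for component, findings in lint_values(VALUES).items():
        print(f"{component}: {'ok' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Running it reports `api` as clean and four findings for `legacy`: the http backend under `zeroTrust`, the two missing security contexts, and an effective `defaultEgressPolicy` that is no longer `deny` because the component-level value won the precedence chain. The same resolution shows why the page recommends setting security per environment: a component that omits a setting inherits the environment's value, but one that sets it overrides it.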