nplus/samples/security

Security

All the standards

There are several features that will enhance the security of your system:

  • All components run rootless by default
  • All components drop all privileges
  • All components deny privilege escalation
  • All components have read-only file systems
  • Access is restricted by NetworkPolicies

Additional: the backend protocol

Additionally, you can increase security by encrypting communication in the backend. Depending on your network driver, this may already be done automatically between the Kubernetes nodes. But you can add a second layer of encryption, even within a single node, by switching the backend protocol to https:

global:
  nappl:
    port: 8443
    ssl: true

# Web and PAM do not speak https by default yet, CRs have been filed.

nappl:
  ingress:
    backendProtocol: https
cmis:
  ingress:
    backendProtocol: https
ilm:
  ingress:
    backendProtocol: https
webdav:
  ingress:
    backendProtocol: https
rs:
  ingress:
    backendProtocol: https
mon:
  ingress:
    backendProtocol: https
administrator:
  ingress:
    backendProtocol: https

This switches every ingress-to-backend communication to https, but leaves the unencrypted (http) ports open for inter-pod communication.

Zero Trust Mode

This does essentially the same as above, but additionally turns off every unencrypted port (such as http) and installs NetworkPolicies that drop unencrypted packets.

This also affects how the probes check the pods' health: nplus switches them to https, so even the internal health check infrastructure is encrypted in zero trust mode:

components:
  pam: false  #TODO: ITSMSD-8771: PAM does not yet support https backend.
global:
  security:
    zeroTrust: true
  nappl:
    port: 8443
    ssl: true
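A consistency check over the two values snippets above (backend protocol https and zero trust mode), added here as an example; it is not part of the nplus chart. The values are given as the nested dicts PyYAML would load from the YAML on this page; the rules only encode what the page states (https backend needs `ssl: true` on port 8443, zero trust closes http ports, PAM has no https backend yet), and the sample values are constructed.

```python
# Added example, not nplus project code: lint nplus Helm values for the
# combinations this page describes. Values are nested dicts as PyYAML
# would produce them from the page's YAML snippets.

INGRESS_COMPONENTS = ("nappl", "cmis", "ilm", "webdav", "rs", "mon", "administrator")


def _get(values, *path, default=None):
    """Walk a nested dict along `path`, returning `default` when a key is absent."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_values(values):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    ssl = _get(values, "global", "nappl", "ssl", default=False)
    port = _get(values, "global", "nappl", "port")
    zero_trust = _get(values, "global", "security", "zeroTrust", default=False)
    if zero_trust and not ssl:
        findings.append("zeroTrust is on but global.nappl.ssl is not true")
    if ssl and port != 8443:  # 8443 is the port the page pairs with ssl: true
        findings.append(f"global.nappl.ssl is true but port is {port}, expected 8443")
    if zero_trust and _get(values, "components", "pam", default=True):
        findings.append("zeroTrust is on but PAM (no https backend yet) is still enabled")
    for comp in INGRESS_COMPONENTS:
        proto = _get(values, comp, "ingress", "backendProtocol")  # None = chart default
        if proto == "https" and not ssl:
            findings.append(f"{comp}: backendProtocol https but the backend has ssl off")
        if proto == "http" and zero_trust:
            findings.append(f"{comp}: backendProtocol http but zero trust closes http ports")
    return findings


# Constructed sample values mirroring the page's two snippets, plus one weak variant.
BACKEND_HTTPS = {
    "global": {"nappl": {"port": 8443, "ssl": True}},
    **{c: {"ingress": {"backendProtocol": "https"}} for c in INGRESS_COMPONENTS},
}
ZERO_TRUST = {
    "components": {"pam": False},
    "global": {"security": {"zeroTrust": True}, "nappl": {"port": 8443, "ssl": True}},
}
WEAK = {  # https announced to the ingress, but the backend still speaks plain http
    "global": {"nappl": {"port": 8080, "ssl": False}},
    "nappl": {"ingress": {"backendProtocol": "https"}},
}

if __name__ == "__main__":
    for name, vals in (("backend-https", BACKEND_HTTPS), ("zero-trust", ZERO_TRUST), ("weak", WEAK)):
        print(name, check_values(vals) or "ok")
```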