1.8 KiB
Security
All the standards
There are several features that will enhance the security of your system:
- all components are running rootless by default
- all components drop all privileges
- all components deny escalation
- all components have read only file systems
- Access is restricted by NetworkPolicies
Additional: The backend Protocol
Additionally, you can increase security by encrypting communication in the backend. Depending on your network driver, this might already been done automatically beween the Kubernetes Nodes. But you can double that even within a single node by switching the backend Protocol to https:
global:
nappl:
port: 8443
ssl: true
# Web and PAM do not speak https by default yet, CRs have been filed.
nappl:
ingress:
backendProtocol: https
cmis:
ingress:
backendProtocol: https
ilm:
ingress:
backendProtocol: https
webdav:
ingress:
backendProtocol: https
rs:
ingress:
backendProtocol: https
mon:
ingress:
backendProtocol: https
administrator:
ingress:
backendProtocol: https
This will turn every communication to https, but leave the unencrypted ports (http) open for inter-pod communication.
Zero Trust Mode
This will basically do the same as above, but also turn off any unencrypted port (like http) and also implement NetworkPolicies to drop unencrypted packages.
This will also affect the way how probes are checking the pods health: nplus will switch them to use https instead, so even the very internal Healtch Check infrastructure will be encrypted in zero trust mode:
components:
pam: false #TODO: ITSMSD-8771: PAM does not yet support https backend.
global:
security:
zeroTrust: true
nappl:
port: 8443
ssl: true