Security Configuration Reference
This document is the reference for the security-relevant configuration of KubeZero deployments, section by section: Pod Security admission, network policy, RBAC, secret management, TLS, image scanning, admission control, audit logging, compliance tooling and incident response. Each section gives the manifest to apply; comments inside the manifests carry the caveats that matter when rolling them out.
Cluster Security
Pod Security Standards
Restricted Pod Security
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
Baseline Pod Security
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    # Block only what baseline forbids, but warn and audit against restricted
    # so teams see what would fail before the workload is promoted to production.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
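Pod Security admission evaluates pods at creation time only: pods already running in a namespace are not evicted when its labels change, so the usual rollout is warn and audit first, fix what is reported, then flip enforce. The manifests below are an added example, not KubeZero's own: a production namespace with the profile version pinned (the default `latest` changes meaning on a cluster upgrade) and a Deployment whose pod template satisfies every restricted-profile control, with a comment on each field naming the control it satisfies. The names `api`, the image `registry.example.com/kubezero/api:1.4.2`, the UID `10001` and the version `v1.29` are placeholders.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    # Pin the profile version; "latest" (the default) changes meaning on upgrades.
    pod-security.kubernetes.io/enforce-version: v1.29
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api                      # placeholder workload name
  namespace: production
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      # Pod-level settings are inherited by every container unless overridden.
      securityContext:
        runAsNonRoot: true            # restricted: must not run as UID 0
        runAsUser: 10001              # placeholder UID; the image must be built for it
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault        # restricted: RuntimeDefault or Localhost required
      automountServiceAccountToken: false   # the workload never calls the API server
      containers:
        - name: api
          image: registry.example.com/kubezero/api:1.4.2   # placeholder image
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false   # restricted: required on every container
            readOnlyRootFilesystem: true      # not a PSS control, but cheap hardening
            capabilities:
              drop: ["ALL"]                   # restricted: required on every container
          volumeMounts:
            - name: tmp
              mountPath: /tmp                 # writable scratch space for the read-only root
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 256Mi
      volumes:
        - name: tmp
          emptyDir: {}                        # restricted allows emptyDir, never hostPath
```

`kubectl apply --dry-run=server -f` against the namespace shows the warn-mode messages without creating anything, which is the quickest way to find the control a third-party chart is missing.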
Network Security
Network Policies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  # NetworkPolicy is namespaced: apply this once in every namespace that should
  # default to deny. With Egress listed here, DNS is blocked too until an
  # explicit egress rule allows it.
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
Allow Specific Traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    # Opens the backend's ingress only; if the frontend pods sit under a
    # default-deny egress policy they also need a matching egress rule.
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
RBAC Configuration
Service Account Setup
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubezero-operator
  namespace: kubezero-system
# The operator talks to the API server, so it needs the token mounted. Set this
# to false on workload service accounts that never call the API.
automountServiceAccountToken: true
ClusterRole Definition
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubezero-operator
rules:
  # "secrets" with write verbs in a ClusterRole means read/write access to every
  # Secret in the cluster. Keep it only if the operator really manages Secrets
  # in arbitrary namespaces; otherwise grant it through a namespaced Role.
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["kubezero.io"]
    resources: ["stacks", "modules"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Role Binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubezero-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubezero-operator
subjects:
  - kind: ServiceAccount
    name: kubezero-operator
    namespace: kubezero-system
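The ClusterRole above lets the operator read and write every Secret in the cluster. Where the operator only needs Secrets in its own namespace, the manifests below (an added example, not KubeZero's own RBAC) move the `secrets` rule out of the ClusterRole into a Role bound in `kubezero-system`, keeping the existing ClusterRoleBinding for everything else. The last document is not a grant but a check: creating a SubjectAccessReview with `kubectl create -f sar.yaml -o yaml` (SubjectAccessReview has no GET, so `apply` does not work) asks the API server to evaluate the narrowed grant, and `status.allowed` must come back `false` for a Secret in `kube-system`. The ClusterRole here has the same name as the one above and replaces it when applied.

```yaml
# Cluster-wide rules, now without the secrets entry.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubezero-operator
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["kubezero.io"]
    resources: ["stacks", "modules"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Secrets only in the namespace the operator actually manages them in.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubezero-operator-secrets
  namespace: kubezero-system
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubezero-operator-secrets
  namespace: kubezero-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubezero-operator-secrets
subjects:
  - kind: ServiceAccount
    name: kubezero-operator
    namespace: kubezero-system
---
# Verification, not a grant: ask the API server whether the operator's service
# account can read a Secret outside its namespace. Expected: status.allowed: false.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: system:serviceaccount:kubezero-system:kubezero-operator
  groups:
    - system:serviceaccounts
    - system:serviceaccounts:kubezero-system
  resourceAttributes:
    namespace: kube-system
    verb: get
    resource: secrets
```

Repeat the review with `namespace: kubezero-system` to confirm the Role still grants what the operator needs; a SubjectAccessReview evaluates every binding that applies to the subject, including the group-based ones, so it is the authoritative answer rather than a reading of the manifests.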
Secret Management
External Secrets Configuration
Vault Integration
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: kubezero-system
spec:
  provider:
    vault:
      server: "https://vault.example.com"
      path: "secret"           # KV mount point
      version: "v2"            # KV v2: keys resolve under secret/data/...
      auth:
        kubernetes:
          mountPath: "kubernetes"
          # The Vault role must be bound to this service account and namespace
          # (bound_service_account_names / bound_service_account_namespaces), and
          # the vault-auth service account must exist in kubezero-system.
          role: "kubezero-role"
          serviceAccountRef:
            name: "vault-auth"
External Secret Example
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  # A SecretStore is namespaced, so the ExternalSecret must live in the same
  # namespace as the store it references.
  namespace: kubezero-system
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-credentials
    creationPolicy: Owner
  data:
    # With path "secret" and version v2 on the store, this key resolves to
    # secret/data/database/credentials in Vault.
    - secretKey: username
      remoteRef:
        key: database/credentials
        property: username
    - secretKey: password
      remoteRef:
        key: database/credentials
        property: password
AWS Secrets Manager
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  # Namespaced like the Vault store; ExternalSecrets must be in the same namespace.
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        # IRSA: the provider exchanges the projected service account token for
        # AWS credentials. The field is auth.jwt.serviceAccountRef; there is no
        # auth.serviceAccount key in the provider schema.
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
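The ExternalSecret above copies two keys one by one. An added example, not from the page, shows the two features a practitioner usually wants next: `dataFrom.extract` pulls every property under the Vault path in one go, and `target.template` renders the Kubernetes Secret into the shape the consumer needs (here a single connection string) so the application mounts one key instead of assembling credentials itself. The store name `vault-backend` and Vault key are the ones from this page; the host `db.example.internal` and the 15-minute refresh are assumptions. The rendered DSN still contains the password, so the resulting Secret is exactly as sensitive as the two-key one.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-dsn
  namespace: kubezero-system     # same namespace as the SecretStore
spec:
  # How often ESO re-reads Vault; this bounds how long a rotated password
  # takes to reach the cluster.
  refreshInterval: 15m
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-dsn
    creationPolicy: Owner        # ESO owns the Secret and removes it with the ExternalSecret
    template:
      engineVersion: v2
      type: Opaque
      data:
        # Go template over the keys pulled by dataFrom. Only the rendered key
        # ends up in the Secret; username and password are not copied separately.
        dsn: "postgresql://{{ .username }}:{{ .password }}@db.example.internal:5432/app?sslmode=verify-full"
  dataFrom:
    # Fetch every property stored under secret/data/database/credentials.
    - extract:
        key: database/credentials
```

`sslmode=verify-full` in the rendered DSN is deliberate: a credential fetched securely from Vault is wasted if the client then accepts any server certificate.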
TLS Configuration
Certificate Management
Let's Encrypt Issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      # HTTP-01 requires the challenge ingress to be reachable from the public
      # internet on port 80; internal-only names and wildcards need DNS-01.
      - http01:
          ingress:
            # "class" sets the kubernetes.io/ingress.class annotation on the
            # solver ingress; cert-manager 1.12+ also accepts ingressClassName.
            class: nginx
Private CA Issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    # For a ClusterIssuer the Secret (tls.crt and tls.key of the CA) must live
    # in cert-manager's cluster resource namespace, "cert-manager" by default.
    secretName: ca-key-pair
Certificate Resource
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubezero-tls
  namespace: kubezero-system
spec:
  secretName: kubezero-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - kubezero.example.com
    - api.kubezero.example.com
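The Certificate above takes every default: a one-year-style lifetime set by the issuer, a key that is reused on every renewal (`rotationPolicy: Never`), and no explicit usages. The pair below is an added example, not KubeZero's own manifests, and uses the page's `ca-issuer` for in-cluster mTLS: a short-lived server certificate for an internal Service name and a client certificate for a workload that must present itself to that endpoint. Both rotate the private key on every renewal so a key leaked once does not survive the next renewal. The Service names, namespaces and lifetimes are assumptions.

```yaml
# Server certificate for an internal endpoint, issued by the private CA.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubezero-api-internal
  namespace: kubezero-system
spec:
  secretName: kubezero-api-internal-tls
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  commonName: api.kubezero-system.svc          # placeholder Service name
  dnsNames:
    - api.kubezero-system.svc
    - api.kubezero-system.svc.cluster.local
  duration: 2160h        # 90 days
  renewBefore: 360h      # renew with 15 days left
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # new key on every renewal; the default Never reuses it
  usages:
    - digital signature
    - server auth
---
# Client certificate for a workload that must present mTLS to that endpoint.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: backend-client
  namespace: production
spec:
  secretName: backend-client-tls
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  commonName: backend.production.svc           # identity the server authorizes on
  duration: 720h         # 30 days
  renewBefore: 120h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  usages:
    - digital signature
    - client auth
```

The server must be told to require and verify client certificates against the CA in `ca-key-pair`; cert-manager only issues the certificates, it does not turn mTLS on. `ca.crt` is written into both Secrets alongside `tls.crt` and `tls.key`, which is what each side mounts as its trust anchor.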
Image Security
Image Scanning
Trivy Scanner Configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: trivy-config
data:
  trivy.yaml: |
    vulnerability:
      type:
        - os
        - library
    secret:
      # Secret-scanning rules file, mounted next to trivy.yaml (not shown here).
      config: trivy-secret.yaml
    format: json
    output: /tmp/trivy-results.json
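The configuration above records findings but never fails anything: Trivy exits 0 whatever it finds, so the scan is informational unless the pipeline parses the JSON. The ConfigMap below is an added example, not from the page, with the same scan turned into a gate. The keys mirror Trivy's global flags (`--exit-code`, `--severity`, `--ignore-unfixed`, `--timeout`); confirm them against `trivy --help` for the Trivy version you run, since the config-file key set follows the flag set of that release.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: trivy-config
data:
  trivy.yaml: |
    # Exit non-zero when anything at or above the listed severities is found,
    # so the CI step (or admission hook) that runs trivy fails the build.
    exit-code: 1
    severity:
      - HIGH
      - CRITICAL
    # Findings with no fixed version cannot be remediated by rebuilding the
    # image; leaving them in makes the gate permanently red and gets it disabled.
    ignore-unfixed: true
    # A hung registry or database download should fail the step, not block it.
    timeout: 10m
    vulnerability:
      type:
        - os
        - library
    secret:
      config: trivy-secret.yaml
    # Keep the machine-readable report for the evidence store even when the gate fails.
    format: json
    output: /tmp/trivy-results.json
```

`ignore-unfixed` is a trade-off, not a free pass: track the suppressed findings separately (a `.trivyignore` file with an expiry comment per entry is the usual form) so they are revisited when a fix lands.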
Admission Controllers
OPA Gatekeeper
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredsecuritycontext
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredSecurityContext
      validation:
        # The parameters schema must sit under openAPIV3Schema; a bare
        # type/properties block here is rejected by Gatekeeper.
        openAPIV3Schema:
          type: object
          properties:
            runAsNonRoot:
              type: boolean
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredsecuritycontext

        # Deployments (and other controllers) carry the pod spec under
        # spec.template.spec; a bare Pod carries it under spec. The constraint
        # matches Deployments, so reading spec.containers directly would never
        # find a container and the policy would silently allow everything.
        pod_spec = s { s := input.review.object.spec.template.spec } else = s { s := input.review.object.spec }

        # A container is compliant if it sets runAsNonRoot itself, or leaves it
        # unset and inherits runAsNonRoot: true from the pod securityContext.
        # An explicit runAsNonRoot: false on the container overrides the pod value.
        non_root(c) { c.securityContext.runAsNonRoot == true }
        non_root(c) { not c.securityContext.runAsNonRoot == false; pod_spec.securityContext.runAsNonRoot == true }

        violation[{"msg": msg}] {
          container := pod_spec.containers[_]
          not non_root(container)
          msg := sprintf("container %v must set securityContext.runAsNonRoot: true", [container.name])
        }

        # Init containers run with the same privileges and are easy to forget.
        violation[{"msg": msg}] {
          container := pod_spec.initContainers[_]
          not non_root(container)
          msg := sprintf("init container %v must set securityContext.runAsNonRoot: true", [container.name])
        }
Policy Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredSecurityContext
metadata:
  name: must-run-as-nonroot
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    runAsNonRoot: true
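The constraint above only covers Deployments, so a StatefulSet, DaemonSet, Job or hand-written Pod running as root passes admission untouched. Gatekeeper also audits objects that already exist, which makes a safe rollout possible: a constraint in `dryrun` records violations in its `status` and in the audit log without blocking anyone. The constraint below is an added example, not KubeZero's own, widening the match to every kind whose pod spec the template reads (`spec.template.spec` for controllers, `spec` for Pods; CronJobs keep theirs under `spec.jobTemplate` and are left out) and starting in dryrun. The excluded namespaces are assumptions.

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredSecurityContext
metadata:
  name: must-run-as-nonroot-all-workloads
spec:
  # Start in dryrun: violations show up under status.violations and in the
  # gatekeeper-audit log but nothing is rejected. Switch to "deny" once the
  # list is empty (or "warn" to surface them to kubectl users first).
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet", "DaemonSet"]
      - apiGroups: ["batch"]
        kinds: ["Job"]
    # System components that legitimately run as root; keep this list short and reviewed.
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
  parameters:
    runAsNonRoot: true
```

`kubectl get k8srequiredsecuritycontext must-run-as-nonroot-all-workloads -o yaml` after the next audit cycle lists every offending object with namespace, kind and the message the template produced; that list is the work queue before the action is changed to deny.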
Audit Configuration
Audit Policy
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order and the first match wins; a request that matches
# no rule is not logged at all. Suppressions therefore go first and a catch-all
# goes last, otherwise the None rules below the kubezero-system rules never fire
# for that namespace and everything outside it is simply never recorded.
omitStages:
  - RequestReceived
rules:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
  - level: None
    users: ["system:unsecured"]
    namespaces: ["kube-system"]
  - level: None
    resources:
      - group: ""
        resources: ["events"]
  # Never log request or response bodies for secrets or token requests: that
  # would copy the secret material into the audit log. Metadata still records
  # who touched which object and when.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "serviceaccounts/token"]
  - level: Metadata
    namespaces: ["kubezero-system"]
    verbs: ["get", "list", "watch"]
  - level: RequestResponse
    namespaces: ["kubezero-system"]
    verbs: ["create", "update", "patch", "delete"]
  # Catch-all so RBAC changes, exec/attach and everything else outside
  # kubezero-system are at least recorded at Metadata level.
  - level: Metadata
Falco Rules
customRules:
  rules-kubezero.yaml: |-
    # spawned_process and container are macros from the default Falco ruleset,
    # which must stay loaded. Matching on proc.name alone is weak: an attacker
    # can copy a shell to a file named nginx and pass this check.
    - rule: Unauthorized Process in Container
      desc: Detect unexpected process spawned in container
      condition: >
        spawned_process and container and
        not proc.name in (nginx, java, python, node)
      output: >
        Unauthorized process spawned in container
        (user=%user.name command=%proc.cmdline container=%container.name)
      priority: WARNING
      tags: [container, process]
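The rule above uses one global allowlist keyed on the process name, which a process controls itself. The Helm values below are an added example, not KubeZero's rules, restructuring the same idea so that the allowlist is per image and keyed on `container.image.repository`, which the process cannot change, and adding a second rule for the case that matters most in practice: an interactive shell inside an image that should never have one. The image repositories and the per-image process lists are assumptions; `spawned_process` and `container` are macros from Falco's default ruleset.

```yaml
customRules:
  rules-kubezero.yaml: |-
    # Allowed binaries per image. A process name is trivially forged; the image
    # repository is not something the process can change about itself.
    - list: kubezero_api_procs
      items: [java, jspawnhelper]        # assumed contents of the API image
    - list: kubezero_web_procs
      items: [nginx]

    - macro: kubezero_api_image
      condition: container.image.repository = "registry.example.com/kubezero/api"
    - macro: kubezero_web_image
      condition: container.image.repository = "registry.example.com/kubezero/web"

    - rule: Unexpected Process in KubeZero API Container
      desc: Process outside the per-image allowlist spawned in an API container
      condition: >
        spawned_process and container and kubezero_api_image and
        not proc.name in (kubezero_api_procs)
      output: >
        Unexpected process in API container
        (user=%user.name command=%proc.cmdline image=%container.image.repository
         pod=%k8s.pod.name ns=%k8s.ns.name)
      priority: WARNING
      tags: [container, process, kubezero]

    - rule: Unexpected Process in KubeZero Web Container
      desc: Process outside the per-image allowlist spawned in a web container
      condition: >
        spawned_process and container and kubezero_web_image and
        not proc.name in (kubezero_web_procs)
      output: >
        Unexpected process in web container
        (user=%user.name command=%proc.cmdline image=%container.image.repository
         pod=%k8s.pod.name ns=%k8s.ns.name)
      priority: WARNING
      tags: [container, process, kubezero]

    - rule: Shell Spawned in KubeZero Container
      desc: Interactive shell started in a KubeZero image; an operator exec or an intrusion, never normal operation
      condition: >
        spawned_process and container and
        (kubezero_api_image or kubezero_web_image) and
        proc.name in (sh, bash, ash, dash)
      output: >
        Shell in KubeZero container
        (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
         pod=%k8s.pod.name ns=%k8s.ns.name)
      priority: NOTICE
      tags: [container, shell, kubezero]
```

The `parent=%proc.pname` field in the shell rule is what separates `kubectl exec` (parent is the runtime's exec shim) from a shell spawned by the application process itself, which is the signature of a web shell or a deserialization exploit; triage starts there.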
Compliance Configuration
CIS Benchmark Compliance
Kube-bench Configuration
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
  # Run this in a namespace whose Pod Security level is privileged: hostPID and
  # hostPath volumes are rejected under both baseline and restricted.
spec:
  template:
    spec:
      hostPID: true
      containers:
        - name: kube-bench
          # Pin a release tag (ideally a digest) in production; "latest" makes
          # the benchmark result non-reproducible.
          image: aquasec/kube-bench:latest
          command: ["kube-bench"]
          # --version selects the CIS benchmark matching that Kubernetes release;
          # set it to the cluster's actual version.
          args: ["--version", "1.20"]
          volumeMounts:
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
      volumes:
        - name: var-lib-etcd
          hostPath:
            path: "/var/lib/etcd"
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
      restartPolicy: Never
SOC 2 Compliance
Access Control Matrix
apiVersion: v1
kind: ConfigMap
metadata:
  name: access-control-matrix
data:
  matrix.yaml: |
    roles:
      - name: cluster-admin
        permissions:
          - "cluster/*"
        users:
          - [email protected]
      - name: developer
        permissions:
          - "namespace/development/*"
          - "namespace/staging/read"
        users:
          - [email protected]
Incident Response
Security Alerting
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: security-alerts
spec:
  groups:
    - name: security.rules
      rules:
        # The API server exports apiserver_request_total, not apiserver_audit_total,
        # and labels it with verb/resource/subresource (objectRef_* are audit-log
        # fields, not metric labels). A create shows up as verb="POST".
        - alert: UnusualPodCreationRate
          expr: sum(increase(apiserver_request_total{verb="POST",resource="pods",subresource=""}[5m])) > 10
          for: 1m
          labels:
            severity: warning
          annotations:
            summary: "Unusual pod creation activity detected"
            description: "More than 10 pod creations in 5 minutes; tune the threshold to the cluster's normal churn."
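A pod-creation rate alert catches noisy activity but not the two signals the rest of this page produces: identities probing beyond their RBAC grant, and Pod Security admission rejecting a pod. The rule below is an added example, not KubeZero's own alerting, built on two metrics the API server exports: `apiserver_request_total` carries the HTTP status in its `code` label, and `pod_security_evaluations_total` (Kubernetes 1.23+) counts every admission decision with `decision` and `mode` labels. Thresholds and severities are assumptions to tune per cluster.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: security-alerts-authz
spec:
  groups:
    - name: security.authz.rules
      rules:
        # A sustained stream of 403s means some token is calling endpoints its
        # RBAC does not grant: a misconfigured controller, or a stolen token being
        # enumerated. apiserver_request_total has no user label, so the audit log
        # (Metadata level is enough) is where the identity is found.
        - alert: APIServerForbiddenBurst
          expr: sum(rate(apiserver_request_total{code="403"}[5m])) > 1
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: "Sustained 403 responses from the API server"
            description: "More than 1 forbidden request/s for 5m; search the audit log for responseStatus.code=403 to find the user and resource."
        # Every enforced Pod Security denial is worth a ticket: either a workload
        # regressed, or something is trying to get a privileged pod scheduled.
        - alert: PodSecurityDenials
          expr: sum(increase(pod_security_evaluations_total{decision="deny",mode="enforce"}[10m])) > 0
          labels:
            severity: info
          annotations:
            summary: "Pod Security admission denied a pod"
            description: "A pod violating the namespace's enforced profile was rejected in the last 10m; the audit log carries the namespace and the failing control."
```

Breaking the first expression down `by (resource, verb)` rather than summing everything shows at a glance whether the 403s are a controller hitting one resource in a loop or a token walking the API.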
Automated Response
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: security-incident-response
spec:
  entrypoint: incident-response
  serviceAccountName: incident-responder   # assumed to exist, with RBAC to patch pods and read pods/log
  arguments: {parameters: [{name: pod}, {name: namespace}, {name: webhook}]}   # argo submit -p pod=<name> -p namespace=<ns> -p webhook=<url>
  templates:
    - name: incident-response
      steps:
        - - name: isolate-pod
            template: isolate
        - - name: collect-evidence
            template: evidence
        - - name: notify-team
            template: notify
    # The three step templates were missing; images are placeholders. Dropping the app label takes the pod out of its Service, its allow NetworkPolicies and its ReplicaSet (which starts a clean replacement) while the suspect pod stays up under default-deny for forensics.
    - name: isolate
      container:
        image: bitnami/kubectl:1.29
        command: [kubectl, label, pod, "{{workflow.parameters.pod}}", -n, "{{workflow.parameters.namespace}}", app-, quarantine=true]
    - name: evidence
      container:
        image: bitnami/kubectl:1.29
        command: [sh, -c, "kubectl get pod {{workflow.parameters.pod}} -n {{workflow.parameters.namespace}} -o yaml; kubectl logs {{workflow.parameters.pod}} -n {{workflow.parameters.namespace}} --all-containers --timestamps"]
    - name: notify
      container:
        image: curlimages/curl:8.5.0
        command: [curl, -sf, -X, POST, --data, "quarantined {{workflow.parameters.namespace}}/{{workflow.parameters.pod}}", "{{workflow.parameters.webhook}}"]