Skip to main content

Security best practices

This guide describes security best practices for deploying the Virtana Platform on Kubernetes clusters. Follow these recommendations to reduce the attack surface, protect your data, and limit access to authorized users and applications. The practices are grouped into four areas: infrastructure hardening, access and isolation, data protection, and communication and networking.

Infrastructure hardening

Infrastructure hardening reduces the attack surface of the nodes, cluster components, and storage that the Virtana Platform runs on. Apply the following practices to the underlying infrastructure:

Table 133.

Security practice

Recommended action

Impact

Operating system hardening

Harden the operating system on all Kubernetes nodes by following the Center for Internet Security (CIS) benchmarks. Disable unnecessary services, apply security patches, and configure firewall rules.

Reduces the attack surface of each node.

Cluster hardening

Secure the Kubernetes API server, etcd, kubelet, and other components by following CIS benchmarks.

Prevents unauthorized access and protects cluster integrity.

Node port restriction

Open only the ports that each Kubernetes node needs for cluster operation and management. Keep all other ports closed.

Minimizes the entry points available to attackers.

Storage hardening

Apply security best practices to the underlying storage system, including access controls, encryption, and monitoring.

Protects sensitive data at the storage layer.



Access and isolation

Access and isolation controls ensure that only authorized users and applications can interact with Virtana Platform resources. Apply the following practices to limit access and keep components separate:

Table 134.

Security practice

Recommended action

Impact

User management and role-based access control (RBAC)

Define distinct roles and permissions for each user, following the principle of least privilege. Unless a user explicitly needs them, don't grant permissions to read secrets, delete resources, run commands inside pods (exec), or modify services and ingresses.

Prevents unintended or malicious actions.

Application isolation

Deploy Virtana Platform components in their own dedicated namespaces. Don't deploy external applications in those namespaces.

Reduces the risk of unauthorized access and data breaches.

Security contexts

Define a security context for every pod and container. Virtana Platform containers already run as a non-root user; for further hardening, drop any Linux capabilities the containers don't need.

Prevents privilege escalation.

Component reuse

Don't reuse Virtana Platform components, such as PostgreSQL, MinIO, and MongoDB, with other applications in the cluster.

Prevents data corruption, data exposure, and accidental data loss.

Secrets management

Don't share secrets that the Virtana Platform creates with other applications or components in the cluster.

Protects sensitive credentials and configuration.



Data protection

Data protection practices safeguard the integrity of Virtana Platform data and let you recover it after loss or corruption. Apply the following practices to protect stored data:

Table 135.

Security practice

Recommended action

Impact

PVC backups

Back up all Persistent Volume Claims (PVCs) that Virtana Platform components use on a regular schedule.

Keeps data available if it's lost or corrupted.

Storage class reclaim policy

Set the reclaim policy to Retain on the storage classes used by Virtana Platform PVCs.

Prevents accidental data loss when a PVC is deleted, and enables recovery.



Communication and networking

Communication and networking practices secure traffic between Virtana Platform components and external systems. Apply the following practices to control and encrypt network traffic:

Table 136.

Security practice

Recommended action

Impact

TLS certificates

Use Transport Layer Security (TLS) certificates for all communication, both within the cluster and with external systems.

Encrypts data in transit.

Network isolation

Use Kubernetes network policies to control traffic flow between components and namespaces.

Isolates sensitive components from unnecessary traffic.

Service exposure

Create an Ingress only where a service explicitly requires one. Don't create Ingress, NodePort, or LoadBalancer services for internal components such as MinIO, Kafka, or PostgreSQL.

Prevents external exposure of internal services.