Security best practices
This guide describes security best practices for deploying the Virtana Platform on Kubernetes clusters. Follow these recommendations to reduce the attack surface, protect your data, and limit access to authorized users and applications. The practices are grouped into four areas: infrastructure hardening, access and isolation, data protection, and communication and networking.
Infrastructure hardening
Infrastructure hardening reduces the attack surface of the nodes, cluster components, and storage that the Virtana Platform runs on. Apply the following practices to the underlying infrastructure:
Security practice | Recommended action | Impact |
|---|---|---|
Operating system hardening | Harden the operating system on all Kubernetes nodes by following the Center for Internet Security (CIS) benchmarks. Disable unnecessary services, apply security patches, and configure firewall rules. | Reduces the attack surface of each node. |
Cluster hardening | Secure the Kubernetes API server, etcd, kubelet, and other components by following CIS benchmarks. | Prevents unauthorized access and protects cluster integrity. |
Node port restriction | Open only the ports that each Kubernetes node needs for cluster operation and management. Keep all other ports closed. | Minimizes the entry points available to attackers. |
Storage hardening | Apply security best practices to the underlying storage system, including access controls, encryption, and monitoring. | Protects sensitive data at the storage layer. |
Access and isolation
Access and isolation controls ensure that only authorized users and applications can interact with Virtana Platform resources. Apply the following practices to limit access and keep components separate:
Security practice | Recommended action | Impact |
|---|---|---|
User management and role-based access control (RBAC) | Define distinct roles and permissions for each user, following the principle of least privilege. Unless a user explicitly needs them, don't grant permissions to read secrets, delete resources, run commands inside pods ( | Prevents unintended or malicious actions. |
Application isolation | Deploy Virtana Platform components in their own dedicated namespaces. Don't deploy external applications in those namespaces. | Reduces the risk of unauthorized access and data breaches. |
Security contexts | Define a security context for every pod and container. Virtana Platform containers already run as a non-root user; for further hardening, drop any Linux capabilities the containers don't need. | Prevents privilege escalation. |
Component reuse | Don't reuse Virtana Platform components, such as PostgreSQL, MinIO, and MongoDB, with other applications in the cluster. | Prevents data corruption, data exposure, and accidental data loss. |
Secrets management | Don't share secrets that the Virtana Platform creates with other applications or components in the cluster. | Protects sensitive credentials and configuration. |
Data protection
Data protection practices safeguard the integrity of Virtana Platform data and let you recover it after loss or corruption. Apply the following practices to protect stored data:
Security practice | Recommended action | Impact |
|---|---|---|
PVC backups | Back up all Persistent Volume Claims (PVCs) that Virtana Platform components use on a regular schedule. | Keeps data available if it's lost or corrupted. |
Storage class reclaim policy | Set the reclaim policy to | Prevents accidental data loss when a PVC is deleted, and enables recovery. |
Communication and networking
Communication and networking practices secure traffic between Virtana Platform components and external systems. Apply the following practices to control and encrypt network traffic:
Security practice | Recommended action | Impact |
|---|---|---|
TLS certificates | Use Transport Layer Security (TLS) certificates for all communication, both within the cluster and with external systems. | Encrypts data in transit. |
Network isolation | Use Kubernetes network policies to control traffic flow between components and namespaces. | Isolates sensitive components from unnecessary traffic. |
Service exposure | Create an Ingress only where a service explicitly requires one. Don't create Ingress, NodePort, or LoadBalancer services for internal components such as MinIO, Kafka, or PostgreSQL. | Prevents external exposure of internal services. |