Proposal for security overview page #2188
base: main
Changes from all commits
ebc34a0
9b6550d
b896109
de5d730
9cc4025
d5dd319
0bd3b4a
@@ -10,4 +10,10 @@ vCenter | |
ESXi | ||
kube-vip | ||
subnet | ||
vApp | ||
vApp | ||
API[s] | ||
Kyverno | ||
Trivy | ||
Sigstore | ||
Falco | ||
Grafana |
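Review bot: vApp appears twice in this hunk (the two lines after subnet), yet the header @@ -10,4 +10,10 @@ accounts for four existing lines plus six additions (API[s], Kyverno, Trivy, Sigstore, Falco, Grafana), so please confirm the file does not end up with a duplicate vApp entry. Sigstore is also being added to this list while the review thread on the overview page concludes that Sigstore is not part of the offering and that its mention was moved elsewhere; keep the entry only if the term still appears somewhere in the docs, since unused vocabulary entries accumulate and stop being reviewed.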
@@ -6,7 +6,39 @@ | |||||
principal: | ||||||
parent: overview | ||||||
identifier: overview-security | ||||||
last_review_date: 2024-03-18 | ||||||
last_review_date: 2024-05-21 | ||||||
owner: | ||||||
- https://github.com/orgs/giantswarm/teams/sig-product | ||||||
- https://github.com/orgs/giantswarm/teams/team-shield | ||||||
--- | ||||||
|
||||||
Security is paramount for any organization, especially those running workloads in the fast-paced cloud-native space. As you will see, Giant Swarm prioritizes security at every platform layer. The security features ensure that your applications and data are protected against threats, comply with industry standards, and maintain integrity throughout their lifecycle. This overview will detail the capabilities of our security offerings and the cloud-native technologies that enable them. | ||||||
GitHub Actions / vale: check warning on line 14 in src/content/overview/security/_index.md
|
||||||
|
||||||
## Capabilities | ||||||
|
||||||
- **Policy enforcement**: Implement fine-grained security policies to control and restrict resource access. It includes Role-Based Access Control (RBAC), Network Policies, and Pod Security Standards (PSS) to ensure that only authorized users and approved applications can run on the platform. | ||||||
|
||||||
|
||||||
- Image scanning and provenance: Ensure the safety and integrity of container images by scanning them for vulnerabilities and verifying their provenance by checking their source and history before deployment. This helps to prevent the use of compromised or malicious images in your environment, thereby reducing the risk of security threats. | ||||||
|
||||||
|
||||||
- **Cloud security posture**: Maintain a strong security posture by continuously monitoring your cloud infrastructure for compliance with security best practices and standards. Identify and remediate wrong configurations and vulnerabilities to reduce the attack surface. | ||||||
|
||||||
- **Runtime anomalies**: Detect and respond to abnormal behavior during runtime, which refers to any action detected that deviates from the expected or normal operation of the system. This includes monitoring for unusual activity, such as unexpected process executions, file system changes, and network connections, which could indicate a security breach or unauthorized access. | ||||||
|
||||||
|
||||||
- **Log alerting**: Enhance visibility and awareness by setting up alerts based on log data. It enables timely detection and response to security incidents, addressing suspicious activity. | ||||||
|
||||||
- **Advanced network capabilities**: Protect data in transit with advanced network security features, including internal traffic encryption. Implement mutual TLS (mTLS) for service-to-service communication to ensure that data is always encrypted and authenticated. | ||||||
|
||||||
## Cloud-Native technologies | ||||||
|
||||||
Our platform leverages several cloud-native technologies to deliver these security capabilities: | ||||||
|
||||||
- **Kyverno**: Facilitates policy enforcement by allowing you to define and enforce fine-grained security policies across all your clusters. | ||||||
|
||||||
|
||||||
- **Trivy and Sigstore**: Rely on our ready-to-use apps to provide image scanning and provenance, ensuring that container images are free from vulnerabilities and their sources are verified. | ||||||
AFAIK we haven't yet done a PoC with Sigstore; it could be possible to wire something up with our current setup, but it hasn't been explored yet.

ok, IMO if we are open for PoC we can leave it

These two don't really go together and we don't really offer Sigstore (customers could sign with any tool), so I moved the mention elsewhere.
|
||||||
|
||||||
- **Falco**: An open-source runtime security project, Falco monitors your Kubernetes environment for runtime anomalies, providing real-time detection of suspicious activities. | ||||||
|
||||||
- **Prometheus and Grafana**: Used for log alerting and monitoring, Prometheus collects and stores metrics, while Grafana provides a customizable dashboard for visualizing and setting up alerts based on these metrics. | ||||||
|
||||||
- **Cilium**: These container networking solutions provide advanced network capabilities, including network policies and internal encryption to secure communication within your clusters. | ||||||
|
||||||
|
||||||
Learn how to start with Security on Giant Swarm by visiting our [getting started security page]({{< relref "overview/security/platform-security/" >}}). |
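Review bot: the Cilium bullet reads "These container networking solutions provide ..." for a single tool; make it "This container networking solution provides ...". The "Prometheus and Grafana" bullet is presented as the technology behind the "Log alerting" capability but describes metrics collection and dashboards, not logs; either rename the capability to metrics-based alerting or name the component that actually handles log alerting, otherwise the capability list and the technology list do not match. The "Image scanning and provenance" bullet is the only capability without the bold label that every other bullet uses ("- **Policy enforcement**:"), so it will render differently. Following the thread above, the "Trivy and Sigstore" bullet should drop Sigstore, since the conclusion was that it is not part of the offering and the mention was moved elsewhere; the list of cloud-native technologies should only name what the platform ships. Finally, the "Cloud security posture" and "Log alerting" capabilities have no corresponding entry in the technologies list, which leaves the reader without a pointer to how those are delivered.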