Showing 2 changed files with 121 additions and 0 deletions.
@@ -0,0 +1,120 @@ | ||
= Security | ||
|
||
== Access Management | ||
|
||
=== Long Lived Tokens | ||
|
||
The default OpenShift 10 year emergency admin token is disabled and replaced by a short lived token. | ||
|
||
See xref:oc4:ROOT:references/architecture/emergency_credentials.adoc[]. | ||
|
||
=== Two Factor Authentication | ||
|
||
VSHN managed OpenShift clusters are configured to use two factor authentication through the VSHN SSO for the web console by default. | ||
The configuration is centrally managed according to best practices. | ||
|
||
See xref:oc4:ROOT:references/architecture/single_sign_on.html[]. | ||
|
||
=== Sudo | ||
|
||
VSHN managed OpenShift clusters are configured to deny dangerous operations by default. | ||
|
||
See xref:oc4:ROOT:explanations/sudo.adoc[]. | ||
|
||
== Containers | ||
|
||
=== Priviledged Containers and Build Strategies | ||
|
||
VSHN managed OpenShift clusters are configured to deny the use of privileged containers and build strategies by default. | ||
|
||
See xref:oc4:ROOT:explanations/pod_security.adoc[]. | ||
|
||
=== Seccomp | ||
|
||
VSHN managed OpenShift clusters are configured to use the CRI-O seccomp profile `runtime/default` by default. | ||
|
||
This restricts some syscalls that could shorten exploit chains. | ||
|
||
== Network | ||
|
||
=== Load Balancer | ||
|
||
VSHN managed OpenShift clusters include, depending on the cloud provider, hardened load balancers based on HAProxy. | ||
|
||
Addictional firewalls and jumphosts can be configured on request. | ||
|
||
=== Cilium | ||
|
||
VSHN managed OpenShift clusters uses the hardened enterprise version of Cilium as the default network plugin. | ||
|
||
https://cilium.io/[Cilium] | ||
|
||
=== Default Namespace Isolation | ||
|
||
VSHN managed OpenShift clusters are configured to deny traffic between different namespaces by default. | ||
|
||
== Updates | ||
|
||
All VSHN managed OpenShift clusters and their load balancers are automatically updated to the latest version of OpenShift and the latest security patches. | ||
If not otherwise agreed, the updates are applied weekly during the communicated maintenance window. | ||
|
||
See xref:oc4:ROOT:references/architecture/upgrade_controller.adoc[]. | ||
|
||
== Backup | ||
|
||
VSHN managed OpenShift clusters include backups of all Kubernetes manifests and the raw etcd data to a secure location by default. | ||
|
||
== Inventory | ||
|
||
All VSHN managed configuration and software for the OpenShift clusters are stored in a central Git repository. | ||
Software versions are reported in a central repository and actively monitored. | ||
|
||
We use https://syn.tools/syn/index.html[Project Syn] to manage the inventory. | ||
|
||
=== Staged Rollouts | ||
|
||
New software versions are rolled out in a staged manner to ensure that the software is stable and secure. | ||
|
||
== Monitoring and Logging | ||
|
||
=== Capacity Monitoring | ||
|
||
VSHN managed OpenShift clusters include capacity monitoring by default. | ||
VSHN gets notified if the cluster is running out of resources. | ||
|
||
=== Logging | ||
|
||
VSHN managed OpenShift clusters include logging by default. | ||
|
||
A copy of the Kubernetes audit logs is stored in a secure location at VSHN. | ||
|
||
== VSHN | ||
|
||
<!-- vale Microsoft.Contractions = NO --> | ||
<!-- direct quote --> | ||
|
||
> We are convinced that transparency and certified processes improve data security and confidentiality. | ||
> We are ISO 27001 certified and work according to the strict FINMA guidelines to ensure the security and confidentiality of client data at all times. | ||
|
||
> VSHN is the first Kubernetes Certified Service Provider (KCSP) in Switzerland, Red Hat Advanced CCSP Partner and we are ISO 27001 certified (you can download and view our ISO certificate), we work according to the strict FINMA guidelines and are ISAE 3402 Report Type 2 audited. | ||
|
||
<!-- vale Microsoft.Contractions = YES --> | ||
|
||
* https://www.vshn.ch/en/about/awards-certifications/[VSHN Awards & Certifications] | ||
* https://handbook.vshn.ch/ism_policies.html[Information Security Management Policies] | ||
* https://kb.vshn.ch/kb/security_vulnerability_process.html[Security and Vulnerability Handling Process] | ||
|
||
== Partners | ||
|
||
=== cloudscale | ||
|
||
> Builds trust | ||
|
||
https://www.cloudscale.ch/en/security[cloudscale Security] | ||
|
||
=== Exoscale | ||
|
||
> Security and safety of your data is something we make an essential priority at Exoscale. | ||
> We understand that trusting an external entity with your data is a difficult step to take. | ||
|
||
https://www.exoscale.com/security/[Exoscale Security Policy] |
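Review bot: The xref under "Two Factor Authentication" targets `single_sign_on.html` while every other xref in this file targets a `.adoc` source (`emergency_credentials.adoc`, `sudo.adoc`, `pod_security.adoc`, `upgrade_controller.adoc`); Antora resolves xrefs by page ID, so this one will likely render as a broken link unless it is changed to `xref:oc4:ROOT:references/architecture/single_sign_on.adoc[]`. Three spelling/grammar slips in the same hunk: the heading `=== Priviledged Containers and Build Strategies` should read `Privileged`, `Addictional firewalls and jumphosts` should read `Additional`, and `VSHN managed OpenShift clusters uses the hardened enterprise version of Cilium` needs `use`. The Seccomp sentence "This restricts some syscalls that could shorten exploit chains." reads as if the syscalls do the shortening; suggest "Blocking these syscalls removes primitives that exploit chains commonly depend on." The vale toggles are written as HTML comments (`<!-- vale Microsoft.Contractions = NO -->`), but AsciiDoc's comment syntax is `//`, and Asciidoctor will escape the angle brackets and print those lines as visible text in the rendered page; use `// vale Microsoft.Contractions = NO` and `// vale Microsoft.Contractions = YES` instead, and the same for the `<!-- direct quote -->` marker.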