Production Deployment: Security Hardening¶
Part of: Production Deployment Guide
7.1 TLS/mTLS Setup¶
Generate Certificates (a self-managed CA is shown for illustration; production deployments should issue from an existing PKI where possible, and in every case keep ca.key off the cluster):
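# Create CA
# Restrict every key file written below to the current user (0600); the CA key
# in particular stays on the signing host and is never placed in a Kubernetes
# Secret or shipped to clients.
umask 077
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=US/ST=CA/L=San Francisco/O=HeliosDB/CN=HeliosDB CA"
# Generate server certificate
# Put the server name in a subjectAltName: TLS clients verify the host against
# SAN, not CN, so a CN-only certificate fails hostname verification. List every
# name clients connect with (e.g. the in-cluster Service DNS name as well as
# heliosdb.example.com). -addext needs OpenSSL 1.1.1 or newer.
SERVER_SAN="DNS:heliosdb.example.com"
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=CA/L=San Francisco/O=HeliosDB/CN=heliosdb.example.com" \
  -addext "subjectAltName=${SERVER_SAN}"
# Sign server certificate
# `openssl x509 -req` does not copy extensions from the CSR unless they are
# re-supplied via -extfile, so the SAN and a server-only extendedKeyUsage are
# written to a small extension file here. The EKU keeps a leaked server cert
# from being usable as a client credential and vice versa.
printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
  "${SERVER_SAN}" > server.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 365 -extfile server.ext
# Generate client certificate
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr \
  -subj "/C=US/ST=CA/L=San Francisco/O=HeliosDB/CN=heliosdb-client"
# Sign client certificate (clientAuth-only EKU; the ca.srl file created by the
# previous step is reused, so the two certificates get distinct serial numbers).
printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt -days 365 -extfile client.ext
# Both leaf certificates expire after 365 days: schedule rotation well before then.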
Kubernetes Secret (server-side material only — never add ca.key to it):
# Server-side TLS material only: the CA certificate (presumably what the server
# uses to verify client certificates for mTLS — confirm against the server
# config), plus the server certificate and private key. ca.key and the client
# key pair are deliberately absent: the CA key stays offline and client
# material is distributed to the connecting workloads separately.
# With no explicit key name, kubectl uses the file's basename as the Secret key,
# so the stored keys are still ca.crt, server.crt and server.key.
kubectl -n heliosdb create secret generic heliosdb-tls \
  --from-file=ca.crt \
  --from-file=server.crt \
  --from-file=server.key
7.2 RBAC Configuration¶
Kubernetes RBAC:
# service-account.yaml
# Identity the HeliosDB pods run as. The SecretStore in section 7.4 also
# authenticates with this account, so the pods' API token doubles as the
# credential for the AWS secrets; with IRSA that additionally requires an
# eks.amazonaws.com/role-arn annotation here (not present), and a separate,
# dedicated ServiceAccount for the SecretStore would keep that reach off the
# database pods entirely.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heliosdb-sa
  namespace: heliosdb
---
# Namespace-scoped permissions for that identity. Nothing here needs
# cluster-wide scope, so a Role (not a ClusterRole) is the right choice.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: heliosdb-role
  namespace: heliosdb
rules:
  # Read-only discovery of workloads and their endpoints in this namespace.
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
    verbs:
      - get
      - list
      - watch
  # NOTE(review): `update` on statefulsets/deployments lets any holder of this
  # token rewrite the workload spec (image, env, volumes) of every
  # StatefulSet/Deployment in the namespace — an in-namespace privilege
  # escalation path if a database pod is compromised. Confirm the database
  # really needs it; if writes are required, scope them with `resourceNames`
  # to the HeliosDB workload itself.
  - apiGroups:
      - apps
    resources:
      - statefulsets
      - deployments
    verbs:
      - get
      - list
      - watch
      - update
---
# Binds the Role above to the ServiceAccount above (namespace-local binding).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: heliosdb-rolebinding
  namespace: heliosdb
subjects:
  - kind: ServiceAccount
    name: heliosdb-sa
    namespace: heliosdb
roleRef:
  kind: Role
  name: heliosdb-role
  apiGroup: rbac.authorization.k8s.io
Database RBAC:
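-- Create roles
-- These are NOLOGIN group roles; the login users further down inherit from
-- them. The GRANT ... ON ALL TABLES / SEQUENCES forms only cover objects that
-- exist when the statement runs, so ALTER DEFAULT PRIVILEGES is added to
-- extend the same grants to objects created later. Both forms follow
-- PostgreSQL semantics (the syntax on this page already does) — confirm
-- against the HeliosDB SQL dialect. ALTER DEFAULT PRIVILEGES only affects
-- objects created by the role running it; add FOR ROLE <owner> if tables are
-- created by a different role.
CREATE ROLE readonly;
GRANT USAGE ON SCHEMA public TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;

CREATE ROLE readwrite;
GRANT USAGE ON SCHEMA public TO readwrite;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO readwrite;
-- INSERT into tables with serial/identity columns also needs the sequences.
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT USAGE, SELECT ON SEQUENCES TO readwrite;

CREATE ROLE admin_role;
-- NOTE: ALL PRIVILEGES ON DATABASE covers the database object itself
-- (CONNECT/CREATE/TEMP), not the tables inside it; grant schema and table
-- privileges explicitly if admin_role is meant to manage data.
GRANT ALL PRIVILEGES ON DATABASE heliosdb TO admin_role;

-- Create users
-- Replace each placeholder with the value held in the secrets manager (the
-- `database-password` entry in section 7.4). Never reuse one password across
-- users, and run these statements where the literal will not be captured in
-- shell history or server query logs.
CREATE USER app_user WITH PASSWORD '<app_user_password>';
GRANT readwrite TO app_user;
CREATE USER analyst_user WITH PASSWORD '<analyst_user_password>';
GRANT readonly TO analyst_user;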
7.3 Network Policies¶
network-policy.yaml:
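apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: heliosdb-network-policy
  namespace: heliosdb
spec:
  podSelector:
    matchLabels:
      app: heliosdb
  # Listing both types makes this default-deny in both directions for the
  # selected pods; only the rules below are allowed.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow from compute nodes
    - from:
        - podSelector:
            matchLabels:
              component: compute
      ports:
        - protocol: TCP
          port: 7002
    # Allow from metadata nodes
    - from:
        - podSelector:
            matchLabels:
              component: metadata
      ports:
        - protocol: TCP
          port: 8300
    # Allow from monitoring
    # NOTE(review): this depends on the monitoring namespace carrying a custom
    # `name: monitoring` label, and admits every pod in that namespace to 9090;
    # add a podSelector for the scraper if its labels are known.
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 9090
  egress:
    # Allow DNS. TCP 53 is included because resolvers retry over TCP when a
    # response is truncated. Tighten the selector to the cluster DNS pods
    # (typically kube-system / k8s-app=kube-dns) if those labels apply.
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow internal cluster communication
    - to:
        - podSelector:
            matchLabels:
              app: heliosdb
    # Allow external APIs (for backups, etc.)
    # A podSelector only ever matches pods in this namespace, so the original
    # rule never permitted traffic to anything outside the cluster; an ipBlock
    # does. The except list keeps the rule from also opening RFC 1918 space and
    # the link-local range (169.254.169.254 is the cloud instance-metadata
    # endpoint). Narrow the cidr to the backup endpoint's addresses where they
    # are known. The in-namespace podSelector is kept for compatibility and can
    # be dropped if nothing else in the namespace is reached on 443.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 443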
7.4 Secret Management¶
AWS Secrets Manager Integration (via the External Secrets Operator):
# external-secrets.yaml
# SecretStore: how the External Secrets Operator reaches AWS Secrets Manager.
# With the jwt auth method the operator obtains a token for the named
# ServiceAccount and exchanges it for AWS credentials; on EKS with IRSA that
# requires the ServiceAccount to carry the eks.amazonaws.com/role-arn
# annotation, which the 7.2 manifest does not show — confirm it is set.
# Because heliosdb-sa is also the identity of the database pods, every pod
# using it can read these secrets directly from AWS; a dedicated
# ServiceAccount for the store is the least-privilege option.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager
  namespace: heliosdb
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: heliosdb-sa
---
# ExternalSecret: materialises two Secrets Manager entries as the Kubernetes
# Secret `heliosdb-secrets` in this namespace.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: heliosdb-secrets
  namespace: heliosdb
spec:
  # Re-read from Secrets Manager every hour; a rotated value takes up to this
  # long to land in the cluster, and the workload must also pick it up.
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager
    kind: SecretStore
  target:
    name: heliosdb-secrets
    # Owner: the operator creates the Secret and deletes it with this object.
    creationPolicy: Owner
  # The resulting Kubernetes Secret is only base64-encoded: anyone with
  # `get secrets` in this namespace — and anyone who can read etcd when
  # encryption-at-rest is not configured — can recover the encryption key
  # below. Keep RBAC on secrets in this namespace tight and enable etcd
  # encryption (KMS-backed where available).
  data:
    - secretKey: database-password
      remoteRef:
        key: heliosdb/prod/database-password
    - secretKey: encryption-key
      remoteRef:
        key: heliosdb/prod/encryption-key