Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
README.md
operational_access.md

README.md

Platform security

TL;DR

Adding the configuration parameters below to your Application will enable NetworkPolicies and Istio RBAC for your application
(note: Only available in GKE so far)

...
metadata:
  name: d
  namespace: default
spec: 
  ...
  accessPolicy:
    inbound:
      - application: a
        namespace: default # optional, defaults to 'metadata.namespace'
      - application: b
      - application: c
        namespace: othernamespace 

Securing applications by placing them in a defined perimiter behind a firewall is a common approach. However, relying on an external perimiter implies trusting everything behind the perimiter, and this is an unsafe assumption. If one application behind the firewall has been compromised, the other applications are left vulnerable as their security relies on firewalls stopping attackers from entering the perimiter. firewall

Network policies

The use of network policies allow us to define a firewall perimiter around each pod, where we can explicitly express which pods are allowed to communicate with eachother.
The platform takes care of implementing and maintaining these policies dynamically using Calico firewall

Istio RBAC

Even though we've got control over which pods are allowed to communicate on the network layer, we still need to ensure that the communication between the pods is safe. Using Istio RBAC, every pod can prove their identity cryptographically and data can be transported with mTLS
firewall

Pod Security Policy

You can’t perform that action at this time.