Production Deployment: Security Hardening
Part of: Production Deployment Guide
7.1 TLS/mTLS Setup
Generate Certificates:
```bash
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=US/ST=CA/L=San Francisco/O=HeliosDB/CN=HeliosDB CA"

# Generate server certificate
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=CA/L=San Francisco/O=HeliosDB/CN=heliosdb.example.com"

# Sign server certificate. The subjectAltName extension is required: modern
# TLS clients match the hostname against the SAN and ignore the CN.
printf 'subjectAltName=DNS:heliosdb.example.com\n' > server.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 365 -extfile server.ext
```
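Before moving on to the client certificate, it is worth confirming that the server certificate just signed will actually be accepted by clients and is safe to load into a Secret. The script below is an added example, not part of the HeliosDB guide; the function name is this example's own, and it assumes the guide's file names (ca.key, ca.crt, server.crt, server.key) in one directory and GNU coreutils for `stat -c`.

```bash
#!/usr/bin/env bash
# Added pre-deployment check for the server certificate (not from the guide).
# Usage: check_server_cert <dir> <hostname>; returns 0 if all checks pass.

check_server_cert() {
  local dir="$1" host="$2" status=0

  # 1. The certificate must chain to our private CA (catches signing with the
  #    wrong CA, or a truncated/corrupted file).
  if ! openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1; then
    echo "FAIL: server.crt does not verify against ca.crt"; status=1
  fi

  # 2. The private key must belong to the certificate (catches mixed-up files).
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null) || true
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null) || true
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: server.key does not match server.crt"; status=1
  fi

  # 3. Modern clients match the hostname against subjectAltName, not the CN.
  if ! openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"; then
    echo "FAIL: server.crt has no subjectAltName entry for $host"; status=1
  fi

  # 4. The certificate must stay valid for at least 30 days (2592000 s), so
  #    rotation is planned rather than discovered through an outage.
  if ! openssl x509 -in "$dir/server.crt" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "FAIL: server.crt expires within 30 days"; status=1
  fi

  # 5. Key files must not be group- or world-readable before they are loaded
  #    into a Kubernetes Secret (GNU stat assumed).
  local key mode
  for key in ca.key server.key; do
    [ -e "$dir/$key" ] || continue
    mode=$(stat -c %a "$dir/$key")
    if [ "$mode" != "600" ]; then
      echo "FAIL: $key is mode $mode, expected 600"; status=1
    fi
  done
  return "$status"
}

# Example invocation from the directory holding the files:
#   check_server_cert . heliosdb.example.com
```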
```bash
# Generate client certificate
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr \
  -subj "/C=US/ST=CA/L=San Francisco/O=HeliosDB/CN=heliosdb-client"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt -days 365
```

Kubernetes Secret:
```bash
kubectl create secret generic heliosdb-tls \
  --from-file=ca.crt=ca.crt \
  --from-file=server.crt=server.crt \
  --from-file=server.key=server.key \
  --namespace heliosdb
```

7.2 RBAC Configuration
Kubernetes RBAC:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heliosdb-sa
  namespace: heliosdb
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: heliosdb-role
  namespace: heliosdb
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets", "deployments"]
    verbs: ["get", "list", "watch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: heliosdb-rolebinding
  namespace: heliosdb
subjects:
  - kind: ServiceAccount
    name: heliosdb-sa
    namespace: heliosdb
roleRef:
  kind: Role
  name: heliosdb-role
  apiGroup: rbac.authorization.k8s.io
```

Database RBAC:
```sql
-- Create roles
-- Note: ON ALL TABLES covers only the tables that exist when the GRANT runs;
-- use ALTER DEFAULT PRIVILEGES to cover tables created later.
CREATE ROLE readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;

CREATE ROLE readwrite;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO readwrite;

CREATE ROLE admin_role;
GRANT ALL PRIVILEGES ON DATABASE heliosdb TO admin_role;

-- Create users
-- 'secure_password' is a placeholder: use a generated value delivered through
-- the secret store configured in 7.4, never a literal in a committed script.
CREATE USER app_user WITH PASSWORD 'secure_password';
GRANT readwrite TO app_user;

CREATE USER analyst_user WITH PASSWORD 'secure_password';
GRANT readonly TO analyst_user;
```

7.3 Network Policies
network-policy.yaml:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: heliosdb-network-policy
  namespace: heliosdb
spec:
  podSelector:
    matchLabels:
      app: heliosdb
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow from compute nodes
    - from:
        - podSelector:
            matchLabels:
              component: compute
      ports:
        - protocol: TCP
          port: 7002
    # Allow from metadata nodes
    - from:
        - podSelector:
            matchLabels:
              component: metadata
      ports:
        - protocol: TCP
          port: 8300
    # Allow from monitoring (the monitoring namespace must carry the
    # label name=monitoring for this selector to match)
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 9090
  egress:
    # Allow DNS
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
    # Allow internal cluster communication
    - to:
        - podSelector:
            matchLabels:
              app: heliosdb
    # Allow external APIs (for backups, etc.). A podSelector only matches
    # pods inside the cluster, so an ipBlock is needed here; narrow the CIDR
    # to the backup endpoint's addresses rather than leaving it open.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```

7.4 Secret Management
AWS Secrets Manager Integration:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager
  namespace: heliosdb
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: heliosdb-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: heliosdb-secrets
  namespace: heliosdb
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager
    kind: SecretStore
  target:
    name: heliosdb-secrets
    creationPolicy: Owner
  data:
    - secretKey: database-password
      remoteRef:
        key: heliosdb/prod/database-password
    - secretKey: encryption-key
      remoteRef:
        key: heliosdb/prod/encryption-key
```