typhoon/docs/topics/security.md

# Security

Typhoon aims to be minimal and secure. We're running it ourselves after all.

## Overview

**Kubernetes**

* etcd with peer-to-peer and client-auth TLS
* Generated kubelet TLS certificates and `kubeconfig` (365 days)
* [Role-Based Access Control](https://kubernetes.io/docs/admin/authorization/rbac/) is enabled. Apps must define RBAC policies
* Workloads run on worker nodes only, unless they tolerate the master taint
* Kubernetes [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) and Calico [NetworkPolicy](https://docs.projectcalico.org/latest/reference/calicoctl/resources/networkpolicy) support [^1]

[^1]: Requires `networking = "calico"`. Calico is the default on AWS, bare-metal, and Google Cloud. Azure and Digital Ocean are limited to `networking = "flannel"`.

**Hosts**

* Container Linux auto-updates are enabled
* Hosts limit logins to SSH key-based auth (user "core")

**Platform**

* Cloud firewalls limit access to ssh, kube-apiserver, and ingress
* No cluster credentials are stored in Matchbox (used for bare-metal)
* No cluster credentials are stored in Digital Ocean metadata
* Cluster credentials are stored in AWS metadata (for ASGs)
* Cluster credentials are stored in Azure metadata (for scale sets)
* Cluster credentials are stored in Google Cloud metadata (for managed instance groups)
* No account credentials are available to Digital Ocean droplets
* No account credentials are available to AWS EC2 instances (no IAM permissions)
* No account credentials are available to Azure instances (no IAM permissions)
* No account credentials are available to Google Cloud instances (no IAM permissions)

## Precautions

Typhoon limits exposure to many security threats, but it is not a silver bullet. As usual,

* Do not run untrusted images or accept manifests from strangers
* Do not give untrusted users a shell behind your firewall
* Define network policies for your namespaces

## OpenPGP Signing

Typhoon uses upstream container images and binaries. We do not distribute artifacts of our own. If you find artifacts claiming to be from Typhoon, please send a note.

## Disclosures

If you find security issues, please email dghubble at gmail. If the issue lies in upstream Kubernetes, please inform upstream Kubernetes as well.
README: Add IRC link, CHANGES.md, and minor fixes 2017-09-23 22:02:18 +02:00			`# Security`

			`Typhoon aims to be minimal and secure. We're running it ourselves after all.`

docs: Add details about security features 2017-10-02 06:38:52 +02:00			`## Overview`

			`Kubernetes`

			`* etcd with peer-to-peer and client-auth TLS`
			* Generated kubelet TLS certificates and `kubeconfig` (365 days)
			`* [Role-Based Access Control](https://kubernetes.io/docs/admin/authorization/rbac/) is enabled. Apps must define RBAC policies`
			`* Workloads run on worker nodes only, unless they tolerate the master taint`
Fix Calico network policy docs link 2018-10-03 16:46:51 +02:00			`* Kubernetes [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) and Calico [NetworkPolicy](https://docs.projectcalico.org/latest/reference/calicoctl/resources/networkpolicy) support [^1]`
docs: Add details about security features 2017-10-02 06:38:52 +02:00
Add new tutorial docs and links 2018-08-27 08:39:41 +02:00			[^1]: Requires `networking = "calico"`. Calico is the default on AWS, bare-metal, and Google Cloud. Azure and Digital Ocean are limited to `networking = "flannel"`.
docs: Add details about security features 2017-10-02 06:38:52 +02:00
			`Hosts`

			`* Container Linux auto-updates are enabled`
			`* Hosts limit logins to SSH key-based auth (user "core")`

			`Platform`

			`* Cloud firewalls limit access to ssh, kube-apiserver, and ingress`
			`* No cluster credentials are stored in Matchbox (used for bare-metal)`
			`* No cluster credentials are stored in Digital Ocean metadata`
			`* Cluster credentials are stored in AWS metadata (for ASGs)`
Add new tutorial docs and links 2018-08-27 08:39:41 +02:00			`* Cluster credentials are stored in Azure metadata (for scale sets)`
			`* Cluster credentials are stored in Google Cloud metadata (for managed instance groups)`
docs: Add details about security features 2017-10-02 06:38:52 +02:00			`* No account credentials are available to Digital Ocean droplets`
Add new tutorial docs and links 2018-08-27 08:39:41 +02:00			`* No account credentials are available to AWS EC2 instances (no IAM permissions)`
			`* No account credentials are available to Azure instances (no IAM permissions)`
			`* No account credentials are available to Google Cloud instances (no IAM permissions)`
docs: Add details about security features 2017-10-02 06:38:52 +02:00
			`## Precautions`

			`Typhoon limits exposure to many security threats, but it is not a silver bullet. As usual,`

			`* Do not run untrusted images or accept manifests from strangers`
			`* Do not give untrusted users a shell behind your firewall`
			`* Define network policies for your namespaces`

			`## OpenPGP Signing`
README: Add IRC link, CHANGES.md, and minor fixes 2017-09-23 22:02:18 +02:00
Remove Fedora Atomic documentation * Typhoon for Fedora Atomic was deprecated in March 2019 * https://typhoon.psdn.io/announce/#march-27-2019 2019-06-20 07:21:58 +02:00			`Typhoon uses upstream container images and binaries. We do not distribute artifacts of our own. If you find artifacts claiming to be from Typhoon, please send a note.`
README: Add IRC link, CHANGES.md, and minor fixes 2017-09-23 22:02:18 +02:00
			`## Disclosures`

docs: Add details about security features 2017-10-02 06:38:52 +02:00			`If you find security issues, please email dghubble at gmail. If the issue lies in upstream Kubernetes, please inform upstream Kubernetes as well.`
README: Add IRC link, CHANGES.md, and minor fixes 2017-09-23 22:02:18 +02:00