2017-09-23 22:02:18 +02:00
# Security
Typhoon aims to be minimal and secure. We're running it ourselves after all.
2017-10-02 06:38:52 +02:00
## Overview
**Kubernetes**
* etcd with peer-to-peer and client-auth TLS
2020-04-26 01:50:51 +02:00
* Kubelets TLS bootstrap certificates (72 hours)
* Generated TLS certificate (365 days) for admin `kubeconfig`
* [NodeRestriction ](https://kubernetes.io/docs/reference/access-authn-authz/node/ ) is enabled to limit Kubelet authorization
* [Role-Based Access Control ](https://kubernetes.io/docs/admin/authorization/rbac/ ) is enabled. Apps must define RBAC policies for API access
2017-10-02 06:38:52 +02:00
* Workloads run on worker nodes only, unless they tolerate the master taint
2018-10-03 16:46:51 +02:00
* Kubernetes [Network Policy ](https://kubernetes.io/docs/concepts/services-networking/network-policies/ ) and Calico [NetworkPolicy ](https://docs.projectcalico.org/latest/reference/calicoctl/resources/networkpolicy ) support [^1]
2017-10-02 06:38:52 +02:00
2019-10-16 08:09:41 +02:00
[^1]: Requires `networking = "calico"` . Calico is the default on all platforms (AWS, Azure, bare-metal, DigitalOcean, and Google Cloud).
2017-10-02 06:38:52 +02:00
**Hosts**
* Container Linux auto-updates are enabled
* Hosts limit logins to SSH key-based auth (user "core")
2020-05-14 06:57:09 +02:00
* SELinux enforcing mode [^2]
[^2]: SELinux is enforcing on Fedora CoreOS, permissive on Flatcar Linux.
2017-10-02 06:38:52 +02:00
**Platform**
* Cloud firewalls limit access to ssh, kube-apiserver, and ingress
* No cluster credentials are stored in Matchbox (used for bare-metal)
* No cluster credentials are stored in Digital Ocean metadata
* Cluster credentials are stored in AWS metadata (for ASGs)
2018-08-27 08:39:41 +02:00
* Cluster credentials are stored in Azure metadata (for scale sets)
* Cluster credentials are stored in Google Cloud metadata (for managed instance groups)
2017-10-02 06:38:52 +02:00
* No account credentials are available to Digital Ocean droplets
2018-08-27 08:39:41 +02:00
* No account credentials are available to AWS EC2 instances (no IAM permissions)
* No account credentials are available to Azure instances (no IAM permissions)
* No account credentials are available to Google Cloud instances (no IAM permissions)
2017-10-02 06:38:52 +02:00
## Precautions
Typhoon limits exposure to many security threats, but it is not a silver bullet. As usual,
* Do not run untrusted images or accept manifests from strangers
* Do not give untrusted users a shell behind your firewall
* Define network policies for your namespaces
2020-03-17 05:21:41 +01:00
## Container Images
2017-09-23 22:02:18 +02:00
2020-03-17 05:21:41 +01:00
Typhoon uses upstream container images (where possible) and upstream binaries.
!!! note
Kubernetes releases `kubelet` as a binary for distros to package, either as a DEB/RPM on traditional distros or as a container image for container-optimized operating systems.
Typhoon [packages ](https://github.com/poseidon/kubelet ) the upstream Kubelet and its dependencies as a [container image ](https://quay.io/repository/poseidon/kubelet ) for use in Typhoon. The upstream Kubelet binary is checksummed and packaged directly. Quay automated builds provide verifiability and confidence in image contents.
2017-09-23 22:02:18 +02:00
## Disclosures
2017-10-02 06:38:52 +02:00
If you find security issues, please email dghubble at gmail. If the issue lies in upstream Kubernetes, please inform upstream Kubernetes as well.
2017-09-23 22:02:18 +02:00