Security

Access Management

Long Lived Tokens

The 10-year emergency admin token that OpenShift creates by default is disabled and replaced with a short-lived one.

Two Factor Authentication

VSHN Managed OpenShift clusters are configured to use two-factor authentication through VSHN Login for the web console by default. The OpenID Connect client configuration is centrally managed according to best practices.

Sudo

VSHN Managed OpenShift clusters are configured to deny dangerous operations by default.

Privileged Containers and Build Strategies

VSHN Managed OpenShift clusters are configured to deny the use of privileged containers and build strategies by default.

OpenShift SecurityContextConstraints

VSHN Managed OpenShift clusters run workloads with OpenShift’s restricted-v2 SCC by default.

The restricted-v2 SCC:

  • Ensures that pods cannot run as privileged

  • Ensures that pods cannot mount host directory volumes

  • Requires that a pod runs as a user in a pre-allocated range of UIDs

  • Requires that a pod runs with a pre-allocated MCS label

  • Requires that a pod runs with a pre-allocated FSGroup

  • Allows pods to use any supplemental group

  • Drops ALL capabilities from containers

  • Allows the NET_BIND_SERVICE capability to be added back explicitly

  • Sets seccompProfile to runtime/default when it is not specified

  • Requires allowPrivilegeEscalation to be unset or set to false in security contexts

Seccomp

CRI-O's runtime/default seccomp profile restricts the syscalls a container may use, which removes primitives that exploit chains commonly depend on and so shortens or breaks them.

Kubernetes Pod Security Admission

VSHN Managed OpenShift clusters are configured to validate workloads against the restricted Kubernetes Pod Security Standard by default. Currently, Pod Security Admission is configured to only warn about violating configurations; it does not reject them.

See Pod Security for details on how PSA and OpenShift SCCs interact.
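As an added example, and not code from VSHN or OpenShift, the following Python audits a pod spec offline against the restricted-v2 rules listed above and, separately, against the fields the restricted Pod Security Standard requires to be set explicitly (the ones PSA warns about on these clusters when a pod relies on SCC defaults). The sample pod specs are constructed for the example; the real decisions are made by the SCC admission plugin and Pod Security Admission in the API server, and the namespace UID-range check can only be approximated offline because the range is not known (UID 0 is never inside it).

```python
# Added example, not VSHN's or OpenShift's code: an offline audit of a pod spec
# (a dict parsed from YAML/JSON) against the restricted-v2 SCC rules listed
# above and the restricted Pod Security Standard PSA warns about. The SCC
# admission plugin and Pod Security Admission in the API server make the
# real decisions.

ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}  # the only capability restricted-v2 lets a pod add back


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def _effective(container_sc, pod_sc, key, default=None):
    """A container-level securityContext field overrides the pod-level one."""
    return container_sc.get(key, pod_sc.get(key, default))


def check_restricted_v2(pod):
    """Return the restricted-v2 violations the SCC admission would reject (empty: admitted)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')!r} mounts a host directory")
    for c in _containers(spec):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is True:  # must be unset or false
            violations.append(f"{name}: allowPrivilegeEscalation is true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: does not drop ALL capabilities")
        extra = set(caps.get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            violations.append(f"{name}: adds capabilities {sorted(extra)}")
        # MustRunAsRange: the SCC compares an explicit runAsUser with the
        # namespace's pre-allocated UID range, which is unknown offline. UID 0
        # is never inside that range, so it is the one value rejected here.
        if _effective(sc, pod_sc, "runAsUser") == 0:
            violations.append(f"{name}: runs as UID 0")
        profile = _effective(sc, pod_sc, "seccompProfile", {}).get("type")
        if profile not in (None, "RuntimeDefault"):  # unset is defaulted to runtime/default
            violations.append(f"{name}: seccomp profile {profile} is not allowed")
    return violations


def psa_restricted_warnings(pod):
    """Fields the restricted Pod Security Standard wants set explicitly (beyond the
    checks above). restricted-v2 accepts them unset, so a pod that relies on SCC
    defaults is admitted but can still produce a PSA warning."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    warnings = []
    for c in _containers(spec):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            warnings.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            warnings.append(f"{name}: runAsNonRoot must be explicitly true")
        profile = _effective(sc, pod_sc, "seccompProfile", {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            warnings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return warnings


# Constructed sample specs, not real workloads.
BAD_POD = {
    "metadata": {"name": "debug-tools"},
    "spec": {
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "registry.example/tools:latest",
                        "securityContext": {"privileged": True, "runAsUser": 0,
                                            "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}}],
    },
}
GOOD_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web", "image": "registry.example/web:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        name = pod["metadata"]["name"]
        print(name, "SCC restricted-v2:", check_restricted_v2(pod) or "admitted")
        print(name, "PSA restricted:", psa_restricted_warnings(pod) or "no warnings")
```

The debug-tools pod collects five SCC violations (host directory, privileged, no drop ALL, SYS_ADMIN, UID 0) and three PSA warnings; the web pod passes both because it sets the three PSA fields explicitly instead of relying on the SCC to default them.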

Network

Load Balancer

VSHN Managed OpenShift clusters include, depending on the cloud provider, hardened load balancers based on HAProxy.

Additional firewalls and jump hosts can be configured on request.

Cilium

VSHN Managed OpenShift clusters use the hardened enterprise version of Cilium as the default network plugin.

Default Namespace Isolation

VSHN Managed OpenShift clusters are configured to deny traffic between namespaces by default.
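The NetworkPolicy objects that implement this kind of isolation, and what they admit, as an added example that is not VSHN's or Cilium's code. The two policies below are an assumption about how the default is realised in a namespace named app: deny all ingress, then allow it back from the same namespace. A third policy shows the usual exception for the router namespace; the label network.openshift.io/policy-group=ingress on that namespace is also an assumption here. The evaluator implements Kubernetes ingress-policy semantics for matchLabels selectors only (no ipBlock, ports or egress) so the flows can be checked offline.

```python
# Added example, not VSHN's or Cilium's code: the NetworkPolicies assumed to
# implement "deny traffic between namespaces", plus a minimal evaluator of
# Kubernetes ingress semantics (matchLabels selectors only; no ipBlock, ports
# or egress) to show which flows they admit.

# Constructed policies for a namespace "app".
DEFAULT_DENY = {
    "metadata": {"name": "deny-by-default", "namespace": "app"},
    # selects every pod and lists no ingress rules: once a pod is selected by
    # any policy, only flows that some rule admits get through
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
ALLOW_SAME_NAMESPACE = {
    "metadata": {"name": "allow-same-namespace", "namespace": "app"},
    # a `from` entry with only a podSelector is scoped to the policy's own namespace
    "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]},
}
ALLOW_FROM_ROUTER = {  # the usual exception: let the router namespace reach web pods
    "metadata": {"name": "allow-from-router", "namespace": "app"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "web"}},
        "ingress": [{"from": [{"namespaceSelector": {
            "matchLabels": {"network.openshift.io/policy-group": "ingress"}}}]}],
    },
}
POLICIES = [DEFAULT_DENY, ALLOW_SAME_NAMESPACE, ALLOW_FROM_ROUTER]


def _selects(selector, labels):
    """matchLabels semantics: every listed label must be present with that value; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, policy_ns, src):
    """One element of a rule's `from` list against a source pod."""
    if "ipBlock" in peer:
        return False  # CIDR peers are not modelled here
    if "namespaceSelector" in peer:
        # namespaceSelector alone matches pods in any namespace with those labels;
        # combined with a podSelector in the same element, both must match (AND)
        return (_selects(peer["namespaceSelector"], src["ns_labels"])
                and _selects(peer.get("podSelector", {}), src["labels"]))
    return src["ns"] == policy_ns and _selects(peer["podSelector"], src["labels"])


def ingress_allowed(policies, src, dst):
    """src and dst are pods as {"ns", "labels", "ns_labels"}; True if the flow is admitted."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["ns"]
                 and _selects(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True  # no policy selects the destination: Kubernetes default is allow-all
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if not rule.get("from"):
                return True  # a rule with no `from` admits every source
            if any(_peer_matches(peer, p["metadata"]["namespace"], src) for peer in rule["from"]):
                return True
    return False


# Constructed pods for a quick check.
WEB = {"ns": "app", "labels": {"role": "web"}, "ns_labels": {}}
DB = {"ns": "app", "labels": {"role": "db"}, "ns_labels": {}}
OTHER = {"ns": "other", "labels": {"role": "web"}, "ns_labels": {}}
ROUTER = {"ns": "openshift-ingress", "labels": {},
          "ns_labels": {"network.openshift.io/policy-group": "ingress"}}

if __name__ == "__main__":
    for src, dst, label in ((WEB, DB, "app/web -> app/db"),
                            (OTHER, DB, "other/web -> app/db"),
                            (ROUTER, WEB, "router -> app/web"),
                            (ROUTER, DB, "router -> app/db")):
        print(f"{label}: {'allowed' if ingress_allowed(POLICIES, src, dst) else 'denied'}")
```

Two details worth noting: without any policy selecting a pod, Kubernetes admits all ingress, so the deny-by-default policy is what makes the allow policies meaningful; and the same-namespace allow works because a `from` entry with only a podSelector never matches pods from other namespaces.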

OpenShift Service Mesh

VSHN Managed OpenShift can use a hardened version of Istio as the default service mesh.

Updates

All VSHN Managed OpenShift clusters and their load balancers are automatically updated to the latest OpenShift version and the latest security patches. Unless otherwise agreed, updates are applied weekly during the communicated maintenance window.

Backup

VSHN Managed OpenShift clusters include backups of all Kubernetes manifests and the raw etcd data to a secure location by default.

Inventory

All VSHN managed configuration and software for the OpenShift clusters are stored in a central Git repository. Software versions are reported in a central repository and actively monitored.

We use Project Syn to manage the inventory.

Staggered Rollouts

New software versions are rolled out in a staggered manner to ensure that the software is stable and secure.

Monitoring and Logging

See Central Insights for more information.

Capacity Monitoring

VSHN Managed OpenShift clusters include capacity monitoring by default. VSHN gets notified if the cluster is running out of resources.

Logging

VSHN Managed OpenShift clusters include logging by default. The log management is done by the OpenShift cluster itself. It’s based on Loki and integrated into the OpenShift console.

A copy of the Kubernetes audit logs is stored in a secure location at VSHN.

Deletion

Robust, tested, and audited deletion processes are in place to ensure that all data is securely deleted when no longer needed.

VSHN

We are convinced that transparency and certified processes improve data security and confidentiality. VSHN is the first Kubernetes Certified Service Provider (KCSP) in Switzerland and a Red Hat Advanced CCSP Partner. We are ISO 27001 certified (our ISO certificate is available for download), work according to the strict FINMA guidelines to ensure the security and confidentiality of client data at all times, and are ISAE 3402 Type 2 audited.

Partners

cloudscale

Builds trust

Exoscale

Security and safety of your data is something we make an essential priority at Exoscale. We understand that trusting an external entity with your data is a difficult step to take.