Security considerations for IEM Pro installation¶
When installing Kubernetes (K8s), it is critical to prioritize security. Key considerations include strong access controls, data encryption, regular updates, network segmentation, and monitoring/logging. By addressing these aspects, organizations can strengthen their infrastructure and improve security. Follow best practices for setting up the K8s cluster.
Secure configuration of helm chart¶
Use latest version¶
Industrial Edge is regularly updated. This includes security enhancements and patches for 3rd party software. It is highly recommended that you always use the latest version. Notifications of new versions are provided through the IE Hub.
Default settings¶
The helm chart offers many configuration options. The default configuration of the helm chart provides secure settings for most cases. Due to the flexible nature of the helm chart, the optimal settings may differ from the default settings in some cases.
Encryption¶
In Transit¶
Internal communication is not encrypted by default. It is up to the K8s operator to secure the network using VPN tunnels, service mesh, or other appropriate measures.
At Rest¶
The helm charts only create PersistentVolumeClaims (PVC). It is up to the K8s cluster setup to satisfy the storage request. Consider using storage classes that also support encryption at rest. Make sure to keep your backups also encrypted.
Secure Public Access¶
WAF¶
A web application firewall (WAF) is useful when integrated with a Kubernetes ingress controller. The primary role of a WAF is to protect web applications from various security threats, such as SQL injection and cross-site scripting (XSS), or to be used for virtual patching and geoblocking. By deploying a WAF alongside an ingress controller in a Kubernetes cluster, you can improve the security posture of your applications.
Cookies and Secure Headers¶
Proper management of cookies and HTTP headers is essential for securing web applications deployed on Kubernetes.
The IEM Gateway sets secure cookie attributes (Secure, HttpOnly, SameSite) and security headers by default, including:
Strict-Transport-Security
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-ancestors 'self';
X-Frame-Options
X-XSS-Protection
Ensure these settings are not overwritten by the ingress controller or other proxies.
On logout, the IEM Gateway sends the Clear-Site-Data header with the keys: cache, cookies, and executionContexts.
NOTICE
The cookies key may cause some browsers to delete all cookies for lower-level domains, which could lead to unexpected behavior.
Regularly review and update header configurations to align with security best practices.
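The following script is an added example, not part of the IEM documentation or of the IEM Gateway itself. It checks a captured HTTP response for the headers and cookie attributes listed above, so you can confirm that the ingress controller or a proxy in front of the gateway has not stripped or replaced them. The two response dumps are constructed for offline use; in practice, capture the response that sets the session cookie with curl -sS -D - -o /dev/null against your installation and pass it to check_headers.

```bash
#!/usr/bin/env bash
# Added example: verify that the IEM Gateway's security headers and cookie
# attributes survive the path through ingress controller and proxies.
# Real input: curl -sS -D - -o /dev/null https://<iem-host>/...  (capture the
# response that sets the session cookie). The dumps below are constructed.

REQUIRED_HEADERS="strict-transport-security content-security-policy x-frame-options x-xss-protection"
REQUIRED_COOKIE_ATTRS="Secure HttpOnly SameSite"

# check_headers <raw response headers>
# Prints one line per finding; exit status is the number of findings (0 = ok).
check_headers() {
  local headers="$1" problems=0 h attr line
  for h in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$headers" | grep -qi "^$h:"; then
      echo "MISSING header: $h"
      problems=$((problems + 1))
    fi
  done
  # The CSP must still carry frame-ancestors; otherwise framing is only
  # restricted by the legacy X-Frame-Options header.
  if printf '%s\n' "$headers" | grep -qi '^content-security-policy:' &&
     ! printf '%s\n' "$headers" | grep -i '^content-security-policy:' | grep -q 'frame-ancestors'; then
    echo "WEAK header: Content-Security-Policy lacks frame-ancestors"
    problems=$((problems + 1))
  fi
  # Every Set-Cookie line must carry Secure, HttpOnly and SameSite.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    for attr in $REQUIRED_COOKIE_ATTRS; do
      if ! printf '%s\n' "$line" | grep -qi "; *$attr"; then
        echo "COOKIE without $attr: ${line%%=*}"   # name only, value not echoed
        problems=$((problems + 1))
      fi
    done
  done <<EOF
$(printf '%s\n' "$headers" | grep -i '^set-cookie:' || true)
EOF
  return "$problems"
}

# Constructed response as the gateway is expected to deliver it.
GOOD_RESPONSE=$(cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-ancestors 'self';
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
set-cookie: session=REDACTED; Path=/; Secure; HttpOnly; SameSite=Strict
EOF
)

# Constructed response after a proxy dropped HSTS and rewrote the cookie.
BAD_RESPONSE=$(cat <<'EOF'
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; frame-ancestors 'self';
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
set-cookie: session=REDACTED; Path=/; Secure; SameSite=Lax
EOF
)

check_headers "$GOOD_RESPONSE" && echo "constructed good response: all checks passed"
check_headers "$BAD_RESPONSE" || echo "constructed bad response: $? finding(s)"
```

The check is deliberately case-insensitive on header names and cookie attributes, because proxies commonly lower-case headers while the gateway emits them in mixed case; a finding is therefore a real absence, not a spelling difference.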
Certificate¶
Certificates can be placed either in the KONG gateway that is installed with the helm chart, or in the load balancer or ingress controller that can be placed in front of the KONG gateway.
Firewall¶
A firewall is recommended to secure the cluster and the public endpoint. Allow access only from desired IP address ranges.
DOS¶
Denial of Service (DOS) protection for a Kubernetes (K8s) cluster involves implementing measures to mitigate or prevent attacks designed to overwhelm the cluster's resources and disrupt its normal operation. Industrial Edge does not currently support horizontal scaling for all containers, so consider mitigating DOS attacks by detecting and blocking traffic at the ingress controller or load balancer.
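As an added example for the Firewall section above (not from the IEM helm chart or its documentation), the script below renders a LoadBalancer Service whose spec.loadBalancerSourceRanges admits only the IP ranges you list, and rejects entries that would defeat the allow-list. The namespace, Service name, pod selector label and the RFC 5737 documentation ranges used in the demo are constructed placeholders. Support for loadBalancerSourceRanges depends on the cloud provider; where it is absent, keep the allow-list on the external firewall instead.

```bash
#!/usr/bin/env bash
# Added example: publish the public endpoint only to allowed IPv4 ranges via
# spec.loadBalancerSourceRanges. Names, label and ranges are assumptions.

# validate_cidr <a.b.c.d/n> -> 0 if the entry is a usable IPv4 allow-list entry
validate_cidr() {
  local cidr=$1 i
  [[ $cidr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/([0-9]|[12][0-9]|3[0-2])$ ]] || return 1
  for i in 1 2 3 4; do
    [ "${BASH_REMATCH[$i]}" -le 255 ] || return 1
  done
  # 0.0.0.0/0 would admit everyone and silently defeat the allow-list.
  [ "$cidr" != "0.0.0.0/0" ] || return 1
}

# render_lb_service <namespace> <name> <port> <cidr>... -> manifest on stdout
render_lb_service() {
  [ $# -ge 4 ] || { echo "usage: render_lb_service ns name port cidr..." >&2; return 1; }
  local ns=$1 name=$2 port=$3 c; shift 3
  for c in "$@"; do
    validate_cidr "$c" || { echo "rejected source range: $c" >&2; return 1; }
  done
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $name
  namespace: $ns
spec:
  type: LoadBalancer
  # Only these ranges reach the endpoint; the load balancer drops the rest.
  loadBalancerSourceRanges:
EOF
  for c in "$@"; do printf '    - %s\n' "$c"; done
  cat <<EOF
  selector:
    app.kubernetes.io/name: kong   # assumed label of the gateway pods
  ports:
    - name: https
      port: $port
      targetPort: $port
EOF
}

# Demo with constructed documentation ranges; pipe to 'kubectl apply -f -' in practice.
render_lb_service iem iem-gateway 443 203.0.113.0/24 198.51.100.0/24
```

Because the Service is rejected as a whole when any range is invalid, a typo cannot degrade into an accidental "allow everything" configuration.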
Logging & Monitoring¶
Logs¶
Logging and monitoring are critical to the secure operation of a Kubernetes (K8s) cluster. Industrial Edge sends all logs to stdout of the container. By implementing a centralized logging solution, organizations can collect and analyze logs from different cluster components and applications. Monitoring cluster-level metrics, pod-level metrics, and collecting events and audit logs enables proactive identification of problems and potential security threats.
Audit Trails IAM¶
Keycloak offers comprehensive auditing capabilities that allow every login action to be logged and stored in the database for later review via the Admin Console. Additionally, all administrative actions performed within Keycloak can also be recorded and easily reviewed for monitoring and analysis purposes. This logging functionality ensures a complete audit trail of login activities and administrative changes, promoting accountability and facilitating efficient oversight of the system.
Disaster Recovery Approach¶
Implementing a robust disaster recovery plan for your K8s cluster involves identifying critical components, establishing backups, implementing replication, testing the plan, maintaining documentation, monitoring, and storing resources offsite. By following these steps, you can ensure the availability and recovery of your cluster in the event of a disaster. It is up to the K8s operator to prepare a disaster recovery plan.
Service Account¶
The RBAC configuration for service accounts in a Kubernetes (K8s) cluster governs the permissions and access levels for service accounts used by pods to interact with the cluster's APIs and resources. Industrial Edge Management deploys additional resources on K8s, but only within the scope of the namespace. A Service Account can be set during the provisioning to limit the permissions to the namespace only.
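The following is an added example of what "limit the permissions to the namespace only" looks like in manifests; it is not the service account definition shipped with the IEM helm chart. It creates a ServiceAccount bound through a Role and a RoleBinding only (never a ClusterRole or ClusterRoleBinding), so the account cannot read or change anything outside the IEM namespace. The namespace, account name and the list of resources and verbs are assumptions: trim them to what your IEM installation actually creates.

```bash
#!/usr/bin/env bash
# Added example: a ServiceAccount whose rights end at the namespace boundary.
# Namespace, account name and the rule set are assumptions, not chart values.

# valid_dns_label <name> -> 0 if usable as a Kubernetes namespace/object name
valid_dns_label() {
  [[ $1 =~ ^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$ ]]
}

# render_namespaced_sa <namespace> <service-account> -> manifests on stdout
render_namespaced_sa() {
  local ns=$1 sa=$2
  valid_dns_label "$ns" && valid_dns_label "$sa" || { echo "invalid name" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa
  namespace: $ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $sa
  namespace: $ns
rules:
  # Assumed set of namespaced resources an installer needs; tighten as required.
  - apiGroups: [""]
    resources: [pods, services, configmaps, secrets, persistentvolumeclaims, serviceaccounts]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [apps]
    resources: [deployments, statefulsets]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses, networkpolicies]
    verbs: [get, list, watch, create, update, patch, delete]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $sa
  namespace: $ns
subjects:
  - kind: ServiceAccount
    name: $sa
    namespace: $ns
roleRef:
  kind: Role                      # a Role, not a ClusterRole: scoped to $ns
  name: $sa
  apiGroup: rbac.authorization.k8s.io
EOF
}

# manifest_is_namespaced <manifest> -> 0 if no cluster-scoped RBAC objects appear.
# Useful as a guard before applying manifests from any source.
manifest_is_namespaced() {
  ! printf '%s\n' "$1" | grep -Eq '^kind: Cluster(Role|RoleBinding)$'
}

render_namespaced_sa iem iem-installer

# Verify after applying (not executed here):
#   render_namespaced_sa iem iem-installer | kubectl apply -f -
#   kubectl auth can-i create deployments -n iem --as=system:serviceaccount:iem:iem-installer          # yes
#   kubectl auth can-i create deployments -n kube-system --as=system:serviceaccount:iem:iem-installer  # no
#   kubectl auth can-i list nodes --as=system:serviceaccount:iem:iem-installer                         # no
```

The three kubectl auth can-i calls in the trailing comment are the practical check: the account should answer "yes" only for the IEM namespace and "no" for other namespaces and for cluster-scoped resources such as nodes.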
Network Security¶
Network Policies¶
Kubernetes (K8s) network policies are a critical component for controlling and securing network traffic within a Kubernetes cluster. They provide a declarative way to define rules and restrictions for how pods communicate with each other, and with external resources. Install a network policy provider, such as Calico, and apply policies to limit inbound and outbound traffic to the installation.
Network Segmentation¶
Network segmentation in a Kubernetes (K8s) cluster involves creating separate public and private network segments. The public network segment is designated to handle ingress and egress traffic from external sources, such as user requests or device communication. This network segment usually includes load balancers, NAT gateways, http-proxies and ingress controllers to expose and manage access to the cluster's services. Network policies and firewall rules ensure authorized communication while mitigating the risk of unauthorized access.
Pod Security Admission¶
Pod security admission in Kubernetes (K8s) enforces security policies for pods by validating their creation against predefined rules. It ensures that only pods meeting the specified security requirements are allowed. The helm chart does not require any special capabilities or privileges and can run as a non-root user to limit its attack surface.
Secrets Management¶
Secure K8s secrets with Vault¶
The helm chart stores all confidential data as K8s resources of type Secret, which are stored unencrypted in the API server's underlying data store by default. Securing K8s secrets management with Vault involves integrating 3rd party tools like HashiCorp Vault to protect sensitive data and credentials used within the cluster.
Resource Quotas¶
Resource quotas in Kubernetes (K8s) namespaces enable administrators to control and allocate resources effectively. By setting limits on CPU, memory, and storage, administrators prevent resource contention and ensure fair allocation within a namespace.
IEM applications¶
Be aware that IEM apps are installed in the same namespace as your IEM.
Unauthorized or malicious IEM apps can access, modify, and delete all resources in the IEM namespace.
Suspicious applications can consume excessive resources, resulting in performance degradation, system instability, and increased operating costs.
The IE State Service takes backups of device-related data that is provided by each IEM app.
Install IEM apps only from trusted and reputable sources.