Security Checklist

The following provides some general guidelines with respect to securing your ESS deployment. The checklist is not meant to be an exhaustive list.

Limit Network Exposure

Limit external access to specific networks/ports.

Separate internal and external traffic. For example, by running inside a VPC, you can ensure that all communication within the VPC is securely separated from external traffic.

If setting up a VPN endpoint, avoid manually adding public Internet routes/authorizations to the VPN endpoint .

Use Encryption

Use TLS for network encryption.

  • Encrypt in-transit inbound traffic to ESS.

  • For external facing services, use TLS certificates from an official Certificate Authority (CA). Do not use self-signed certificates.

Encrypt data at rest, including audit logs.

See Encryption.

Manage and Safeguard Sensitive Data/Credentials

Many strategies for safeguarding sensitive data/credentials exist for Kubernetes. Investigate the best available options for your environment.

Secure highly-sensitive (i.e., passwords, tokens, etc.) environment variables. Do not set these environment variables on the containers as they are stored and passed in plain text.

Take care about what and to whom you grant access.