Please contact the security team at email@example.com for questions not covered in the documentation.
Network Security at Clusters¶
The customer is responsible for providing network security for their on-prem datacenters where the clusters may be provisioned. In a public cloud environments, the cluster is expected to sit behind a customer's primary firewall. For example, in an Amazon AWS deployment, a customer will configure Security Groups.
User Authentication and Authorization¶
All non SSO users in an Org are required to verify access to their registered email address before they are allowed access. Org admins can optionally enable and enforce the use of MFA for all users in their organization. See Users and Roles for additional details.
Customers are recommended to whitelist "firstname.lastname@example.org" in their email platform to ensure that emails sent to users are not inadvertently classified as spam or blocked.
VPN and Zero Trust KubeCTL¶
Authorized end users do not require a VPN to securely access their clusters operating behind corporate firewalls using Zero Trust KubeCTL.
However, if a VPN is configured or in use, please ensure that "*.user.kubeapi-proxy.rafay.dev" FQDN is whitelisted in the proxy configuration.
Zero Trust KubeCTL uses mutual authentication to secure the connection from the end user to the KubeCTL access proxy in the controller. Man-in-the-middle proxies that terminate the connection will break the security model and users will see an error message from the KubeCTL CLI.
Unable to connect to the server: x509: certificate signed by unknown authority
All actions performed by authorized users are audited. A reverse chronological audit log is available for users via the Console.
Role based Access Control (RBAC)¶
The Controller supports a number of roles that can be associated with users. See roles for additional details.
The Controller utilizes a central vault (based on a HSM backed KMS) for managing secrets across the entire infrastructure. Secrets are programmed into local cluster secret stores from the central vault when necessary.
The disks are encrypted per-Org with a unique key for the organization. See key management above for additional information.
All communication channels between the Managed Clusters and the Controller are done over TLS. A private PKI is utilized to generate certificates for inter component mTLS. All customer and partner facing API and Web Console utilize TLS as well.
Security White Paper¶
Upon request, we can provide you with a comprehensive "Security Technical White Paper". Please contact email@example.com for details.