
Commit acfc73b

feat: Expand security-hardening landing page
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
1 parent 04309c2 commit acfc73b

1 file changed, +47 -2 lines changed


docs/howtos/security-hardening/security-hardening.md

@@ -9,8 +9,8 @@ doc-type: [howto]
99
doc-topic: [operator-manual, security]
1010
---
1111

12-
Kubewarden strives to be reasonable secure by default, even acknowledging that
13-
security is a spectrum.
12+
Kubewarden strives to be reasonable secure with little configuration, even
13+
acknowledging that security is a spectrum.
1414
In this section and its subpages you can find hardening tips (with their
1515
trade-offs) to secure Kubewarden itself.
1616

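Review bot: the rewritten sentence at lines 12-13 carries over the grammatical slip from the original text: "reasonable secure" should be "reasonably secure", since the adverb modifies the adjective. Suggest "Kubewarden strives to be reasonably secure with little configuration, even acknowledging that security is a spectrum."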
@@ -30,3 +30,48 @@ helm install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defa
3030

3131
This provides a default PolicyServer and default policies in protect mode to
3232
ensure the Kubewarden stack is safe from other workloads.
33+
34+
### Verifying Kubewarden artifacts
35+
36+
See the [Verifying Kubewarden](../tutorials/verifying-kubewarden) tutorial.
37+
38+
### RBAC
39+
40+
The Kubewarden RBAC configurations are described in the different
41+
_Explanations_ sections. Users can fine-tune the needed permissions for the
42+
[Audit Scanner](../explanations/audit-scanner#permissions-and-serviceaccounts)
43+
feature, as well as [per Policy Server](../explanations/context-aware-policies)
44+
Service Account for the context-aware feature.
45+
46+
The view all Roles:
47+
48+
```console
49+
kubectl get clusterroles,roles -A | grep kubewarden
50+
```
51+
52+
### Per-policy permissions
53+
54+
For context-aware policies, operators specify fine-graded permissions per
55+
policy under its `spec.contectAwareResources`, and those work in conjuction
56+
with the Service Account configured for the Policy Server where the policy
57+
runs.
58+
59+
### Workload coverage
60+
61+
By default, specific Namespaces are excluded from Kubewarden coverage. This is
62+
done to simplify first-time use and interoperability with other workloads.
63+
64+
Security-conscious operators can tune these Namespaces list via the
65+
`.global.skipNamespaces` Value for both the `kubewarden-controller` and
66+
`kubewarden-defaults` Helm charts.
67+
68+
## SecurityContexts
69+
70+
The `kubewarden-controller` Helm chart configures the SecurityContexts and
71+
exposes it in its `values.yaml`.
72+
73+
The `kubewarden-defaults` Helm chart allows for configuing the default Policy
74+
Server `.spec.securityContexts` under `.Values.policyServer.securityContexts`.
75+
76+
For Policy Servers managed by operators, they can be configured via their
77+
[`spec.securityContexts`](https://docs.kubewarden.io/reference/CRDs#policyserversecurity).
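Review bot: the field path in the "Per-policy permissions" paragraph, `spec.contectAwareResources`, is misspelled; the policy CRD field is `spec.contextAwareResources`, and because readers will copy this path into their manifests it should be corrected before merge. The same hunk has several other typos: "The view all Roles:" should read "To view all Roles:", "fine-graded" should be "fine-grained", "conjuction" should be "conjunction", "configuing" should be "configuring", and "tune these Namespaces list" reads better as "tune this list of Namespaces". Two smaller points: the `## SecurityContexts` heading is one level above the `###` subsections it follows, so confirm it is meant to open a new top-level section rather than sit beside "RBAC" and "Workload coverage"; and since `clusterroles` are cluster-scoped, the `-A` flag in the `kubectl get clusterroles,roles -A` command only affects the `roles` part of the query, which is correct but may deserve a short note so readers are not surprised by the mixed output.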
