-
Notifications
You must be signed in to change notification settings - Fork 60
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
30 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # Secure your cluster | ||
|
|
||
| This article details the security considerations for deploying Run:ai. It is intended to help administrators and security officers understand the specific permissions required by Run:ai. | ||
|
|
||
| ## Access to the Kubernetes cluster | ||
|
|
||
| Run:ai integrates with Kubernetes clusters and requires specific permissions to successfully operate. These are permissions are controlled with configuration flags that dictate how Run:ai interacts with cluster resources. Prior to installation, security teams can review the permissions and ensure it aligns with their organization’s policies. | ||
|
|
||
| ### Permissions and their related use-case | ||
|
|
||
| Run:ai provides various security-related permissions that can be customized to fit specific organizational needs. Below are brief descriptions of the key use cases for these customizations: | ||
|
|
||
| | Permission | Use case | | ||
| | :---- | :---- | | ||
| | Automatic Namespace creation | Controls whether Run:ai automatically creates Kubernetes namespaces when new projects are created. Useful in environments where namespace creation must be strictly managed. | | ||
| | Automatic user assignment | Decides if users are automatically assigned to projects within Run:ai. Helps manage user access more tightly in certain compliance-driven environments. | | ||
| | Secret propagation | Determines whether Run:ai should propagate secrets across the cluster. Relevant for organizations with specific security protocols for managing sensitive data. | | ||
| | Disabling Kubernetes limit range | Chooses whether to disable the Kubernetes Limit Range feature. May be adjusted in environments with specific resource management needs. | | ||
|
|
||
| !!! Note | ||
| These security customizations allow organizations to tailor Run:ai to their specific needs. All changes should be modified cautiously and only when necessary to meet particular security, compliance or operational requirements. | ||
|
|
||
| ## Secure installation | ||
|
|
||
| Many organizations enforce IT compliance rules for Kubernetes, with strict access control for installing and running workloads. OpenShift uses Security Context Constraints (SCC) for this purpose. Run:ai fully supports SCC, ensuring integration with OpenShift's security requirements. | ||
|
|
||
| ## Security vulnerabilities | ||
|
|
||
| The platform is actively monitored for security vulnerabilities, with regular scans conducted to identify and address potential issues. Necessary fixes are applied to ensure that the software remains secure and resilient against emerging threats, providing a safe and reliable experience. | ||
|
|