sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3890df064e51338ef94d4acff8241dfc4a14a874
opendesk/docs/security.md
Axel Lender 3890df064e fix(gotmpl): Refactor from external to existing secrets 
Signed-off-by: Axel Lender <lender@b1-systems.de>
2025-11-27 14:03:07 +01:00

60 lines
2.0 KiB
Markdown
Raw Blame History

<!--
SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
-->
<h1>Security</h1>
This document covers the current status of security measures.
<!-- TOC -->
* [Helm Chart Trust Chain](#helm-chart-trust-chain)
* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
* [NetworkPolicies](#networkpolicies)
* [Existing Secrets](#existing-secrets)
<!-- TOC -->
# Helm chart trust chain
Helm charts are signed and validated against GPG keys in `helmfile/files/gpg-pubkeys`.
For more details on Chart validation, please visit: https://helm.sh/docs/topics/provenance/
All charts except the ones mentioned below are verifiable:
| Repository | Verifiable |
|-------------------|:----------:|
| open-xchange-repo | no |
# Kubernetes security enforcements
This list gives you an overview of default security settings and whether they comply with security standards:
⟶ Visit our generated detailed [Security Context](./docs/security-context.md) overview.
# Network policies
Kubernetes network policies are an essential measure to secure your Kubernetes apps and clusters.
When applied, they restrict traffic to your services.
`NetworkPolicy` resources protect other deployments in your cluster or other services in your deployment from getting compromised when another
component is compromised.
We ship a default set of Otterize `ClientIntents` via
[Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
(IBAC) into Kubernetes native network policies.
This requires the Otterize intents operator to be installed.
```yaml
security:
otterizeIntents:
enabled: true
```
# Existing Secrets
We urge you to use existing secrets for your confidential credentials.
For further explanation and documentation please visit [Existing Secrets](./docs/existing-secrets.md).
Reference in New Issue View Git Blame Copy Permalink