Checks
The Haven standard currently consists of 16 mandatory and 2 suggested checks.
The Haven Compliancy Checker (HCC) automatically runs a prospective Haven environment through these checks to validate Haven compliance.
Mandatory checks (16)
FUNDAMENTAL
- Self test: the HCC version is the latest major or within the 3-month upgrade window. Haven clusters must stay up to date.
- Self test: the HCC has cluster-admin. The Haven Compliancy Checker needs elevated privileges in order to function properly.
INFRASTRUCTURE
- Multiple availability zones in use. Running a cluster in a single availability zone means a higher risk of downtime when that one zone runs into problems.
- Running at least 3 master nodes. This ensures a highly available control plane.
- Running at least 3 worker nodes. This enables running highly available workloads.
- Nodes have SELinux, Grsecurity, AppArmor, LKRG, Talos or Flatcar enabled. Security matters on every layer of a system: should an attacker break out of a deployment onto a node, hardened node security helps prevent further escalation.
- Private networking topology. Not exposing masters or workers directly to the public internet increases the security of the cluster.
CLUSTER
- Kubernetes version is the latest stable or at most 3 minor versions behind. This gives cluster users quick access to new functionality and encourages a well-implemented update mechanism.
- Role Based Access Control is enabled. A basic security option, enabled by default, that controls who can do what on a cluster.
- Basic auth is disabled. Basic authentication is hard to maintain; we encourage OpenID Connect for user authentication.
- ReadWriteMany persistent volume support. This ensures that storage can be created which highly available deployments can share.
EXTERNAL
- CNCF Kubernetes Conformance. The Cloud Native Computing Foundation's conformance tests ensure the cluster adheres to the standard Kubernetes APIs.
DEPLOYMENT
- Automated HTTPS certificate provisioning. This makes it easy for engineers to expose an Ingress with a valid TLS certificate that renews automatically.
- Log aggregation is running. In order to be in control of the workloads on a cluster it is mandatory to aggregate all container logs.
- Metrics-server is running. In order to be in control of a cluster it is mandatory to have eyes and ears on the cluster resources.
VALIDATION
- SHA has been validated. The Haven CLI binary should be validated against its published SHA checksum.
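As an added example (not code from the Haven Compliancy Checker or the Haven project), the following Python evaluates four of the infrastructure and cluster checks above against the JSON that `kubectl get nodes -o json` returns: multiple availability zones, at least 3 master nodes, at least 3 worker nodes, and the kubelet version being at most 3 minor releases behind the latest stable release. The node list is constructed inline to stand in for real kubectl output; the labels are the standard Kubernetes well-known labels; the 3/3 node thresholds and the 3-minor skew come from the check titles, the minimum of 2 zones is an assumption, and the reference "latest stable" version is a hand-supplied string.

```python
"""Evaluate Haven node-level checks against `kubectl get nodes -o json` output.

Added example, not the Haven Compliancy Checker's own code. Sample data is
constructed inline; thresholds follow the Haven check titles where given.
"""
import json
from typing import Dict, List, Tuple

# kubeadm-style clusters label control-plane nodes with the first label; the
# legacy "master" label is still set by older distributions (assumption: accept both).
CONTROL_PLANE_LABELS = (
    "node-role.kubernetes.io/control-plane",
    "node-role.kubernetes.io/master",
)
ZONE_LABEL = "topology.kubernetes.io/zone"


def parse_major_minor(version: str) -> Tuple[int, int]:
    """Reduce a kubelet/server version such as 'v1.28.4+k3s1' to (1, 28)."""
    core = version.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    return int(parts[0]), int(parts[1])


def within_minor_skew(version: str, latest_stable: str, max_behind: int = 3) -> bool:
    """True when `version` is at most `max_behind` minor releases behind
    `latest_stable` on the same major. A version newer than the reference
    (a stale reference) is not penalised."""
    major, minor = parse_major_minor(version)
    ref_major, ref_minor = parse_major_minor(latest_stable)
    if major != ref_major:
        return False
    return ref_minor - minor <= max_behind


def is_control_plane(node: dict) -> bool:
    labels = node.get("metadata", {}).get("labels", {})
    return any(label in labels for label in CONTROL_PLANE_LABELS)


def evaluate_nodes(nodes_json: str, latest_stable: str, min_masters: int = 3,
                   min_workers: int = 3, min_zones: int = 2) -> Dict[str, bool]:
    """Return a pass/fail verdict per check for one node list."""
    nodes: List[dict] = json.loads(nodes_json)["items"]
    masters = [n for n in nodes if is_control_plane(n)]
    workers = [n for n in nodes if not is_control_plane(n)]
    zones = {n["metadata"].get("labels", {}).get(ZONE_LABEL) for n in nodes}
    zones.discard(None)  # an unlabelled node does not count as a zone
    kubelets = [n["status"]["nodeInfo"]["kubeletVersion"] for n in nodes]
    return {
        "multiple_availability_zones": len(zones) >= min_zones,
        "at_least_3_master_nodes": len(masters) >= min_masters,
        "at_least_3_worker_nodes": len(workers) >= min_workers,
        "kubernetes_version_skew": all(within_minor_skew(v, latest_stable) for v in kubelets),
    }


def failed_checks(results: Dict[str, bool]) -> List[str]:
    return sorted(name for name, ok in results.items() if not ok)


def _node(name: str, zone, kubelet: str, control_plane: bool = False) -> dict:
    """Build the subset of a Node object that the checks above read (constructed)."""
    labels = {"kubernetes.io/hostname": name}
    if zone:
        labels[ZONE_LABEL] = zone
    if control_plane:
        labels["node-role.kubernetes.io/control-plane"] = ""
    return {"metadata": {"name": name, "labels": labels},
            "status": {"nodeInfo": {"kubeletVersion": kubelet}}}


# Constructed sample: a spread-out HA cluster that should pass every check.
HA_CLUSTER = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _node("cp-1", "eu-west-1a", "v1.29.3", True),
    _node("cp-2", "eu-west-1b", "v1.29.3", True),
    _node("cp-3", "eu-west-1c", "v1.29.3", True),
    _node("worker-1", "eu-west-1a", "v1.29.3"),
    _node("worker-2", "eu-west-1b", "v1.28.4+k3s1"),
    _node("worker-3", "eu-west-1c", "v1.29.3"),
]})

# Constructed sample: one master, two workers, one zone (one node unlabelled), old kubelets.
SINGLE_ZONE_CLUSTER = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _node("cp-1", "eu-west-1a", "v1.25.16", True),
    _node("worker-1", "eu-west-1a", "v1.25.16"),
    _node("worker-2", None, "v1.25.16"),
]})

if __name__ == "__main__":
    for label, cluster in (("ha", HA_CLUSTER), ("single-zone", SINGLE_ZONE_CLUSTER)):
        verdict = evaluate_nodes(cluster, latest_stable="v1.30.1")
        print(label, "FAILED:" if failed_checks(verdict) else "PASS", failed_checks(verdict))
```

To run this against a live cluster, feed it `kubectl get nodes -o json` and the latest stable release string as published by the Kubernetes project; the real HCC covers far more than these four node-level checks.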
Suggested checks (2)
EXTERNAL
- CIS Kubernetes Security Benchmark. The Center for Internet Security's Kubernetes benchmark assists in following best practices for securing a cluster.
- Kubescape. ARMO's Kubescape tool assists in following best practices for securing a cluster.
Getting started with Haven?
Our technical documentation explains the standard and describes how to install Haven on your current IT infrastructure. We have also published a model set of procurement requirements to simplify purchasing Haven. Or contact us; we are happy to help you get started!