Haven

Checks

De Haven standaard bestaat momenteel uit 16 verplichte en 2 voorgestelde checks.

Met de Haven Compliancy Checker wordt een potentiële Haven omgeving automatisch nagelopen langs deze checks om Haven Compliancy te valideren.


Verplichte checks (16)

FUNDAMENTAL

Self test: HCC version is latest major or within 3 months upgrade window

Haven clusters must stay up to date

Self test: does HCC have cluster-admin

In order for the Haven Compliancy Checker to function properly elevated privileges are required.

INFRASTRUCTURE

Multiple availability zones in use

Running a cluster on a single availability zone means a higher risk of downtime when that single zone runs into problems.

Running at least 3 master nodes

This ensures a highly available control plane.

Running at least 3 worker nodes

This enables running highly available workloads.

Nodes have SELinux, Grsecurity, AppArmor, LKRG, Talos or Flatcar enabled

Security matters on every layer of a system and should an attacker break out of a deployment onto a node increased node security will help prevent further escalation.

Private networking topology

Not directly exposing masters or workers to the public internet can increase the security of the cluster.

CLUSTER

Kubernetes version is latest stable or max 3 minor versions behind

This allows cluster users to access new functionality quickly and encourages a well-implemented update mechanism.

Role Based Access Control is enabled

Basic security option which is enabled by default in order to control who can do what on a cluster.

Basic auth is disabled

Basic authentication is hard to maintain. We encourage to use OpenID Connect for user authentication.

ReadWriteMany persistent volumes support

This ensures that storage can be created which can be used by highly available deployments.

EXTERNAL

CNCF Kubernetes Conformance

Cloud Native Computing Foundation's Kubernetes checks ensure the Kubernetes cluster adheres to the standard Kubernetes API's.

DEPLOYMENT

Automated HTTPS certificate provisioning

This makes it easy for engineers to expose an Ingress with a valid SSL certificate which automatically renews.

Log aggregation is running

In order to be in control of the workload on a cluster it's mandatory to aggregate all container logs.

Metrics-server is running

In order to be in control of a cluster it's mandatory to have eyes and ears on the cluster resources.

VALIDATION

SHA has been validated

Haven CLI should be validated by SHA


Voorgestelde checks (2)

EXTERNAL

CIS Kubernetes Security Benchmark

Center for Internet Security's Kubernetes benchmark assists in following the best practices of securing a cluster.

Kubescape

Aqua Security's Kubescape tool assists in following the best practices of securing a cluster.

Aan de slag met Haven?

In onze technische documentatie wordt de standaard toegelicht en beschreven hoe u Haven kunt installeren op uw huidige IT infrastructuur. Bovendien hebben we een handreiking programma van eisen beschikbaar gesteld om het inkopen van Haven te vereenvoudigen. Of neem contact met ons op, we helpen u graag op weg!