Security and Compliance
Secrets Management
- Sealed Secrets — all secrets committed to Git as SealedSecret objects encrypted with the cluster's public key
- Reflector — mirrors secrets across namespaces without duplicating the source of truth
- Each cluster has its own sealed-secrets keypair — a sealed secret encrypted for prod cannot be decrypted on dev
- Production key rotation: quarterly
Network Isolation
Default NetworkPolicy on every namespace:

```
ingress:
  allow from same project namespaces
  allow from platform ingress controller
egress:
  allow to same project namespaces
  allow to platform namespaces (monitoring, logging)
  allow port 53 (DNS)
deny everything else
```
Pod Security Defaults
Every Deployment generated by the platform includes:

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
containers[*]:
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: [ALL]
```
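As an added example (not the platform's own validate-namespaces.sh), a Python check that flags a Deployment manifest drifting from the defaults above, including the case where a `capabilities.add` list quietly undoes `drop: [ALL]`. The sample manifest, container names and image are constructed for illustration.

```python
from typing import Any, Dict, List

# Defaults the platform injects into every generated Deployment (see above).
POD_DEFAULTS = {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000}
CONTAINER_DEFAULTS = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}


def check_deployment(manifest: Dict[str, Any]) -> List[str]:
    """Return a list of violations; an empty list means the manifest complies."""
    violations: List[str] = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext") or {}
    for key, want in POD_DEFAULTS.items():
        if pod_sc.get(key) != want:
            violations.append(f"pod securityContext.{key} must be {want!r}, got {pod_sc.get(key)!r}")
    # Init containers run under the same pod identity, so they are checked too.
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        for key, want in CONTAINER_DEFAULTS.items():
            if sc.get(key) != want:
                violations.append(f"container {name}: securityContext.{key} must be {want!r}, got {sc.get(key)!r}")
        if "ALL" not in {x.upper() for x in caps.get("drop", [])}:
            violations.append(f"container {name}: capabilities.drop must include ALL")
        if caps.get("add"):  # any add: list re-grants what drop: [ALL] removed
            violations.append(f"container {name}: capabilities.add re-grants {caps['add']}")
    return violations


# Constructed sample: a hand-written Deployment that bypassed the platform generator.
SAMPLE_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-api"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},  # fsGroup missing
        "containers": [{
            "name": "api",
            "image": "example/api:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,  # readOnlyRootFilesystem missing
                "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]},
            },
        }],
    }}},
}

if __name__ == "__main__":
    for v in check_deployment(SAMPLE_DEPLOYMENT):
        print("VIOLATION:", v)
```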
RBAC Model
```
Identity Provider (GitHub / Okta / Azure AD)
        │ group membership claim
        ▼
Kubernetes Group subject
        │ RoleBinding (Group → ClusterRole)
        ▼
Namespace access (project-scoped, env-gated)
```
Removing a user from the IdP group immediately revokes all Kubernetes access. No manual RBAC cleanup required.
Production Safeguards
| Safeguard | Mechanism |
|---|---|
| No automated deploy to prod | ArgoCD syncWindows: deny + templatePatch removes automated block from prod Applications |
| No accidental DB deletion | Crossplane deletionPolicy: Orphan on all prod Claims |
| No convention bypass | CI validation (validate-conventions.yaml running validate-namespaces.sh) blocks non-compliant PRs from merging |
| Developer prod block | RBAC — prod RoleBindings are simply not created for the developer role |
| No plain-text secrets | Sealed Secrets required — developers self-serve securely via the create-secret Backstage template |