Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

chore: update security best practice (#3794)

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
Gustavo Fernandes de Carvalho 1 year ago
parent
d8c232afba
commit
098d03792d
1 changed files with 8 additions and 0 deletions
Split View Show Diff Stats
  1. 8 0
      docs/guides/security-best-practices.md

+ 8 - 0
docs/guides/security-best-practices.md
View File 

@@ -63,6 +63,14 @@ scopedRBAC: true
 
 scopedNamespace: my-namespace
 
 ```
 
 
+### 5. Restrict Webhook TLS Ciphers
 
+
 
+Consider installing ESO restricting webhook ciphers. Use the following Helm values to scope webhook for specific TLS ciphers:
 
+```yaml
 
+webhook:
 
+  extraArgs:
 
+    tls-ciphers: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 
+```
 
 ## Pod Security
 
 
 The Pods of the External Secrets Operator have been configured to meet the [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/), specifically the restricted profile. This configuration ensures a strong security posture by implementing recommended best practices for hardening Pods, including those outlined in the [NSA Kubernetes Hardening Guide](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF).