
chore(docs): update helm charts (#5203)

* chore(docs): update docs to reflect shipped helm charts use case

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* fix: title

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

---------

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Gustavo Fernandes de Carvalho, 7 months ago
commit 86ce74a6c0
3 changed files with 24 additions and 0 deletions

1. SECURITY.md (+8 −0)
2. docs/guides/security-best-practices.md (+12 −0)
3. docs/introduction/stability-support.md (+4 −0)

+ 8 - 0
SECURITY.md

@@ -21,6 +21,14 @@ We learn about critical software updates and security threats from these sources
 1. GitHub Security Alerts
 2. [Dependabot](https://dependabot.com/) Dependency Updates
 
+## Helm Chart Security
+
+Our Helm charts are designed for ease of use and general-purpose scenarios. We strongly recommend that you review the default configuration and harden it to fit your security requirements. 
+
+You can do this by customizing the chart values, or by using our chart as a dependency and extending it with your own security measures, such as NetworkPolicies, Admission Control logic, or other controls.
+
+Any misconfiguration caused by using the provided helm charts is not covered by our support policy - even if it leads to a security incident.
+
 ## Security Incident Response
 
 Please follow the guide [SECURITY_RESPONSE.md](SECURITY_RESPONSE.md).
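Review bot: the sentence "Any misconfiguration caused by using the provided helm charts is not covered by our support policy" is ambiguous, since it can be read as the chart itself causing the misconfiguration rather than the user's deployment choices; suggest "Misconfigurations introduced when deploying or customizing the provided Helm charts are not covered by our support policy, even when they lead to a security incident." Two smaller points in the same paragraph block: "helm charts" should be capitalized "Helm charts" to match the heading and the first sentence, and the first paragraph line ends with trailing whitespace. Because this commit also adds a "6. Harden the Helm Chart" section to docs/guides/security-best-practices.md, a link from this paragraph to that section would point readers to the concrete hardening steps instead of restating them here.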

+ 12 - 0
docs/guides/security-best-practices.md

@@ -83,6 +83,18 @@ webhook:
   extraArgs:
     tls-ciphers: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 ```
+### 6. Harden the Helm Chart
+
+The provided Helm chart is designed for ease of use and may not meet your organization's specific security requirements out-of-the-box. It is crucial to review the default Helm chart values and harden the configuration. Any misconfiguration caused by using the provided helm charts is not covered by our support policy - even if it leads to a security incident.
+
+Here are some examples of how you can harden the Helm chart:
+
+* **Scope RBAC Permissions**: The default chart grants permissions to create service account tokens for any service account. You can restrict this by modifying the `ClusterRole` to only allow token creation for specific, known service accounts. This limits the operator's ability to impersonate other service accounts.
+
+* **Use Tightly Scoped Deployments**: If you don't need certain features, disable them. For example, you can prevent the injection of sidecar containers by using a custom appArmor profile, or an admission controller like Kyverno to enforce restrictions on your deployment.
+
+* **Use it as a Dependency**: Instead of deploying the chart directly, you can use it as a dependency in your own Helm chart. This allows you to extend its functionality and layer on your own security controls, such as `NetworkPolicies`, custom `RBAC` roles, and other security mechanisms that are specific to your environment.
+
 ## Pod Security
 
 The Pods of the External Secrets Operator have been configured to meet the [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/), specifically the restricted profile. This configuration ensures a strong security posture by implementing recommended best practices for hardening Pods, including those outlined in the [NSA Kubernetes Hardening Guide](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF).
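Review bot: in the "Use Tightly Scoped Deployments" bullet, a custom AppArmor profile does not prevent sidecar injection; AppArmor confines what an already-running container process may do (file access, capabilities, mount operations), whereas whether a sidecar gets injected is decided at admission time, so only the admission-controller half of that sentence (Kyverno or a similar policy engine) addresses injection. Suggest splitting it into two statements: "confine what the operator's containers can do with a custom AppArmor profile" and "use an admission controller such as Kyverno to reject unwanted sidecar injection or other changes to the deployment". Also in this hunk: "appArmor" should be spelled "AppArmor"; there is no blank line between the closing ``` of the tls-ciphers example and the "### 6." heading, which some Markdown renderers need to start a new block; and "helm charts" should be "Helm charts" as elsewhere in the section. For the "Scope RBAC Permissions" bullet, naming the rule in question (the `create` verb on the `serviceaccounts/token` subresource in the ClusterRole) or the chart value that controls it would make the advice actionable rather than descriptive.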

+ 4 - 0
docs/introduction/stability-support.md

@@ -125,3 +125,7 @@ We provide assistance for deploying/upgrading etc. on a best-effort basis. You c
 - GitHub [Discussions](https://github.com/external-secrets/external-secrets/discussions)
 
 Even though we have active maintainers and people assigned to this project, we kindly ask for patience when asking for support. We will try to get to priority issues as fast as possible, but there may be some delays.
+
+### Helm Charts
+
+The Helm charts provided by this project are offered "as-is" and are primarily focused on providing a good user experience and ease of use. Hardened Helm charts are not a deliverable of this project. We encourage users to review the default chart values and customize them to meet their own security requirements and best practices.
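Review bot: this paragraph repeats the "review the default chart values and customize them" guidance that this same commit adds to SECURITY.md and docs/guides/security-best-practices.md, each with slightly different wording; linking to the "6. Harden the Helm Chart" section would keep one source of truth and tell readers where the concrete hardening examples live. The "### Helm Charts" heading level should also be checked against the enclosing heading in stability-support.md, since the hunk context does not show the parent section and a level-3 heading under a support-channels list may not be where readers expect a scope statement for the charts.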