sac_project/SECURITY_README.md
# Security as Code Infrastructure on Proxmox
This repository contains the Infrastructure as Code (IaC) for deploying a secure Kubernetes cluster on Proxmox using Terraform and Ansible with security policies embedded as code.
## Security Features
### Terraform Security
- **Secure VM Configuration**: Virtual machines are created following security best practices:
  - Non-root SSH users
  - Memory limits to prevent resource exhaustion
  - Only approved template images are used
  - Disk encryption available (currently commented out)
  - All VMs properly tagged for inventory management
  - EFI disks with Secure Boot capability
- **Policy as Code**: Security policies are enforced through:
  - **OPA/Conftest**: Rego policies that enforce security rules during Terraform plan/apply
  - **Trivy**: Comprehensive security scanner for Infrastructure as Code, container images, and dependencies
  - **checkov**: Plan analysis that detects security issues in the final configuration
### Ansible Security
- **SSH Hardening**:
  - Disables password authentication
  - Disables root login
  - Configures secure ciphers and key exchange algorithms
  - Limits user access
- **System Hardening**:
  - Configures audit rules for comprehensive logging (auditd)
  - Implements fail2ban for brute-force protection
  - Configures UFW firewall with restrictive rules
  - Sets up unattended security updates (excluding Kubernetes components)
  - Persistent journald logging
  - Secure sysctl parameters
- **Kubernetes Security**:
  - RBAC for access control
  - Network Policies for cluster network security
  - Pod Security Standards/Admission for container security
## CI/CD Security Pipeline
The `.gitlab-ci.yml` file defines a complete security pipeline:
1. **Validation Stage**:
   - Terraform validation and formatting check
   - Trivy security scanning for IaC misconfigurations and secrets
   - checkov security scanning
   - Conftest OPA policy validation
2. **Lint Stage**:
   - Ansible-lint for playbook security issues
   - Conftest checks for Ansible
3. **Plan/Apply Stage**:
   - Terraform plan reviewed before application
   - Ansible playbook syntax checking
4. **Test Stage**:
   - Verifies that all nodes are properly configured
## Usage
1. Update Terraform variables in `terraform/terraform.tfvars`
2. Run security checks:
   ```
   cd terraform
   terraform init
   terraform plan -out=tfplan
   terraform show -json tfplan > tfplan.json
   conftest test tfplan.json -p policies/
   ```
3. Deploy infrastructure:
   ```
   terraform apply tfplan
   ```
4. Configure nodes with Ansible:
   ```
   cd ../ansible
   ansible-playbook -i inventory/hosts.ini site.yml
   ```
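The following is an added example of the kind of Rego policy that `conftest test tfplan.json -p policies/` evaluates, covering the VM rules listed under Terraform Security (non-root user, memory limit, approved templates, tagging, EFI); it is not the repository's own policy. It assumes the Telmate Proxmox provider (resource type `proxmox_vm_qemu` with the attributes `ciuser`, `memory`, `clone`, `tags`, `bios`); the memory threshold and template names are constructed placeholders.

```rego
package main

# Added example policy, not the project's own. Assumes the Telmate Proxmox
# provider's proxmox_vm_qemu resource; threshold and template names are
# constructed placeholders to be replaced with the organisation's values.

import rego.v1

max_memory_mb := 16384
approved_templates := {"ubuntu-2204-hardened", "debian-12-hardened"}

# Planned Proxmox VMs that will exist after apply (a delete has after == null).
vms contains rc if {
	some rc in input.resource_changes
	rc.type == "proxmox_vm_qemu"
	rc.change.after != null
}

# Non-root SSH user: the cloud-init user must not be root.
deny contains msg if {
	some vm in vms
	vm.change.after.ciuser == "root"
	msg := sprintf("%s: cloud-init user must not be root", [vm.address])
}

# Memory limit: memory must be set explicitly and stay below the cap.
deny contains msg if {
	some vm in vms
	mem := object.get(vm.change.after, "memory", 0)
	any([mem == 0, mem > max_memory_mb])
	msg := sprintf("%s: memory %v MiB is unset or exceeds %v MiB", [vm.address, mem, max_memory_mb])
}

# Approved template images only: the clone source must be in the allow-list.
deny contains msg if {
	some vm in vms
	tmpl := object.get(vm.change.after, "clone", "<none>")
	not approved_templates[tmpl]
	msg := sprintf("%s: template %q is not approved", [vm.address, tmpl])
}

# Inventory tagging: every VM must carry at least one tag.
deny contains msg if {
	some vm in vms
	object.get(vm.change.after, "tags", "") == ""
	msg := sprintf("%s: VM must be tagged for inventory management", [vm.address])
}

# EFI with Secure Boot capability requires the OVMF firmware.
deny contains msg if {
	some vm in vms
	object.get(vm.change.after, "bios", "seabios") != "ovmf"
	msg := sprintf("%s: bios must be ovmf for EFI/Secure Boot", [vm.address])
}
```

Each `deny` message is reported by Conftest as a failure and, in the pipeline described above, halts the deployment before `terraform apply`.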
## Policy Enforcement
- All infrastructure changes must pass the security pipeline
- Policy violations halt the deployment process
- Security configuration is maintained by Ansible on a regular schedule
## Monitoring and Maintenance
- Centralized logging configuration
- Audit logs setup for security events
- Automatic security updates
- Network security monitoring
For more details, see the [README.md](README.md) file for general infrastructure information.