sac_project/SECURITY_README.md

Security as Code Infrastructure on Proxmox

This repository contains the Infrastructure as Code (IaC) for deploying a secure Kubernetes cluster on Proxmox using Terraform and Ansible with security policies embedded as code.

Security Features

Terraform Security

  • Secure VM Configuration: Virtual machines are created following security best practices:
    • Non-root SSH users
    • Memory limits to prevent resource exhaustion
    • Only approved template images are used
    • Disk encryption available (currently commented out)
    • All VMs properly tagged for inventory management
    • EFI disks with Secure Boot capability
  • Policy as Code: Security policies are enforced through:
    • OPA/Conftest: Rego policies that enforce security rules during terraform plan/apply
    • Trivy: Comprehensive security scanner for Infrastructure as Code, container images, and dependencies
    • checkov: Plan analysis that detects security issues in the final configuration

Ansible Security

  • SSH Hardening:
    • Disables password authentication
    • Disables root login
    • Configures secure ciphers and key exchange algorithms
    • Limits user access
  • System Hardening:
    • Configures audit rules for comprehensive logging (auditd)
    • Implements fail2ban for brute-force protection
    • Configures the UFW firewall with restrictive rules
    • Sets up unattended security updates (excluding Kubernetes components)
    • Persistent journald logging
    • Secure sysctl parameters
  • Kubernetes Security:
    • RBAC for access control
    • Network Policies for cluster network security
    • Pod Security Standards/Admission for container security

CI/CD Security Pipeline

The .gitlab-ci.yml file defines a complete security pipeline:

  1. Validation Stage:
    • Terraform validation and formatting check
    • Trivy security scanning for IaC misconfigurations and secrets
    • checkov security scanning
    • Conftest OPA policy validation
  2. Lint Stage:
    • Ansible-lint for playbook security issues
    • Conftest checks for Ansible
  3. Plan/Apply Stage:
    • Terraform plan reviewed before apply
    • Ansible playbook syntax checking
  4. Test Stage:
    • Verifies that all nodes are properly configured

Usage

  1. Update Terraform variables in terraform/terraform.tfvars
  2. Run security checks:
    cd terraform
    terraform init
    terraform plan -out=tfplan
    terraform show -json tfplan > tfplan.json
    conftest test tfplan.json -p policies/
  3. Deploy infrastructure:
    terraform apply tfplan
  4. Configure nodes with Ansible:
    cd ../ansible
    ansible-playbook -i inventory/hosts.ini site.yml

Policy Enforcement

  • All infrastructure changes must pass the security pipeline
  • Policy violations halt the deployment process
  • Security configuration is maintained by Ansible on a regular schedule

Monitoring and Maintenance

  • Centralized logging configuration
  • Audit logs setup for security events
  • Automatic security updates
  • Network security monitoring

For more details, see the README.md file for general infrastructure information.