mirrors/external-secrets
1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Code Activity

chore: update security best practice (#3794)

Browse source 
Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
This commit is contained in:
Gustavo Fernandes de Carvalho 2024-08-15 16:31:01 -03:00 committed by GitHub
parent d8c232afba
commit 098d03792d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
docs/guides/security-best-practices.md
View file

@ -63,6 +63,14 @@ scopedRBAC: true
scopedNamespace: my-namespace
```
### 5. Restrict Webhook TLS Ciphers
Consider installing ESO restricting webhook ciphers. Use the following Helm values to scope webhook for specific TLS ciphers:
```yaml
webhook:
extraArgs:
tls-ciphers: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
```
## Pod Security
The Pods of the External Secrets Operator have been configured to meet the [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/), specifically the restricted profile. This configuration ensures a strong security posture by implementing recommended best practices for hardening Pods, including those outlined in the [NSA Kubernetes Hardening Guide](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF).