Security Hardening Guide for Netdata Cloud On-Prem

Security Hardening Guide for Netdata Cloud On-Prem

Table of Contents

• Introduction
• Security Hardening Steps
  • 1. Verify Your Image Signatures
  • 2. Set Up Network Policies
  • 3. Manage Your Secrets Securely
  • 4. Configure Authentication
  • 5. Secure Your Ingress
  • 6. Enable Communication Security (TLS)
• Conclusion

This guide shows you how to harden your Netdata Cloud On-Prem installation using the Helm chart. Following these practices will significantly improve your deployment's security.

Introduction

Your Netdata Cloud On-Prem Helm chart includes several default security measures. Most workloads use Kubernetes Security Contexts with settings like readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, and runAsNonRoot: true. These settings help protect against potential vulnerabilities.

We also scan container base images for known vulnerabilities. Each image includes its own SBOM (Software Bill of Materials) to give you a detailed inventory of components, which is crucial for vulnerability management and compliance. You can find more information in our SBOM documentation.

Security Hardening Steps

1. Verify Your Image Signatures

Ensure the images in your deployment are signed and verified. This prevents you from using tampered or untrusted images. Your Netdata Cloud On-Prem Helm chart is signed with Notary, and you can verify the signatures using the notary CLI tool.

For detailed steps, see our Image Signature Verification guide.

2. Set Up Network Policies

Control communication between your pods and services by implementing Kubernetes Network Policies. These policies restrict network traffic based on labels, namespaces, and ports, preventing unauthorized access to your systems.

You'll need to define rules for accessing dependent services like Apache Pulsar, Elasticsearch, PostgreSQL, EMQX, and Redis. See our detailed guide: Kubernetes Network Policy Configuration.

3. Manage Your Secrets Securely

Never hardcode sensitive information like usernames, passwords, or licenses directly into your Helm value files. Instead, use Kubernetes Secrets to store and manage sensitive data securely.

Create your own secret with the required keys and values, then reference them in your Helm values. For example, these Helm values:

global:
  netdata_cloud_license:
    secretBased:
      existingSecret: "my-netdata-cloud-license-secret"
      licenseKeyKey: license-key
      licenseSubjectKey: license-subject
      licenseSummaryEmailRecipientsKey: license-summary-email-recipients

Require you to create a secret named my-netdata-cloud-license-secret with the keys license-key, license-subject, and license-summary-email-recipients containing your actual values.

4. Configure Authentication

Ensure all your dependent services use strong passwords and limit elevated privileges to provisioning jobs only. For Apache Pulsar, enable authentication and we strongly recommend using OAuth 2.0. This secures your messaging system and prevents unauthorized access to sensitive data.

Configure Apache Pulsar authentication using the Helm values available under global.pulsar.authentication.

5. Secure Your Ingress

Protect your ingress controller by configuring TLS (Transport Layer Security) certificates. This encrypts all communication with your Netdata Cloud On-Prem instance.

Configure the TLS section in your Helm values to specify your certificates:

global:
  ingress:
    tls:
     - hosts:
       - your-netdata-domain.com
       secretName: your-tls-secret

important

You'll need to create a Kubernetes secret your-tls-secret containing your certificate and key.

6. Enable Communication Security (TLS)

Enable TLS encryption for all sensitive communication channels in your environment:

Elasticsearch Security: Enable secure TLS connections to Elasticsearch by setting global.elastic.secureTls: true. This protects communication between your application and the Elasticsearch cluster.

SMTP Security: If you're using SMTP for email notifications, enable TLS via global.mail.smtp.tls: true. This encrypts email communication to protect sensitive information.

Conclusion

By implementing these security hardening steps, you significantly enhance your Netdata Cloud On-Prem deployment's security.

Stay current with Kubernetes security best practices and regularly patch your components to address any known vulnerabilities.

tip

Consider scheduling regular security reviews to ensure your hardening measures remain effective.