Service Integrator

A Service Integrator is the organization responsible for making MijnBureau available to users and ensuring its security. This includes securely configuring both Kubernetes and MijnBureau—a critical responsibility and a key value proposition for service integrators.

The security of MijnBureau is closely tied to the underlying Kubernetes cluster. Service integrators must apply Kubernetes security best practices. Below are several practices that are native to Kubernetes:

  1. Enable "deny all" network policies to restrict traffic by default.
  2. Enforce Pod and Container Security Contexts to ensure least privilege.
  3. Deploy across multiple regions to improve resilience.

These recommendations are not ranked; assess which are most relevant for your workload.
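The first two practices above, shown as an added example of the kind of manifest a service integrator would apply (this is illustrative and not MijnBureau's own configuration): a default-deny NetworkPolicy with a narrow DNS exception, and a Deployment whose pod and container security contexts follow the least-privilege settings of the Restricted Pod Security Standard. The namespace `mijnbureau`, the image `example.invalid/mijnbureau/web:1.0`, the port 8080 and the `k8s-app: kube-dns` label on the cluster DNS pods are assumptions; check the DNS label used by your cluster before applying the egress rule.

```yaml
# Added example, not project code. Namespace, image and DNS pod label are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: mijnbureau
spec:
  podSelector: {}            # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress
    - Egress                 # no ingress/egress rules listed, so all traffic is denied
---
# Explicit allow for DNS egress; without it, pods can no longer resolve names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: mijnbureau
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed label of the cluster DNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: mijnbureau
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      automountServiceAccountToken: false   # no API token unless the workload needs one
      securityContext:                      # pod-level: applies to all containers
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          image: example.invalid/mijnbureau/web:1.0   # placeholder image
          ports:
            - containerPort: 8080
          securityContext:                  # container-level hardening
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            privileged: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}
          volumeMounts:
            - name: tmp                     # writable scratch space on a read-only root
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

Apply the deny-all policy first and then add allow rules per flow (ingress from the ingress controller, egress to the database, and so on); the DNS exception is the one almost every namespace needs immediately. The security context settings are the ones the Restricted profile requires, so the same Deployment also passes Pod Security admission in a namespace labelled `restricted`.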

Policies (Required)

Implement automated security controls using policies. Kyverno is a popular choice for Kubernetes policy management.
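An added example of a Kyverno ClusterPolicy that turns two of the recommendations on this page into an enforced admission check; it is illustrative and not a policy shipped by MijnBureau. It rejects pods whose containers do not disable privilege escalation and pods that use untagged or `:latest` images. The policy name and messages are assumptions.

```yaml
# Added example, not project code. Requires Kyverno installed in the cluster.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-hardening
spec:
  validationFailureAction: Enforce   # use Audit first to measure impact, then Enforce
  background: true                   # also report on resources that already exist
  rules:
    - name: disallow-privilege-escalation
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Every container must set securityContext.allowPrivilegeEscalation to false.
        pattern:
          spec:
            =(initContainers):       # "=()" anchor: only checked if initContainers exist
              - securityContext:
                  allowPrivilegeEscalation: "false"
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Images must use an explicit tag other than 'latest'.
        pattern:
          spec:
            =(initContainers):
              - image: "!*:latest"
            containers:
              - image: "!*:latest"
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Images must carry a tag (an untagged image defaults to 'latest').
        pattern:
          spec:
            containers:
              - image: "*:*"
```

Because Kyverno evaluates pods, the rules also catch Deployments, StatefulSets and Jobs through their pod templates. Start with `validationFailureAction: Audit` and review the generated policy reports before switching to `Enforce`, so a stray workload does not block a rollout unexpectedly.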

Regularly rotate secrets to minimize risk. The External Secrets Operator can automate secret management.

Use container runtime sandboxes for isolation. Popular options include gVisor and Kata Containers.

Disaster Recovery (Required)

Establish backup and restore systems, ideally outside Kubernetes. Test restore procedures regularly. Tools like Velero are useful for disaster recovery.

Scan container images for vulnerabilities (CVEs) on a regular basis. Trivy is a widely used tool for this purpose.

Consider running MijnBureau on a dedicated Kubernetes cluster to reduce risks from other workloads.

Remove unused or insecure container images from your cluster. Eraser can help automate this process.

Install monitoring tools such as Falco on Kubernetes nodes to detect and respond to security events. Stream audit logs to a central system and set up alerting rules.

Select a Container Network Interface (CNI) provider with robust security options and configure it according to best practices.

Choose a Container Storage Interface (CSI) provider that supports encryption at rest. Ensure your storage solution meets security requirements and is properly configured.

Never run workloads on the Kubernetes control plane node.

Implement observability systems to track metrics and logs. MijnBureau supports Prometheus for metrics and can integrate with the Prometheus Operator. Logs are sent to container STDOUT and can be collected using Kubernetes tools. Store logs and metrics for analysis.

Enable AppArmor profiles for workloads to enhance container security.

Enable Pod Security Standards in all relevant namespaces. MijnBureau recommends using Restricted mode and enforcing it for strict security.

Implement DDoS protection for services exposed by your Kubernetes cluster.

Use kube-bench to scan your Kubernetes configuration and adhere to the latest CIS Kubernetes benchmarks.

Consider Confidential Containers to secure application memory and prevent unauthorized access.

Set up Limit Ranges to prevent containers from consuming excessive resources.
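An added example covering both the Pod Security Standards recommendation above and the Limit Ranges recommendation, illustrative rather than MijnBureau's own manifests: a namespace that enforces the Restricted profile (and also audits and warns on it), together with a LimitRange that gives every container default requests and limits and caps what any single container or volume claim may ask for. The namespace name and the resource figures are assumptions to be tuned for your workload.

```yaml
# Added example, not project code. Namespace name and sizes are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: mijnbureau
  labels:
    # Pod Security admission: reject pods that violate the Restricted profile
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # also record violations in the audit log and warn the client on apply
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: mijnbureau
spec:
  limits:
    - type: Container
      default:                # limit applied when a container declares none
        cpu: 500m
        memory: 512Mi
      defaultRequest:         # request applied when a container declares none
        cpu: 100m
        memory: 128Mi
      max:                    # hard ceiling per container
        cpu: "2"
        memory: 2Gi
      min:                    # floor, so no container is scheduled with nothing
        cpu: 50m
        memory: 64Mi
    - type: PersistentVolumeClaim
      max:
        storage: 50Gi
```

Label an existing namespace with `warn` and `audit` first; the API server then reports which running workloads would be rejected, and you can fix them before adding the `enforce` label. The LimitRange only constrains individual containers and claims; a ResourceQuota is the complementary object if you also need to cap the namespace total.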