Service Integrator

A Service Integrator is the organization responsible for making MijnBureau available to users and ensuring its security. This includes securely configuring both Kubernetes and MijnBureau—a critical responsibility and a key value proposition for service integrators.

The security of MijnBureau is closely tied to the underlying Kubernetes cluster. Service integrators must apply Kubernetes security best practices. Below are several practices that are native to Kubernetes:

Enable "deny all" network policies to restrict traffic by default.
Enforce Pod and Container Security Contexts to ensure least privilege.
Deploy across multiple regions to improve resilience.

These recommendations are not ranked; assess which are most relevant for your workload.

Policies

Implement automated security controls using policies. Kyverno is a popular choice for Kubernetes policy management.

Secret Rotation

Regularly rotate secrets to minimize risk. The External Secrets Operator can automate secret management.

Container Sandboxes

Use container runtime sandboxes for isolation. Popular options include gVisor and Kata Containers.

Disaster Recovery

Establish backup and restore systems, ideally outside Kubernetes. Test restore procedures regularly. Tools like Velero are useful for disaster recovery.

CVE Scanning

Scan container images for vulnerabilities (CVEs) on a regular basis. Trivy is a widely used tool for this purpose.

Dedicated Cluster

Consider running MijnBureau on a dedicated Kubernetes cluster to reduce risks from other workloads.

Removing Unused Images

Remove unused or insecure container images from your cluster. Eraser can help automate this process.

Security Monitoring

Install monitoring tools such as Falco on Kubernetes nodes to detect and respond to security events. Stream audit logs to a central system and set up alerting rules.

Container Network Interface Provider

Select a Container Network Interface (CNI) provider with robust security options and configure it according to best practices.

Container Storage Interface

Choose a Container Storage Interface (CSI) provider that supports encryption at rest. Ensure your storage solution meets security requirements and is properly configured.

Control Plane Node

Never run workloads on the Kubernetes control plane node.

Observability

Implement observability systems to track metrics and logs. MijnBureau supports Prometheus for metrics and can integrate with the Prometheus Operator. Logs are sent to container STDOUT and can be collected using Kubernetes tools. Store logs and metrics for analysis.

AppArmor

Enable AppArmor profiles for workloads to enhance container security.

Pod Security Standards

Enable Pod Security Standards in all relevant namespaces. MijnBureau recommends using Restricted mode and enforcing it for strict security.

DDoS Protection

Implement DDoS protection for services exposed by your Kubernetes cluster.

CIS Benchmarks

Use kube-bench to scan your Kubernetes configuration and adhere to the latest CIS Kubernetes benchmarks.

Confidential Containers

Consider Confidential Containers to secure application memory and prevent unauthorized access.

Limit Ranges

Set up Limit Ranges to prevent containers from consuming excessive resources.

Policies​

Secret Rotation​

Container Sandboxes​

Disaster Recovery​

CVE Scanning​

Dedicated Cluster​

Removing Unused Images​

Security Monitoring​

Container Network Interface Provider​

Container Storage Interface​

Control Plane Node​

Observability​

AppArmor​

Pod Security Standards​

DDoS Protection​

CIS Benchmarks​

Confidential Containers​

Limit Ranges​