This document describes the security controls implemented in the Kubernetes Security Baseline Checker to ensure enterprise-ready security posture.
The system supports two authentication methods:
- JWT Tokens: JSON Web Tokens signed with HS256 algorithm
- API Keys: Static API keys with associated roles
Authentication is enabled via the --auth flag or auth.enabled configuration:
auth:
enabled: true
jwt_secret: "your-secret-key-change-in-production"
token_expiry: 24h
api_keys:
"api-key-123": "user-id-1"
api_key_roles:
"api-key-123": "operator"Three roles are supported:
- viewer: Can view benchmarks and reports
- operator: Can execute checks and view reports
- admin: Full access including configuration management
All API endpoints (except /health) require authentication when enabled:
# Using JWT token
curl -H "Authorization: Bearer <token>" http://localhost:8080/api/v1/benchmarks
# Using API key
curl -H "Authorization: ApiKey <key>" http://localhost:8080/api/v1/benchmarksAll user inputs are validated before processing:
- Benchmark IDs: Must be in allowlist (cis, nist, iso-27001, soc2, custom)
- Framework Names: Must be in allowlist
- Output Formats: Must be in allowlist (json, html, csv, pdf)
- File Paths: Sanitized to prevent path traversal attacks
- Kubernetes Namespaces: Validated against RFC 1123 naming requirements
File paths are sanitized to prevent directory traversal:
../sequences are rejected- Absolute paths are validated against allowlist
- Null bytes and control characters are rejected
The system automatically redacts sensitive data from:
- Logs
- Error messages
- Reports
- JWT tokens
- API keys
- Passwords and secrets
- Certificates (PEM format)
- AWS access keys
- Private IP addresses
- Kubeconfig content
redactor := redaction.NewRedactor()
safeLog := redactor.Redact("password: secret123")
// Output: "password: [REDACTED_SECRET]"Rate limiting is configured via:
rate_limit:
rps: 100 # Requests per second
burst: 200 # Burst capacityToken bucket algorithm is used:
- Default: 100 requests/second per IP
- Burst: 200 requests
- Per-IP or per-token limiting
When rate limit is exceeded:
{
"error": "rate limit exceeded"
}HTTP Status: 429 Too Many Requests
All errors follow a standardized format:
type AppError struct {
Code ErrorCode
Severity ErrorSeverity
Message string // User-safe message
InternalMessage string // Internal details (not exposed)
Cause error
}VALIDATION_ERROR: Input validation failureAUTHENTICATION_ERROR: Authentication failureAUTHORIZATION_ERROR: Authorization failureEXECUTION_ERROR: Check execution failureTIMEOUT_ERROR: Operation timeoutRATE_LIMIT_ERROR: Rate limit exceeded
All API endpoints have panic recovery middleware that:
- Catches panics
- Logs stack traces
- Returns user-safe error messages
- Prevents server crashes
In production, TLS must be enabled:
server:
tls_enabled: true
tls_cert: /path/to/cert.pem
tls_key: /path/to/key.pemThe server will reject HTTP connections when TLS is enabled.
- Change Default Secrets: Never use default JWT secrets in production
- Enable Authentication: Always enable auth in production
- Use TLS: Always use HTTPS in production
- Rotate API Keys: Regularly rotate API keys
- Limit Permissions: Use least-privilege principle for roles
- Never Log Secrets: All sensitive data is automatically redacted
- Structured Logging: Use structured logging for better analysis
- Log Levels: Use appropriate log levels (DEBUG for development, INFO for production)
- Rate Limiting: Always enable rate limiting
- Input Validation: All inputs are validated automatically
- Error Messages: User-facing errors don't leak internal details
If you discover a security vulnerability, please report it to: security@example.com
Do not open public GitHub issues for security vulnerabilities.
This system implements security controls aligned with:
- NIST SP 800-53 (Access Control, System Protection)
- ISO 27001 (Access Control, Operations Security)
- SOC 2 (Logical Access Controls)