Cloud Container Service Engine (CCSE)

Infrastructure Security

2025-07-10 10:02:43

Default security: all system components in an eSurfing Cloud CCSE cluster are hardened according to container security best practices, and the system component images are free of critical CVEs. Every new cluster must be associated with a security group. By default, clusters do not accept SSH connections from the Internet; if node SSH access is required, open port 22 in the security group only for trusted source addresses rather than 0.0.0.0/0.

Identity management: all communication links between CCSE cluster components require TLS certificate validation, so data is protected in transit across the full link. Sub-account users can obtain a Kubeconfig credential for the API Server of a specified cluster through the console or the OpenAPI; see Obtaining Cluster Kubeconfig API for the steps. CCSE records the identity information embedded in each issued credential and can promptly revoke a Kubeconfig that may have been compromised. Treat a Kubeconfig as a secret: it carries whatever RBAC permissions its identity holds, so do not commit it to source control or share one credential between users, since a shared credential cannot be revoked for a single person.

Fine-grained access control: CCSE implements fine-grained control over access to Kubernetes resources in the cluster on top of Kubernetes RBAC. This is a fundamental security measure for protecting applications. The authorization management page in the CCSE console provides namespace-level RBAC authorization, including:

1) Predefined RBAC permission templates for common organizational roles, such as administrator, O&M personnel, and developer, which reduce the complexity of RBAC authorization.

2) Role-based authorization of users.

3) Binding a user to a custom ClusterRole defined in the cluster.
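The manifests below are an added example of what the console's namespace-level authorization produces at the Kubernetes level; they are not CCSE's own templates. The namespace "payments", the user "dev-alice", the group "ops-team" and the ClusterRole "ops-readonly" are hypothetical placeholders, and the example assumes that the identity in the issued Kubeconfig is presented to the API Server as the same user or group name used in the subjects below (the page does not state how CCSE maps sub-accounts to Kubernetes usernames, so confirm that mapping in your cluster). It goes slightly beyond the page by showing both a built-in and a custom ClusterRole bound at namespace scope:

```yaml
# Added example (not eSurfing Cloud CCSE manifests). Placeholders: namespace
# "payments", user "dev-alice", group "ops-team", ClusterRole "ops-readonly".

# 1) Bind the built-in "edit" ClusterRole to a developer inside one namespace.
#    A RoleBinding that references a ClusterRole limits that ClusterRole's
#    permissions to the binding's namespace, so dev-alice gets nothing in
#    other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-alice-edit
  namespace: payments
subjects:
- kind: User
  name: dev-alice            # assumed username presented by the Kubeconfig
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                 # built-in aggregated role shipped with Kubernetes
  apiGroup: rbac.authorization.k8s.io
---
# 2) A custom ClusterRole for O&M: read-only on workloads plus pod logs.
#    RBAC rules are purely additive, so list only the verbs that are needed
#    and leave "secrets" out entirely.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ops-readonly
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps", "events"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
  verbs: ["get", "list", "watch"]
---
# 3) Bind the custom ClusterRole to a group, again scoped to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ops-team-readonly
  namespace: payments
subjects:
- kind: Group
  name: ops-team             # assumed group name presented by the Kubeconfig
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ops-readonly
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests with a cluster-admin Kubeconfig, verify the scoping with impersonation: `kubectl auth can-i list pods -n payments --as dev-alice` should answer yes, and `kubectl auth can-i list pods -n default --as dev-alice` should answer no. Note that `roleRef` is immutable; to point a binding at a different role, delete and recreate the RoleBinding rather than editing it in place.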

CCSE also supports installing the Gatekeeper component through component management, which adds policy-based admission control backed by the OPA policy engine: requests that reach the API Server are evaluated against Rego policies before the object is persisted, complementing RBAC, which only decides who may perform an action, not what the submitted object may contain.


YSYrd1z0zIoJ