Security first, not security as an afterthought

StrixHQ enforces security best practices through admission control, supply chain validation and compliance evidence.

Security Principles

Default Deny

Policies run in enforce mode. Whatever is not explicitly allowed is blocked at admission. No post-deploy cleanup.

Defense in Depth

Security at multiple layers: CI gates, admission policies, runtime security context. A failure at any one layer stops the deployment.

Audit Trail

Every deployment records its policy decisions, SBOM and image provenance. Compliance evidence without manual work.

Security Controls

Supply Chain Security

CI Layer

Trivy scans images for CVEs. SBOMs are generated with Syft. Only images from allowlisted registries are accepted.

  • Vulnerability scanning - Trivy scans for critical/high CVEs and fails the build on findings
  • SBOM generation - Syft generates a bill of materials per image
  • Registry restrictions - Only ghcr.io, docker.io and registry.k8s.io
  • Base image tracking - Know which base images are in use
  • License compliance - SPDX-format SBOMs carry per-package license identifiers
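As an added illustration (not StrixHQ's own pipeline), one way to wire these CI-layer gates into a GitHub Actions job. The image name, the Dockerfile location, the registry login and the pinned Trivy/Syft versions are assumptions; only the gate order matters: registry check, build, scan, SBOM, and only then a push.

```yaml
# Added example, not StrixHQ's pipeline: a GitHub Actions job that applies the CI-layer
# gates above (allowed registries, Trivy, Syft) before an image may be pushed.
# Assumed: the app builds from ./Dockerfile, the image name below, the tool versions.
name: image-gate
on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write   # needed to push to ghcr.io

env:
  IMAGE: ghcr.io/example-org/example-api:${{ github.sha }}   # assumed image name

jobs:
  build-scan-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Gate 1: the runtime stage's base image (last FROM) must come from an allowed
      # registry. Unqualified names such as "alpine:3.19" are rejected on purpose: write
      # "docker.io/library/alpine:3.19" so the registry is explicit. A FROM that uses an
      # ARG (e.g. "FROM ${BASE}") is not resolved here and is therefore rejected as well.
      - name: Check base image registry
        run: |
          base="$(awk 'toupper($1) == "FROM" { for (i = 2; i <= NF; i++) if ($i !~ /^--/) { img = $i; break } } END { print img }' Dockerfile)"
          case "$base" in
            ghcr.io/*|docker.io/*|registry.k8s.io/*) echo "base image allowed: $base" ;;
            *) echo "base image '$base' is not from an allowed registry" >&2; exit 1 ;;
          esac

      - name: Build image
        run: docker build -t "$IMAGE" .

      # Pin tool versions (assumed here) instead of installing "latest".
      - name: Install Trivy and Syft
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin v0.50.0
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
            | sh -s -- -b /usr/local/bin v1.0.0

      # Gate 2: fail the job on CRITICAL/HIGH CVEs. --ignore-unfixed skips findings that
      # have no fix available yet; drop that flag if unfixed CVEs should also block.
      - name: Trivy vulnerability scan
        run: trivy image --severity CRITICAL,HIGH --ignore-unfixed --exit-code 1 "$IMAGE"

      # Gate 3: SPDX SBOM kept as evidence beside the build; SPDX includes per-package
      # license identifiers, which is what a license-compliance check consumes.
      - name: Generate SBOM
        run: syft "$IMAGE" -o spdx-json=sbom.spdx.json

      - uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ github.sha }}
          path: sbom.spdx.json

      # Only reached when every gate passed.
      - name: Push image
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
          docker push "$IMAGE"
```

Because the push step comes last, a failed scan leaves nothing in the registry for admission control to see; the registry check also runs before the (slow) build so a disallowed base image fails fast. Pin the third-party actions by commit SHA in a real pipeline rather than by tag.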

Admission Control Policies

Kyverno

Hard guardrails via Kyverno. Admission webhooks reject non-compliant resources before they are persisted, so nothing non-compliant is ever scheduled.

  • No privileged containers - privileged: true and hostNetwork, hostPID, hostIPC are forbidden
  • Non-root enforcement - runAsNonRoot: true required on every container
  • Resource limits - CPU/memory requests and limits mandatory
  • Health probes - Liveness and readiness probes required
  • Label compliance - Required labels for ownership tracking
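The five guardrails above expressed as one Kyverno ClusterPolicy, added here as an example rather than taken from StrixHQ's policy bundle. The policy and rule names and the owner label key are assumptions; the pattern syntax (`=(key)` for optional keys, `"?*"` for any non-empty value) is Kyverno's own.

```yaml
# Added example, not StrixHQ's policy bundle: one Kyverno ClusterPolicy carrying the five
# guardrails listed above. Policy/rule names and the owner label key are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-guardrails              # assumed name
spec:
  validationFailureAction: Enforce       # reject non-compliant resources (default deny)
  background: true                       # also report on resources that already exist
  rules:
    # 1. No privileged containers, no host namespaces. "=(key)" means the key may be
    #    absent, but if present it must match; leaving the field out stays allowed.
    - name: disallow-privileged-and-host-namespaces
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "privileged containers and hostNetwork/hostPID/hostIPC are not allowed"
        pattern:
          spec:
            =(hostNetwork): "false"
            =(hostPID): "false"
            =(hostIPC): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
    # 2. Every container must state runAsNonRoot itself (no reliance on the image's USER).
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "every container must set securityContext.runAsNonRoot: true"
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: "true"
    # 3. CPU and memory requests and limits are mandatory. "?*" matches any non-empty value.
    - name: require-requests-and-limits
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "CPU and memory requests and limits are required on every container"
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    cpu: "?*"
                    memory: "?*"
                  limits:
                    cpu: "?*"
                    memory: "?*"
    # 4. Liveness and readiness probes are required. The API server defaults periodSeconds
    #    to 10 on any declared probe, so ">0" is a compact "this probe exists" check.
    - name: require-probes
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "liveness and readiness probes are required on every container"
        pattern:
          spec:
            containers:
              - livenessProbe:
                  periodSeconds: ">0"
                readinessProbe:
                  periodSeconds: ">0"
    # 5. Ownership labels for tracking.
    - name: require-ownership-labels
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "labels app.kubernetes.io/name and example.com/owner are required"
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"
              example.com/owner: "?*"        # assumed label key
```

A one-element list in a Kyverno pattern applies to every element of the resource list, so each rule covers all containers. Rules matching Pod are auto-generated for Deployments, StatefulSets, DaemonSets, Jobs and CronJobs, so the violation is reported against the controller, not a Pod that never got created. Before rolling the policy out, run it against existing manifests with the Kyverno CLI (`kyverno apply baseline-guardrails.yaml --resource deployment.yaml`), or switch `validationFailureAction` to `Audit` for a first pass and read the resulting PolicyReports.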

Runtime Security Context

Pod-level

Pods run with minimal privileges: read-only root filesystem where possible, all capabilities dropped, no privilege escalation.

  • runAsNonRoot: true - Explicit non-root user (UID 1001 or higher)
  • readOnlyRootFilesystem - Read-only root FS where possible; writable paths come from emptyDir mounts
  • Dropped capabilities - ALL capabilities dropped
  • No privilege escalation - allowPrivilegeEscalation: false
  • Seccomp profiles - RuntimeDefault seccomp (roadmap)
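A Deployment that satisfies the runtime controls above, added here as an example rather than a StrixHQ manifest. Names, namespace, image, ports and the referenced Secret are assumptions. It also shows the practical consequences of those controls: an emptyDir for the scratch space a read-only root filesystem takes away, a port above 1024 so the non-root process does not need NET_BIND_SERVICE, and a secret delivered as files instead of environment variables (the pattern the Secrets Management section prefers).

```yaml
# Added example, not a StrixHQ manifest: a Deployment that passes the runtime controls
# listed above. Names, namespace, image, ports and the Secret name are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-api
  namespace: example
  labels:
    app.kubernetes.io/name: example-api
    example.com/owner: platform-team        # assumed ownership label
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: example-api
  template:
    metadata:
      labels:
        app.kubernetes.io/name: example-api
        example.com/owner: platform-team
    spec:
      automountServiceAccountToken: false   # no API token unless the app actually needs one
      securityContext:                      # pod-level: applies to every container
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001                       # mounted volumes become group-readable for the app
        seccompProfile:
          type: RuntimeDefault              # the roadmap item, already harmless to set today
      containers:
        - name: api
          image: ghcr.io/example-org/example-api:1.4.2   # assumed, from an allowed registry
          ports:
            - containerPort: 8080           # >1024: binding needs no NET_BIND_SERVICE
          securityContext:
            runAsNonRoot: true              # stated per container as the policy requires
            allowPrivilegeEscalation: false # blocks setuid binaries from regaining privileges
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits: { cpu: 500m, memory: 256Mi }
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
            periodSeconds: 10
          readinessProbe:
            httpGet: { path: /readyz, port: 8080 }
            periodSeconds: 5
          volumeMounts:
            - name: tmp
              mountPath: /tmp               # the only writable path under a read-only root FS
            - name: db-credentials
              mountPath: /etc/secrets/db    # secret as files, not as environment variables
              readOnly: true
      volumes:
        - name: tmp
          emptyDir: {}
        - name: db-credentials
          secret:
            secretName: example-db-credentials   # assumed Secret name
            defaultMode: 0440
```

If the image writes anywhere else (caches, PID files, compiled templates), the read-only root filesystem surfaces that at startup as an EROFS error; add a further emptyDir for that path rather than dropping the setting. Running as UID 1001 only works if the image's files are readable by that user, so the Dockerfile should create the user and chown what the process needs.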

Network Security

Pro Tier

NetworkPolicies for micro-segmentation. TLS on every ingress via cert-manager; mTLS between services is on the roadmap, so in-cluster traffic is not yet encrypted.

  • Ingress TLS - Automated Let's Encrypt certificates
  • NetworkPolicies - Default deny, explicit allow (Pro tier)
  • Service mesh - mTLS via Linkerd/Istio (roadmap)
  • Egress control - Restrict outbound traffic (Pro tier)
  • Rate limiting - ingress-nginx annotations
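The default-deny, explicit-allow model from the list above, written out for one namespace as an added example (not a StrixHQ manifest), together with the TLS ingress and rate limiting. Namespace, workload names, the hostname, the database label and the ClusterIssuer name are assumptions; the kube-system and ingress-nginx labels are the ones those components carry by default.

```yaml
# Added example, not a StrixHQ manifest: default deny for a namespace plus the explicit
# allows one API pod needs, and a TLS ingress with rate limiting. Namespace, names, host,
# DB label and the ClusterIssuer name are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: example
spec:
  podSelector: {}                 # every pod in the namespace
  policyTypes: [Ingress, Egress]  # no rules listed, so all traffic is denied
---
# DNS is the one egress nearly every pod needs; without it the default deny breaks
# service discovery. CoreDNS runs in kube-system with the label k8s-app: kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: example
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:              # same list item as the namespaceSelector: both must match
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
# Explicit allow for one workload: ingress only from ingress-nginx, egress only to the DB.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-api
  namespace: example
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: example-api
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - { protocol: TCP, port: 8080 }
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgres    # assumed DB label, same namespace
      ports:
        - { protocol: TCP, port: 5432 }
---
# Edge TLS: cert-manager requests the Let's Encrypt certificate into example-api-tls and
# renews it; ingress-nginx terminates TLS and rate-limits per client IP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-api
  namespace: example
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod       # assumed ClusterIssuer name
    nginx.ingress.kubernetes.io/limit-rps: "10"            # requests per second per client IP
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.example.com]
      secretName: example-api-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-api
                port:
                  number: 8080
```

Two checks worth running after applying this: NetworkPolicies are only enforced when the CNI supports them, so confirm that first (a policy silently does nothing otherwise), and verify the default deny from inside a pod with a `curl` to a service that has no allow rule, which should time out. A database outside the cluster needs an `ipBlock` egress rule instead of the podSelector shown.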

Secrets Management

Enterprise

Sealed Secrets for GitOps-friendly secret management: only the encrypted form is committed, and the controller in the cluster decrypts it. External Secrets Operator for Vault/AWS Secrets Manager is on the roadmap.

  • Sealed Secrets - Encrypted secrets in Git (PoC)
  • External Secrets Operator - Vault/cloud integration (roadmap)
  • No secrets in env vars - Volume mounts preferred
  • Secret rotation - Manual rotation (automated roadmap)
  • Audit logging - Secret access logs via K8s audit

Compliance Evidence

Automated

Policy reports, SBOMs and deployment history form the audit trail. No manually maintained documentation.

  • Policy reports - Kyverno audit logs per namespace
  • SBOM artifacts - Stored per image in registry
  • Git history - Deployment manifests traceable via Git
  • Argo CD audit - Who deployed what, when
  • Prometheus metrics - Policy violations over time

Compliance Mapping

StrixHQ controls map to common compliance frameworks.

NIST CSF

  • ID.AM - Service catalog for asset inventory
  • PR.AC - RBAC via Kubernetes, policy enforcement
  • PR.DS - Encryption at rest/in transit
  • DE.CM - Observability for continuous monitoring
  • RS.RP - GitOps rollback capabilities

CIS Kubernetes Benchmark (v1.8 numbering)

  • 5.2.7 - runAsNonRoot enforced (no root containers)
  • 5.2.6 - allowPrivilegeEscalation prevented
  • 5.2.10 - Capabilities dropped (ALL)
  • 5.2.2 to 5.2.5 - privileged containers and hostPID/hostIPC/hostNetwork denied
  • 5.3.2 - NetworkPolicies defined per namespace (Pro tier)

SOC 2

  • CC6.1 - Logical access controls (RBAC)
  • CC7.1 - Vulnerability management (Trivy scanning)
  • CC7.2 - Monitoring (observability baseline)
  • CC8.1 - Change management (GitOps audit trail)
  • A1.2 - Data availability (health probes, auto-healing)

GDPR (Data Protection)

  • Art. 25 - Data protection by design (PII masking in logs)
  • Art. 30 - Records of processing (audit logs)
  • Art. 32 - Security measures (encryption, access control)
  • Art. 33 - Breach notification (alerting baseline)

Security Roadmap

✓ MVP

Baseline Security

Kyverno policies, Trivy scanning, non-root containers, TLS ingress

Q1 2026

Enhanced Controls

NetworkPolicies, External Secrets Operator, advanced RBAC

Q2 2026

Service Mesh & mTLS

Linkerd integration, mutual TLS between services, advanced observability

Future

Runtime Protection

Falco for runtime anomaly detection, OPA Gatekeeper for advanced policies

Security questions?

Get in touch for a security review or to scope a penetration test.