Security first, not security as afterthought

StrixHQ enforces security best practices through admission control, supply chain validation, and compliance evidence.

Security Principles

Default Deny

Policies in enforce mode. What is not explicitly allowed is blocked. No post-deploy cleanup.

Defense in Depth

Security on multiple layers: CI gates, admission policies, runtime security context. Failure on one layer stops deployment.

Audit Trail

Every deployment logs policy decisions, SBOM, and image provenance. Compliance evidence without manual work.

Security Controls

Supply Chain Security

CI Layer

Trivy scans images for CVEs. SBOM generation with Syft. Only images from whitelisted registries.

  • Vulnerability scanning - Trivy scans for critical/high CVEs
  • SBOM generation - Syft generates bill of materials per image
  • Registry restrictions - Only ghcr.io, docker.io, registry.k8s.io
  • Base image tracking - Know which base images are used
  • License compliance - SPDX format SBOMs

Admission Control Policies

Kyverno

Hard guardrails via Kyverno. Admission webhooks block non-compliant resources before they are deployed.

  • No privileged containers - hostNetwork, hostPID, hostIPC forbidden
  • Non-root enforcement - runAsNonRoot: true required
  • Resource limits - CPU/memory requests and limits mandatory
  • Health probes - Liveness and readiness probes required
  • Label compliance - Required labels for ownership tracking

Runtime Security Context

Pod-level

Pods run with minimal privileges. Read-only filesystem where possible, dropped capabilities.

  • runAsNonRoot: true - Explicit non-root user (UID 1001+)
  • readOnlyRootFilesystem - Read-only root FS where possible
  • Dropped capabilities - ALL capabilities dropped
  • No privilege escalation - allowPrivilegeEscalation: false
  • Seccomp profiles - RuntimeDefault seccomp (roadmap)

Network Security

Pro Tier

NetworkPolicies for micro-segmentation. TLS everywhere via cert-manager. mTLS roadmap.

  • Ingress TLS - Automated Let's Encrypt certificates
  • NetworkPolicies - Default deny, explicit allow (Pro tier)
  • Service mesh - mTLS via Linkerd/Istio (roadmap)
  • Egress control - Restrict outbound traffic (Pro tier)
  • Rate limiting - ingress-nginx annotations

Secrets Management

Enterprise

Sealed Secrets for GitOps-friendly secret management. External Secrets Operator roadmap for Vault/AWS Secrets Manager.

  • Sealed Secrets - Encrypted secrets in Git (PoC)
  • External Secrets Operator - Vault/cloud integration (roadmap)
  • No secrets in env vars - Volume mounts preferred
  • Secret rotation - Manual rotation (automated roadmap)
  • Audit logging - Secret access logs via K8s audit

Compliance Evidence

Automated

Policy reports, SBOMs, and deployment history for audit trail. No manual documentation.

  • Policy reports - Kyverno audit logs per namespace
  • SBOM artifacts - Stored per image in registry
  • Git history - Deployment manifests traceable via Git
  • Argo CD audit - Who deployed what, when
  • Prometheus metrics - Policy violations over time

Compliance Mapping

StrixHQ controls map to common compliance frameworks.

NIST CSF

  • ID.AM - Service catalog for asset inventory
  • PR.AC - RBAC via Kubernetes, policy enforcement
  • PR.DS - Encryption at rest/transit
  • DE.CM - Observability for continuous monitoring
  • RS.RP - GitOps rollback capabilities

CIS Kubernetes Benchmark

  • 5.2.1 - runAsNonRoot enforced
  • 5.2.2 - Privilege escalation prevention
  • 5.2.3 - Capabilities dropped (ALL)
  • 5.2.6 - hostNetwork denied
  • 5.7.2 - NetworkPolicies (Pro tier)

SOC 2

  • CC6.1 - Logical access controls (RBAC)
  • CC6.6 - Vulnerability management (Trivy scanning)
  • CC7.2 - Monitoring (observability baseline)
  • CC8.1 - Change management (GitOps audit trail)
  • A1.2 - Data availability (health probes, auto-healing)

GDPR (Data Protection)

  • Art. 25 - Data protection by design (PII masking in logs)
  • Art. 30 - Records of processing (audit logs)
  • Art. 32 - Security measures (encryption, access control)
  • Art. 33 - Breach notification (alerting baseline)

Security Roadmap

✓ MVP

Baseline Security

Kyverno policies, Trivy scanning, non-root containers, TLS ingress

Q1 2026

Enhanced Controls

NetworkPolicies, External Secrets Operator, advanced RBAC

Q2 2026

Service Mesh & mTLS

Linkerd integration, mutual TLS between services, advanced observability

Future

Runtime Protection

Falco for runtime anomaly detection, OPA Gatekeeper for advanced policies

Security questions?

Get in touch for a security review or penetration test scope.

Contact Security Team Technical Architecture