Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-secure-cluster-baseline.md

45 lines
1.2 KiB
Markdown

# Pattern: Secure Cluster Baseline
Status: seed
Readiness target: RL3 production
Primary owners: Railiance platform
Genesis family: Kubernetes and platform
## Problem
Production Kubernetes clusters inherit unsafe defaults unless baseline
hardening is explicit, versioned, and verified.
## Context
Use this pattern for every cluster class that hosts platform services,
tenant workloads, identity services, secret managers, or production
applications.
## Forces
- Kubernetes exposes many powerful APIs by default.
- Platform add-ons need privileged access but must be bounded.
- Baseline controls must survive upgrades.
- Product teams need predictable guardrails.
## Solution
Define a secure cluster baseline covering API server settings, RBAC,
node hardening, pod security, admission, network policy, secret
handling, audit, backups, and upgrade posture.
## Verification
- Cluster baseline checks run before production admission.
- Privileged Kubernetes APIs are limited and reviewed.
- Audit logging, backup, and restore paths are enabled.
- Upgrade tests verify baseline controls remain active.
## Related Patterns
- Pod Security Baseline/Restricted.
- Policy-as-Code Admission Control.
- Network Default Deny.
- Runtime Threat Detection.