Installing Howso Platform on-prem via Helm charts requires several security considerations. First, security is necessarily a shared model between the Howso Platform application and the operators of the Kubernetes cluster.
Kubernetes is a highly customizable platform, and many aspects of application security (e.g., establishing TLS between components) are best handled at the framework level, using components such as a service mesh. As such, Howso Platform, when distributed as a Helm chart, cannot independently claim to be secure by default: the chart is the wrong layer for that requirement. It is, however, designed to fit into a secure environment, and this section covers the main topics to consider.
Howso Platform consists of several services, data stores, and a message queue (NATS). The basic installation examples in this documentation do not encrypt this traffic. In the case where communication between these components is considered to be within a trusted network, this may be acceptable. However, in many cases, it is necessary to establish encrypted communication between these components.
These docs will cover two approaches:
- Using a service mesh to automatically provide mTLS between all components
- Manually configuring TLS to NATS and external data stores
Note: In a Kubernetes cluster, depending on the Container Network Interface (CNI) used, traffic between nodes may be encrypted. Overlay networks, such as Calico or Weave, can be configured to encrypt traffic between nodes. This is a separate concern from the application-level encryption discussed here, but may be a relevant consideration when assessing the security posture of the cluster and its applications.
For information about ingress traffic TLS see the Custom Ingress section.
A service mesh can be installed to automatically provide mTLS between all communicating endpoints. Organizations with larger Kubernetes teams will typically already have a service mesh in use.
Because the Howso Platform talks to multiple data stores and a message queue, configuring each communication path individually is complex. A service mesh provides a single, uniform way to secure communication between all components, alongside other benefits such as observability and traffic control. It is therefore the recommended approach for securing communication between the Howso Platform components.
See the Linkerd and Network Policies section for an example of using a service mesh with the Howso Platform.
It is possible to manually configure TLS between the Howso Platform and its data stores and message queue.
Within the Howso Platform values file, the `datastores` and `nats` sections hold the configuration for setting up TLS connections. To configure TLS communication to external data stores (e.g., an AWS RDS Postgres instance, or S3), override the values in these sections when installing the chart.
If configuring TLS to the data stores and message queue charts, then corresponding configuration will be required in the NATS, minio, Redis, and Postgres chart installations.
Though possible, setting up TLS manually between Howso Platform and all backend charts is considered an advanced use case. Doing this efficiently involves setting up Kubernetes Public Key Infrastructure (PKI) tooling such as cert-manager, alongside significant configuration of the Howso Platform and backend charts. It is recommended instead to use a service mesh to provide mTLS. Reach out to Howso Support for further guidance.
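As an added illustration of the PKI step referred to above (this is not part of the Howso documentation or its charts), the following cert-manager resources define a CA-backed ClusterIssuer and a Certificate for the in-cluster NATS service. The namespace `howso`, the service name `nats`, the issuer name `internal-ca` and the CA secret name `internal-ca-root` are assumptions; the Howso Platform and NATS chart values that consume the resulting Secret are chart-specific and are not shown here.

```yaml
# Added example; names below are assumptions, not values from the Howso charts.
# A ClusterIssuer that signs with an internal CA. For a ClusterIssuer, the
# referenced Secret must live in the cert-manager namespace and hold the CA's
# tls.crt and tls.key.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-root   # assumed: CA key pair provisioned out of band
---
# A server certificate for NATS. cert-manager writes tls.crt, tls.key and
# ca.crt into the named Secret and renews it before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nats-server-tls
  namespace: howso                 # assumed namespace of the NATS deployment
spec:
  secretName: nats-server-tls      # Secret the NATS chart would be pointed at
  duration: 2160h                  # 90 days
  renewBefore: 360h                # renew 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always         # new private key on every renewal
  usages:
    - server auth
    - client auth                  # lets the same cert be used for mTLS if NATS requires client certs
  dnsNames:                        # every name clients might use to reach the Service
    - nats
    - nats.howso
    - nats.howso.svc
    - nats.howso.svc.cluster.local
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
```

The important consumer-side detail is that each client (Howso Platform, and any other chart that connects to NATS) is configured to verify the server against the `ca.crt` from this Secret, not to skip verification. The same pattern, with the `dnsNames` changed, covers the Postgres, Redis and minio services when TLS to those charts is configured manually.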
Howso Platform itself does not directly use Persistent Volumes, though the minio, Postgres, Redis (optionally), and NATS chart configurations will create Persistent Volume Claims (PVCs). In the documented examples, these PVCs will use the default storage class of the Kubernetes cluster, though they can be configured to use a specific storage class.
Using a Storage Class that meets your security requirements is considered to be on the Kubernetes operator's side of the shared security model.
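As an added example of the operator-side responsibility described above (not part of the Howso documentation), the following StorageClass requests encrypted volumes from the AWS EBS CSI driver and is marked as the cluster default, so the PVCs created by the minio, Postgres, Redis and NATS charts pick it up without any chart-specific values. The KMS key ARN is a placeholder; on other clouds the provisioner and encryption parameters differ.

```yaml
# Added example; the KMS key ARN is a placeholder to be replaced by the operator.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-gp3
  annotations:
    # Making this the default class means PVCs with no storageClassName,
    # such as those from the documented chart examples, land on encrypted volumes.
    # Only one StorageClass in the cluster should carry this annotation.
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"                # encrypt every volume provisioned from this class
  kmsKeyId: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID   # placeholder: customer-managed key
volumeBindingMode: WaitForFirstConsumer   # provision in the zone where the pod is scheduled
reclaimPolicy: Retain              # deleting a PVC keeps the volume for controlled disposal
allowVolumeExpansion: true
```

Before installing the charts, confirm that exactly one class is marked default and that it is this one; after installation, check the `STORAGECLASS` column of the PVCs in the Howso namespace to verify they were bound against it.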
See the Container Scanning section for information on scanning the Howso Platform container images, and Howso Platform's approach to container security.
See the Custom Ingress section for information on using custom ingress certificates with the Howso Platform.