From 3ab7b5039db4bf21cb248e2eefe63877f51a32d7 Mon Sep 17 00:00:00 2001 From: laugiov Date: Sun, 21 Dec 2025 21:28:41 +0100 Subject: [PATCH] feat: update README with K8s --- README.md | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index bcf7636..cb259d6 100644 --- a/README.md +++ b/README.md @@ -9,11 +9,59 @@ [![Security](https://img.shields.io/badge/Security-SAST%20|%20SCA%20|%20DAST-blueviolet)](#cicd-security-pipeline) [![OWASP](https://img.shields.io/badge/OWASP-Headers%20Compliant-orange?logo=owasp&logoColor=white)](#4-owasp-security-headers) [![Docker](https://img.shields.io/badge/Docker-Rootless-2496ED?logo=docker&logoColor=white)](#quick-start) +[![Kubernetes](https://img.shields.io/badge/Kubernetes-Helm%20Ready-326CE5?logo=kubernetes&logoColor=white)](#kubernetes-deployment) [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black) [![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff) --- +## Security Highlights + + + + + + + + + + +
+ +**Authentication & Authorization** +- JWT RS256 + mTLS mutual authentication +- Cross-validation (Certificate CN = JWT subject) +- RBAC with 5 roles, 7 permissions +- Per-identity rate limiting (60 req/min) + + + +**DevSecOps Pipeline** +- SAST (Bandit) + SCA (pip-audit, Trivy) +- DAST (OWASP ZAP baseline) +- SBOM generation (CycloneDX) +- Image signing (Sigstore Cosign) + +
+ +**Privacy & Data Protection** +- PII minimization (GPS rounding ~11m) +- AES-256-GCM token encryption +- Structured logging without sensitive data +- Audit trail for compliance + + + +**Kubernetes Production-Ready** +- Helm chart with Pod Security Restricted +- NetworkPolicies (zero-trust) +- External Secrets Operator support +- HPA, PDB, ServiceMonitor + +
+ +--- + ## Why This Project? This project is a **reference implementation** designed to teach and demonstrate how to apply **Security by Design** principles in a realistic microservices context. It is not a production system, but an educational platform showcasing security best practices. @@ -33,7 +81,7 @@ This project is a **reference implementation** designed to teach and demonstrate - **Complete stack**: From threat model to production-ready CI/CD - **Realistic scenario**: Aviation telemetry context with regulatory constraints - **Documented decisions**: Every security control is explained with rationale -- **Testable**: 470+ tests demonstrating security behaviors +- **Testable**: 478 tests demonstrating security behaviors - **Runnable**: Full Docker Compose stack for hands-on learning --- @@ -207,7 +255,7 @@ CI/CD pipeline with security gates at every stage: | **Ruff** | Python linting | lint | | **Black** | Code formatting | lint | | **Bandit** | SAST (security linting) | lint | -| **pytest** | Unit tests (470+ tests, 81% coverage) | test | +| **pytest** | Unit tests (478 tests, 81% coverage) | test | | **Trivy** | Container vulnerability scanning | scan | | **pip-audit** | Python dependency SCA | scan | | **Gitleaks** | Secret detection | scan | 
@@ -237,6 +285,29 @@ cosign verify-attestation \ --- +## Kubernetes Deployment + +Production-ready Helm chart with security best practices: + +```bash +# Deploy to Kubernetes +helm install skylink ./kubernetes/skylink \ + --namespace skylink --create-namespace \ + -f kubernetes/skylink/values-prod.yaml +``` + +| Security Feature | Implementation | +|------------------|----------------| +| **Pod Security** | Restricted profile (non-root, read-only fs, drop ALL capabilities) | +| **Network Policies** | Zero-trust default deny, explicit allow rules | +| **Secrets** | External Secrets Operator integration | +| **Availability** | HPA (auto-scaling), PDB (disruption budget) | +| **Observability** | ServiceMonitor for Prometheus Operator | + +See [docs/KUBERNETES.md](docs/KUBERNETES.md) for complete deployment guide. + +--- + ## Quick Start ### Prerequisites @@ -414,7 +485,7 @@ make test poetry run pytest ``` -**470+ tests** with **81% coverage** — covering authentication, RBAC authorization, rate limiting, input validation, idempotency, OWASP Top 10 security tests, security headers, error handling, and service integration. +**478 tests** with **81% coverage** — covering authentication, RBAC authorization, rate limiting, input validation, idempotency, OWASP Top 10 security tests, security headers, error handling, and service integration. --- @@ -438,6 +509,7 @@ poetry run pytest - [x] **Image Signing** — Cosign with SBOM attestation - [x] **Non-root Containers** — User `skylink:1000` - [x] **Secrets Management** — Environment variables, never in code +- [x] **Kubernetes Security** — Pod Security Restricted, NetworkPolicies, External Secrets --- 
@@ -455,6 +527,7 @@ This project aims for a **9+/10 Security by Design** rating. Current status: | **Audit Logging** | Complete | 20 event types, JSON format, no PII | | **Key Management** | Complete | Rotation scripts, compliance docs | | **Supply Chain Security** | Complete | SBOM, image signing, vulnerability scanning | +| **Kubernetes Security** | Complete | Helm chart, Pod Security, NetworkPolicies | ---
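Review bot: in the @@ -9,11 +9,59 @@ hunk, the new Security Highlights block states concrete figures (RBAC with 5 roles and 7 permissions, per-identity rate limiting at 60 req/min, GPS rounding to ~11m) without pointing at where in the README those controls are documented, whereas the badges directly above it link to their sections (for example `#4-owasp-security-headers` and `#kubernetes-deployment`). Suggest making each highlight group a link to the matching section so the numbers can be checked against the detailed text and are updated together when a role, permission or limit changes.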
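Review bot: in the @@ -33,7 +81,7 @@ hunk (and again in the pytest row of @@ -207,7 +255,7 @@ and the Tests paragraph of @@ -414,7 +485,7 @@), replacing the floor `470+` with the exact count `478` pins a number that changes with every added test and must now be kept in sync by hand in three places. Suggest keeping the `470+`-style floor in prose, or having CI derive the count from the pytest summary and write it into a single badge, so one test added later does not leave three stale numbers in the README.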
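Review bot: in the @@ -237,6 +285,29 @@ hunk, the quick-start `helm install` is shown with `values-prod.yaml` while the table lists External Secrets Operator integration and a ServiceMonitor for Prometheus Operator; both are CRD-backed resources (`ExternalSecret`, `ServiceMonitor`), so on a cluster without those operators the install fails on unknown kinds unless the chart gates them behind values. Suggest listing the operator prerequisites next to the command, or showing the values switches that disable those resources for a plain cluster. Also, this patch changes only README.md (`1 file changed`), so the `./kubernetes/skylink` chart and the linked `docs/KUBERNETES.md` must already be in the tree or arrive in a companion commit; worth confirming the link does not dangle at this commit.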
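Review bot: in the @@ -438,6 +509,7 @@ hunk, the new checklist item says Kubernetes secrets come from External Secrets, but the line just above it, `**Secrets Management** — Environment variables, never in code`, is left unchanged, so the checklist now names two different secret sources for the same control. Suggest reconciling them in one place (environment variables for the Docker Compose stack, External Secrets Operator on Kubernetes) so a reader knows which applies to the deployment they are running.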
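Review bot: in the @@ -455,6 +527,7 @@ hunk, the evidence column of the new Kubernetes Security row reads `Helm chart, Pod Security, NetworkPolicies`; "Pod Security" is ambiguous between the pods' securityContext merely conforming to the Restricted profile and the namespace actually enforcing it through the `pod-security.kubernetes.io/enforce: restricted` label, and the `helm install --create-namespace` shown earlier in this patch creates the namespace without any such label. Suggest stating which of the two the chart delivers, for example `Restricted securityContext + PSA enforce label on namespace`, so the Complete status is verifiable rather than a summary.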