diff --git a/app/_data/docs_nav_mesh_2.6.x.yml b/app/_data/docs_nav_mesh_2.6.x.yml index 8ad000af1ccd..5c12d424cf62 100644 --- a/app/_data/docs_nav_mesh_2.6.x.yml +++ b/app/_data/docs_nav_mesh_2.6.x.yml @@ -54,6 +54,11 @@ inherit: - path: [ Kong Mesh in Production, Secure your deployment, Kuma API access control ] action: modify text: Kong Mesh API access control + - path: [ Kong Mesh in Production, Secure your deployment ] + action: insert + index: 0 + text: Security recommendations + url: /production/cp-deployment/security-recommendations - path: [ Kong Mesh in Production, Secure your deployment ] action: insert index: -1 diff --git a/app/_data/docs_nav_mesh_2.7.x.yml b/app/_data/docs_nav_mesh_2.7.x.yml index e76e4873aa2d..8f216fa17cb8 100644 --- a/app/_data/docs_nav_mesh_2.7.x.yml +++ b/app/_data/docs_nav_mesh_2.7.x.yml @@ -54,6 +54,11 @@ inherit: - path: [ Kong Mesh in Production, Secure your deployment, Kuma API access control ] action: modify text: Kong Mesh API access control + - path: [ Kong Mesh in Production, Secure your deployment ] + action: insert + index: 0 + text: Security recommendations + url: /production/cp-deployment/security-recommendations - path: [ Kong Mesh in Production, Secure your deployment ] action: insert index: -1 diff --git a/app/_src/mesh/production/cp-deployment/security-recommendations.md b/app/_src/mesh/production/cp-deployment/security-recommendations.md new file mode 100644 index 000000000000..a14fa9030d56 --- /dev/null +++ b/app/_src/mesh/production/cp-deployment/security-recommendations.md 
@@ -0,0 +1,22 @@ +--- +title: Security Recommendations +--- + +{{site.mesh_product_name}} is designed to be secure by default. However, there are additional steps you can take to further secure your deployment. +For a strongly secure and high-availability deployment checkout [Mesh in Konnect](https://docs.konghq.com/konnect/mesh-manager/). + +## Control Plane + +### Access Control + +For usability, {{site.mesh_product_name}} control plane API is open by default. +To restrict access to entities and features of the control plane, you can configure [access control policies](/mesh/{{page.release}}/features/rbac/). + +### KDS Authentication + +In multi-zone deployments, you can enable [KDS authentication](/mesh/{{page.release}}/features/kds-auth/) to secure the communication between the global and zone control planes. + +### CORS + +By default CORS setup in {{site.mesh_product_name}} is allowing any origin. +You can configure it by setting the control-plane config: `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` to a list of domains that are allowed to access the control plane API.
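Review bot: In both docs_nav_mesh_2.6.x.yml and docs_nav_mesh_2.7.x.yml the new `Security recommendations` entry is inserted with `index: 0` under `Secure your deployment`, ahead of the existing `Kong Mesh API access control` entry, while the neighbouring insert in the same section uses `index: -1`; confirm that putting it first is intentional and not a copy of the wrong index. Since the page itself is added under `app/_src/mesh/production/cp-deployment/` rather than a version-specific directory, also check whether any other version nav file that inherits the same `Secure your deployment` tree needs the same entry, otherwise the page is reachable only from the 2.6.x and 2.7.x navigation.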
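Review bot: The CORS section at the end of security-recommendations.md is the only concrete hardening step on the page, but it names `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` in running text without showing the value format; add a short example of the setting (for instance restricting it to a single UI origin) and state whether entries are exact origins or patterns, so that readers do not leave the any-origin default in place by mistake. In the same hunk, `checkout [Mesh in Konnect]` should read `check out`, and `By default CORS setup in {{site.mesh_product_name}} is allowing any origin.` reads better as `By default, {{site.mesh_product_name}} allows any origin (CORS).` Under `Access Control`, `control plane API is open by default` should spell out what "open" means here, so the reader understands what the linked access control policies actually restrict.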