feat(mesh): add security recommendation page

Signed-off-by: Charly Molter <[email protected]>
Kong · Apr 4, 2024 · ebfb52b · ebfb52b
1 parent 5e5cd63
commit ebfb52b
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/app/_data/docs_nav_mesh_2.6.x.yml b/app/_data/docs_nav_mesh_2.6.x.yml
@@ -54,6 +54,11 @@ inherit:
     - path: [ Kong Mesh in Production, Secure your deployment, Kuma API access control ]
       action: modify
       text: Kong Mesh API access control
+    - path: [ Kong Mesh in Production, Secure your deployment ]
+      action: insert
+      index: 0
+      text: Security recommendations
+      url: /production/cp-deployment/security-recommendations
     - path: [ Kong Mesh in Production, Secure your deployment ]
       action: insert
       index: -1

diff --git a/app/_data/docs_nav_mesh_2.7.x.yml b/app/_data/docs_nav_mesh_2.7.x.yml
@@ -54,6 +54,11 @@ inherit:
     - path: [ Kong Mesh in Production, Secure your deployment, Kuma API access control ]
       action: modify
       text: Kong Mesh API access control
+    - path: [ Kong Mesh in Production, Secure your deployment ]
+      action: insert
+      index: 0
+      text: Security recommendations
+      url: /production/cp-deployment/security-recommendations
     - path: [ Kong Mesh in Production, Secure your deployment ]
       action: insert
       index: -1

diff --git a/app/_src/mesh/production/cp-deployment/security-recommendations.md b/app/_src/mesh/production/cp-deployment/security-recommendations.md
@@ -0,0 +1,22 @@
+---
+title: Security Recommendations
+---
+
+{{site.mesh_product_name}} is designed to be secure by default. However, there are additional steps you can take to further secure your deployment.
+For a strongly secure and high-availability deployment checkout [Mesh in Konnect](https://docs.konghq.com/konnect/mesh-manager/).
+
+## Control Plane
+
+### Access Control
+
+For usability, {{site.mesh_product_name}} control plane API is open by default.
+To restrict access to entities and features of the control plane, you can configure [access control policies](/mesh/{{page.release}}/features/rbac/). 
+
+### KDS Authentication
+
+In multi-zone deployments, you can enable [KDS authentication](/mesh/{{page.release}}/features/kds-auth/) to secure the communication between the global and zone control planes.
+
+### CORS
+
+By default CORS setup in {{site.mesh_product_name}} is allowing any origin.
+You can configure it by setting the control-plane config: `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` to a list of domains that are allowed to access the control plane API.