From 34a0d7bad1e9e8a150ad388cafb5542a29396d14 Mon Sep 17 00:00:00 2001
From: Charly Molter
Date: Thu, 4 Apr 2024 18:53:03 +0200
Subject: [PATCH 1/2] feat(mesh): add security recommendation page
Signed-off-by: Charly Molter
---
 app/_data/docs_nav_mesh_2.6.x.yml | 5 +++++
 app/_data/docs_nav_mesh_2.7.x.yml | 5 +++++
 .../cp-deployment/security-recommendations.md | 22 +++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 app/_src/mesh/production/cp-deployment/security-recommendations.md
diff --git a/app/_data/docs_nav_mesh_2.6.x.yml b/app/_data/docs_nav_mesh_2.6.x.yml
index 8ad000af1ccd..5c12d424cf62 100644
--- a/app/_data/docs_nav_mesh_2.6.x.yml
+++ b/app/_data/docs_nav_mesh_2.6.x.yml
@@ -54,6 +54,11 @@ inherit:
 - path: [ Kong Mesh in Production, Secure your deployment, Kuma API access control ]
 action: modify
 text: Kong Mesh API access control
+ - path: [ Kong Mesh in Production, Secure your deployment ]
+ action: insert
+ index: 0
+ text: Security recommendations
+ url: /production/cp-deployment/security-recommendations
 - path: [ Kong Mesh in Production, Secure your deployment ]
 action: insert
 index: -1
diff --git a/app/_data/docs_nav_mesh_2.7.x.yml b/app/_data/docs_nav_mesh_2.7.x.yml
index e76e4873aa2d..8f216fa17cb8 100644
--- a/app/_data/docs_nav_mesh_2.7.x.yml
+++ b/app/_data/docs_nav_mesh_2.7.x.yml
@@ -54,6 +54,11 @@ inherit:
 - path: [ Kong Mesh in Production, Secure your deployment, Kuma API access control ]
 action: modify
 text: Kong Mesh API access control
+ - path: [ Kong Mesh in Production, Secure your deployment ]
+ action: insert
+ index: 0
+ text: Security recommendations
+ url: /production/cp-deployment/security-recommendations
 - path: [ Kong Mesh in Production, Secure your deployment ]
 action: insert
 index: -1
diff --git a/app/_src/mesh/production/cp-deployment/security-recommendations.md b/app/_src/mesh/production/cp-deployment/security-recommendations.md
new file mode 100644
index 000000000000..a14fa9030d56
--- /dev/null
+++ b/app/_src/mesh/production/cp-deployment/security-recommendations.md
@@ -0,0 +1,22 @@
+---
+title: Security Recommendations
+---
+
+{{site.mesh_product_name}} is designed to be secure by default. However, there are additional steps you can take to further secure your deployment.
+For a strongly secure and high-availability deployment checkout [Mesh in Konnect](https://docs.konghq.com/konnect/mesh-manager/).
+
+## Control Plane
+
+### Access Control
+
+For usability, {{site.mesh_product_name}} control plane API is open by default.
+To restrict access to entities and features of the control plane, you can configure [access control policies](/mesh/{{page.release}}/features/rbac/).
+
+### KDS Authentication
+
+In multi-zone deployments, you can enable [KDS authentication](/mesh/{{page.release}}/features/kds-auth/) to secure the communication between the global and zone control planes.
+
+### CORS
+
+By default CORS setup in {{site.mesh_product_name}} is allowing any origin.
+You can configure it by setting the control-plane config: `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` to a list of domains that are allowed to access the control plane API.
From f088f915d11bb2a47dae23a70942a58b4405f715 Mon Sep 17 00:00:00 2001
From: Charly Molter
Date: Thu, 4 Apr 2024 19:05:16 +0200
Subject: [PATCH 2/2] add more info
Signed-off-by: Charly Molter
---
 .../mesh/production/cp-deployment/security-recommendations.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/_src/mesh/production/cp-deployment/security-recommendations.md b/app/_src/mesh/production/cp-deployment/security-recommendations.md
index a14fa9030d56..abf94b2f168d 100644
--- a/app/_src/mesh/production/cp-deployment/security-recommendations.md
+++ b/app/_src/mesh/production/cp-deployment/security-recommendations.md
@@ -3,7 +3,7 @@ title: Security Recommendations --- {{site.mesh_product_name}} is designed to be secure by default. However, there are additional steps you can take to further secure your deployment. -For a strongly secure and high-availability deployment checkout [Mesh in Konnect](https://docs.konghq.com/konnect/mesh-manager/). +For a strongly secure and high-availability deployment checkout [Mesh in Konnect](/konnect/mesh-manager/). ## Control Plane @@ -19,4 +19,4 @@ In multi-zone deployments, you can enable [KDS authentication](/mesh/{{page.rele ### CORS By default CORS setup in {{site.mesh_product_name}} is allowing any origin. -You can configure it by setting the control-plane config: `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` to a list of domains that are allowed to access the control plane API. +You can configure it by setting the [control-plane config](/mesh/{{page.release}}/documentation/configuration): `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` to a list of domains that are allowed to access the control plane API.
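Review bot: The CORS paragraph in the second hunk (`@@ -19,4 +19,4 @@`) describes `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` as listing the domains "allowed to access the control plane API", but a CORS allow-list is enforced only by browsers and does not stop non-browser clients from calling the API. I would add a sentence after the changed line, for example `CORS only limits browser-based cross-origin requests; it does not replace [access control policies](/mesh/{{page.release}}/features/rbac/) for the API.` The paragraph also does not say what format the list takes (separator, exact hosts or patterns), which is worth stating so that an entry does not end up broader than intended. Because the page goes on to document an allow-any-origin CORS default, the "secure by default" sentence kept as context in the first hunk may deserve a qualifier.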