
Security Best Practices

This section describes how Wayfinder implements various security best practices, principles and guidelines from the main supported cloud providers (AWS, Azure and GCP) and industry standards.

note

Cloud environment is used as a generic term that refers to an AWS Account, Azure Subscription or Google Project, depending on the cloud provider you are using.


Hosting

Wayfinder supports the major cloud providers (AWS, Azure and GCP). This enables you to easily install Wayfinder's instance in your current cloud environment, ensuring seamless alignment with your organisation's security model, compliance, and regulatory requirements.


Cloud Isolation

Wayfinder only has access to the cloud environments that you have explicitly granted it access to. Each workspace and stage is associated with a single cloud environment, ensuring segregation of user access and workloads. For how to connect additional cloud environments to Wayfinder, see the documentation on connecting cloud environments.


Secure Authentication

Wayfinder uses IAM Roles for Service Accounts (IRSA), Azure AD Workload Identity and GCP Workload Identity for cloud-native authentication. This approach enables you to assign Wayfinder's access and permissions within your cloud estate with fine-grained control, giving you complete authority over Wayfinder's actions and access within your cloud environment. These authentication methods also enable external DNS and certificate management for DNS zones without requiring cluster credentials.

Wayfinder's user authentication module has been tested with Auth0, Okta, Google Identity, and Microsoft Azure. By configuring an identity provider (IdP), you keep the security of user login credentials outside of Wayfinder, so that Wayfinder aligns with your existing security model. Furthermore, Wayfinder uses the same provider for both CLI and UI access, reducing security overhead and complexity.


Identity and Access Management (IAM)

Wayfinder adheres to industry principles by operating within scoped, role-based access boundaries when you connect your Wayfinder instance to your preferred cloud environment. These boundaries define specific tasks that Wayfinder can perform, such as network management, cluster management, and DNS management. Each role is assigned based on the principle of least privilege, providing only the access necessary to perform its designated tasks.


Role Based Access Control (RBAC)

Wayfinder ships with a set of pre-defined least-access privileges that control user access to Wayfinder itself. Additionally, Wayfinder's RBAC implementation is utilised in its workspaces to manage least-access to the Kubernetes clusters that Wayfinder manages. This logical segregation ensures that grouped users and resources remain isolated from each other. Users are only allowed to perform tasks for which they have been granted the necessary permissions.


RBAC Authorisation

Wayfinder's access policies define a comprehensive set of rules for RBAC roles in clusters. Each rule specifies the 'who', the 'what infrastructure', and other constraints (e.g. time of day and duration).


Workload Security

By default, Wayfinder implements the Baseline Pod Security Standard (PSS) to secure workloads. You can control PSS with Wayfinder's Cluster Plans. Additionally, Wayfinder's default Kyverno policies prevent users from amending RBAC and Network Policies. Moreover, you have the flexibility to add custom policies to Wayfinder, enabling you to further constrain access and meet your specific workload security requirements.


Multi-Tenancy Isolation

Wayfinder enforces multi-tenancy isolation by giving each tenant its own namespace and constraining access to namespace-scoped roles. Wayfinder reduces 'noisy-neighbour' problems with the comprehensive quota and limit constraint properties that you can set when you configure your cluster plans. Wayfinder furthermore applies additional policies to ensure that the quotas and limit constraints cannot be amended.
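The following is an added illustration of the guardrails described in the Workload Security and Multi-Tenancy Isolation sections, written against upstream Kubernetes and Kyverno; it is not Wayfinder's own shipped policy. The namespace name `tenant-a`, the admin group `platform-admins` and the quota figures are assumptions, and the Kyverno rule generalises the page's point by protecting quotas, limits and namespace RBAC as well as Network Policies.

```yaml
# Constructed example, not Wayfinder's shipped configuration.
# Tenant namespace with the Baseline profile enforced by Pod Security Admission.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a                                   # assumed tenant namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline   # reject pods below Baseline
    pod-security.kubernetes.io/warn: restricted    # warn when below Restricted
---
# Per-tenant quota that bounds the 'noisy-neighbour' blast radius (assumed values).
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "50"
---
# Kyverno policy: only members of the assumed platform-admins group may create,
# change or delete the guardrail objects in any namespace. background: false is
# required because the rule reads request.userInfo, which only exists at admission.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: protect-tenant-guardrails
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: deny-guardrail-changes-by-non-admins
      match:
        any:
          - resources:
              kinds:
                - NetworkPolicy
                - ResourceQuota
                - LimitRange
                - Role
                - RoleBinding
      validate:
        message: "Only platform administrators may change network policies, quotas, limits or namespace RBAC."
        deny:
          conditions:
            all:
              - key: "platform-admins"              # assumed admin group name
                operator: NotIn
                value: "{{ request.userInfo.groups }}"
```

With this in place a tenant user who edits a NetworkPolicy or raises their own ResourceQuota receives the deny message at admission, while a platform-admins member can still manage the same objects.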


Default TLS

By default, Wayfinder has TLS (Transport Layer Security) enabled for all container components, so that each component is exposed over HTTPS with a TLS certificate.



External Resources

note

The following industry resources provide more information on the relevant best practices, principles and guidelines:

Access Control and Isolation:

IAM and RBAC:

Workload Security: