Updated on 2025-04-27 GMT+08:00

Security Hardening

Configuration Management is based on Flux v2 open-source components. However, the source-controller component communicates over HTTP, which introduces security risks. To enhance security, UCS applies network policies by default for fine-grained network isolation. For details, see Configuring Network Policies. If your cluster does not support NetworkPolicy, use another network isolation method (such as security groups) for security hardening.

Component Communication Relationships

  • Communications between core components
    • source-controller: manages resources such as Helm repositories and Git repositories (over HTTP port 9090).
    • helm-controller: accesses source-controller to obtain chart package metadata.
    • kustomize-controller: accesses source-controller to obtain Kustomize resources.
  • Security risks

    If the access scope of source-controller is not restricted, any pod in the cluster can reach source-controller over HTTP, which may lead to man-in-the-middle attacks and data leakage.

NetworkPolicy Hardening Scheme

  • Basic isolation policy that blocks unauthorized access to source-controller globally
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-all-source
      namespace: flux-system
    spec:
      podSelector:
        matchLabels:
          app: source-controller
      policyTypes:
      - Ingress
      ingress: []     # By default, all inbound traffic is denied.
  • Fine-grained allow rules (exceptions to the deny-all policy)

    # Allow helm-controller to access source-controller.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-helm-to-source
      namespace: flux-system
    spec:
      podSelector:
        matchLabels:
          app: source-controller     # Must match the label used by deny-all-source, or this policy selects nothing.
      policyTypes:
      - Ingress
      ingress:
      - from:
        - podSelector:
            matchLabels:
              app: helm-controller
        ports:
        - protocol: TCP
          port: 9090

    # Allow kustomize-controller to access source-controller.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-kustomize-to-source
      namespace: flux-system
    spec:
      podSelector:
        matchLabels:
          app: source-controller     # Same selector as deny-all-source.
      policyTypes:
      - Ingress
      ingress:
      - from:
        - podSelector:
            matchLabels:
              app: kustomize-controller
        ports:
        - protocol: TCP
          port: 9090
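The following is an added example, not code from UCS or Flux: a small evaluator of NetworkPolicy ingress semantics applied to manifests shaped like the ones above, plus a lint that catches an allow policy whose podSelector uses a different label key than the deny-all policy (such a policy selects a different, possibly empty, pod set and silently leaves the controller blocked). It assumes the Flux pods carry the `app: <controller-name>` labels the manifests select on.

```python
# Added example (not UCS or Flux code). Evaluates NetworkPolicy ingress rules
# offline for the flux-system hardening manifests. Assumes pods carry the
# labels used in the manifests (app: <controller-name>).
from typing import Dict, List, Optional

Labels = Dict[str, str]

def policy(name: str, target: Labels, client: Optional[Labels] = None, port: int = 9090) -> dict:
    """Build a flux-system NetworkPolicy dict shaped like the page's manifests."""
    rules = [] if client is None else [{"from": [{"podSelector": {"matchLabels": client}}],
                                        "ports": [{"protocol": "TCP", "port": port}]}]
    return {"metadata": {"name": name, "namespace": "flux-system"},
            "spec": {"podSelector": {"matchLabels": target},
                     "policyTypes": ["Ingress"], "ingress": rules}}

def matches(selector: dict, labels: Labels) -> bool:
    """matchLabels semantics: every selector key/value must be present on the pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies: List[dict], target: Labels, source: Labels, port: int) -> bool:
    """A pod selected by no Ingress policy is open; otherwise traffic is allowed
    only if some selecting policy has a rule whose 'from' and 'ports' both match."""
    selecting = [p for p in policies if "Ingress" in p["spec"]["policyTypes"]
                 and matches(p["spec"]["podSelector"], target)]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"]["ingress"]:
            peers_ok = not rule.get("from") or any(
                matches(peer["podSelector"], source) for peer in rule["from"] if "podSelector" in peer)
            ports_ok = not rule.get("ports") or any(pp["port"] == port for pp in rule["ports"])
            if peers_ok and ports_ok:
                return True
    return False

def selector_mismatches(policies: List[dict], deny_name: str = "deny-all-source") -> List[str]:
    """Names of allow policies whose podSelector differs from the deny-all policy's."""
    deny = next(p for p in policies if p["metadata"]["name"] == deny_name)["spec"]["podSelector"]
    return [p["metadata"]["name"] for p in policies
            if p["metadata"]["name"] != deny_name and p["spec"]["podSelector"] != deny]

SRC = {"app": "source-controller"}   # label carried by the source-controller pod (assumed)
POLICIES = [policy("deny-all-source", SRC),
            # Deliberately mismatched selector key: selects a different pod set than deny-all-source.
            policy("allow-helm-to-source", {"app.kubernetes.io/component": "source-controller"},
                   {"app": "helm-controller"}),
            policy("allow-kustomize-to-source", SRC, {"app": "kustomize-controller"})]

if __name__ == "__main__":
    print("mismatched selectors:", selector_mismatches(POLICIES))
    for client in ({"app": "helm-controller"}, {"app": "kustomize-controller"}, {"app": "rogue"}):
        print(client["app"], "-> source-controller:9090 allowed:", ingress_allowed(POLICIES, SRC, client, 9090))
```

Run against the real cluster by dumping the policies with `kubectl get networkpolicy -n flux-system -o json` and feeding the items to the same functions; the lint flags the helm policy, and the evaluator shows helm-controller is blocked until its podSelector matches the deny-all policy's.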