Skip to main content

πŸ” Stacktic Security Framework Documentation

πŸ“‹ Table of Contents​

  1. Executive Summary
  2. Introduction
  3. Chapter 1: Network Security
  4. Chapter 2: Access Control
  5. Chapter 3: Policy Enforcement
  6. Chapter 4: Traffic Management
  7. Chapter 5: Data Protection
  8. Chapter 6: Compliance & Governance
  9. Chapter 7: CVE Analysis and SBOM
  10. Chapter 8: LiveView Security Automation
  11. Chapter 9: Source Code Security
  12. Chapter 10: Multi-tenancy
  13. Key Takeaways

πŸ“ Executive Summary​

Stacktic provides an automated, metadata-driven security framework that transforms complex security implementations into simplified, manageable processes. This document outlines how Stacktic automates security from infrastructure protection to policies and RBAC, ensuring enterprise-grade security with minimal manual effort.

🎯 Introduction​

Why Stacktic Security Framework?​

Security Framework Overview​

Stacktic is designed to automate securityβ€”from infrastructure protection to policies and RBAC. As a metadata-based solution, Stacktic understands stack layers and can automatically deploy and enforce security best practices.

Core Security Principles​

  • πŸ”„ Automation First: Security configurations generated automatically
  • 🧩 Metadata-Driven: Intelligent security based on stack relationships
  • πŸ›‘οΈ Defense in Depth: Multi-layered security approach
  • πŸ“Š Continuous Compliance: Real-time auditing and reporting

Chapter 1: Network Security​

1.1 Network Policies and Micro-Segmentation​

The Challenge​

In real-world Kubernetes environments, NetworkPolicies are rarely used to their full potential because:

  • ❌ They're complex to manage
  • ❌ Many security teams apply policies only at the cluster level, not at the stack level
  • ❌ Micro-segmentationβ€”isolating traffic between stack layersβ€”is challenging and often avoided

The Stacktic Solution​

Stacktic automates this complexity by:

  • βœ… Analyzing link directions and metadata to generate hundreds of NetworkPolicies automatically
  • βœ… Delivering out-of-the-box micro-segmentation in minutesβ€”work that would normally take months
  • βœ… Creating granular policies at the stack layer level

Implementation Example​

# Example: Generated NetworkPolicy structure
tree networkpolicy | wc -l
    3146

# Sample generated policies:
β”œβ”€β”€ networkpolicy__test__strimzi__all__strimzi__egress__ports__strimzi__nr101__lines15.yaml
β”œβ”€β”€ networkpolicy__test__strimzi__all__strimzi__ingress__ports__strimzi__nr100__lines15.yaml
β”œβ”€β”€ networkpolicy__test__strimzi__exception__system__egress__ports__443__nr36__lines18.yaml
β”œβ”€β”€ networkpolicy__test__strimzi__to__minio__egress__ports__9000__nr70__lines18.yaml
└── networkpolicy__test__strimzi__to__postgresql__egress__ports__5432__nr71__lines18.yaml

⚠️ Best Practice: Test and apply these policies in staging first. If your source code or images communicate outside the relationships defined in Stacktic metadata, the application may break. This is expected behavior for the highest security level.

Chapter 2: Access Control​

2.1 RBAC Simplified​

The Three-Layer RBAC Approach​

RBAC (Role-Based Access Control) can be difficult to manage. Stacktic addresses this using a three-layer approach:

LayerDescriptionBenefit
1. Component-Level RBACEnabled by default on every componentAutomatic service account management
2. Link-Level RBACRelationships between source code and componentsAuto-generated app-level permissions
3. User-Level RBACDirect user/group to component linkingSimplified kubectl access management

Key Features​

  • πŸ” Automatic Service Account Creation
  • πŸ”— Relationship-Based Permissions
  • πŸ‘€ Intuitive User Management
  • πŸ“ Maintainable Configuration

Visual Examples​

USER LEVEL RBAC

User Level RBAC

APP RELATION LEVEL RBAC

App Relation Level RBAC

Chapter 3: Policy Enforcement​

3.1 OPA (Open Policy Agent) Integration​

Overview​

OPA is central to Stacktic's security enforcement, providing policy-as-code capabilities.

Core Capabilities​

Policy Automation​
  • βœ… Automate policies using labels or namespaces
  • βœ… Choose between Dry Run and Enforce modes
  • βœ… Dynamic policy testing based on environment
Example Workflow​
1. Add securityContext β†’ Check labels
2. Label source code β†’ Apply policies
3. Integrate metadata β†’ Generate audit reports
OPA Integration

Advanced Features​

FeatureDescription
Dynamic TestingAutomates tests based on test environment
LiveView IntegrationTrue/false insights directly in UI
Source Code TuningAdjusts code to meet OPA policies

πŸ’‘ Tip: Keep security definitions inside Stacktic to maintain full audit and reporting capabilities. External labels or policies may not appear in audit reports.

Chapter 4: Traffic Management​

4.1 Traffic Security​

Layer 7 Security Management​

Traffic security is managed through components like Istio or APISIX. Stacktic abstracts complex configurations into links and attributes.

Key Capabilities​

Traffic Control​
  • 🚦 Block, route, or control traffic at Layer 7
  • 🚦 Limit traffic to specific routes or IP ranges
Authentication​
  • πŸ” OIDC integration (e.g., Keycloak)
  • πŸ” mTLS between services
Traffic Policies​
  • πŸ”„ CORS configuration
  • πŸ”„ URL rewriting rules
  • πŸ”„ Rate limiting
Traffic Security
Service Mesh Integration​
  • πŸ”„ Full Mesh in minutes
  • πŸ”„ Add rules, and specific configuration per link
  • πŸ”„ Centralized Mesh control
Service Mesh

See Mesh Example​

Chapter 5: Data Protection​

5.1 Secrets Management​

Comprehensive Secret Lifecycle​

Stacktic provides enterprise-grade secrets management with multiple layers of protection.

Core Features​

Default Protection​
  • βœ… All environment variables saved as Kubernetes secrets
  • βœ… Automatic secret rotation capabilities
  • βœ… Version-controlled secret management
Advanced Security (SOPS Integration)​
Features:
  - Encrypt secret files in public repositories
  - Decrypt only with appropriate keys
  - Full lifecycle management:
    β€’ Rotate secrets
    β€’ Update configurations
    β€’ Re-encrypt on demand

Secret Management Workflow​

  1. Create β†’ Environment variables automatically secured
  2. Encrypt β†’ SOPS encryption for repository storage (optional)
  3. Deploy β†’ Secrets injected securely at runtime
  4. Rotate β†’ Automated rotation without disruption
  5. Audit β†’ Full tracking and compliance reporting

This ensures secrets remain secure, manageable, and version-controlled throughout the entire stack lifecycle.

Chapter 6: Compliance & Governance​

6.1 Security Audits and Reports​

Comprehensive Reporting​

Every configuration and status generated by Stacktic is translated into comprehensive audit reports.

Report Features​

Report TypeContentUse Case
Configuration AnalysisPolicy conflicts, misconfigurationsPre-deployment validation
Security PostureOverall security score and gapsExecutive reporting
Compliance ReportStandards adherence (CIS, PCI-DSS)Audit preparation
Change TrackingConfiguration drift detectionContinuous monitoring

Benefits​

  • πŸ“ˆ Validate compliance continuously
  • πŸ” Identify security gaps proactively
  • πŸ“‹ CISO-grade reporting out of the box

Report Location​

Reports exist in the audit folder in every generated stack repo:

Audit Reports Location

Chapter 7: CVE Analysis and SBOM​

7.1 Vulnerability Management​

Overview​

Stacktic provides comprehensive vulnerability management through CVE (Common Vulnerabilities and Exposures) analysis and SBOM (Software Bill of Materials) generation for every component in your stack.

Core Capabilities​

Offline CVE Reports​

Stacktic generates offline CVE reports for each component automatically:

FeatureDescriptionBenefit
Component-Level AnalysisCVE reports per componentIdentify vulnerabilities before deployment
Offline AccessReports available without external dependenciesSecurity analysis in air-gapped environments
Version-SpecificCVE data matched to exact component versionsAccurate vulnerability assessment
Automated UpdatesReports regenerate with version changesStay current with security landscape
Full SBOM Generation​

Stacktic creates complete versioning dependency XMLs for SBOM tools out of the box:

SBOM Features:
  - Complete dependency tree for all components
  - Version tracking across the full stack
  - Export formats compatible with standard SBOM tools
  - Automated updates on stack changes

Key Benefits​

  • πŸ” Proactive Security: Identify vulnerabilities before deployment
  • πŸ“‹ Compliance Ready: SBOM generation for regulatory requirements
  • πŸ”„ Automated Analysis: CVE reports generated with every build
  • πŸ“¦ Complete Visibility: Full dependency tracking across stack layers
  • πŸš€ Zero Configuration: Works out of the box for all components

Integration with Security Workflow​

Design Stack β†’ Build β†’ Generate SBOM β†’ CVE Analysis β†’ Deploy
                           ↓              ↓
                    audit/sbom/     audit/cve/

Use Cases​

ScenarioHow Stacktic Helps
Pre-DeploymentReview CVE reports before production
Compliance AuditsProvide SBOM documentation instantly
Version UpgradesCompare CVE profiles between versions
Security ReviewsComplete dependency analysis available

πŸ’‘ Best Practice: Review CVE reports during the build phase and address high-severity vulnerabilities before deployment to production.

Chapter 8: LiveView Security Automation​

8.1 Real-time Security Assessment​

Overview​

Stacktic LiveView agent provides continuous, real-time security assessment directly from your live cluster, automating security validation across all critical security layers.

Core Capabilities​

The LiveView agent validates security posture continuously by monitoring:

Security Validation Areas​
Validation TypeWhat It ChecksReal-time Alerts
RBAC ComplianceRole assignments, service accounts, permissionsβœ“ Unauthorized access attempts
Policy EnforcementNetworkPolicies, OPA rules, admission controlsβœ“ Policy violations
Secrets StrengthEncryption status, rotation compliance, exposureβœ“ Weak or exposed secrets
Security BreachesSuspicious activity, unauthorized changesβœ“ Immediate breach detection
Endpoints SecurityExposed services, TLS configuration, ingress rulesβœ“ Insecure endpoints

LiveView Architecture​

Live Cluster β†’ LiveView Agent β†’ API β†’ Stacktic Platform β†’ UI Dashboard
     ↓              ↓              ↓           ↓
  Metrics      Validation    Real-time    Security
  Collection   Engine        Analysis     Insights

Key Features​

Automated Security Assessment​
  • βœ… Continuous Monitoring: Real-time validation of security controls
  • βœ… Automated Remediation: Suggestions for fixing detected issues
  • βœ… Compliance Verification: Ensures all security policies are active
  • βœ… Drift Detection: Identifies configuration changes from desired state
Security Validation Coverage​
RBAC Validation:
  - Service account permissions
  - Role bindings accuracy
  - Cluster role assignments
  - User access patterns

Policy Validation:
  - NetworkPolicy enforcement
  - OPA Gatekeeper constraints
  - Pod security standards
  - Admission webhook status

Secrets Management:
  - Encryption verification
  - Rotation compliance
  - Secret exposure check
  - SOPS integration status

Endpoint Security:
  - TLS certificate validation
  - Ingress configuration
  - Service exposure audit
  - mTLS verification

Benefits​

  • πŸ” Proactive Detection: Identify security issues before they become incidents
  • πŸ“Š Real-time Insights: Live security posture in UI dashboard
  • πŸ”„ Continuous Compliance: Automated validation of security controls
  • 🚨 Instant Alerts: Immediate notification of security violations
  • πŸ“ˆ Trend Analysis: Track security improvements over time

LiveView Dashboard​

The LiveView agent provides real-time visibility into:

  1. Security Score: Overall security posture percentage
  2. Active Violations: Current policy and RBAC issues
  3. Vulnerability Status: Live CVE exposure from running components
  4. Compliance Status: Real-time adherence to security standards
  5. Remediation Queue: Prioritized list of security improvements

Integration with Audit Reports​

LiveView complements static audit reports by providing:

Static Reports (Build Time)     LiveView (Runtime)
        ↓                              ↓
   CVE Analysis              β†’    Active Vulnerability Status
   SBOM Generation           β†’    Runtime Dependency Validation
   Policy Configuration      β†’    Policy Enforcement Status
   RBAC Design              β†’    Active Permission Verification
   Secrets Setup            β†’    Secrets Strength Monitoring

⚑ Key Advantage: LiveView transforms security from a build-time check into a continuous runtime validation system, ensuring your security posture remains strong throughout the stack lifecycle.

Use Cases​

ScenarioLiveView Response
Policy DriftAlerts when runtime differs from design
Unauthorized AccessImmediate notification of RBAC violations
Weak SecretsFlags secrets not meeting strength requirements
Security BreachReal-time detection of suspicious activity
Compliance AuditLive proof of security controls enforcement

Chapter 9: Source Code Security​

9.1 Code Security​

Overview​

Stacktic provides pre-defined configuration for the container and image level security.

Key Features​

1. Tune Your Security Level​

Switch on security, add allowed directories:

Security Level Tuning
2. Enable OPA Validation​

Enforce OPA to validate your source code configuration:

OPA Validation
3. Audit Report​

Audit report will identify the source code security level of the full stack.

Identify Missing Policies:

Missing Policies

Identify Missing Source Code Security:

Missing Source Code Security

Chapter 10: Multi-tenancy​

10.1 Multi-tenancy Isolation​

The Complete Security Architecture​

Kubernetes Namespace Isolation: Recreating VM-Style Security Boundaries​
The Lost Art of Workload Isolation​

Companies spent 20 years perfecting VM isolation with VLANs, firewalls, and DMZ zones. Then moved to Kubernetes and deployed everything in one flat network with no boundaries.

Stacktc operates on a principle of isolation by default. This means every part of the stack is completely isolated and managed separately. We automate the security relationships between these isolated stack layers β€” which can represent components like databases, backends, messaging, or observability. Each layer is fully separated and secured by design.

The Security Architecture Evolution​

The Complete Isolation Matrix​

CategoryBenefitWithout SeparationWith Full SeparationReal-World Impact
SECURITY
Resource IsolationLarger blast radius; cross-app name/secret clashesScoped RBAC/Secrets/NetworkPolicy; smaller blast radiusBreach in app A can't access app B's secrets
RBAC ScopeComplex role definitions with many exceptionsSimple, namespace-scoped rolesDev team can't accidentally delete prod resources
Network PoliciesDifficult to enforce traffic rulesClear rules per namespaceDatabase only accessible from its app namespace
MicrosegmentationNot supportedPCI-DSS compliant zonesPass compliance audits
Admission ControlForcing rules is complicatedEasy enforcement per namespaceAutomated security policies
RESOURCE MANAGEMENT
Quota EnforcementHard to prevent resource hoggingResourceQuotas per namespaceTeam A can't starve Team B
Cost AttributionUnclear who's using whatClear cost per namespaceAccurate billing per department
Capacity PlanningGuesswork on resource needsPredictable allocationGuaranteed resources per team
OPERATIONS
CleanupManual tracking of resourceskubectl delete ns <name> removes allOne command cleanup
TroubleshootingIssues affect entire clusterProblems contained in namespaceFaster debugging
Service DiscoveryComplex naming neededSimple: <service>.<namespace>.svc.cluster.localdb-service vs prod-eu-mysql-primary-db-service
Kustomize/HelmHarder to isolate environmentsReuse configs across dev/test/prodClean environment separation
COMPLIANCE
Audit TrailsMixed logs, hard to filterClean audit boundariesCompliance reports per namespace
Data SovereigntyDifficult to enforce locationNamespace-specific policiesGDPR compliance
Security StandardsOne-size-fits-all policiesDifferent standards per workloadPCI namespace stricter than dev
DEVELOPMENT
Environment IsolationRisk of cross-environment pollutionClear dev/staging/prod boundariesDev won't affect production
CI/CD PipelinesComplex deployment logicNamespace-based deploymentsDeploy to namespace = environment
TestingHard to create isolated test environmentsSpin up temporary namespacesEach PR gets its own namespace
ADVANCED
Service MeshDifficult to manage Istio labelsPer-namespace mesh configmTLS between components
Label ManagementComplex across entire clusterSimple per namespaceEasy GitOps automation

Implementation Comparison​

Without Namespace Separation (What Most Do)​
# Everything in default or one namespace
kubectl apply -f entire-stack.yaml

# Problems:
# - All secrets visible to all pods
# - Any pod can talk to database
# - One misconfigured pod can consume all resources
# - Developer mistake can delete production database
# - Compliance auditor fails you immediately

The Bottom Line​

Without proper namespace isolation, NetworkPolicies, and multi-layer RBAC, you have LESS security in Kubernetes than you had with VMs from 2005.

This means every part of the stack must be completely isolated and managed separately. We automate the security relationships between these isolated stack layers β€” which can represent components like databases, backends, messaging, or observability. Each layer is fully separated and secured by design.

Remember: Namespace isolation is not just about NetworkPolicies​
  • βœ… RBAC boundaries
  • βœ… Secret isolation
  • βœ… Resource quotas
  • βœ… Audit separation
  • βœ… Cost tracking
  • βœ… Compliance scope
  • βœ… Service mesh configuration
  • βœ… Admission controls

It's about creating proper security boundaries that match or exceed what we had in the VM world.

🎯 Key Takeaways​

What Stacktic Security Framework Delivers​

FeatureTraditional ApproachStacktic ApproachTime Saved
Network PoliciesManual creation, months of workAuto-generated from metadata95%
RBAC SetupComplex role definitionsThree-layer automation80%
OPA PoliciesManual policy writingTemplate-based automation70%
Traffic SecurityComplex Istio/APISIX configsAbstracted link attributes85%
Security AuditsManual assessmentContinuous automated reports90%
Secrets ManagementMultiple tools neededIntegrated lifecycle75%
CVE AnalysisManual vulnerability scanningAutomated offline CVE reports85%
SBOM GenerationManual dependency trackingAuto-generated XMLs90%
Security MonitoringManual cluster inspectionLiveView real-time validation95%

Summary Benefits​

βœ… Automated Security: Minimal manual configuration required
βœ… Compliance Ready: CISO-grade reports out of the box
βœ… Best Practices: Enterprise security patterns by default
βœ… Micro-segmentation: Zero-trust networking simplified
βœ… Full Lifecycle: From development to production security

Next Steps​

  1. πŸš€ Deploy test environment with full security enabled
  2. πŸ“Š Review generated security reports
  3. πŸ”§ Tune policies based on your requirements
  4. βœ… Validate in staging before production
  5. πŸ“ˆ Monitor continuous compliance

This document ensures your stacks are secure, compliant, and auditableβ€”with minimal manual effort.