Stacktic Security Framework Documentation
Table of Contents
- Executive Summary
- Introduction
- Chapter 1: Network Security
- Chapter 2: Access Control
- Chapter 3: Policy Enforcement
- Chapter 4: Traffic Management
- Chapter 5: Data Protection
- Chapter 6: Compliance & Governance
- Chapter 7: Source Code Security
- Key Takeaways
Executive Summary
Stacktic provides an automated, metadata-driven security framework that transforms complex security implementations into simplified, manageable processes. This document outlines how Stacktic automates security from infrastructure protection to policies and RBAC, ensuring enterprise-grade security with minimal manual effort.
Introduction
Why Stacktic Security Framework?
Stacktic is designed to automate security, from infrastructure protection to policies and RBAC. As a metadata-based solution, Stacktic understands stack layers and can automatically deploy and enforce security best practices.
Core Security Principles
- Automation First: Security configurations generated automatically
- Metadata-Driven: Intelligent security based on stack relationships
- Defense in Depth: Multi-layered security approach
- Continuous Compliance: Real-time auditing and reporting
Chapter 1: Network Security
1.1 Network Policies and Micro-Segmentation
The Challenge
In real-world Kubernetes environments, NetworkPolicies are rarely used to their full potential because:
- They're complex to manage
- Many security teams apply policies only at the cluster level, not at the stack level
- Micro-segmentation (isolating traffic between stack layers) is challenging and often avoided
The Stacktic Solution
Stacktic automates this complexity by:
- Analyzing link directions and metadata to generate hundreds of NetworkPolicies automatically
- Delivering out-of-the-box micro-segmentation in minutes, work that would normally take months
- Creating granular policies at the stack layer level
Implementation Example
```
# Example: Generated NetworkPolicy structure
tree networkpolicy | wc -l
3146
# Sample generated policies:
├── networkpolicy__test__strimzi__all__strimzi__egress__ports__strimzi__nr101__lines15.yaml
├── networkpolicy__test__strimzi__all__strimzi__ingress__ports__strimzi__nr100__lines15.yaml
├── networkpolicy__test__strimzi__exception__system__egress__ports__443__nr36__lines18.yaml
├── networkpolicy__test__strimzi__to__minio__egress__ports__9000__nr70__lines18.yaml
└── networkpolicy__test__strimzi__to__postgresql__egress__ports__5432__nr71__lines18.yaml
```
Best Practice: Test and apply these policies in staging first. If your source code or images communicate outside the relationships defined in Stacktic metadata, the application may break. This is expected behavior at the highest security level.
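To make the link-driven generation described above concrete, here is an added example (not Stacktic's code) that turns a constructed link model (source, target, port) into a default-deny policy per component plus one egress and one ingress allow per link, mirroring the `strimzi__to__postgresql__egress__ports__5432` style of file shown above. The `app=<component>` label selector, the policy names and the namespace `test` are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    """Directed link between two stack components (constructed model)."""
    source: str   # component that opens the connection, e.g. "strimzi"
    target: str   # component that accepts it, e.g. "postgresql"
    port: int     # TCP port the target listens on

API = "networking.k8s.io/v1"

def _selector(component: str) -> dict:
    # Assumption: pods are labelled app=<component>; adapt to your own labels.
    return {"podSelector": {"matchLabels": {"app": component}}}

def default_deny(component: str, namespace: str) -> dict:
    """Baseline for micro-segmentation: no ingress or egress unless a link allows it.
    This also blocks DNS, so an explicit exception for kube-dns is usually required."""
    return {"apiVersion": API, "kind": "NetworkPolicy",
            "metadata": {"name": f"{component}-default-deny", "namespace": namespace},
            "spec": {**_selector(component), "policyTypes": ["Ingress", "Egress"]}}

def policies_for_link(link: Link, namespace: str) -> list[dict]:
    """Egress rule on the source and matching ingress rule on the target, so the
    link is allowed in exactly one direction on exactly one port."""
    ports = [{"protocol": "TCP", "port": link.port}]
    egress = {"apiVersion": API, "kind": "NetworkPolicy",
              "metadata": {"name": f"{link.source}-to-{link.target}-egress-{link.port}",
                           "namespace": namespace},
              "spec": {**_selector(link.source), "policyTypes": ["Egress"],
                       "egress": [{"to": [_selector(link.target)], "ports": ports}]}}
    ingress = {"apiVersion": API, "kind": "NetworkPolicy",
               "metadata": {"name": f"{link.target}-from-{link.source}-ingress-{link.port}",
                            "namespace": namespace},
               "spec": {**_selector(link.target), "policyTypes": ["Ingress"],
                        "ingress": [{"from": [_selector(link.source)], "ports": ports}]}}
    return [egress, ingress]

def generate(links: list[Link], namespace: str = "test") -> list[dict]:
    """Default-deny for every component seen, then allow rules for each declared link."""
    components = sorted({c for l in links for c in (l.source, l.target)})
    policies = [default_deny(c, namespace) for c in components]
    for link in links:
        policies.extend(policies_for_link(link, namespace))
    return policies

# Constructed links matching the sample file names shown above.
SAMPLE_LINKS = [Link("strimzi", "minio", 9000), Link("strimzi", "postgresql", 5432)]
```

Serialize the returned dicts with any YAML library and apply them to a staging cluster; anything not declared as a link (including DNS) is blocked, which is exactly the breakage the best-practice note warns about.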
Chapter 2: Access Control
2.1 RBAC Simplified
The Three-Layer RBAC Approach
RBAC (Role-Based Access Control) can be difficult to manage. Stacktic addresses this using a three-layer approach:
| Layer | Description | Benefit |
|---|---|---|
| 1. Component-Level RBAC | Enabled by default on every component | Automatic service account management |
| 2. Link-Level RBAC | Relationships between source code and components | Auto-generated app-level permissions |
| 3. User-Level RBAC | Direct user/group to component linking | Simplified kubectl access management |
Key Features
- Automatic Service Account Creation
- Relationship-Based Permissions
- Intuitive User Management
- Maintainable Configuration
Figure: User-level RBAC
Figure: App-relation-level RBAC
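As an added illustration (not Stacktic's code) of what the three layers in the table above can translate to in Kubernetes manifests: a ServiceAccount per component, a Role plus RoleBinding for a source-to-component link, and a Role plus RoleBinding for a user group. The component names, namespace and the exact resources granted are assumptions.

```python
from dataclasses import dataclass

RBAC_API = "rbac.authorization.k8s.io/v1"
READ = ["get", "list", "watch"]

@dataclass(frozen=True)
class Component:
    """A stack component and the namespace it runs in (constructed model)."""
    name: str
    namespace: str

def _role_and_binding(name: str, namespace: str, rules: list, subject: dict) -> list[dict]:
    """Namespaced Role plus a RoleBinding that grants it to exactly one subject."""
    role = {"apiVersion": RBAC_API, "kind": "Role",
            "metadata": {"name": name, "namespace": namespace}, "rules": rules}
    binding = {"apiVersion": RBAC_API, "kind": "RoleBinding",
               "metadata": {"name": name, "namespace": namespace},
               "subjects": [subject],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name}}
    return [role, binding]

def component_rbac(c: Component) -> dict:
    """Layer 1: a dedicated ServiceAccount per component, so no workload runs as the
    namespace's shared 'default' account. Token automount stays off until a link needs it."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": c.name, "namespace": c.namespace},
            "automountServiceAccountToken": False}

def link_rbac(source: Component, target: Component) -> list[dict]:
    """Layer 2: the source's ServiceAccount may read only the target's own Service
    and ConfigMap (resourceNames only restricts 'get', so no list/watch here)."""
    rules = [{"apiGroups": [""], "resources": ["services", "configmaps"],
              "resourceNames": [target.name], "verbs": ["get"]}]
    subject = {"kind": "ServiceAccount", "name": source.name, "namespace": source.namespace}
    return _role_and_binding(f"{source.name}-to-{target.name}", target.namespace, rules, subject)

def user_rbac(group: str, c: Component) -> list[dict]:
    """Layer 3: a user group gets kubectl read access (pods and logs) in one
    component's namespace, nothing cluster-wide."""
    rules = [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": READ}]
    subject = {"kind": "Group", "name": group, "apiGroup": "rbac.authorization.k8s.io"}
    return _role_and_binding(f"{group}-view-{c.name}", c.namespace, rules, subject)

# Constructed stack: a source-code component talking to a database component.
APP = Component("orders-api", "shop")
DB = Component("postgresql", "shop")
```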
Chapter 3: Policy Enforcement
3.1 OPA (Open Policy Agent) Integration
Overview
OPA is central to Stacktic's security enforcement, providing policy-as-code capabilities.
Core Capabilities
Policy Automation
- Automate policies using labels or namespaces
- Choose between Dry Run and Enforce modes
- Dynamic policy testing based on environment
Example Workflow
1. Add securityContext → Check labels
2. Label source code → Apply policies
3. Integrate metadata → Generate audit reports
Advanced Features
| Feature | Description |
|---|---|
| Dynamic Testing | Automates tests based on test environment |
| LiveView Integration | True/false insights directly in UI |
| Source Code Tuning | Adjusts code to meet OPA policies |
Tip: Keep security definitions inside Stacktic to maintain full audit and reporting capabilities. External labels or policies may not appear in audit reports.
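The workflow above (scope a policy by labels or namespaces, check the securityContext, run it in dry-run or enforce mode) modelled as an added example in plain Python rather than Rego; it is not Stacktic's or OPA's code, and the policy name, the `security: strict` label and the sample manifests are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Policy:
    """A check plus the scope it applies to (constructed model of the workflow above)."""
    name: str
    check: Callable[[dict], list[str]]          # returns violation messages
    namespaces: Optional[set] = None            # None = every namespace
    labels: dict = field(default_factory=dict)  # every pair must match metadata.labels

    def applies(self, manifest: dict) -> bool:
        meta = manifest.get("metadata", {})
        in_scope = self.namespaces is None or meta.get("namespace") in self.namespaces
        return in_scope and all(meta.get("labels", {}).get(k) == v for k, v in self.labels.items())

def require_security_context(manifest: dict) -> list[str]:
    """Every container must run as non-root and never privileged; a pod-level
    runAsNonRoot counts as the default for its containers."""
    spec = manifest["spec"]
    pod = spec.get("template", {}).get("spec", spec)   # Deployment-style template or bare Pod
    pod_non_root = pod.get("securityContext", {}).get("runAsNonRoot", False)
    problems = []
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if not sc.get("runAsNonRoot", pod_non_root):
            problems.append(f"container {c['name']}: runAsNonRoot is not set")
        if sc.get("privileged"):
            problems.append(f"container {c['name']}: privileged is true")
    return problems

def evaluate(manifests: list[dict], policies: list[Policy], mode: str = "dry-run") -> dict:
    """Dry run only reports violations; enforce additionally rejects the manifest."""
    report = {"mode": mode, "violations": [], "rejected": []}
    for m in manifests:
        name = f"{m['metadata'].get('namespace', '')}/{m['metadata']['name']}"
        for p in policies:
            for msg in (p.check(m) if p.applies(m) else []):
                report["violations"].append((name, p.name, msg))
                if mode == "enforce" and name not in report["rejected"]:
                    report["rejected"].append(name)
    return report

# Constructed manifests: one compliant, one labelled for strict security but misconfigured.
GOOD = {"kind": "Pod", "metadata": {"name": "api", "namespace": "prod", "labels": {"security": "strict"}},
        "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{"name": "app"}]}}
BAD = {"kind": "Deployment", "metadata": {"name": "worker", "namespace": "prod", "labels": {"security": "strict"}},
       "spec": {"template": {"spec": {"containers": [{"name": "job", "securityContext": {"privileged": True}}]}}}}
STRICT = Policy("securityContext-required", require_security_context, labels={"security": "strict"})
```

Run the same manifests first in dry-run to see what would be rejected, then switch to enforce once the report is clean; that is the staged rollout the Dry Run / Enforce choice above is for.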
Chapter 4: Traffic Management
4.1 Traffic Security
Layer 7 Security Management
Traffic security is managed through components like Istio or APISIX. Stacktic abstracts complex configurations into links and attributes.
Key Capabilities
- Traffic Control
  - Block, route, or control traffic at Layer 7
  - Limit traffic to specific routes or IP ranges
- Authentication
  - OIDC integration (e.g., Keycloak)
  - mTLS between services
- Traffic Policies
  - CORS configuration
  - URL rewriting rules
  - Rate limiting
- Links your Service Mesh
  - Full mesh in minutes
  - Add rules and link-specific configuration
  - Centralized mesh control
Chapter 5: Data Protection
5.1 Secrets Management
Comprehensive Secret Lifecycle
Stacktic provides enterprise-grade secrets management with multiple layers of protection.
Core Features
Default Protection
- All environment variables saved as Kubernetes secrets
- Automatic secret rotation capabilities
- Version-controlled secret management
Advanced Security (SOPS Integration)
Features:
- Encrypt secret files in public repositories
- Decrypt only with appropriate keys
- Full lifecycle management:
  - Rotate secrets
  - Update configurations
  - Re-encrypt on demand
Secret Management Workflow
- Create → Environment variables automatically secured
- Encrypt → SOPS encryption for repository storage (optional)
- Deploy → Secrets injected securely at runtime
- Rotate → Automated rotation without disruption
- Audit → Full tracking and compliance reporting
This ensures secrets remain secure, manageable, and version-controlled throughout the entire stack lifecycle.
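The SOPS step of the workflow above is only safe if every sensitive value really is ciphertext before the file lands in a public repository. Here is an added pre-commit style check (not Stacktic's or SOPS's code) that walks a parsed Secret and flags any value under `data` or `stringData` that is not in SOPS's `ENC[AES256_GCM,...]` form, and refuses files with no `sops` metadata block. The sample documents are constructed and their `ENC[...]` payloads are placeholders, not real ciphertext.

```python
import re

# Shape of a SOPS-encrypted scalar, e.g. ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:[a-z]+\]$")
SENSITIVE_KEYS = ("data", "stringData")   # the Secret fields SOPS is expected to encrypt

def _leaves(node, path):
    """Yield (path, value) for every scalar under a parsed YAML/JSON node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, f"{path}[{i}]")
    else:
        yield path, node

def plaintext_leaks(doc: dict) -> list[str]:
    """Paths under data/stringData whose value is not SOPS ciphertext."""
    leaks = []
    for key in SENSITIVE_KEYS:
        for path, value in _leaves(doc.get(key, {}), key):
            if not (isinstance(value, str) and ENC_VALUE.match(value)):
                leaks.append(path)
    return leaks

def safe_to_commit(doc: dict) -> bool:
    """True only if SOPS metadata (with its MAC) is present and nothing sensitive is in clear."""
    meta = doc.get("sops")
    return isinstance(meta, dict) and bool(meta.get("mac")) and not plaintext_leaks(doc)

# Constructed documents (already parsed); the ENC[...] payloads are placeholders, not real ciphertext.
ENCRYPTED = {
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db-creds", "namespace": "shop"},
    "stringData": {"DB_USER": "ENC[AES256_GCM,data:dXNlcg==,iv:aXY=,tag:dGFn,type:str]",
                   "DB_PASSWORD": "ENC[AES256_GCM,data:cGFzcw==,iv:aXY=,tag:dGFn,type:str]"},
    "sops": {"mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]"},
}
LEAKING = {**ENCRYPTED, "stringData": {**ENCRYPTED["stringData"], "DB_PASSWORD": "hunter2"}}
UNENCRYPTED = {k: v for k, v in ENCRYPTED.items() if k != "sops"}
```

Parse the file with your YAML library of choice and gate the commit on `safe_to_commit`; the check deliberately leaves `metadata` alone, matching the usual practice of encrypting only `data` and `stringData`.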
Chapter 6: Compliance & Governance
6.1 Security Audits and Reports
Comprehensive Reporting
Every configuration and status generated by Stacktic is translated into comprehensive audit reports.
Report Features
| Report Type | Content | Use Case |
|---|---|---|
| Configuration Analysis | Policy conflicts, misconfigurations | Pre-deployment validation |
| Security Posture | Overall security score and gaps | Executive reporting |
| Compliance Report | Standards adherence (CIS, PCI-DSS) | Audit preparation |
| Change Tracking | Configuration drift detection | Continuous monitoring |
Benefits
- Validate compliance continuously
- Identify security gaps proactively
- CISO-grade reporting out of the box
Chapter 7: Source Code Security
7.1 Code Security
Overview
Stacktic provides pre-defined configuration for container- and image-level security.
Key Features
- Tune your security level: switch on sec, add allowed directories.
- Enable OPA validation: enforce OPA to validate your source code configuration.
- Audit report: the audit report identifies the source code security level of the full stack and will:
  - identify missing policies
  - identify missing source code security
Key Takeaways
What Stacktic Security Framework Delivers
| Feature | Traditional Approach | Stacktic Approach | Time Saved |
|---|---|---|---|
| Network Policies | Manual creation, months of work | Auto-generated from metadata | 95% |
| RBAC Setup | Complex role definitions | Three-layer automation | 80% |
| OPA Policies | Manual policy writing | Template-based automation | 70% |
| Traffic Security | Complex Istio/APISIX configs | Abstracted link attributes | 85% |
| Security Audits | Manual assessment | Continuous automated reports | 90% |
| Secrets Management | Multiple tools needed | Integrated lifecycle | 75% |
Summary Benefits
- Automated Security: Minimal manual configuration required
- Compliance Ready: CISO-grade reports out of the box
- Best Practices: Enterprise security patterns by default
- Micro-segmentation: Zero-trust networking simplified
- Full Lifecycle: From development to production security
Next Steps
- Deploy test environment with full security enabled
- Review generated security reports
- Tune policies based on your requirements
- Validate in staging before production
- Monitor continuous compliance
This document ensures your stacks are secure, compliant, and auditable, with minimal manual effort.