Skip to content

Securing the Sensor

Sovereign Data-in-motion (DIM) and Data-at-rest (DAR) Sensors are currently deployed in a Kubernetes environment. Below is a description of specific security aspects and configuration options that you might want to consider.

Please also refer to the separate guide for configuration options that are not related to security. You may also want to check our current helm chart for all values that can be tuned for the Sovereign Sensors.

Access to Kubernetes API

The Sovereign Data-in-motion (DIM) Sensor subscribes to a significant amount of metadata from the Kubernetes API. A dedicated ServiceAccount is created for this purpose. This ServiceAccount is granted cluster-wide permissions (ClusterRoleBinding) to get, list, and watch several apiGroups.

Proxying the traffic

There may be instances when you want to route the traffic between the Soveren Sensor and the Cloud through a proxy. This could be for reasons such as gaining additional control over the traffic leaving your cluster.

To do this, simply specify the top-level value in your values.yaml:


Here, <PROXY_ADDRESS> and <PROXY_PORT> represent the address of your proxy service and the dedicated listening port, respectively.

You can also specify the NO_PROXY top-level variable to allow some of your traffic to bypass the proxy:

httpsProxyNoProxy: ""

Network policy

You may want to specify the network policy for the Soveren Sensor. It is not enabled by default.

Here's how to do it:

  # -- Specifies whether Network Policies should be created
  enabled: false
  # -- Specify when the httpsProxy is enabled
  proxyIp: ""
  # -- The below is specific to Data-in-motion (DIM) sensor
    # -- The k8s API endpoint port
    port: 443

Container privileges

Generic container privileges

All containers of the Soveren Sensors, except for the Interceptors, have the following securityContext by default:

  runAsUser: 1000 # 65534 for prometheusAgent
  runAsGroup: 1000 # 65534 for prometheusAgent
  allowPrivilegeEscalation: false
  runAsNonRoot: true

Interceptors privileges

Interceptors capture traffic by monitoring the virtual interfaces of the host.

In each Interceptor pod, there are two containers: the rpcapd, which handles the actual traffic capturing, and the interceptor itself, which processes the captured data.

To allow Interceptors to read from the host, both the interceptor and rpcapd containers need to run in privileged mode. Hence, they are assigned the following securityContext:

  privileged: true

Additionally, the interceptor container requires the following:

dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
hostPID: true

Modifying these settings for interceptor and rpcapd containers will disrupt traffic interception.

Verifying image signatures

Ensure the authenticity and integrity of downloaded images by validating their digital signatures.

We use Cosign for image signing. Below is the public key you should use when verifying the signatures:

-----END PUBLIC KEY-----