https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/ Recent content in Security on Docs Hugo en https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/cert-manager/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/cert-manager/ <p><a href="https://cert-manager.io/">cert-manager</a> is a Kubernetes add-on that automates the management and issuance of TLS certificates. The Redis operator integrates with cert-manager, so you can use automatically managed certificates for:</p> <ul> <li>Redis Enterprise cluster (REC) components (API, CM, proxy, syncer, and others)</li> <li>Database replication with TLS</li> <li>LDAP client authentication</li> <li>SSO/SAML certificates</li> </ul> <p>Benefits of using cert-manager include:</p> <ul> <li><strong>Automatic certificate renewal</strong>: cert-manager handles certificate rotation before expiration.</li> <li><strong>Standardized management</strong>: Use the same certificate management approach across your Kubernetes infrastructure.</li> <li><strong>Multiple certificate authorities</strong>: Support for Let's Encrypt, private CAs, Vault, and more.</li> <li><strong>Automatic propagation</strong>: For Active-Active databases, certificate changes automatically sync across all participating clusters.</li> </ul> <div class="alert p-3 relative flex flex-row flex-wrap items-center text-base bg-redis-pencil-200 rounded-md"> <div class="p-2 pr-5"><svg width="21" height="21" viewBox="0 0 21 21" fill="none" xmlns="http://www.w3.org/2000/svg"> <circle cx="10.5" cy="10.5" r="9.75" stroke="currentColor" stroke-width="1.5"/> <path d="M10.5 14V16" stroke="currentColor" stroke-width="2"/> <path d="M10.5 5V12" stroke="currentColor" stroke-width="2"/> </svg> </div> <div class="p-1 pl-4 sm:pl-6 border-l border-l-redis-ink-900 border-opacity-50 flex-1"> <div class="font-medium">Warning:</div> The cert-manager integration uses Kubernetes secrets. It is not compatible with Vault-based secret management (when <code>clusterCredentialSecretType: vault</code>). See <a href="https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/vault/">HashiCorp Vault integration</a> for details.</div> </div> <h2 id="prerequisites" class="group relative"> Prerequisites <a href="#prerequisites" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <ul> <li>Kubernetes cluster with Redis Enterprise operator installed</li> <li>cert-manager v1.19.0 or later installed</li> </ul> <p>If cert-manager is not already installed, see the <a href="https://cert-manager.io/docs/installation/">cert-manager installation documentation</a>.</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/manage-rec-credentials/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/manage-rec-credentials/ <p>Redis Enterprise for Kubernetes uses a custom resource called <a href="https://redis.io/docs/latest/operate/kubernetes/8.0.18/reference/api/redis_enterprise_cluster_api/"><code>RedisEnterpriseCluster</code></a> to create a Redis Enterprise cluster (REC). During creation, it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) <a href="https://kubernetes.io/docs/concepts/configuration/secret/">secret</a>. The secret name defaults to the cluster name and is specified by the <code>clusterCredentialSecretName</code> field in the REC specification.</p> <div class="alert p-3 relative flex flex-row flex-wrap items-center text-base bg-redis-pencil-200 rounded-md"> <div class="p-2 pr-5"><svg width="21" height="21" viewBox="0 0 21 21" fill="none" xmlns="http://www.w3.org/2000/svg"> <circle cx="10.5" cy="10.5" r="9.75" stroke="currentColor" stroke-width="1.5"/> <path d="M10.5 14V16" stroke="currentColor" stroke-width="2"/> <path d="M10.5 5V12" stroke="currentColor" stroke-width="2"/> </svg> </div> <div class="p-1 pl-4 sm:pl-6 border-l border-l-redis-ink-900 border-opacity-50 flex-1"> <div class="font-medium">Note:</div> This procedure is only supported for operator versions 6.0.20-12 and above.</div> </div> <h2 id="retrieve-the-current-username-and-password" class="group relative"> Retrieve the current username and password <a href="#retrieve-the-current-username-and-password" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>The credentials can be used to access the Redis Enterprise admin console or the API. Connectivity must be configured to the REC <a href="https://kubernetes.io/docs/concepts/workloads/pods/">pods</a> using an appropriate service (or port forwarding).</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/sso/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/sso/ <p>Redis Enterprise Software supports SAML 2.0 single sign-on (SSO) for the Cluster Manager UI with both IdP-initiated and SP-initiated authentication. User accounts are automatically created on first sign-in using just-in-time (JIT) provisioning.</p> <h2 id="idp-requirements" class="group relative"> IdP requirements <a href="#idp-requirements" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Your identity provider must support:</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/manage-rec-certificates/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/manage-rec-certificates/ <p>Redis Software for Kubernetes generates self-signed TLS certificates for each new cluster. You can replace any of those certificates with your own.</p> <p>You can manage REC certificates in two ways:</p> <ul> <li><strong><a href="#method-1-manage-certificates-with-the-rec-custom-resource">Method 1: Manage certificates with the REC custom resource</a></strong> (recommended). Store each certificate in a Kubernetes secret and reference the secret from the REC custom resource. The operator applies the certificate and keeps the cluster in sync with the secret. Use this method whenever the certificate type is exposed in <code>spec.certificates</code>.</li> <li><strong><a href="#method-2-manage-certificates-with-the-redis-software-rest-api">Method 2: Manage certificates with the Redis Software REST API</a></strong>. Call the cluster's REST API directly, bypassing the operator. Use this method only when you need to follow the Redis Software procedure for a cluster that does not define the certificate in <code>spec.certificates</code>. The operator overwrites changes made this way if the same certificate is also defined in the REC custom resource.</li> </ul> <p>For the list of certificates and what each one encrypts, see the <a href="https://redis.io/docs/latest/operate/rs/security/certificates/">certificates table</a>.</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/add-client-certificates/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/add-client-certificates/ <p>For each client certificate you want to use with your database, you need to create a Kubernetes secret to hold it. You can then reference that secret in your Redis Enterprise database (REDB) custom resource spec.</p> <h2 id="create-a-secret-to-hold-the-new-certificate" class="group relative"> Create a secret to hold the new certificate <a href="#create-a-secret-to-hold-the-new-certificate" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <ol> <li> <p><a href="https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-config-file/">Create the secret config file</a> with the required fields shown below.</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/ldap/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/ldap/ <h2 id="ldap-support-for-redis-enterprise-software" class="group relative"> LDAP support for Redis Enterprise Software <a href="#ldap-support-for-redis-enterprise-software" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Redis Enterprise Software supports LDAP authentication and authorization through <a href="https://redis.io/docs/latest/operate/rs/security/access-control/">role-based access controls</a> (RBAC). You can map LDAP groups to <a href="https://redis.io/docs/latest/operate/rs/security/access-control/">Redis Enterprise roles</a> to control access to your database and the Cluster Manager UI. For more details on how LDAP works with Redis Enterprise, see <a href="https://redis.io/docs/latest/operate/rs/security/access-control/ldap/">LDAP authentication</a>.</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/configuration-secrets/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/configuration-secrets/ <p>You can store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management. When you update these Secrets, the operator immediately reads the changes and propagates them to the Redis Enterprise Cluster (REC).</p> <h2 id="license-configuration" class="group relative"> License configuration <a href="#license-configuration" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Redis Enterprise clusters require a valid license. You can apply licenses using Kubernetes Secrets (recommended) or embed them directly in the cluster specification.</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/vault/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/vault/ <p>You can configure HashiCorp Vault as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging.</p> <h2 id="what-secrets-are-managed-by-vault" class="group relative"> What secrets are managed by Vault? <a href="#what-secrets-are-managed-by-vault" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>When Vault integration is enabled, all secrets referenced in Redis Enterprise custom resources are retrieved from Vault instead of Kubernetes secrets, including:</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/allow-resource-adjustment/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/allow-resource-adjustment/ <p>Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets <code>allowPrivilegeEscalation</code> to <code>false</code>. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later.</p> <h2 id="default-behavior" class="group relative"> Default behavior <a href="#default-behavior" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Automatic resource adjustment is disabled by default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has <code>allowAutoAdjustment</code> set to <code>false</code> or removed.</p> https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/internode-encryption/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/internode-encryption/ <p>Internode encryption provides added security by encrypting communication between nodes in your Redis Enterprise cluster (REC).</p> <h2 id="enable-internode-encryption" class="group relative"> Enable internode encryption <a href="#enable-internode-encryption" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Enable internode encryption in the <code>spec</code> section of your REC custom resource file.</p>