https://redis.io/docs/latest/operate/kubernetes/8.0/security/ Recent content in Security on Docs Hugo en https://redis.io/docs/latest/operate/kubernetes/8.0/security/manage-rec-credentials/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/manage-rec-credentials/ <p>Redis Enterprise for Kubernetes uses a custom resource called <a href="https://redis.io/docs/latest/operate/kubernetes/8.0/reference/api/redis_enterprise_cluster_api/"><code>RedisEnterpriseCluster</code></a> to create a Redis Enterprise cluster (REC). During creation, it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) <a href="https://kubernetes.io/docs/concepts/configuration/secret/">secret</a>. The secret name defaults to the cluster name and is specified by the <code>clusterCredentialSecretName</code> field in the REC specification.</p> <div class="alert p-3 relative flex flex-row flex-wrap items-center text-base bg-redis-pencil-200 rounded-md"> <div class="p-2 pr-5"><svg width="21" height="21" viewBox="0 0 21 21" fill="none" xmlns="http://www.w3.org/2000/svg"> <circle cx="10.5" cy="10.5" r="9.75" stroke="currentColor" stroke-width="1.5"/> <path d="M10.5 14V16" stroke="currentColor" stroke-width="2"/> <path d="M10.5 5V12" stroke="currentColor" stroke-width="2"/> </svg> </div> <div class="p-1 pl-4 sm:pl-6 border-l border-l-redis-ink-900 border-opacity-50 flex-1"> <div class="font-medium">Note:</div> This procedure is only supported for operator versions 6.0.20-12 and above.</div> </div> <h2 id="retrieve-the-current-username-and-password" class="group relative"> Retrieve the current username and password <a href="#retrieve-the-current-username-and-password" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>The credentials can be used to access the Redis Enterprise admin console or the API. Connectivity must be configured to the REC <a href="https://kubernetes.io/docs/concepts/workloads/pods/">pods</a> using an appropriate service (or port forwarding).</p> https://redis.io/docs/latest/operate/kubernetes/8.0/security/sso/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/sso/ <p>Redis Enterprise Software supports SAML 2.0 single sign-on (SSO) for the Cluster Manager UI with both IdP-initiated and SP-initiated authentication. User accounts are automatically created on first sign-in using just-in-time (JIT) provisioning.</p> <h2 id="idp-requirements" class="group relative"> IdP requirements <a href="#idp-requirements" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Your identity provider must support:</p> https://redis.io/docs/latest/operate/kubernetes/8.0/security/manage-rec-certificates/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/manage-rec-certificates/ <p>By default, Redis Enterprise Software for Kubernetes generates TLS certificates for the cluster during creation. These self-signed certificates are generated on the first node of each Redis Enterprise cluster (REC) and are copied to all other nodes added to the cluster. For the list of of certificates used by Redis Enterprise Software and the traffic they encrypt, see the <a href="https://redis.io/docs/latest/operate/rs/security/certificates/">certificates table</a>.</p> <p>To install and use your own certificates with Kubernetes on your Redis Enterprise cluster, they need to be stored in <a href="https://kubernetes.io/docs/concepts/configuration/secret/">secrets</a>. The REC custom resource also needs to be configured with those secret names to read and use the certificates.</p> https://redis.io/docs/latest/operate/kubernetes/8.0/security/add-client-certificates/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/add-client-certificates/ <p>For each client certificate you want to use with your database, you need to create a Kubernetes secret to hold it. You can then reference that secret in your Redis Enterprise database (REDB) custom resource spec.</p> <h2 id="create-a-secret-to-hold-the-new-certificate" class="group relative"> Create a secret to hold the new certificate <a href="#create-a-secret-to-hold-the-new-certificate" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <ol> <li> <p><a href="https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-config-file/">Create the secret config file</a> with the required fields shown below.</p> https://redis.io/docs/latest/operate/kubernetes/8.0/security/ldap/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/ldap/ <h2 id="ldap-support-for-redis-enterprise-software" class="group relative"> LDAP support for Redis Enterprise Software <a href="#ldap-support-for-redis-enterprise-software" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Redis Enterprise Software supports LDAP authentication and authorization through <a href="https://redis.io/docs/latest/operate/rs/security/access-control/">role-based access controls</a> (RBAC). You can map LDAP groups to <a href="https://redis.io/docs/latest/operate/rs/security/access-control/">Redis Enterprise roles</a> to control access to your database and the Cluster Manager UI. For more details on how LDAP works with Redis Enterprise, see <a href="https://redis.io/docs/latest/operate/rs/security/access-control/ldap/">LDAP authentication</a>.</p> https://redis.io/docs/latest/operate/kubernetes/8.0/security/configuration-secrets/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/configuration-secrets/ <p>You can store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management. When you update these Secrets, the operator immediately reads the changes and propagates them to the Redis Enterprise Cluster (REC).</p> <h2 id="license-configuration" class="group relative"> License configuration <a href="#license-configuration" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Redis Enterprise clusters require a valid license. You can apply licenses using Kubernetes Secrets (recommended) or embed them directly in the cluster specification.</p> https://redis.io/docs/latest/operate/kubernetes/8.0/security/vault/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/vault/ <p>You can configure HashiCorp Vault as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging.</p> <h2 id="what-secrets-are-managed-by-vault" class="group relative"> What secrets are managed by Vault? <a href="#what-secrets-are-managed-by-vault" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>When Vault integration is enabled, all secrets referenced in Redis Enterprise custom resources are retrieved from Vault instead of Kubernetes secrets, including:</p> https://redis.io/docs/latest/operate/kubernetes/8.0/security/allow-resource-adjustment/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/allow-resource-adjustment/ <p>Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets <code>allowPrivilegeEscalation</code> to <code>false</code>. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later.</p> <h2 id="default-behavior" class="group relative"> Default behavior <a href="#default-behavior" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Automatic resource adjustment is disabled by default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has <code>allowAutoAdjustment</code> set to <code>false</code> or removed.</p> https://redis.io/docs/latest/operate/kubernetes/8.0/security/internode-encryption/ Mon, 01 Jan 0001 00:00:00 +0000 https://redis.io/docs/latest/operate/kubernetes/8.0/security/internode-encryption/ <p>Internode encryption provides added security by encrypting communication between nodes in your Redis Enterprise cluster (REC).</p> <h2 id="enable-internode-encryption" class="group relative"> Enable internode encryption <a href="#enable-internode-encryption" class="header-link opacity-0 group-hover:opacity-100 transition-opacity duration-200 ml-1 align-baseline" aria-label="Link to this section" title="Copy link to clipboard"> <svg class="inline-block w-4 h-4 align-baseline" fill="currentColor" viewBox="0 0 20 20" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"></path> </svg> </a> </h2> <p>Enable internode encryption in the <code>spec</code> section of your REC custom resource file.</p>