Note: For architectural context, see architecture.md. For getting started, see the root README.

This platform is designed with the following primary security goals:

• Eliminate public exposure of the Kubernetes control plane
• Enforce strict network segmentation
• Prefer identity-based authentication over static credentials
• Prevent secret leakage in source control or CI/CD pipelines
• Limit blast radius through scoped permissions
• Protect application and database communication paths

Security controls are implemented across network, identity, compute, and application layers.

• AKS API server is private
• No public Kubernetes endpoint
• Cluster access restricted to resources within the Virtual Network (VNet)

The VNet is segmented into:

• Application Gateway subnet (public ingress)
• AKS subnet (private compute)
• Management subnet (jumphost and self-hosted runner)
• Database subnet (postgres flexible server)

Only the Application Gateway exposes a public endpoint.

• Azure PostgreSQL Flexible Server uses private networking
• No public database endpoint
• Accessible only from the AKS subnet

All internal service-to-service communication remains within the VNet boundary.

• OIDC federation or Azure Service Connections
• No long-lived cloud credentials stored in pipelines
• Scoped RBAC permissions assigned to service principals
• Separate connections for different environments (dev/prod)

• Used where possible for Azure resource access
• Reduces credential management overhead

• Role-Based Access Control enforced within the cluster
• Namespaced workload isolation
• Principle of least privilege applied to service accounts

• Centralized storage for sensitive values
• Secrets not stored in Git repositories
• Secrets not embedded in Terraform or pipeline code

• Synchronizes secrets from Key Vault into Kubernetes
• Avoids hardcoded Kubernetes Secret manifests
• Enables centralized secret rotation

• No plaintext secrets in CI/CD definitions
• Secure variables stored in Azure DevOps
• Identity-based authentication preferred over static secrets

• Runs inside the VNet
• No exposure of cluster credentials to public agents
• Direct private access to AKS

• Terraform state stored in a remote Azure Storage backend
• Access to state restricted via RBAC
• No local state files committed to the repository

• No direct kubectl access from public networks
• Deployments executed only through controlled pipelines

• TLS certificates managed via cert-manager
• HTTPS enforced at the Application Gateway
• Gateway API manages routing rules
• No direct pod exposure to the internet

• No public Kubernetes API
• No public database endpoint
• Single public ingress point (Application Gateway)

• OIDC instead of long-lived secrets
• Managed identities instead of static keys
• Key Vault integration for centralized secret control

• Subnet segmentation
• Scoped IAM roles
• Kubernetes RBAC enforcement

This platform enforces:

• Network isolation by default
• Identity-first authentication
• Centralized secret management
• Least-privilege access control
• A single controlled ingress boundary

• ← Back to README
• ← architecture.md