# Security

Security configuration and best practices.
## Service accounts

Playpen uses Kubernetes service accounts for pod authentication:

### Jenkins agent

### Platform services
## Secrets management

### Store credentials in secrets

```bash
# Create secret
kubectl create secret generic my-secret \
  --from-literal=username=admin \
  --from-literal=password=secret \
  -n playpen-apps
```

Values passed with `--from-literal` end up in your shell history; `--from-file` (or piping a manifest to `kubectl apply`) avoids that.
### Use in deployments

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
        - name: app
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: password
```
## OIDC authentication

Use Dex for application authentication:

```python
import os

# Get token
# get_oidc_token is not defined here: it is the client-credentials helper
# covered in the Identity guide. Client id and secret come from the
# environment (populated from a Secret, see above), never from source.
token = get_oidc_token(
    client_id=os.getenv('OIDC_CLIENT_ID'),
    client_secret=os.getenv('OIDC_CLIENT_SECRET'),
    issuer_url='http://dex.playpen-platform.svc.cluster.local:5556/dex'
)

# Use token in requests
headers = {'Authorization': f'Bearer {token}'}
```

See the Identity guide for detailed integration.
## Image security

### Use trusted base images

Always use Playpen base images:

### Scan images
## Network policies

Optional network policies for pod isolation:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: playpen-apps
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```

Because `policyTypes` lists both `Ingress` and `Egress` and the policy carries no rules, it blocks all traffic to and from every pod in `playpen-apps`, including DNS lookups. Pair it with explicit allow policies for the traffic each application needs.
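The following script, added here as an example and not part of the Playpen project, summarises what the policies selecting a given pod actually do and warns about the DNS gotcha described above. The sample input is constructed: the `deny-all` policy from this page plus an assumed `allow-dns` policy, in the JSON shape `kubectl get networkpolicy -n playpen-apps -o json` returns. Only `matchLabels` selectors and numeric ports are modelled.

```python
"""Report how a namespace's NetworkPolicies affect one pod (example, not Playpen code)."""


def selector_matches(selector: dict, labels: dict) -> bool:
    """An empty podSelector ({}) selects every pod in the namespace (matchLabels only)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def isolation_report(policy_list: dict, pod_labels: dict) -> dict:
    """Which policies select the pod, what they isolate, and whether DNS egress survives."""
    report = {"policies": [], "ingress_isolated": False, "egress_isolated": False,
              "dns_egress_allowed": False, "warnings": []}
    for policy in policy_list.get("items", []):
        spec = policy["spec"]
        if not selector_matches(spec.get("podSelector", {}), pod_labels):
            continue
        report["policies"].append(policy["metadata"]["name"])
        # Kubernetes default for policyTypes: Ingress always, Egress only if egress rules exist.
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Ingress" in types:
            report["ingress_isolated"] = True
        if "Egress" in types:
            report["egress_isolated"] = True
        for rule in spec.get("egress", []):
            ports = rule.get("ports")
            # A rule without `ports` allows every port to its peers.
            if ports is None or any(p.get("port") == 53 for p in ports):
                report["dns_egress_allowed"] = True
    if report["egress_isolated"] and not report["dns_egress_allowed"]:
        report["warnings"].append("egress is denied and no policy allows port 53: pods cannot resolve names")
    if not report["policies"]:
        report["warnings"].append("no policy selects this pod: all traffic is allowed")
    return report


# Constructed sample: the deny-all policy from this page ...
DENY_ALL = {"metadata": {"name": "deny-all", "namespace": "playpen-apps"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

# ... and an assumed companion policy (not on this page) that lets pods reach cluster DNS.
ALLOW_DNS = {"metadata": {"name": "allow-dns", "namespace": "playpen-apps"},
             "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                      "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                                  "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]}}

if __name__ == "__main__":
    for items in ([DENY_ALL], [DENY_ALL, ALLOW_DNS]):
        print([p["metadata"]["name"] for p in items], isolation_report({"items": items}, {"app": "my-app"}))
```

Run it against the real objects by replacing the constructed dicts with the parsed output of `kubectl get networkpolicy -n playpen-apps -o json`; a `warnings` entry about port 53 means the deny-all policy needs a DNS allow rule before any app in the namespace will work.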
## RBAC

### Role and RoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-deployer
  namespace: playpen-apps
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-deployer-binding
  namespace: playpen-apps
subjects:
  - kind: ServiceAccount
    name: jenkins-agent
    namespace: playpen-platform
roleRef:
  kind: Role
  name: app-deployer
  apiGroup: rbac.authorization.k8s.io
```
## Best practices

### Never hard-code secrets
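One way to enforce this rule, as an added example that is not Playpen project code: scan Deployments for credential-like environment variables that are not wired through `secretKeyRef` the way the "Use in deployments" manifest above is. The input is the JSON that `kubectl get deployments -n playpen-apps -o json` returns; the sample below is constructed, reusing the `my-app` and `my-secret` names from this page plus an invented `legacy-app` with two violations. The name pattern is an assumption to tune to your own conventions.

```python
"""Flag Deployment env vars that look like credentials but are not sourced from a Secret."""
import json
import re

# Env var names that usually carry credentials (assumption: adjust to your naming).
SENSITIVE_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.IGNORECASE)


def find_hardcoded_secrets(deployment_list: dict) -> list:
    """Return one finding per sensitive-looking env var that is a literal `value`
    or is sourced from anything other than `valueFrom.secretKeyRef`."""
    findings = []
    for deploy in deployment_list.get("items", []):
        dname = deploy["metadata"]["name"]
        pod_spec = deploy["spec"]["template"]["spec"]
        containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
        for container in containers:
            for env in container.get("env", []):
                if not SENSITIVE_NAME.search(env["name"]):
                    continue
                where = f"{dname}/{container['name']}/{env['name']}"
                if "value" in env:
                    findings.append(f"{where}: literal value in manifest; move it to a Secret and use secretKeyRef")
                elif "secretKeyRef" not in env.get("valueFrom", {}):
                    # configMapKeyRef or fieldRef for a credential-like name deserves a look too
                    findings.append(f"{where}: not sourced from a Secret (valueFrom has no secretKeyRef)")
    return findings


# Constructed sample: the clean deployment from this page and one with two problems.
SAMPLE_DEPLOYMENTS = json.loads("""
{
  "items": [
    {"metadata": {"name": "my-app"},
     "spec": {"template": {"spec": {"containers": [
       {"name": "app", "env": [
         {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "my-secret", "key": "password"}}},
         {"name": "LOG_LEVEL", "value": "info"}]}]}}}},
    {"metadata": {"name": "legacy-app"},
     "spec": {"template": {"spec": {"containers": [
       {"name": "web", "env": [
         {"name": "DB_PASSWORD", "value": "example-literal-password"},
         {"name": "API_TOKEN", "valueFrom": {"configMapKeyRef": {"name": "legacy-config", "key": "token"}}}]}]}}}}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_DEPLOYMENTS):
        print(finding)
```

Wire it into the Jenkins pipeline as a gate on rendered manifests, or run it periodically against the live namespace; `LOG_LEVEL` shows that ordinary literals are left alone.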
### Use least privilege

Grant only necessary permissions to service accounts.
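To check a Role against this rule and see who it is bound to, here is an added example (not Playpen project code). `ROLE` and `BINDING` are the `app-deployer` manifests from the RBAC section above, embedded as constructed dicts; in practice load the live objects with `kubectl get role,rolebinding -n playpen-apps -o json`. The verb and resource lists treated as sensitive are assumptions.

```python
"""Review a namespaced Role for over-broad grants and list the subjects bound to it."""

ROLE = {
    "kind": "Role",
    "metadata": {"name": "app-deployer", "namespace": "playpen-apps"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "create", "update", "patch"]},
    ],
}

BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "app-deployer-binding", "namespace": "playpen-apps"},
    "subjects": [{"kind": "ServiceAccount", "name": "jenkins-agent", "namespace": "playpen-platform"}],
    "roleRef": {"kind": "Role", "name": "app-deployer", "apiGroup": "rbac.authorization.k8s.io"},
}

# Verbs that let a subject widen its own access, and resources whose access is
# effectively credential or policy access (assumed lists; extend as needed).
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
SENSITIVE_RESOURCES = {"secrets", "roles", "rolebindings", "serviceaccounts/token"}


def review_role(role: dict) -> list:
    """Return human-readable findings; an empty list means no obvious over-grant."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
        where = f"{role['metadata']['name']} rule {i}"
        if "*" in groups or "*" in resources:
            findings.append(f"{where}: wildcard apiGroup or resource")
        if "*" in verbs:
            findings.append(f"{where}: wildcard verb")
        if verbs & ESCALATION_VERBS:
            findings.append(f"{where}: privilege-widening verb {sorted(verbs & ESCALATION_VERBS)}")
        if resources & SENSITIVE_RESOURCES:
            findings.append(f"{where}: grants access to {sorted(resources & SENSITIVE_RESOURCES)}")
    return findings


def bound_subjects(role: dict, bindings: list) -> list:
    """Return 'kind:namespace/name' for each subject that a RoleBinding in the
    Role's namespace ties to this Role (Users and Groups have no namespace)."""
    subjects = []
    for binding in bindings:
        ref = binding["roleRef"]
        same_ns = binding["metadata"]["namespace"] == role["metadata"]["namespace"]
        if ref["kind"] == "Role" and ref["name"] == role["metadata"]["name"] and same_ns:
            for s in binding.get("subjects", []):
                subjects.append(f"{s['kind']}:{s.get('namespace', '-')}/{s['name']}")
    return subjects


if __name__ == "__main__":
    print("findings:", review_role(ROLE) or "none")
    print("bound to:", bound_subjects(ROLE, [BINDING]))
```

The page's `app-deployer` Role passes clean: one API group, one resource, no wildcards and no `delete`. To confirm what the API server actually decides for the Jenkins agent, the equivalent live check is `kubectl auth can-i create deployments -n playpen-apps --as=system:serviceaccount:playpen-platform:jenkins-agent`.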
### Rotate credentials

Regularly rotate:

- OIDC client secrets
- Database passwords
- API tokens

### Enable TLS

For production-like setups, configure TLS for:

- Service-to-service communication
- External access
## Troubleshooting

### Permission denied

- Check service account permissions
- Verify RoleBinding exists
- Check namespace access
### Authentication fails

- Verify OIDC credentials
- Check token expiration
- Validate client configuration
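The expiry and client-configuration checks above, and the token usage in the OIDC section, are easier to debug with a script that decodes the token's claims and says what is wrong. This is an added example, not Playpen project code. It inspects claims only; it does not verify the signature, which remains the job of the application's OIDC library against Dex's published signing keys. The token it inspects is constructed locally with a throwaway HMAC key so the script runs offline; the issuer URL is the one from this page.

```python
"""Decode an OIDC token's claims and explain why a request may be failing (claims only)."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "http://dex.playpen-platform.svc.cluster.local:5556/dex"  # from this page


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def claims_of(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature: diagnostics only,
    never a basis for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, client_id: str, issuer: str = ISSUER, now: float = None) -> list:
    """Return human-readable problems; an empty list means the claims look usable."""
    now = time.time() if now is None else now
    problems = []
    try:
        claims = claims_of(token)
    except ValueError as exc:  # covers bad base64 and bad JSON as well
        return [f"malformed token: {exc}"]
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append(f"token expired {int(now - exp)}s ago; request a fresh one")
    if claims.get("iss") != issuer:
        problems.append(f"issuer mismatch: {claims.get('iss')!r} != {issuer!r} (check issuer_url)")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        problems.append(f"audience {aud} does not include client_id {client_id!r} (check OIDC_CLIENT_ID)")
    return problems


def make_sample_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Build an HS256 JWT so there is a realistic token to inspect (constructed; Dex
    itself signs with RSA/EC keys and this key has no meaning outside the demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed "now" so the run is reproducible
    stale = make_sample_token({"iss": ISSUER, "aud": "my-app", "sub": "jenkins", "exp": t0 - 300})
    for problem in diagnose_token(stale, client_id="my-app", now=t0):
        print(problem)
```

Pass a real token from the application's environment to `diagnose_token` with the client id it was configured with; an issuer mismatch usually points at a wrong `issuer_url`, and a wrong audience at a token requested for a different OIDC client.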
## Next steps

- Learn about identity management
- Configure platform services