minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-04-25 17:22:39 +03:00
Code
docs/source/operations/checklists/security.rst
Andrea Longo d17c896f75
attempt to remove plugin from docs (#1219) 
The Kubernetes plugin is gone, this PR replaces the procedures that use
`kubectl minio` in all its various forms. The plugin was referenced on
many pages and for many purposes so there is _a lot_ of restructuring
involved.

Some procedures no longer have CLI instructions, which can be addressed
in subsequent PRs. Everything should have at least one working method,
even if it's to use Operator Console.

- Remove references to plugin, except for pre-4.5.8 upgrade paths
- Move pre-4.5.8 upgrade paths to new child page (currently hidden from
TOC, linked in page)
- Fill in with new Kustomize, kubectl, and/or Operator Console steps.

A handful of old screen captures still to be updated

Staged:
- [Operator
deploy](http://192.241.195.202:9000/staging/DOCS-1213-upstream/k8s/operations/installation.html)
- [Operator
upgrade](http://192.241.195.202:9000/staging/DOCS-1213-upstream/k8s/operations/install-deploy-manage/upgrade-minio-operator.html)
- [Deploy and manage
Tenants](http://192.241.195.202:9000/staging/DOCS-1213-upstream/k8s/operations/deploy-manage-tenants.html)

Fixes https://github.com/minio/docs/issues/1213
2024-06-07 09:05:39 -06:00

2.8 KiB
Raw Permalink Blame History

Security Checklist

minio

Table of Contents

Use the following checklist when planning the security configuration for a production, distributed MinIO deployment.

Required Steps

circle Define group policies either on MinIO or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID)
circle Define individual access policies on MinIO or the selected 3rd party Identity Provider
circle (For Kubernetes deployments only) Configure the tenant(s) to use the selected 3rd party Identity Provider
circle Grant firewall access for TCP traffic to the MinIO Server S3 API Listen Port (Default: 9000).
circle Grant firewall access for TCP traffic to the MinIO Server Console Listen Port <minio-console-port-assignment> (Recommended Default: 9090).

Encryption-at-Rest <minio-sse>

MinIO supports the following external KMS providers through Key Encryption Service (KES):

  • HashiCorp Vault Root KMS <minio-sse-vault>
  • AWS Root KMS <minio-sse-aws>
  • Google Cloud Platform Secret Manager Root KMS <minio-sse-gcp>
  • Azure Key Vault Root KMS <minio-sse-azure>
circle Download and install the MinIO Key Encryption Service (KES)
circle Enable TLS
circle Generate private and public keys for KES
circle Generate private and public keys for MinIO
circle Create a KES configuration file and start the service
circle Generate an external key for the key management service (KMS)
circle Connect MinIO to the KES
circle Enable server side encryption

Encryption-in-Transit ("In flight") <minio-tls>

circle Enable TLS <minio-tls>
circle Add separate certificates and keys for each internal and external domain that accesses MinIO
circle Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2
circle Configure trusted Certificate Authority (CA) store(s)
circle Expose your Kubernetes service, such as with NGINX
circle (Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder