mirror of https://github.com/minio/docs.git synced 2025-08-08 01:43:18 +03:00
docs/source/operations/checklists/security.rst
Andrea Longo d17c896f75 attempt to remove plugin from docs (#1219)
The Kubernetes plugin is gone, this PR replaces the procedures that use
`kubectl minio` in all its various forms. The plugin was referenced on
many pages and for many purposes so there is _a lot_ of restructuring
involved.

Some procedures no longer have CLI instructions, which can be addressed
in subsequent PRs. Everything should have at least one working method,
even if it's to use Operator Console.

- Remove references to plugin, except for pre-4.5.8 upgrade paths
- Move pre-4.5.8 upgrade paths to new child page (currently hidden from
TOC, linked in page)
- Fill in with new Kustomize, kubectl, and/or Operator Console steps.

A handful of old screen captures still to be updated

Staged:
- [Operator
deploy](http://192.241.195.202:9000/staging/DOCS-1213-upstream/k8s/operations/installation.html)
- [Operator
upgrade](http://192.241.195.202:9000/staging/DOCS-1213-upstream/k8s/operations/install-deploy-manage/upgrade-minio-operator.html)
- [Deploy and manage
Tenants](http://192.241.195.202:9000/staging/DOCS-1213-upstream/k8s/operations/deploy-manage-tenants.html)

Fixes https://github.com/minio/docs/issues/1213
2024-06-07 09:05:39 -06:00

.. _minio-security-checklist:

==================
Security Checklist
==================

.. default-domain:: minio

.. contents:: Table of Contents
   :local:
   :depth: 2

Use the following checklist when planning the security configuration for a production, distributed MinIO deployment.

Required Steps
--------------

.. list-table::
   :widths: auto
   :width: 100%

   * - :octicon:`circle`
     - Define group policies either on MinIO or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID)

   * - :octicon:`circle`
     - Define individual access policies on MinIO or the selected 3rd party Identity Provider

   * - :octicon:`circle`
     - (For Kubernetes deployments only) Configure the tenant(s) to use the selected 3rd party Identity Provider

   * - :octicon:`circle`
     - Grant firewall access for TCP traffic to the MinIO Server S3 API Listen Port (Default: ``9000``).

   * - :octicon:`circle`
     - Grant firewall access for TCP traffic to the :ref:`MinIO Server Console Listen Port <minio-console-port-assignment>` (Recommended Default: ``9090``).

:ref:`Encryption-at-Rest <minio-sse>`
-------------------------------------

MinIO supports the following external KMS providers through Key Encryption Service (KES):

- :ref:`HashiCorp Vault Root KMS <minio-sse-vault>`
- :ref:`AWS Root KMS <minio-sse-aws>`
- :ref:`Google Cloud Platform Secret Manager Root KMS <minio-sse-gcp>`
- :ref:`Azure Key Vault Root KMS <minio-sse-azure>`

.. list-table::
   :widths: auto
   :width: 100%

   * - :octicon:`circle`
     - Download and install the MinIO Key Encryption Service (KES)

   * - :octicon:`circle`
     - Enable TLS

   * - :octicon:`circle`
     - Generate private and public keys for KES

   * - :octicon:`circle`
     - Generate private and public keys for MinIO

   * - :octicon:`circle`
     - Create a KES configuration file and start the service

   * - :octicon:`circle`
     - Generate an external key for the key management service (KMS)

   * - :octicon:`circle`
     - Connect MinIO to the KES

   * - :octicon:`circle`
     - Enable server side encryption

:ref:`Encryption-in-Transit ("In flight") <minio-tls>`
------------------------------------------------------

.. list-table::
   :widths: auto
   :width: 100%

   * - :octicon:`circle`
     - :ref:`Enable TLS <minio-tls>`

   * - :octicon:`circle`
     - Add separate certificates and keys for each internal and external domain that accesses MinIO

   * - :octicon:`circle`
     - Generate public and private TLS keys using a supported cipher for TLS 1.3 or TLS 1.2

   * - :octicon:`circle`
     - Configure trusted Certificate Authority (CA) store(s)

   * - :octicon:`circle`
     - Expose your Kubernetes service, such as with NGINX

   * - :octicon:`circle`
     - (Optional) Validate certificates, such as with https://www.sslchecker.com/certdecoder
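The following Go program is an added example, not code from the MinIO documentation or from the MinIO or KES projects. It walks the in-transit checklist above end to end: it generates ECDSA P-256 key pairs (accepted by both TLS 1.2 and TLS 1.3 cipher suites), issues one certificate per domain rather than one certificate naming every domain, builds a trusted CA store, validates each certificate for the host it is presented on, and pins the server's minimum protocol version to TLS 1.2. The self-signed root, the hostnames ``minio.internal.example`` and ``s3.example.com``, and every function name are constructed for the example; a real deployment issues the leaves from its internal PKI or a public CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issuedCert pairs a certificate with the private key it was issued for.
type issuedCert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates an ECDSA P-256 key (accepted by TLS 1.2 and TLS 1.3 suites) and signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *issuedCert) (*issuedCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuedCert{Cert: cert, Key: key}, nil
}

// newCA creates a self-signed root, a hypothetical stand-in for the internal PKI or public CA a real deployment uses.
func newCA(name string) (*issuedCert, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour), // tolerate small clock skew
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// issueServerCert issues a leaf for exactly one hostname: one certificate per internal or external domain, as the checklist asks.
func issueServerCert(ca *issuedCert, host string, serial int64) (*issuedCert, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verifiers match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// validateForHost is the "validate certificates" step: the leaf must chain to the trusted CA store, be within its validity window and name the accessed host.
func validateForHost(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// isHostnameMismatch reports whether validation failed because the certificate was presented on a domain it was not issued for.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// serverTLSConfig serves the leaf and refuses anything older than TLS 1.2.
func serverTLSConfig(c *issuedCert) *tls.Config {
	cert := tls.Certificate{Certificate: [][]byte{c.Cert.Raw}, PrivateKey: c.Key, Leaf: c.Cert}
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}}
}

func main() {
	ca, _ := newCA("Example Internal CA")
	internal, _ := issueServerCert(ca, "minio.internal.example", 2)
	external, _ := issueServerCert(ca, "s3.example.com", 3)
	fmt.Println("internal cert on internal domain:", validateForHost(internal.Cert, "minio.internal.example", ca.Cert))
	fmt.Println("external cert on external domain:", validateForHost(external.Cert, "s3.example.com", ca.Cert))
	fmt.Println("internal cert on external domain:", validateForHost(internal.Cert, "s3.example.com", ca.Cert))
	_ = serverTLSConfig(external) // would be handed to an http.Server's TLSConfig
}
```

The third check in ``main`` deliberately presents the internal-domain certificate on the external domain and fails with a hostname error even though the chain is trusted, which is the failure that per-domain certificates plus SAN-based validation are meant to surface before a client does. When deploying the generated material to a MinIO server, the leaf and key for the primary domain go in ``${HOME}/.minio/certs/public.crt`` and ``${HOME}/.minio/certs/private.key``, and any CA certificate the server must trust (including the root that signed a KES or peer certificate) goes under ``${HOME}/.minio/certs/CAs/``.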