Security Considerations
Control Center is a powerful tool that simplifies the management of Vaadin applications on Kubernetes clusters. However, it’s essential to consider security when deploying and using Control Center. This page outlines the security implications of using the software.
Cluster-Wide Administrator Privileges
During installation, Control Center requires cluster-wide administrator privileges to manage resources across namespaces. This is used by Control Center to install its dependencies in your cluster.
Granting these privileges can pose a security risk. It gives Control Center access to all resources across the cluster, which is unnecessary for its normal operation. To mitigate this risk, you can install Control Center without administrator privileges and manually install its dependencies. This way, you can reduce the potential impact of a security breach.
The instructions for installing Control Center without cluster-wide administrator privileges are in the section Installation of Dependencies.
Config Map and Secrets Access Policy
Control Center uses config maps and secrets to store configuration data and sensitive information, such as database credentials and API keys. It’s crucial to secure these resources to prevent unauthorized access. Applications deployed by Control Center also use config maps to store deployment-specific data.
When you install Control Center without cluster-wide administrator privileges — as recommended for production deployment — it’ll only be allowed access to config maps and secrets within the dedicated namespace created during installation. It won’t have access to resources outside of this namespace.
Conversely, if Control Center is installed with cluster-wide administrator privileges, it’ll have access to all resources in the cluster. Again, this can pose a security risk since Control Center could potentially access sensitive information from other namespaces.
Applications deployed by Control Center only have access to the config maps created for them by Control Center. They don’t have access to other config maps or secrets in the same namespace or in the cluster. This means you can be sure that applications deployed by Control Center cannot access sensitive information from other applications or services.
Control Center Starter
Adding the Control Center starter dependency to your application allows it to be managed by Control Center. It also introduces the following security considerations:
Actuator Endpoints
An actuator endpoint is a public HTTP endpoint that provides information about the application’s health, metrics, and other operational data. The Control Center starter exposes three endpoints by default:
-
/actuator/health/liveness: Used by Kubernetes to check if the application is running. -
/actuator/health/readiness: Used by Kubernetes to check if the application is ready to receive traffic. -
/actuator/vaadin: Used by Control Center to determine relevant application information, such as the Vaadin version used and activated features (i.e., Localization).
Identity Management
When the Identity Management feature is enabled, the application is configured to use Keycloak for authentication and authorization. The users, groups, and roles are managed by Control Center, which is backed by a Keycloak instance. This requires the Keycloak instance to be accessible outside the cluster, which introduces a potential for disruption if it’s compromised.
Control Center prompts for Keycloak administrator credentials during installation. It uses these to create the administrator user for the Keycloak instance. It’s important to keep these credentials secure, as they provide full access to the Keycloak instance, including users, groups, and roles created via Control Center.