Security best practices

This page summarises the security measures recommended for an ArmoniK deployment. For the full list of rules, see the Golden Rules.

Authentication and authorisation

ArmoniK supports mTLS-based authentication and a role-permission system. For any deployment beyond a local development machine, enable authentication on both the ingress and the control plane for application clients and the Admin GUI.

See How to configure authentication for the full setup guide.

Recommended minimum for production:

  • Enable mTLS on the ingress (ingress.mTLS = true).

  • Enable control plane authentication and authorisation.

  • Use custom certificates signed by your own Certificate Authority rather than the auto-generated ones.

  • Store certificates and credentials in a secrets manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault).

  • Apply least-privilege roles: grant each user only the permissions they need.

Network security

  • Place ArmoniK workers in a private VPC (or equivalent) with no direct inbound access from the internet.

  • Restrict port exposure for managed services such as ElastiCache, Amazon MQ, and MongoDB.

  • Use Kubernetes NetworkPolicies to limit pod-to-pod communication to what is strictly necessary.

  • Route external client connections through the ingress only.

Data encryption

  • Enable encryption at rest as early as possible for all storage components:

    • AWS: S3, ElastiCache, Amazon MQ, EFS

    • GCP: GCS, Cloud Memorystore, Cloud Pub/Sub

    • On-premises: enable MinIO server-side encryption and RabbitMQ TLS.

  • Enable encryption in transit for all inter-service communication (ElastiCache TLS, S3 HTTPS, MongoDB TLS).

  • Use customer-managed encryption keys where available.

Container image hygiene

  • Regularly scan Docker images for CVEs. This applies to all ArmoniK components (Control Plane, Polling Agent, Worker, Metrics Exporter, Pod Deletion Cost, Admin GUI, Meta Controller) as well as third-party images (Prometheus, Nginx, Grafana, MongoDB, Fluent-bit).

  • Keep images up to date — do not pin to old tags in production.

  • Scan worker images containing application code (e.g. DLLs loaded at runtime) as part of your CI pipeline.

Admin GUI

  • Enable authentication on the Admin GUI before exposing it outside a trusted network.

  • Do not expose the GUI on a public IP without authentication, even temporarily.

Audit and compliance

  • Enable audit logging on the Kubernetes API server to track who performed which operations and when.

  • Review role bindings and permissions periodically to remove stale access.

  • Ensure your deployment configuration is stored in version control so that changes are traceable.