We actively maintain security updates for the following versions:

| Version | Supported |
|---|---|
| 0.3.x | ✅ |
| < 0.3 | ✅ |
We take security vulnerabilities seriously. If you discover a security issue, please follow these guidelines:
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please:
- Email: Send details to [email protected]
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Response Time: We aim to respond within 48 hours
- Resolution Time: Critical issues will be addressed within 7 days
Once a report is received, it moves through the following stages:
- Acknowledgment - We'll confirm receipt of your report
- Assessment - We'll evaluate the severity and impact
- Fix Development - We'll develop and test a fix
- Coordinated Disclosure - We'll agree a disclosure date with you and publish together
- Security Advisory - We'll publish a security advisory if needed
The relay's container image and runtime are hardened as follows:
- Minimal Attack Surface: Scratch-based container with only the relay binary and the files it needs
- Non-root User: Runs as an unprivileged user (UID 1001)
- Read-only Filesystem: Root filesystem is read-only
- No Shell Access: No shell or debug tools in the production image
- Secure Defaults: Security-first configuration out of the box
- API Key Authentication: Authenticates to Rancher with Rancher API keys (access key and secret key)
- HTTPS Only: All communication with the Rancher API is over HTTPS; plain HTTP endpoints are refused
- Certificate Validation: Full TLS certificate validation; verification is never disabled
- Secrets Management: Supports Kubernetes Secrets for credential management
- Health Checks: Built-in health and readiness endpoints
- Audit Logging: Comprehensive logging for security monitoring
- Metrics: Security-relevant metrics exposed via a Prometheus endpoint
- Fail-Safe: Fails closed on connectivity or authentication errors instead of falling back to less secure behaviour
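As an added illustration of the client-side properties listed above (HTTPS only, certificate validation, API key authentication, fail-safe), the following Go program shows how such a client is typically built. It is example code written for this page, not the relay's own source: the function names are assumed, the endpoint and key values are constructed, and the only Rancher-specific fact it relies on is that a Rancher API key is presented as `Authorization: Bearer <access key>:<secret key>`.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// bearerToken builds the Authorization header value for a Rancher API key.
// Rancher's bearer token is the access key and the secret key joined by a
// colon. CR/LF are refused so a bad value cannot inject extra headers.
func bearerToken(accessKey, secretKey string) (string, error) {
	if accessKey == "" || secretKey == "" {
		return "", errors.New("rancher API key is incomplete")
	}
	if strings.ContainsAny(accessKey+secretKey, "\r\n") {
		return "", errors.New("rancher API key contains control characters")
	}
	return "Bearer " + accessKey + ":" + secretKey, nil
}

// parseRancherURL accepts only https:// base URLs. A plain http:// value is
// refused rather than silently upgraded, so a misconfiguration fails closed.
func parseRancherURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("rancher URL must be https://host[:port], got %q", raw)
	}
	return u, nil
}

// newClient returns an HTTP client with explicit timeouts and TLS 1.2 as the
// floor. Certificate verification stays on (no InsecureSkipVerify), and
// redirects are not followed, so the token is only ever sent to the
// configured host.
func newClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig:     &tls.Config{MinVersion: tls.VersionTLS12},
			TLSHandshakeTimeout: 5 * time.Second,
		},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("redirects are not followed")
		},
	}
}

// rancherGet performs an authenticated GET against apiPath under base and
// returns the response body (capped at 8 MiB). Any TLS, network or non-2xx
// failure is returned as an error; there is no retry over plaintext or with
// verification relaxed.
func rancherGet(ctx context.Context, c *http.Client, base *url.URL, apiPath, accessKey, secretKey string) ([]byte, error) {
	token, err := bearerToken(accessKey, secretKey)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, base.JoinPath(apiPath).String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", token)
	req.Header.Set("Accept", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return nil, fmt.Errorf("rancher request failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return nil, fmt.Errorf("rancher returned HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 8<<20))
}

func main() {
	// Constructed values; nothing here is a real Rancher endpoint or key.
	if _, err := parseRancherURL("http://rancher.example.internal"); err != nil {
		fmt.Println("refused:", err)
	}
	base, _ := parseRancherURL("https://rancher.example.internal")
	_, err := rancherGet(context.Background(), newClient(), base, "/v3/clusters", "token-abcde", "examplesecret")
	fmt.Println("offline call fails closed:", err != nil)
}
```

The important property is what is absent: there is no code path that downgrades to HTTP, sets `InsecureSkipVerify`, or follows a redirect to another host carrying the token. A self-signed or mis-issued Rancher certificate therefore produces an error from `rancherGet`, not a silent success.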
Our CI/CD pipeline includes comprehensive security scanning:
| Tool | Purpose | Frequency |
|---|---|---|
| GitLeaks | Secret detection | Every commit |
| CodeQL | Static analysis (SAST) | Every commit |
| Gosec | Go security analyzer | Every commit |
| Trivy | Vulnerability scanning | Every build |
| Grype | Container image scanning | Every build |
| Checkov | Infrastructure as Code | Every commit |
- ✅ Source code security analysis
- ✅ Dependency vulnerability scanning
- ✅ Container image vulnerabilities
- ✅ Dockerfile security best practices
- ✅ Kubernetes manifest security
- ✅ Helm chart security
- ✅ Secret detection in code/config
- ✅ License compliance
```yaml
# Recommended security context (Helm chart values; podSecurityContext is the
# chart's key for the pod-level securityContext, not a Pod API field)
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1001
  runAsGroup: 1001

podSecurityContext:
  fsGroup: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  runAsUser: 1001
```
```yaml
# Recommended network policy: the relay needs DNS and HTTPS out, and only
# the metrics scraper needs in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rancher-monitoring-relay
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: rancher-monitoring-relay
  policyTypes:
    - Ingress
    - Egress
  egress:
    # DNS to kube-dns. Once Egress is listed in policyTypes everything not
    # allowed here is denied, so without this rule the relay cannot resolve
    # the Rancher hostname.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS to Rancher. With no `to` selector this allows port 443 to any
    # destination; narrow it with an ipBlock once the Rancher address is known.
    - ports:
        - protocol: TCP
          port: 443
  ingress:
    # Metrics endpoint. An empty `from` list admits every source; replace it
    # with a namespaceSelector/podSelector matching your Prometheus.
    - from: []
      ports:
        - protocol: TCP
          port: 9000
```
```yaml
# Prevent resource exhaustion: limits cap what a misbehaving or attacked
# relay can consume on the node
resources:
  limits:
    cpu: 500m
    memory: 512Mi
    ephemeral-storage: 100Mi
  requests:
    cpu: 100m
    memory: 128Mi
    ephemeral-storage: 50Mi
```
```yaml
# Reference an existing Kubernetes Secret instead of putting keys in values.yaml
# (inline values end up in the Helm release secret and in version control)
rancher:
  auth:
    existingSecret: "rancher-api-credentials"  # Secret in the release namespace
    accessKeySecretKey: "access-key"           # key inside the Secret holding the access key
    secretKeySecretKey: "secret-key"           # key inside the Secret holding the secret key
```
- Rotate Rancher API keys every 90 days
- Use automated secret rotation where possible
- After updating the Secret, make sure the running relay picks it up: environment variables are fixed for the life of a container, so if the chart injects the keys that way the pods must be restarted (for example with `kubectl rollout restart`), whereas files in a mounted Secret volume are refreshed by the kubelet
- Monitor for expired or compromised credentials
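Rotation only helps if the running relay actually picks the new key up. As an added example (not the project's own code), the Go snippet below reads the two keys from a Secret mounted as files, named as in the `accessKeySecretKey`/`secretKeySecretKey` values above, and reloads them on demand, so a rotated Secret takes effect without a pod restart. The mount directory, type and function names are assumptions made for this example; the sample key values are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
)

// Credentials is a Rancher API key pair.
type Credentials struct {
	AccessKey string
	SecretKey string
}

// CredentialStore reads the key pair from files in a mounted Secret volume
// and re-reads them on request, so a rotated Secret takes effect without a
// pod restart. The file names are assumed to match the chart's
// accessKeySecretKey / secretKeySecretKey values ("access-key", "secret-key").
type CredentialStore struct {
	dir, accessFile, secretFile string

	mu     sync.RWMutex
	loaded bool
	cur    Credentials
}

func NewCredentialStore(dir, accessFile, secretFile string) *CredentialStore {
	return &CredentialStore{dir: dir, accessFile: accessFile, secretFile: secretFile}
}

// readKeyFile loads one credential file. Errors name the file, never its
// contents, so they are safe to log.
func readKeyFile(path string) (string, error) {
	b, err := os.ReadFile(path) // follows the ..data symlink kubelet uses in Secret volumes
	if err != nil {
		return "", fmt.Errorf("read credential %s: %w", filepath.Base(path), err)
	}
	v := strings.TrimSpace(string(b))
	if v == "" {
		return "", fmt.Errorf("credential %s is empty", filepath.Base(path))
	}
	if strings.ContainsAny(v, " \t\r\n") {
		return "", fmt.Errorf("credential %s contains whitespace", filepath.Base(path))
	}
	return v, nil
}

// Reload re-reads both files and reports whether the pair changed. On any
// error the previously loaded pair is left untouched and the error is
// returned, so a missing or half-written Secret never yields a partial key.
func (s *CredentialStore) Reload() (bool, error) {
	access, err := readKeyFile(filepath.Join(s.dir, s.accessFile))
	if err != nil {
		return false, err
	}
	secret, err := readKeyFile(filepath.Join(s.dir, s.secretFile))
	if err != nil {
		return false, err
	}
	next := Credentials{AccessKey: access, SecretKey: secret}

	s.mu.Lock()
	defer s.mu.Unlock()
	if s.loaded && next == s.cur {
		return false, nil
	}
	s.cur, s.loaded = next, true
	return true, nil
}

// Current returns the last successfully loaded pair; ok is false before the
// first successful Reload.
func (s *CredentialStore) Current() (c Credentials, ok bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.cur, s.loaded
}

func main() {
	// Constructed stand-in for a directory such as /etc/rancher-credentials
	// mounted from the Secret; values are not real keys.
	dir, err := os.MkdirTemp("", "rancher-creds")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "access-key"), []byte("token-abcde\n"), 0o600)
	_ = os.WriteFile(filepath.Join(dir, "secret-key"), []byte("examplesecret\n"), 0o600)

	store := NewCredentialStore(dir, "access-key", "secret-key")
	changed, err := store.Reload()
	fmt.Println("first load:", changed, err)

	// Simulate rotation: only the secret half changes.
	_ = os.WriteFile(filepath.Join(dir, "secret-key"), []byte("rotatedsecret\n"), 0o600)
	changed, err = store.Reload()
	c, _ := store.Current()
	fmt.Println("after rotation:", changed, err, c.AccessKey)
}
```

Call `Reload` before each batch of Rancher requests, or on a timer, and fall back to the last good pair only for the duration of a transient read error. One caveat that the kubelet imposes: a Secret mounted with `subPath` is never refreshed, so the whole volume must be mounted for this to work.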
When deploying the relay:
- Use Latest Version: Always deploy the latest stable version
- Enable Security Context: Use the recommended security contexts
- Network Policies: Implement least-privilege network access
- Resource Limits: Set appropriate resource limits
- Secrets Management: Use Kubernetes Secrets, not inline values
- TLS/SSL: Ensure HTTPS communication to Rancher

When operating it:
- Monitoring: Enable security monitoring and alerting
- Minimal Permissions: Use least-privilege Rancher API keys, scoped to what the relay reads
- Regular Rotation: Rotate API keys regularly
- Audit Logging: Enable comprehensive logging
- Health Checks: Monitor the health endpoints
- Updates: Keep dependencies and base images updated

When contributing code:
- Dependency Scanning: Scan dependencies for vulnerabilities
- Static Analysis: Use static code analysis tools
- Secret Detection: Prevent secrets in code/config
- Security Testing: Include security tests in CI/CD
- Code Review: Require security-focused code reviews
We follow these security standards and frameworks:
- CIS Kubernetes Benchmark: Container and Kubernetes security
- OWASP Top 10: Web application security risks
- NIST Cybersecurity Framework: Overall security posture
- STIG Guidelines: Security configuration guidelines
Internally, we maintain:
- Security reviews for all major changes
- Regular security assessments
- Incident response procedures
- A vulnerability management process
Subscribe to security updates:
- GitHub: Watch repository for security advisories
- Email: Subscribe to [email protected]
- RSS: Follow our security RSS feed
Patch targets by severity:
- Critical: Emergency patches within 24 hours
- High: Patches within 7 days
- Medium: Patches within 30 days
- Low: Patches in the next regular release

Security contact:
- Email: [email protected]
- PGP Key: Available on request
- Response Time: 48 hours maximum
- Security Team: Available 24/7 for critical issues
We appreciate the security research community and will acknowledge researchers who responsibly disclose vulnerabilities:
- Hall of Fame on our website
- Public acknowledgment (with permission)
- Swag/rewards for significant findings
Last Updated: August 2025
Next Review: November 2025