🛡️ SECURITY & IDENTITY

Defense in depth

Zero-trust security: SSO, secrets management, policy enforcement, runtime detection, and certificate automation.

Zero-trust security layers

1. Identity: Keycloak, OIDC SSO across all services
2. Secrets: Vault + ESO, encrypted at rest, synced into pods
3. Policy: Kyverno, admission control, mutation, and validation
4. Runtime: Falco, eBPF-based anomaly detection
5. Scanning: Kubescape, CIS, NSA, and MITRE compliance

Single sign-on everywhere

One Keycloak login grants access to every service on the platform. No separate credentials.

Vault
Harbor
Grafana
ArgoCD
OneDev
AFFiNE
Backstage
APISIX Dashboard
Supabase
Matomo

Secrets management

Zero secrets in Git. Nothing is hand-written into etcd: every Kubernetes Secret is materialized from Vault by the External Secrets Operator, so Vault stays the single source of truth. The synced Secret objects do still live in etcd, so Kubernetes-side encryption at rest is still needed to keep them unreadable there.

graph TD
  TF["Terraform"]:::terraform
  VAULT["Vault
HA / 3 Raft replicas
Encrypted at rest"]:::vault
  CSS["ClusterSecretStore
vault-backend"]:::store
  ES["ExternalSecret
Per-app, per-namespace"]:::external
  KS["Kubernetes Secret
Mounted as env or volume"]:::k8s
  POD["Pod
Consumes secret transparently"]:::pod

  TF -->|"Provision secrets"| VAULT
  VAULT --> CSS
  CSS --> ES
  ES --> KS
  KS --> POD

  classDef terraform fill:#0e3a3a,stroke:#06b6d4,color:#67e8f9,stroke-width:2px
  classDef vault fill:#2e2a0e,stroke:#facc15,color:#fde68a,stroke-width:2px
  classDef store fill:#14332a,stroke:#4ade80,color:#86efac,stroke-width:2px
  classDef external fill:#2e1a47,stroke:#a78bfa,color:#c4b5fd,stroke-width:2px
  classDef k8s fill:#1e3a5f,stroke:#60a5fa,color:#93c5fd,stroke-width:2px
  classDef pod fill:#2e1a0e,stroke:#f97316,color:#fdba74,stroke-width:2px
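As an added example (not a manifest from the page or the platform itself), the two objects in the middle of that chain: a ClusterSecretStore named vault-backend that authenticates to Vault with the Kubernetes auth method, a per-app ExternalSecret that pulls one KV v2 entry into a Kubernetes Secret, and the workload that consumes it as an environment variable. The Vault address, the "kv" and "kubernetes" mount paths, the role name, the apps/grafana path and the image tag are assumptions.

```yaml
# Added example, not the platform's own manifests. The Vault address, the
# "kv" and "kubernetes" mount paths, the role name and the apps/grafana path
# are assumptions.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.vault.svc:8200"
      path: "kv"          # KV v2 secrets engine mount
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"     # Vault Kubernetes auth method mount
          role: "external-secrets"    # Vault role bound to this ServiceAccount
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-admin
  namespace: monitoring
spec:
  refreshInterval: 1h                 # re-read Vault; rotation propagates without a redeploy
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: grafana-admin               # the Kubernetes Secret ESO creates
    creationPolicy: Owner             # garbage-collected with the ExternalSecret
  data:
    - secretKey: admin-password       # key inside the Kubernetes Secret
      remoteRef:
        key: apps/grafana             # kv/data/apps/grafana in Vault
        property: admin_password
---
# The workload never talks to Vault; it reads the synced Secret like any other.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  selector:
    matchLabels: {app.kubernetes.io/name: grafana}
  template:
    metadata:
      labels: {app.kubernetes.io/name: grafana}
    spec:
      containers:
        - name: grafana
          image: grafana/grafana:11.2.0   # assumption
          env:
            - name: GF_SECURITY_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-admin
                  key: admin-password
```

Two checks worth making on a setup like this: the Vault policy attached to the external-secrets role should grant read only on the paths the cluster actually needs (for example kv/data/apps/*), not the whole mount; and because a ClusterSecretStore is reachable from every namespace, its spec.conditions field should be used to restrict which namespaces may reference it if tenants are not supposed to share a Vault identity.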

All components

Keycloak

production

Enterprise identity and access management with OIDC, SAML, social login, and LDAP integration.

Role: Centralized SSO for all platform services — Vault, Harbor, Grafana, ArgoCD, OneDev, AFFiNE

HashiCorp Vault

production

Secrets management, encryption as a service, and privileged access management.

Role: HA deployment (3-replica Raft cluster) storing all platform secrets, DNS credentials, TLS certificates

External Secrets Operator

production

Kubernetes operator that synchronizes secrets from external stores into Kubernetes secrets.

Role: Bridges Vault and Kubernetes: syncs Vault secrets into Kubernetes Secrets for pods to consume, and pushes issued certificates back into Vault (PushSecret)

cert-manager

production

Automatic TLS certificate management with Let's Encrypt ACME protocol support.

Role: Automated certificate issuance via DNS-01 challenges with Cloudflare
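An added example of the DNS-01 setup described above, not a manifest from the platform: a ClusterIssuer that solves challenges through Cloudflare with an API token, and a Certificate that requests a cert through it. The issuer name, e-mail address, domain, and Secret names are assumptions; the Cloudflare token Secret is assumed to be synced from Vault by ESO rather than committed to Git.

```yaml
# Added example, not the platform's own manifests. Issuer name, e-mail,
# domain and Secret names are assumptions.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                    # assumption
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key     # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            # For a ClusterIssuer this Secret must live in cert-manager's own
            # namespace. Scope the token to Zone:DNS:Edit on this zone only.
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - example.com                     # only solve challenges for this zone
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grafana-tls
  namespace: monitoring
spec:
  secretName: grafana-tls                     # kubernetes.io/tls Secret that gets issued
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dns01
  dnsNames:
    - grafana.example.com                     # assumption
```

DNS-01 is what makes this work for services that are not reachable from the public internet, since Let's Encrypt only has to observe a TXT record. The trade-off is that the Cloudflare token is itself a high-value secret: anyone who reads it can obtain certificates for every name the token can edit, which is why the zone selector and a token scoped to a single zone matter.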

Kyverno

production

Kubernetes-native policy engine for validation, mutation, and generation of resources.

Role: Enforces security policies: label requirements, container restrictions, cross-tenant isolation
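An added example covering the three kinds of policy listed above, written for this page and not taken from the platform's own policy set: one ClusterPolicy that rejects workloads missing a required label, one that blocks privileged containers and host namespaces, and one that generates a default-deny NetworkPolicy in every new tenant namespace. The label key, the excluded namespace names, and the choice of Enforce over Audit are assumptions.

```yaml
# Added example, not the platform's own policies. Label key, excluded
# namespace names and the Enforce action are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-app-label
spec:
  validationFailureAction: Enforce   # reject at admission; switch to Audit to dry-run
  background: true                   # also report existing resources that fail
  rules:
    - name: check-app-name
      match:
        any:
          - resources:
              kinds: [Deployment, StatefulSet, DaemonSet, Job, CronJob]
      validate:
        message: "The label app.kubernetes.io/name is required."
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"   # any non-empty value
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  rules:
    - name: no-privileged-or-host-namespaces
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Privileged containers and host PID/network are not allowed."
        # =(field) anchors: the field may be absent, but if present it must match.
        pattern:
          spec:
            =(hostPID): "false"
            =(hostNetwork): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-deny-per-namespace
spec:
  rules:
    - name: generate-default-deny-ingress
      match:
        any:
          - resources:
              kinds: [Namespace]
      exclude:
        any:
          - resources:
              names: [kube-system, kube-public, kube-node-lease]   # assumption
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-ingress
        namespace: "{{request.object.metadata.name}}"
        synchronize: true          # re-create it if a tenant deletes it
        data:
          spec:
            podSelector: {}        # every pod in the namespace
            policyTypes: [Ingress] # no ingress unless another policy allows it
```

The generate rule is what gives cross-tenant isolation: every namespace starts closed and each tenant must add explicit allow rules, rather than starting open and relying on people to remember to add a deny. Keep the Pod-level policy matched on Pod rather than Deployment so it also catches pods created directly or by other controllers.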

Falco

production

Runtime security monitoring using eBPF probes to detect anomalous container behavior.

Role: Real-time threat detection: shell spawning, privilege escalation, sensitive file access
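An added example of rules for the three behaviours listed above, written for this page rather than taken from the platform's Falco configuration. The macros and lists are given names distinct from the upstream defaults so the file can be loaded alongside them without overriding anything; the approved debug-image allowlist and the priorities are assumptions.

```yaml
# Added example rules, not the platform's own Falco rule set. Macro and list
# names are distinct from the upstream defaults on purpose; the debug-image
# allowlist and the priorities are assumptions.
- list: shell_binaries
  items: [sh, bash, dash, zsh, ash]

- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]

- list: approved_debug_images
  items: ["registry.example.com/tools/netshoot"]   # assumption

# Process exec completed (the '<' direction is the syscall return).
- macro: exec_event
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# Event attributed to a container rather than the host.
- macro: in_container
  condition: (container.id != host)

# A regular file opened for reading, where the open did not fail.
- macro: file_open_for_read
  condition: (evt.type in (open, openat, openat2) and evt.is_open_read=true
              and fd.typechar='f' and fd.num>=0)

- rule: Shell spawned in container
  desc: >
    A shell binary was executed inside a container whose image is not an
    approved debugging image. Covers kubectl exec abuse and post-exploitation.
  condition: >
    exec_event and in_container
    and proc.name in (shell_binaries)
    and not container.image.repository in (approved_debug_images)
  output: >
    Shell in container (user=%user.name cmd=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]

- rule: Sensitive file read in container
  desc: A process in a container read a credential or authentication file.
  condition: >
    file_open_for_read and in_container and fd.name in (sensitive_files)
  output: >
    Sensitive file opened for reading (file=%fd.name user=%user.name
    cmd=%proc.cmdline container=%container.name ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, filesystem, mitre_credential_access]

- rule: Privileged container started
  desc: >
    A container was launched with the privileged flag, which is effectively
    root on the node; treat it as privilege escalation.
  condition: >
    evt.type = container and container.privileged=true
    and not container.image.repository in (approved_debug_images)
  output: >
    Privileged container started (container=%container.name
    image=%container.image.repository ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: ERROR
  tags: [container, privilege_escalation, mitre_privilege_escalation]
```

The allowlist is the part to keep tight: every image on it is a blind spot for the first rule, so it should name specific repositories, not a whole registry. Expect the shell rule to fire on legitimate debugging sessions as well; the point of emitting the namespace, pod and parent process is so that those can be triaged quickly rather than suppressed globally.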

Kubescape

deployed

Kubernetes security platform for continuous scanning against NSA, MITRE, and CIS benchmarks.

Role: Compliance scanning and hardening recommendations

Open AppSec

deployed

ML-based web application firewall and API security.

Role: WAF protection for exposed services