🛡️ SECURITY & IDENTITY

Defense in depth

Zero-trust security: SSO, secrets management, policy enforcement, runtime detection, and certificate automation.

ZERO-TRUST SECURITY LAYERS

1. Identity (Keycloak): OIDC SSO on every service
2. Secrets (Vault + ESO): encrypted at rest in Vault, synchronized to pods as Kubernetes Secrets
3. Policy (Kyverno): admission control, mutation, validation
4. Runtime (Falco): eBPF-based anomaly detection
5. Analysis (Kubescape): CIS, NSA, MITRE compliance

Single sign-on everywhere

One Keycloak login gives access to every service on the platform. No separate credentials.

Vault
Harbor
Grafana
ArgoCD
OneDev
AFFiNE
Backstage
APISIX Dashboard
Supabase
Matomo

Secrets management

No secrets in Git. Nothing hand-written into etcd: every Kubernetes Secret is a copy that ESO materializes from Vault, and Vault is the only source of truth. Those copies still live in etcd, so who can read Secrets in a namespace matters as much as the Vault policy behind them.

graph TD
  TF["Terraform"]:::terraform
  VAULT["Vault
HA / 3 Raft replicas
Encrypted at rest"]:::vault
  CSS["ClusterSecretStore
vault-backend"]:::store
  ES["ExternalSecret
Per-app, per-namespace"]:::external
  KS["Kubernetes Secret
Mounted as env or volume"]:::k8s
  POD["Pod
Consumes secret transparently"]:::pod

  TF -->|"Provision secrets"| VAULT
  VAULT --> CSS
  CSS --> ES
  ES --> KS
  KS --> POD

  classDef terraform fill:#0e3a3a,stroke:#06b6d4,color:#67e8f9,stroke-width:2px
  classDef vault fill:#2e2a0e,stroke:#facc15,color:#fde68a,stroke-width:2px
  classDef store fill:#14332a,stroke:#4ade80,color:#86efac,stroke-width:2px
  classDef external fill:#2e1a47,stroke:#a78bfa,color:#c4b5fd,stroke-width:2px
  classDef k8s fill:#1e3a5f,stroke:#60a5fa,color:#93c5fd,stroke-width:2px
  classDef pod fill:#2e1a0e,stroke:#f97316,color:#fdba74,stroke-width:2px
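The pipeline in the diagram, written out as manifests. This is an added example, not the platform's own configuration: the store name vault-backend comes from the diagram, while the Vault service URL, the CA ConfigMap, the "external-secrets" Kubernetes-auth role, the "secret" KV v2 mount, the monitoring and cert-manager namespaces and the Vault paths under platform/ are assumptions.

```yaml
# Added example (not the platform's own manifests). Assumed: Vault URL, CA
# ConfigMap, the "external-secrets" kubernetes-auth role, the "secret" KV v2
# mount, the namespaces and the paths under platform/.
---
# 1. One cluster-wide store. ESO authenticates to Vault with its own service
#    account token (Vault kubernetes auth), so no Vault token is stored in-cluster.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  # Only namespaces that opt in by label may reference this store. Without this
  # any tenant could declare an ExternalSecret against the shared store.
  conditions:
    - namespaceSelector:
        matchLabels:
          vault.platform/enabled: "true"
  provider:
    vault:
      server: "https://vault.vault.svc:8200"
      path: "secret"          # KV v2 mount
      version: "v2"
      caProvider:             # pin Vault's CA instead of trusting the system store
        type: ConfigMap
        name: vault-ca
        key: ca.crt
        namespace: external-secrets
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
# 2. Per-app, per-namespace ExternalSecret: reads one field of the Vault document
#    secret/data/platform/grafana/oidc and writes it into a Kubernetes Secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-oidc
  namespace: monitoring
spec:
  refreshInterval: 1h        # re-read Vault; a rotated value reaches the Secret without a redeploy
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: grafana-oidc
    creationPolicy: Owner    # the Secret is garbage-collected with the ExternalSecret
  data:
    - secretKey: client-secret
      remoteRef:
        key: platform/grafana/oidc   # path under the mount, without the /data/ segment
        property: client_secret
---
# 3. Reverse direction: the certificate Secret written by cert-manager is pushed
#    back into Vault so consumers outside Kubernetes read the same certificate.
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: wildcard-tls
  namespace: cert-manager
spec:
  refreshInterval: 1h
  secretStoreRefs:
    - kind: ClusterSecretStore
      name: vault-backend
  selector:
    secret:
      name: wildcard-tls     # assumed name of the cert-manager output Secret
  data:
    - match:
        secretKey: tls.crt
        remoteRef:
          remoteKey: platform/tls/wildcard
          property: tls.crt
    - match:
        secretKey: tls.key
        remoteRef:
          remoteKey: platform/tls/wildcard
          property: tls.key
```

Two things the diagram does not show. The Vault policy bound to the external-secrets role should be read-only on secret/data/platform/* and grant create/update only on the TLS path the PushSecret writes to; a single broad policy turns ESO into a write path for anything. And refreshInterval only refreshes the Secret object: a pod that reads the value as an environment variable keeps the old one until it is restarted, whereas a volume mount picks the new file up within the kubelet sync period.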

All components

Keycloak

production

Enterprise identity and access management with OIDC, SAML, social login, and LDAP integration.

Role: centralized SSO for all platform services (Vault, Harbor, Grafana, ArgoCD, OneDev, AFFiNE)

HashiCorp Vault

production

Secrets management, encryption as a service, and privileged access management.

Role: HA deployment (3-replica Raft cluster) storing all platform secrets, DNS credentials and TLS certificates

External Secrets Operator

production

Kubernetes operator that synchronizes secrets from external stores into Kubernetes secrets.

Role: bridges Vault and Kubernetes: syncs Vault secrets into the Kubernetes Secrets that pods consume, and pushes cert-manager-issued certificates back into Vault (PushSecret)

cert-manager

production

Automatic TLS certificate management with Let's Encrypt ACME protocol support.

Role: automated certificate issuance via DNS-01 challenges with Cloudflare
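What a DNS-01 issuer with Cloudflare looks like, as an added example rather than the platform's own issuer. The issuer name, the contact address, example.com and the name and key of the Secret holding the Cloudflare token are assumptions; the token Secret is expected to be an ExternalSecret target so the token itself never appears in Git.

```yaml
# Added example (not the platform's own cert-manager resources). Assumed names:
# issuer, contact e-mail, example.com, and the cloudflare-api-token Secret,
# which ESO is expected to materialize from Vault.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-dns-account-key   # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              # For a ClusterIssuer this Secret must live in cert-manager's own
              # namespace (the "cluster resource namespace").
              name: cloudflare-api-token
              key: api-token
---
# Wildcard certificate. DNS-01 is the only ACME challenge that can issue
# wildcards and needs no port 80/443 reachable from the internet.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-tls
  namespace: cert-manager
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
    - "example.com"
    - "*.example.com"
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always    # fresh private key on every renewal
```

The Cloudflare token is the sensitive part of this setup: whoever holds it can answer DNS-01 challenges and obtain certificates for the zone. Scope it to Zone:DNS:Edit on that one zone only, and treat the namespace that holds the Secret as part of the certificate trust boundary.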

Kyverno

production

Kubernetes-native policy engine for validation, mutation, and generation of resources.

Role: enforces security policies: label requirements, container restrictions, cross-tenant isolation
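One ClusterPolicy covering the three kinds of rule listed above, as an added example and not the platform's own policy set. The "team" label name and the convention that a tenant's Vault paths start with its namespace name are assumptions; the cross-tenant rule assumes ESO's ExternalSecret CRD is installed.

```yaml
# Added example (not the platform's own Kyverno policies). Assumed: the "team"
# label and the "<namespace>/..." Vault path convention.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: platform-baseline
spec:
  validationFailureAction: Enforce   # reject on admission rather than only report (Audit)
  background: true                   # also report existing resources that violate
  rules:
    # Label requirement: every workload declares its owning team.
    - name: require-team-label
      match:
        any:
          - resources:
              kinds: [Deployment, StatefulSet, DaemonSet, CronJob]
      validate:
        message: "metadata.labels.team is required"
        pattern:
          metadata:
            labels:
              team: "?*"       # any non-empty value

    # Container restrictions: no privileged containers, no host namespaces.
    # "=(key)" is Kyverno's equality anchor: the check applies only when the key
    # is present, so a Pod that omits securityContext entirely is not rejected here.
    - name: restrict-containers
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "privileged containers, privilege escalation and host namespaces are not allowed"
        pattern:
          spec:
            =(hostPID): false
            =(hostNetwork): false
            =(hostIPC): false
            containers:
              - =(securityContext):
                  =(privileged): false
                  =(allowPrivilegeEscalation): false

    # Cross-tenant isolation: an ExternalSecret may only read Vault paths that
    # start with its own namespace, so a tenant cannot pull another tenant's
    # secrets through the shared ClusterSecretStore.
    - name: externalsecret-own-namespace-only
      match:
        any:
          - resources:
              kinds: [ExternalSecret]
      validate:
        message: "ExternalSecret remoteRef.key must start with the namespace name"
        foreach:
          - list: request.object.spec.data
            pattern:
              remoteRef:
                key: "{{request.namespace}}/*"

    # spec.dataFrom (find/extract) would sidestep the per-entry check above, so it
    # is forbidden outright. "X(key)" is the negation anchor: the key must be absent.
    - name: externalsecret-no-datafrom
      match:
        any:
          - resources:
              kinds: [ExternalSecret]
      validate:
        message: "spec.dataFrom bypasses the per-namespace path check; use spec.data"
        pattern:
          spec:
            X(dataFrom): "null"
```

Roll a policy like this out in Audit first and read the PolicyReport objects before switching to Enforce; the background scan will list every existing workload that would have been rejected. The last two rules are the part Kyverno adds that Vault policy alone cannot: Vault sees one identity (ESO's service account), so the per-namespace scoping has to be enforced at admission, where the requesting namespace is still known.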

Falco

production

Runtime security monitoring using eBPF probes to detect anomalous container behavior.

Role: real-time threat detection: shell spawning, privilege escalation, sensitive file access
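Shell spawning and privilege escalation are covered by Falco's shipped rule set. The rule below is an added example, not part of the platform's Falco configuration, showing how the "sensitive file access" case can be made specific to the Secrets that ESO materializes: it fires when anything other than the workload's expected binary reads a file under a Secret mount. The mount path prefix and the list of expected reader binaries are assumptions that have to be tuned per workload.

```yaml
# Added example (not the platform's Falco rules). The /etc/secrets/ mount prefix
# and the list of expected readers are assumptions. Relies on the open_read and
# container macros from Falco's default falco_rules.yaml.
- list: secret_mount_readers
  items: [grafana, argocd-server, vault, harbor_core]

- rule: Unexpected Process Read of Mounted Secret
  desc: >
    A process other than the workload's own binary opened a file under a Kubernetes
    Secret mount. ESO writes Vault secrets there, so a read from a shell, curl or an
    interpreter is credential access that admission control cannot see.
  condition: >
    open_read and container
    and fd.name startswith /etc/secrets/
    and not proc.name in (secret_mount_readers)
    and not proc.pname in (secret_mount_readers)
  output: >
    Secret file read by unexpected process (file=%fd.name proc=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline user=%user.name
    container=%container.name image=%container.image.repository
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [secrets, k8s, credential_access]
```

Validate the file with `falco -V <rules-file>` before loading it, and expect to iterate on the allow-list: init containers, sidecars and entrypoint scripts that cat a secret before exec'ing the real binary all show up as findings the first time the rule runs. Exempting the parent process name is what keeps a `sh -c 'exec grafana'` entrypoint quiet while still catching an interactive shell that reads the same file.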

Kubescape

deployed

Kubernetes security platform for continuous scanning against NSA, MITRE, and CIS benchmarks.

Role: compliance scanning and hardening recommendations

Open AppSec

deployed

ML-based web application firewall and API security.

Role: WAF protection for exposed services