Security: sharedvolume/nfs-server-controller

Security Policy

Supported Versions

We actively support the following versions with security updates:

Version Supported
0.0.x

Reporting a Vulnerability

The NFS Server Controller team takes security seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

Please do not report security vulnerabilities through public GitHub issues.

Instead, please email details to: [email protected]

Include the following information in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Suggested fix (if you have one)

What to Expect

  • Initial Response: We will acknowledge receipt of your report within 48 hours.
  • Assessment: We will assess the vulnerability and determine its severity within 5 business days.
  • Fix Timeline:
    • Critical vulnerabilities: Within 7 days
    • High vulnerabilities: Within 14 days
    • Medium/Low vulnerabilities: Within 30 days
  • Disclosure: We will coordinate with you on public disclosure timing.

Security Response Process

  1. Vulnerability Report: Security issue reported via email
  2. Initial Assessment: Team evaluates the report
  3. Verification: Reproduce and confirm the vulnerability
  4. Fix Development: Develop and test the security fix
  5. Release: Create security release with fix
  6. Disclosure: Publish security advisory

Security Best Practices

When using the NFS Server Controller, follow these security best practices:

Network Security

  • Network Policies: Implement Kubernetes Network Policies to restrict NFS traffic
  • Firewall Rules: Configure firewall rules to limit NFS access
  • VPC/Network Segmentation: Deploy in isolated network segments

Authentication and Authorization

  • RBAC: Use Kubernetes RBAC to control access to NFS server resources
  • Service Accounts: Use dedicated service accounts with minimal permissions
  • Namespace Isolation: Deploy NFS servers in dedicated namespaces

Data Protection

  • Encryption: Use storage encryption for sensitive data
  • Backup: Implement regular backup procedures
  • Access Control: Implement proper file system permissions

Container Security

  • Security Context: NFS servers run with privileged access (required for NFS)
  • Pod Security Standards: Apply appropriate pod security policies
  • Image Scanning: Regularly scan container images for vulnerabilities

Monitoring and Auditing

  • Audit Logging: Enable Kubernetes audit logging
  • Monitoring: Monitor NFS server metrics and logs
  • Alerting: Set up alerts for security-related events

Known Security Considerations

Privileged Containers

NFS server pods run with privileged security context due to kernel module requirements:

securityContext:
  privileged: true
  capabilities:
    add: ["SYS_ADMIN", "SYS_MODULE"]

Mitigation Strategies:

  • Deploy in isolated namespaces
  • Use Pod Security Standards to control privileged access
  • Implement network policies to restrict traffic
  • Monitor privileged container activities

NFS Protocol Security

NFS v3 (default) has inherent security limitations:

  • Authentication: Limited authentication mechanisms
  • Encryption: No built-in encryption
  • Access Control: Relies on UID/GID mapping

Recommendations:

  • Use NFSv4 when available (future enhancement)
  • Implement network-level security (VPN, private networks)
  • Consider encryption at rest for storage

Service Exposure

NFS services are exposed within the cluster:

  • Services use ClusterIP (internal only)
  • Ports: 2049 (NFS), 20048 (mountd), 111 (rpcbind)

Security Measures:

  • Services are not exposed externally by default
  • Use Network Policies to restrict access
  • Monitor service endpoints
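
The namespace-isolation and Network Policy mitigations listed under Privileged Containers and Service Exposure, as an added example that is not part of the project's own manifests. The namespace name, the labels and the node CIDR are assumptions; replace them with your cluster's values.

```yaml
# Added example. Names, labels and the CIDR are assumed, not taken from the project.
apiVersion: v1
kind: Namespace
metadata:
  name: nfs-servers                  # hypothetical dedicated namespace
  labels:
    # The NFS pods need privileged: true, so this is the only namespace that
    # admits them. Keep application namespaces at "baseline" or "restricted".
    pod-security.kubernetes.io/enforce: privileged
    # Still record every pod that exceeds "baseline" in audit logs and warnings.
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nfs-server-ingress
  namespace: nfs-servers
spec:
  podSelector:
    matchLabels:
      app: nfs-server                # hypothetical label on the NFS server pods
  policyTypes: ["Ingress"]           # selected pods now deny all other ingress
  ingress:
    - from:
        # Kubernetes NFS volumes are mounted by the node, not by the consuming
        # pod, so mount traffic arrives from node IPs.
        - ipBlock:
            cidr: 10.0.0.0/24        # placeholder: your node subnet
        # Pods that run an NFS client themselves, in opted-in namespaces only.
        - namespaceSelector:
            matchLabels:
              nfs-client: "true"     # hypothetical namespace label
          podSelector:
            matchLabels:
              nfs-client: "true"     # hypothetical pod label
      ports:
        - { protocol: TCP, port: 2049 }    # NFS
        - { protocol: TCP, port: 20048 }   # mountd
        - { protocol: TCP, port: 111 }     # rpcbind
        # Add matching UDP entries only if clients mount over UDP.
```

The policy is enforced only when the cluster's CNI plugin implements NetworkPolicy; on a plugin that does not, it is accepted and silently ignored.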

Security Updates

Automatic Updates

  • Dependabot: Automatically monitors and updates dependencies
  • Container Images: Base images are regularly updated
  • Go Modules: Dependencies are kept up to date

Release Security

  • Signed Releases: All releases are signed
  • SBOM: Software Bill of Materials provided with releases
  • Vulnerability Scanning: Images scanned before release

Compliance

Standards Compliance

  • CIS Kubernetes Benchmark: Follow CIS recommendations
  • NIST Framework: Align with NIST cybersecurity framework
  • SOC 2: Consider SOC 2 controls for enterprise usage

Regulatory Considerations

  • GDPR: Ensure proper data handling for EU deployments
  • HIPAA: Additional controls needed for healthcare data
  • SOX: Financial data requires additional compliance measures

Security Tools and Integrations

Static Analysis

  • gosec: Go security checker
  • golangci-lint: Includes security linters
  • Trivy: Container and dependency scanning

Runtime Security

  • Falco: Runtime security monitoring
  • OPA Gatekeeper: Policy enforcement
  • Pod Security Standards: Kubernetes native security

Monitoring

  • Prometheus: Metrics collection
  • Grafana: Security dashboards
  • AlertManager: Security alerting

Incident Response

Security Incident Handling

  1. Detection: Identify security incidents
  2. Assessment: Evaluate impact and scope
  3. Containment: Limit damage and prevent spread
  4. Eradication: Remove threats and vulnerabilities
  5. Recovery: Restore normal operations
  6. Lessons Learned: Document and improve processes

Contact Information

  • Security Team: [email protected]
  • Emergency Response: For critical security issues requiring immediate attention

Security Training

Developer Security

  • Secure coding practices
  • Dependency management
  • Security testing
  • Threat modeling

Operator Security

  • Kubernetes security best practices
  • Monitoring and alerting
  • Incident response procedures
  • Compliance requirements

Acknowledgments

We acknowledge security researchers and the community for responsible disclosure of vulnerabilities. Security contributors will be recognized in our security advisories and release notes.

Additional Resources

There aren’t any published security advisories