Network Security
Best practices for securing your Kubey deployment based on your network environment.
Deployment Scenarios
How you secure Kubey depends on where and how you deploy it. Choose the scenario that matches your setup.
Local Development
Running on your laptop with Docker Desktop, minikube, or kind.
Risk level: Low
Network exposure: localhost only
Recommendations:
- Your existing kubeconfig is fine to use
- No additional authentication needed
- No network restrictions required
Internal Network / VPN
Deployed on a private network accessible only to your team via VPN or corporate network.
Risk level: Medium
Network exposure: Internal users
Recommendations:
- Use read-only credentials for cluster access
- Enable OAuth authentication (GitHub/Google)
- Restrict signups to your company email domain
- Consider IP allowlisting if your network supports it
Public Internet
Accessible from the public internet without VPN.
Risk level: High
Network exposure: Anyone on the internet
Recommendations:
- Required: Use read-only credentials
- Required: Enable OAuth authentication
- Required: Use HTTPS with valid certificates
- Enable invite-only mode or domain restrictions
- Consider adding a reverse proxy (nginx, Cloudflare) for DDoS protection
- Set up rate limiting
- Monitor access logs for suspicious activity
Recommended: Internal Network Deployment
For most organizations, we recommend deploying Kubey on an internal network that requires VPN access. This provides a strong security boundary while keeping configuration simple.
Why internal networks? By requiring VPN or corporate network access, you add an additional authentication layer before users can even reach Kubey. This defense-in-depth approach means that even if there were a vulnerability in Kubey, attackers would first need to breach your network.
Kubernetes Network Policies
If running Kubey inside your Kubernetes cluster, use NetworkPolicies to restrict its network access.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubey-network-policy
namespace: kubey
spec:
podSelector:
matchLabels:
app: kubey
policyTypes:
- Ingress
- Egress
ingress:
# Allow traffic from your ingress controller
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
ports:
- protocol: TCP
port: 8080
egress:
# Allow DNS resolution
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
# Allow access to Kubernetes API
- to:
- ipBlock:
cidr: 0.0.0.0/0
ports:
- protocol: TCP
port: 443
- protocol: TCP
port: 6443If You Must Expose Publicly
If your use case requires public internet access, take these additional precautions:
1. Use a Reverse Proxy
Place Kubey behind a reverse proxy like nginx, Traefik, or Cloudflare for:
- TLS termination with automatic certificate renewal
- Rate limiting to prevent abuse
- DDoS protection
- Web Application Firewall (WAF) rules
2. Enable All Authentication Features
# Require OAuth login
AUTH_MODE=shared
# Restrict to your company domain
ALLOWED_DOMAINS=yourcompany.com
# Or use invite-only mode
INVITE_ONLY=true
# Set a strong JWT secret
JWT_SECRET=$(openssl rand -base64 32)3. Monitor and Audit
- Enable access logging in your reverse proxy
- Set up alerts for failed login attempts
- Regularly review the user list in the admin panel
- Enable Kubernetes audit logging to track API access
Security Checklist
Before going live, verify:
- ☐HTTPS is enabled with valid certificates
- ☐OAuth authentication is configured and working
- ☐Read-only credentials are used for all clusters
- ☐JWT_SECRET is set to a strong, unique value
- ☐Domain restrictions or invite-only mode is enabled
- ☐Network access is restricted (VPN, firewall, or NetworkPolicy)
- ☐Access logging is enabled