docs: README, changelog, contributing, security, deployment, operations, CI
This commit is contained in:
commit
bdfd8027f4
12 changed files with 551 additions and 0 deletions
22
SECURITY.md
Normal file
22
SECURITY.md
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
# Security
|
||||
|
||||
## Reporting
|
||||
|
||||
Raise a private issue in Forgejo or contact the repo owner directly.
|
||||
|
||||
## Credentials
|
||||
|
||||
- Never commit keytabs, .ccache files, or .env files - all are in .gitignore
|
||||
- The keytab must be stored as a Docker secret only
|
||||
- The service account (dns-updater) should have no other privileges beyond DnsAdmins
|
||||
- Rotate the keytab periodically - see docs/operations.md
|
||||
|
||||
## Threat model
|
||||
|
||||
| Threat | Mitigation |
|
||||
|---|---|
|
||||
| Keytab compromise | Scoped to DnsAdmins only; rotate via samba-tool user setpassword |
|
||||
| Container escape | Runs as nobody; no capabilities; no host mounts beyond the secret |
|
||||
| DNS spoofing | GSS-TSIG: updates are Kerberos-signed and verified by the KDC |
|
||||
| Unauthorised DNS writes | Only the dns-updater principal can authenticate with this keytab |
|
||||
| Traefik API abuse | API is read-only; no writes to Traefik from this service |
|
||||
Loading…
Add table
Add a link
Reference in a new issue