Security Practices
Secure coding practices
Least-privilege permissions, standard cryptographic primitives, controller-safe execution, and careful handling of secrets in memory and logs.
Decision matrix
Secure coding defaults
| Area | Expected default | Avoid |
|---|---|---|
| Filesystem permissions | Use the narrowest permissions possible, especially 0600 for keys and secrets. | World-writable or broadly readable secret material. |
| Randomness | Use crypto/rand for security-sensitive values. | math/rand for tokens, passwords, keys, or nonces. |
| Controller execution model | Use Go libraries and Kubernetes clients directly. | Shelling out to kubectl, helm, bao, vault, or similar binaries from controllers. |
| Input validation | Validate paths, ranges, and other CR-driven input before use. | Passing raw user input into filesystem or runtime-sensitive operations. |
| Secret handling | Do not log secret contents and minimize their lifetime in memory. | Debug output that prints token, key, or secret payload fields. |
Minimal secure examples
```go
import (
	"crypto/rand"
	"os"
)

// private key file permissions: owner read/write only. os.WriteFile applies
// 0600 only when it creates the file; an existing file keeps its current mode.
func writePrivateKey(keyPath string, keyData []byte) error {
	return os.WriteFile(keyPath, keyData, 0o600)
}

// cryptographically secure randomness: 32 bytes from crypto/rand, never math/rand
func newToken() ([]byte, error) {
	token := make([]byte, 32)
	if _, err := rand.Read(token); err != nil {
		return nil, err
	}
	return token, nil
}
```
Controllers must not shell out
Shelling out introduces argument-injection risk, hidden runtime dependencies (the binary must exist in the controller image at a compatible version), and slower, harder-to-test control paths that can only be exercised end to end. Even exec without a shell still inherits the external tool's argument parsing, output format, and exit-code semantics. Use Kubernetes clients and internal helpers instead.
Input and secret handling
- Clean and validate filesystem paths before use.
- Enforce numeric and enum bounds from CR input explicitly.
- Never log secret payloads, even in debug-only paths.
- Zero sensitive byte slices after use when the code keeps them in memory for any meaningful period. Keep such material as []byte rather than string, since Go strings are immutable and cannot be zeroed; zeroing is best effort because the garbage collector may already have copied the bytes.
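The following is an added example, not code from this project, that puts the four rules above into one small Go package: a CR-supplied path is cleaned and confined under a root, a numeric field and an enum field are bounds-checked explicitly, and a secret type redacts itself when formatted and can be zeroed. The mount root, the replica range, the mode values and the sample token are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// mountRoot is a hypothetical directory the controller is allowed to write under.
const mountRoot = "/var/run/secrets/example"

// ErrInvalidInput wraps every rejection so callers can use errors.Is on it.
var ErrInvalidInput = errors.New("invalid CR input")

// SafePath cleans a CR-supplied relative path and confirms it stays under mountRoot.
// It rejects empty paths, absolute paths, and any ".." that would escape the root.
func SafePath(userPath string) (string, error) {
	if !filepath.IsLocal(userPath) { // false for "", absolute paths, and escaping ".."
		return "", fmt.Errorf("%w: path %q is not a local relative path", ErrInvalidInput, userPath)
	}
	full := filepath.Join(mountRoot, userPath) // Join also runs Clean
	rel, err := filepath.Rel(mountRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: path %q escapes %s", ErrInvalidInput, userPath, mountRoot)
	}
	return full, nil
}

// Replicas enforces an explicit numeric range instead of trusting the CR value.
func Replicas(n int32) (int32, error) {
	const lo, hi = 1, 10 // hypothetical bounds
	if n < lo || n > hi {
		return 0, fmt.Errorf("%w: replicas %d outside [%d,%d]", ErrInvalidInput, n, lo, hi)
	}
	return n, nil
}

// allowedModes is the closed set an enum-like CR field may take (hypothetical values).
var allowedModes = map[string]bool{"static": true, "dynamic": true}

// Mode rejects anything outside the enum rather than falling through to a default.
func Mode(m string) (string, error) {
	if !allowedModes[m] {
		return "", fmt.Errorf("%w: mode %q is not one of static|dynamic", ErrInvalidInput, m)
	}
	return m, nil
}

// Secret holds key material as bytes (strings cannot be zeroed) and redacts itself
// when formatted, so a stray log.Printf("got %v", s) cannot leak the payload.
type Secret []byte

// String satisfies fmt.Stringer; fmt uses it for %v and %s, and %x/%X hex-encode
// the redaction text rather than the underlying bytes.
func (s Secret) String() string { return "[REDACTED]" }

// Zero overwrites the backing array. This is best effort: the GC may already have
// copied the bytes, so it limits exposure rather than guaranteeing erasure.
func (s Secret) Zero() {
	for i := range s {
		s[i] = 0
	}
}

// IsZeroed reports whether every byte has been cleared.
func (s Secret) IsZeroed() bool {
	for _, b := range s {
		if b != 0 {
			return false
		}
	}
	return true
}

func main() {
	for _, p := range []string{"tls/tls.crt", "../../etc/passwd", "/etc/passwd"} {
		full, err := SafePath(p)
		fmt.Printf("path %q -> %q err=%v\n", p, full, err)
	}
	_, err := Replicas(42)
	fmt.Println("replicas 42:", err)
	_, err = Mode("yolo")
	fmt.Println("mode yolo:", err)

	s := Secret([]byte("hunter2")) // constructed sample token, not real material
	fmt.Printf("logging the secret prints: %v\n", s)
	s.Zero()
	fmt.Println("zeroed:", s.IsZeroed())
}
```

Validation returns a wrapped ErrInvalidInput so the reconcile loop can surface one condition type for every rejected field. The redacting String method is the cheapest defense against the "debug output prints the token" failure in the table above, because it works on every fmt and log call without touching the call sites.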
Related secure-contributor guides
- Supply chain security: open the artifact-trust controls when the change moves from secure coding into build, provenance, or release security.
- Dependency license policy: use the dependency policy when the security question is whether a new dependency is even shippable.
- Security docs: return to the operator-facing security section when you need the runtime trust model rather than contributor implementation rules.