Skip to main content
Version: next

Choose a security profile

spec.profile is the top-level decision that shapes bootstrap, unseal, TLS, image verification, and failure tolerance. Use this page to choose the cluster posture and then align the rest of the baseline with it.

Decision matrix

Choose the profile deliberately

Choose the profile deliberately.
ProfileUse it whenWhat it assumesAvoid it when
HardenedThe cluster is intended to become a real production service.External unseal, self-initialization, verified TLS, and supply-chain guardrails are part of the normal path.You cannot meet the external trust, identity, or networking requirements yet.
DevelopmentYou need a fast local or evaluation path and accept weaker security defaults temporarily.Bootstrap material may live in Kubernetes Secrets, TLS can be operator-managed, and verification can be relaxed.You are trying to define the baseline that will survive into production.

Diagram

How the profile shapes the baseline

The profile determines whether the cluster can rely on operator-generated trust material and stored bootstrap credentials or whether those paths are explicitly disallowed.

What actually changes with the profile

Reference table

Profile effects

Profile effects.
SurfaceDevelopmentHardened
Bootstrap credential handlingManual init is allowed and can leave a root token in a Secret when self-init is disabled.Self-initialization is the expected path, and root-token persistence is reserved for exceptional workflows.
UnsealStatic unseal in a Secret is allowed for fast evaluation.Use an external trust source such as cloud KMS or transit. Static unseal is limited to development and other deliberate exceptions.
TLSOperator-managed TLS is acceptable for development and internal evaluation.Use External or ACME; the certificate authority should not be operator-generated in production.
Image verificationCan be introduced gradually and warning-only rollouts are possible.Use image verification as the steady-state posture. Warning-only behavior fits rollout or transition periods, and official-image defaults still verify when trust material is omitted.
Networking and jobsYou can tolerate more permissive local defaults while standing up the cluster.Backup and other lifecycle paths should assume explicit egress and identity wiring before go-live.

Representative starting points

Configure

Start from the supported production baseline

yaml

apiVersion: openbao.org/v1alpha1
kind: OpenBaoCluster
metadata:
name: prod-cluster
spec:
profile: Hardened
replicas: 3
version: "2.4.4"
selfInit:
  enabled: true
tls:
  enabled: true
  mode: External
unseal:
  type: awskms
  awskms:
    region: us-east-1
    kmsKeyID: alias/openbao-unseal
imageVerification:
  enabled: true
  failurePolicy: Block
operatorImageVerification:
  enabled: true
  failurePolicy: Block

Hardened is the supported production path. It assumes an external trust source for unseal, non-operator-managed TLS, and a self-initializing bootstrap flow.

Switch the baseline before production use

If other systems will depend on the cluster, move from Development to Hardened before that production usage begins.

Choose the unseal root of trust

Decision matrix

Unseal options by posture

Unseal options by posture.
PathUse it whenWhy it fits or does not fit
Cloud KMSYou run in AWS, GCP, Azure, or another managed platform with a usable external key service.This is usually the cleanest Hardened path because the root of trust stays outside Kubernetes.
TransitYou already run a central OpenBao cluster or equivalent external trust service.This works well for multi-cluster or hybrid environments where central trust management is intentional.
PKCS#11 or KMIPYou need HSM-backed or enterprise key-management integration.Valid for production, but usually more specialized and operationally heavier than cloud KMS or transit.
Static SecretYou need a local development path and understand the blast radius.This is convenient but keeps decryption material inside the same cluster state you are trying to protect.

Configure

Use AWS KMS for Hardened unseal

yaml

spec:
profile: Hardened
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/openbao-awskms"
unseal:
  type: awskms
  awskms:
    kmsKeyID: "arn:aws:kms:us-east-1:123456789012:key/..."
    region: "us-east-1"

Optional runtime hardening

Configure

Enable AppArmor when the nodes support it

yaml

spec:
workloadHardening:
  appArmorEnabled: true

AppArmor is opt-in because support depends on the underlying node OS and cluster runtime. Pair this with the broader workload baseline in Pod and runtime security.

Continue cluster baseline

Unseal configurationUse the provider-by-provider Secret and mounted-file contract page once you know which root of trust you want.Self-initializationConfigure the bootstrap requests and operator OIDC flow that follow from the profile choice.External accessChoose the TLS and exposure pattern that matches the baseline you just picked.Workload protectionsReview the runtime and supply-chain controls expected behind the Hardened posture.
Next release documentation

You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.

Was this page helpful?

Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.

Needs work