Treat security profiles as operating contracts, not just presets.
Development and Hardened are different security contracts, not cosmetic defaults. This page explains what each one is optimizing for, what Hardened requires in production, and why the configuration task belongs in the user guide rather than here.
Decision matrix
Profile intent
| Profile | Optimized for | What it trades off |
|---|---|---|
| Hardened | Production deployments with explicit external trust roots and stricter lifecycle guarantees. | More up-front requirements, less tolerance for weak bootstrap and trust shortcuts. |
| Development | Local testing, CI, and quick evaluation when long-term trust posture is not the goal. | Allows bootstrap and unseal material to exist in cluster Secrets and relaxes some runtime guarantees. |
Reference table
Profile comparison
| Feature | Hardened | Development |
|---|---|---|
| Root token handling | Auto-revoked; not stored in a Secret as part of the supported production path. | Can be stored in a Secret when self-init is disabled. |
| Unseal root of trust | Requires a non-static external trust source such as transit, cloud KMS, or HSM-backed modes. | Defaults can rely on a static key in a Kubernetes Secret. |
| TLS posture | Requires External or ACME style trust; OperatorManaged TLS is not the production path. | Allows operator-managed TLS for local or test usage. |
| Bootstrap model | Self-init is the supported production path. | Manual bootstrap or self-init are both possible. |
| Supply-chain guardrails | Image verification protections remain on and cannot degrade to warning-only behavior. | Verification can be relaxed for testing. |
Why Hardened is the supported production contract
Reference table
Hardened production requirements
| Requirement | Why it exists | Operational effect |
|---|---|---|
| At least three replicas | Raft needs quorum and safe disruption handling in production. | Single-node clusters are not treated as production-safe. |
| External trust root for unseal | The cluster should not keep its root of trust only in Kubernetes etcd. | Cloud KMS, transit, KMIP, or PKCS#11-style paths become part of the deployment contract. |
| Trusted TLS path | The workload identity boundary should be anchored in a production-grade certificate model. | OperatorManaged TLS is rejected for Hardened clusters. |
| Self-init enabled | The supported bootstrap path should avoid persisting the initial root token. | Human bootstrap becomes declarative instead of secret-based. |
| Verification guardrails stay enforced | Production image trust should not be optional. | Managed workloads keep digest and verification enforcement even when omitted from config. |
Hardened means the operator is allowed to assume an external trust root, explicit runtime identity, and production-ready lifecycle posture. It is a statement about the whole operating model, not only about one field in the CR.
What Development deliberately relaxes
Development is still useful, but it should be understood as an intentional weakening of the production contract:
- bootstrap material can persist in cluster Secrets
- static unseal remains available
- operator-managed TLS can be used
- runtime and supply-chain controls can be less strict
- the cluster reports a security-risk signal rather than pretending this posture is production-ready
Teams often start in Development for exploration. When moving to staging or production, create a new Hardened cluster rather than assuming a Development trust path can be promoted safely.
Where configuration belongs
This page explains the contract. The actual task of setting spec.profile, choosing the unseal mode, and satisfying the production requirements belongs in Configure Security Profiles.
Continue the security model
You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.
Was this page helpful?
Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.