Redis security

Namespace access

By default, Redis can be accessed only from the namespace it was issued. To access Redis from other namespaces the service must be configured.

apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNRedis
metadata:
  name: redis-app1-prod
  namespace: prod-app
spec:
  parameters:
    security:
      allowedNamespaces:
        - redis-prod (1)
      allowAllNamespaces: false (2)
  writeConnectionSecretToRef:
    name: redis-creds-connection

1	List of namespaces to be allowed to access Redis
2	Allows access to Redis from any namespace in the cluster. Supersedes `allowedNamespaces` if true.

Namespace RBAC

On APPUiO Cloud, every member of the same organization to which the claim namespace belongs to has limited access to the namespace for debugging and port-fowarding.

On APPUiO Managed, we don’t have this construct and no RBAC rules are deployed by default.

However, it is possible to specify a list of Groups or Users that should have that limited access to the namespace. This can be done using the two fields allowedGroups and allowedUsers:

apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNRedis
metadata:
  name: redis-app1-prod
  namespace: prod-app
spec:
  parameters:
    security:
      allowedGroups:  (1)
        - my-dev-engineers
        - my-support-engineers
      allowedUsers:  (2)
        - my-special-user
  writeConnectionSecretToRef:
    name: redis-creds-connection

1	List of groups to be allowed limited access to the Redis namespace
2	List of users to be allowed limited access to the Redis namespace