Security Details
The following sections describe details of the security setup.
GKE Access Management
GKE clusters are deployed as private clusters with authorized networks configured:
| Access Type | Configuration | Allowed From |
|---|---|---|
| Control Plane | Private IP only | Authorized networks (CIDR ranges) |
| Nodes | Private IP only | VPC internal + Cloud NAT for egress |
| LoadBalancer | Public IP via GLB | Public internet (health checks + client traffic) |
Kubeconfig Access
The kubeconfig is generated declaratively by Terraform using `local_sensitive_file` with `gke-gcloud-auth-plugin` exec-based authentication. The `project_id` and `region` from your tfvars determine the cluster endpoint and context name. Ensure your GCP identity has valid credentials before running kubectl commands:

```shell
gcloud auth list
gcloud config get-value project
terraform version
```

Workload Identity
Workload Identity enables Kubernetes service accounts to assume GCP service account roles without storing keys:
| Resource | Binding | Purpose |
|---|---|---|
| K8s SA `<cluster-name>-humio` | GCP SA `<infrastructure-prefix>-wl-identity@<project>.iam.gserviceaccount.com` | LogScale pods read/write GCS via Workload Identity |
| Cloud Function SA | GCP SA `<cluster-name>-dr-failover@<project>.iam.gserviceaccount.com` | DR failover function accesses GKE API |
Note: The Workload Identity binding is managed by the `terraform-google-modules/kubernetes-engine//modules/workload-identity` module. The GCP SA name is configurable via `logscale_cluster_k8s_service_account_name` (default: `<infrastructure_prefix>-wl-identity`).
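As an added consistency check for the binding described above (example code, not part of this deployment's Terraform or of the workload-identity module), the following Python verifies both halves of a Workload Identity binding from saved JSON: the GCP SA's IAM policy as returned by `gcloud iam service-accounts get-iam-policy <gcp-sa> --format=json`, and the Kubernetes ServiceAccount as returned by `kubectl get sa -n <namespace> <k8s-sa> -o json`. The project name, SA names, etag and the stray extra member in the sample are constructed for illustration; it flags a missing binding, any other member that can also impersonate the GCP SA, and a wrong or missing `iam.gke.io/gcp-service-account` annotation.

```python
"""Consistency check for a GKE Workload Identity binding (added example, not project code)."""
import json

WI_ROLE = "roles/iam.workloadIdentityUser"
KSA_ANNOTATION = "iam.gke.io/gcp-service-account"  # annotation on the K8s SA naming the GCP SA

# Constructed sample inputs standing in for the gcloud / kubectl JSON output.
PROJECT = "example-project"
GCP_SA = f"logscale-wl-identity@{PROJECT}.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads(f"""{{
  "bindings": [{{"role": "{WI_ROLE}", "members": [
    "serviceAccount:{PROJECT}.svc.id.goog[logscale/logscale-humio]",
    "serviceAccount:{PROJECT}.svc.id.goog[default/default]"]}}],
  "etag": "BwXexample=", "version": 1}}""")
SAMPLE_KSA = {"metadata": {"name": "logscale-humio", "namespace": "logscale",
                           "annotations": {KSA_ANNOTATION: GCP_SA}}}


def expected_member(project: str, namespace: str, ksa: str) -> str:
    """IAM member string GKE presents for a Kubernetes SA under Workload Identity."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def wi_members(policy: dict) -> set:
    """Every member granted workloadIdentityUser on the GCP SA's IAM policy."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == WI_ROLE for m in b.get("members", [])}


def check_workload_identity(policy: dict, ksa: dict, project: str, gcp_sa: str) -> list:
    """Return findings; an empty list means both sides of the binding agree."""
    meta = ksa["metadata"]
    want = expected_member(project, meta["namespace"], meta["name"])
    members = wi_members(policy)
    findings = []
    if want not in members:
        findings.append(f"{gcp_sa} lacks {WI_ROLE} for {want}")
    # Any other member can impersonate the GCP SA too, so each one is a finding.
    for extra in sorted(members - {want}):
        findings.append(f"unexpected {WI_ROLE} member on {gcp_sa}: {extra}")
    annotated = meta.get("annotations", {}).get(KSA_ANNOTATION)
    if annotated != gcp_sa:
        findings.append(f"KSA {meta['namespace']}/{meta['name']} annotation "
                        f"{KSA_ANNOTATION}={annotated!r}, expected {gcp_sa!r}")
    return findings


if __name__ == "__main__":
    for line in check_workload_identity(SAMPLE_POLICY, SAMPLE_KSA, PROJECT, GCP_SA) or ["OK"]:
        print(line)
```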
Setup:

```shell
# Bind K8s SA to GCP SA (handled automatically by Terraform workload-identity module)
gcloud iam service-accounts add-iam-policy-binding <gcp-sa>@<project>.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<project>.svc.id.goog[<namespace>/<k8s-sa>]"
```

Encryption at Rest
- GCS buckets: Encrypted with a Terraform-generated random password (`random_password`, 64 characters) stored as a Kubernetes secret. This is not CMEK/KMS; it uses LogScale's application-level encryption.
- Kubernetes secrets: Encrypted by GKE using Application-layer Secrets Encryption (ALSE)
- Persistent volumes: Encrypted using GCE Persistent Disk encryption (default)
Encryption in Transit
- API server <-> Node: TLS 1.2+ (default)
- Node <-> Pod: mTLS via service mesh (optional, not default)
- GLB <-> NodePort: HTTPS with TLS 1.2+, certificate from cert-manager
- Inter-region: VPC peering or VPN tunnel (recommended for sensitive workloads)
Network Security
| Layer | Security Measure |
|---|---|
| Perimeter | VPC with private subnets, no public IPs on nodes |
| Ingress | Firewall rules allow only necessary ports (31036, 10256, 8080 for health checks; 443 for proxy subnet) |
| Network Policy | Kubernetes NetworkPolicy restricts pod-to-pod traffic within cluster |
| Egress | Cloud NAT for controlled outbound access, audit via VPC Flow Logs |
Kubernetes Secrets Requiring DR Synchronization
The following secrets must be synced between primary and secondary clusters for DR recovery:
| Secret | Namespace | Type | Sync Method |
|---|---|---|---|
| `logscale-license` | logscale | Docker registry (for private images) | Manual copy or shared registry |
| `<cluster-name>-logscale-tls` | logscale | TLS certificate | cert-manager auto-renewal |
| `<cluster-name>-gcp-storage-encryption-key` | logscale | Opaque (encryption key) | Terraform-managed via remote state |
| `dr-secondary-gcs-storage-encryption` | logscale | Opaque (DR recovery encryption key) | Terraform-managed via remote state (standby only) |
Audit and Compliance
| Service | Audit Capability | Retention |
|---|---|---|
| Cloud Audit Logs | API calls to GCP services | 400 days (default) or Cloud Storage |
| GKE Control Plane Logs | API server, authenticator | Cloud Logging |
| LogScale Audit Logs | User actions, queries | LogScale retention policy |
| Cloud Function Logs | DR failover invocations | Cloud Logging |
IAM Permissions Reference
The deploying user/service account requires the following IAM roles at a minimum:
| Role | Purpose |
|---|---|
| `roles/container.admin` | GKE cluster management |
| `roles/storage.admin` | GCS bucket creation and management |
| `roles/dns.admin` | Cloud DNS zone and record management |
| `roles/cloudfunctions.admin` | DR failover Cloud Function management |
| `roles/iam.serviceAccountAdmin` | Service account creation for Workload Identity |
| `roles/monitoring.admin` | Uptime checks and alert policies |
Of the permissions these roles grant, the following granular permissions are the ones Terraform actually exercises.

GKE Permissions:
- `container.clusters.create`, `container.clusters.delete`, `container.clusters.get`, `container.clusters.update`
- `container.nodeGroups.create`, `container.nodeGroups.delete`, `container.nodeGroups.get`

GCS Permissions:
- `storage.buckets.create`, `storage.buckets.delete`, `storage.buckets.get`, `storage.buckets.setIamPolicy`
- `storage.objects.get`, `storage.objects.create`, `storage.objects.list` (for state and data buckets)

Cloud DNS Permissions:
- `dns.managedZones.create`, `dns.managedZones.delete`, `dns.managedZones.get`
- `dns.resourceRecordSets.create`, `dns.resourceRecordSets.delete`, `dns.resourceRecordSets.update`

Cloud Functions Permissions (for DR failover automation):
- `cloudfunctions.functions.create`, `cloudfunctions.functions.delete`, `cloudfunctions.functions.update`

Additional Permissions:
- `iam.serviceAccounts.create`, `iam.serviceAccounts.delete`, `iam.serviceAccountKeys.create`
- `pubsub.topics.create`, `pubsub.topics.delete`, `pubsub.subscriptions.create`
- `monitoring.alertPolicies.create`, `monitoring.alertPolicies.delete`
- `monitoring.uptimeCheckConfigs.create`, `monitoring.uptimeCheckConfigs.delete`