Nexeed
    • Introduction
    • Getting started
      • Getting access
      • Login
      • Main screen
      • Welcome dashboard
      • Detecting process anomalies
      • Analyzing data and detecting event sequences
      • Analyzing KPIs
    • How-tos
      • Monitors on production lines
        • Configuring the automatic login in the Nexeed Industrial Application System
        • Configuring the automatic login to the identity provider with the Windows user
        • Setting cookies in the browser
        • Configuring the automatic logout in the Nexeed Industrial Application System
        • Configuring the command line parameters in the browser
        • Known limitations and troubleshooting
      • Try out the APIs
    • Integration guide
      • Underlying concepts
        • Underlying concepts
        • Onboarding
        • Security
        • Communication
      • Integration journey
      • Overview of APIs
    • Operations manual
      • Release
      • System architecture and interfaces
      • System requirements
        • Cluster requirements
        • Database requirements
        • Support for service meshes
      • Migration from previous Nexeed IAS versions
      • Setup and configuration
        • Deployment process
        • Deployment with Helm
        • Advanced configuration
        • Integrations with external secret management solutions
        • Context paths
        • Service accounts and authorizations
        • Validation tests
        • Setup click once
        • Database user setup and configuration
      • Start and shutdown
      • Regular operations
        • User management & authentication
        • How to add additional tenants
        • How to access the cluster and pods
        • Automatic module role assignments in customer tenants
        • User credentials rotation - database and messaging secrets
      • Failure handling
        • Failure handling guidelines
        • Ansible operator troubleshooting
        • How to reach BCI for unresolved issues
      • Backup and restore
      • Logging and monitoring
        • The concept and conventions
        • ELK stack
        • ELK configurations aspects for beats
        • Proxy setup for ELK
        • Health endpoints configurations
      • Known limitations
      • Supporting functions
      • Security recommendations
        • Kubernetes
        • Security Best Practices for Databases
        • Certificates
        • Threat detection tools
    • Infrastructure manual
      • Release
      • System architecture and interfaces
        • RabbitMQ version support
      • System requirements
      • Migration from previous Nexeed infrastructure versions
      • Setup and configuration
        • Deployment process of the Nexeed infrastructure Helm chart
        • Deployment with Helm
      • Start and shutdown
      • Regular operations
        • RabbitMQ
          • User management & authentication
          • Disk size change
          • Upgrade performance with high performant disk type
          • Pod management policy
      • Failure handling
        • Connection failures
        • Data safety on the RabbitMQ side
        • Fix RabbitMQ cluster partitions
        • Delete unsynchronized RabbitMQ queues
        • How to reach BCI for unresolved issues
      • Backup and restore
      • Logging and monitoring
      • Known limitations
    • Glossary
    • Further information and contact
Industrial Application System
  • Industrial Application System
  • Core Services
    • Block Management
    • Deviation Processor
    • ID Builder
    • Multitenant Access Control
    • Notification Service
    • Ticket Management
    • Web Portal
  • Shopfloor Management
    • Andon Live
    • Global Production Overview
    • KPI Reporting
    • Operational Routines
    • Shift Book
    • Shopfloor Management Administration
  • Product & Quality
    • Product Setup Management
    • Part Traceability
    • Process Quality
    • Setup Specs
  • Execution
    • Line Control
    • Material Management
    • Order Management
    • Packaging Control
    • Rework Control
  • Intralogistics
    • AGV Control Center
    • Stock Management
    • Transport Management
  • Machine & Equipment
    • Condition Monitoring
    • Device Portal
    • Maintenance Management
    • Tool Management
  • Enterprise & Shopfloor Integration
    • Archiving Bridge
    • Data Publisher
    • Direct Data Link
    • Engineering UI
    • ERP Connectivity
    • Gateway
    • Information Router
    • Master Data Management
    • Orchestrator

Nexeed Learning Portal
  • Industrial Application System
  • Operations manual
  • Security recommendations
  • Kubernetes
preview 2025.03.00

Kubernetes

Control plane configuration

Secure API Server

Ensure the API server is configured with secure settings, such as enabling audit logging and using secure communication channels.

Controller Manager and Scheduler

Configure the controller manager and scheduler with secure settings, including enabling secure communication and authentication.

Etcd configuration

Enable Authentication

Ensure etcd is configured to require authentication for access.

Enable Encryption

Encrypt data at rest in etcd to protect sensitive information.

Control plane authentication and authorization

Use Strong Authentication

Implement strong authentication mechanisms for accessing the Kubernetes API, such as using certificates or OAuth tokens.

Implement RBAC

Use RoleBased Access Control (RBAC) to manage permissions and restrict access to the Kubernetes API.

Logging and monitoring

Enable Audit Logging

Enable audit logging to track access and modifications to the Kubernetes API.

Monitor Cluster Activity

Implement monitoring solutions to track cluster activity and detect potential security incidents.

Network policies

Restrict Pod Communication

Use network policies to control traffic between pods and services, limiting communication to only what is necessary.

Pod security policies

Enforce Security Standards

Implement pod security policies to enforce security standards for pod configurations, such as restricting privileged containers and enforcing readonly root file systems.

RBAC and service accounts

Manage Permissions with RBAC

Use RBAC to manage permissions and ensure that users and service accounts have the minimum necessary permissions.

Secure Service Accounts

Ensure service accounts are used securely, with appropriate permissions and token management.

Kubelet configuration

Secure Kubelet Communication

Ensure the Kubelet is configured to use secure communication channels and authentication.

Restrict Kubelet Permissions Limit the permissions of the Kubelet to only what is necessary for its operation.

For detailed information on CIS benchmarks for Kubernetes, please go through the following link: https://www.cisecurity.org/benchmark/kubernetes/

Contents

© Robert Bosch Manufacturing Solutions GmbH 2023-2025, all rights reserved

Changelog Corporate information Legal notice Data protection notice Third party licenses