Telco edge platforms sit at the intersection of critical infrastructure and cloud-native software. A compromise doesn't just leak data — it can affect radio network operations. This post covers the five-layer security model implemented in the EIB-Customer platform, from immutable OS to network segmentation.
Security Architecture Overview
Layer 1: OS Security (SLE Micro 6.1)
│ Immutable root filesystem
│ SELinux enforcing
│ CIS kernel parameters
│ Minimal package footprint
▼
Layer 2: Kubernetes Security (RKE2)
│ CIS Benchmark profile
│ TLS everywhere
│ etcd encryption at rest
│ RBAC
▼
Layer 3: Pod Security (Admission Control)
│ Pod Security Standards: restricted
│ Block non-compliant workloads
│ Namespace-level enforcement
▼
Layer 4: Network Segmentation
│ Separate management / data / accelerator networks
│ Calico Network Policies available
│ VLAN isolation
▼
Layer 5: Certificate Management
Automated lifecycle via cert-manager
TLS for all internal communications
Layer 1: OS Security
Immutable Root Filesystem
SLE Micro uses an immutable read-only root filesystem. System files cannot be modified at runtime — an attacker who gains code execution cannot persist changes to /usr, /bin, or /lib. Changes require a transactional update and reboot.
SELinux: Enforcing Mode
Mandatory Access Control via SELinux is enabled in enforcing mode. Every process, file, and network socket has a security label. Operations not explicitly permitted by policy are denied at the kernel level, regardless of Unix permissions.
CIS Kernel Parameters
Applied via rke2-cis-sysctl.conf — a subset of CIS benchmark kernel hardening:
- Kernel panic on oops (no crash dumps with exploitable data)
- Disabled kernel pointer leaks
- SYN flood protection
- ICMP redirect rejection
- Source routing disabled
Layer 2: Kubernetes Security (RKE2 CIS Profile)
RKE2 is deployed with profile: cis, which enforces the CIS Kubernetes Benchmark. This covers:
| Component | Hardening Applied |
|---|---|
| API Server | TLS client authentication required; anonymous auth disabled |
| etcd | Runs as dedicated non-root user; data encrypted at rest |
| Kubelet | Client certificate authentication; read-only port disabled |
| Scheduler | Profiling disabled; bind address restricted |
| Controller Manager | Service account credentials rotated; bind address restricted |
etcd Encryption at Rest
RKE2 enables etcd encryption by default. Secrets, ConfigMaps, and other sensitive resources stored in etcd are encrypted using AES-CBC with a randomly generated key at cluster creation time. An attacker with direct access to etcd storage cannot read Kubernetes secrets.
Layer 3: Pod Security Standards
Kubernetes Pod Security Standards (PSS) enforce workload security at the namespace level via built-in admission control. The default policy across all namespaces is restricted:
# cis-pss.yaml — applied via Combustion
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
defaults:
enforce: "restricted"
enforce-version: "latest"
audit: "restricted"
warn: "restricted"The restricted policy enforces:
- No privileged containers
- No host namespace sharing (
hostPID,hostNetwork,hostIPC) - Read-only root filesystem required
- All capabilities dropped; specific adds require explicit grant
- Non-root user required (
runAsNonRoot: true) - seccomp profile required (RuntimeDefault or Localhost)
kube-system, calico-system, longhorn-system, sriov-system) are exempted — they require privileged access for legitimate reasons (kernel modules, storage drivers, CNI plugins).
Layer 4: Network Segmentation
The multi-tier network architecture provides inherent segmentation. Management, data, and hardware acceleration traffic travel on physically separate networks:
| Network | Range | Purpose |
|---|---|---|
| Management | 192.168.41.0/27 | Cluster control plane, SSH, kubectl |
| MacVLAN | 192.168.41.48/28 | Legacy VNF connectivity |
| SR-IOV Netdev | 192.168.27.128/27 | High-throughput data plane (VLAN 538) |
| DPDK | 192.168.27.160/27 | Userspace packet processing (VLAN 539) |
Calico Network Policies can further restrict pod-to-pod communication within the management network. The data plane networks (SR-IOV, DPDK) bypass the Calico datapath entirely — security for those interfaces is enforced at the physical network level via VLAN segmentation.
Layer 5: Certificate Management
cert-manager v1.14.2 is deployed via Helm and handles certificate lifecycle across the cluster:
- Automated certificate issuance and renewal
- TLS for all internal service-to-service communication
- Certificate rotation before expiry (no manual intervention)
- Integration with RKE2's internal PKI
Known Gaps (Pre-Production Checklist)
- RKE2 token:
token: foobarinserver.yaml— replace withopenssl rand -base64 32 - Debug mode:
debug: trueinserver.yaml— set tofalse(verbose logging leaks configuration details) - Root password: Hash visible in
edge-cluster.yaml— rotate immediately after first deployment
- Add audit logging configuration to track API server activity
- Switch SSH to key-based auth only (remove password auth)
- Configure Calico Network Policies for pod isolation
- Implement Longhorn backup encryption for data at rest
Security Posture Summary
| Control | Status | Standard |
|---|---|---|
| OS immutability | Enabled | SLE Micro default |
| SELinux enforcing | Enabled | CIS Level 1 |
| CIS K8s Benchmark | Enabled | CIS Kubernetes 1.8 |
| etcd encryption | Enabled | RKE2 default |
| Pod Security Standards | restricted (default) | Kubernetes 1.25+ |
| Network segmentation | VLAN + multi-NIC | Custom |
| Certificate automation | cert-manager | CNCF |
| Audit logging | Not configured | Gap — add pre-prod |
The multi-layer approach means that a compromise at one layer does not automatically grant access at others. An attacker who escapes a container still faces SELinux, CIS kernel hardening, and network segmentation. This defence-in-depth posture is appropriate for critical telco infrastructure.