AR Cloud Customization and Security

Secure Deployment Best Practices

Magic Leap recommends reviewing the installed infrastructure to align with security best practices listed below.

• Configure Kubernetes secrets to use a secret manager such as Vault together with an external secret operator.
• Follow security best practices when deploying each of the preexisting components
  • Best practices for Securing a Kubernetes Cluster
  • Kubernetes Security Checklist
  • Kubernetes Hardening Guide
  • Deployment guide for OPA
  • Deployment best practices for Istio
  • Security guidelines for PostgreSQL:
    • Client Authentication
    • Database Roles
    • Privileges
    • GCP Cloud SQL best practices
    • AWS RDS best practices
  • IAM:
    • GCP Use IAM securely
      • Use Workload identity
      • Use Cloud SQL IAM database authentication
    • AWS Security best practices in IAM

What To Avoid?

• Avoid permissive IAM policies in your environment
• Avoid hosting AR Cloud on public IPs
• Avoid public IPs for nodes
• Avoid using a domain without a TLS certificate (one can be automatically issued using cert-manager)
• Avoid allowing all traffic to the cluster on the firewall or disabling the firewall completely

General Pointers

• Deploy the system on its own namespace
• Isolate the deployment’s namespace from other deployed assets on the network level
• Limit access to relevant container registries only
• Make sure to run nodes running Apparmor with Container OS for the host nodes (or other minimal OS)
• Keep all components up-to-date

Advanced Setup

The instruction on other pages are meant to get AR Cloud running quickly and in its simplest manor. However, AR Cloud is built to be flexible and can support many configurations. For example, external object storage solutions can be used instead of MinIO or managed PostgreSQL instances with high availability and integrated backups.

Managed Database

The following steps outline the steps for connecting AR Cloud to the managed database instance.

note

These steps only apply to a new installation of AR Cloud.

PostgreSQL Minimum Requirements

• PostgreSQL Version: 14+
• PostGIS Version: 3.3+

note

The PostGIS extension must be enabled on the arcloud database.

Database Configuration

• Review and configure all settings within the ./scripts/setup-database.sh script.
• Execute the ./scripts/setup-database.sh script against the managed database instance.
• Create Kubernetes database secrets for each application within your AR Cloud namespace. Secret names are referenced for each AR Cloud application, see the values.yaml file postgresql.existingSecret keys.

AR Cloud Setup

When running the ./setup.sh script, you will need to supply the following additional settings in order to disable the default installation of postgresql, and point application connections to the managed database.

./setup.sh ... --set postgresql.enabled=false,global.postgresql.host=${POSTGRESQL_HOST},global.postgresql.port=${POSTGRESQL_PORT}