AR Cloud Customization and Security
Secure Deployment Best Practices
Magic Leap recommends reviewing the installed infrastructure to align it with the security best practices listed below.
- Configure Kubernetes secrets to use a secret manager such as Vault together with an external secret operator.
- Follow security best practices when deploying each of the preexisting components:
  - Best practices for Securing a Kubernetes Cluster
  - Kubernetes Security Checklist
  - Kubernetes Hardening Guide
  - Deployment guide for OPA
  - Deployment best practices for Istio
  - Security guidelines for PostgreSQL:
  - IAM:
What To Avoid?
- Avoid permissive IAM policies in your environment
- Avoid hosting AR Cloud on public IPs
- Avoid public IPs for nodes
- Avoid using a domain without a TLS certificate (one can be automatically issued using cert-manager)
- Avoid allowing all traffic to the cluster on the firewall or disabling the firewall completely
General Pointers
- Deploy the system on its own namespace
- Isolate the deployment’s namespace from other deployed assets on the network level
- Limit access to relevant container registries only
- Make sure the host nodes run AppArmor on Container OS (or another minimal OS)
- Keep all components up-to-date
Advanced Setup
The instructions on other pages are meant to get AR Cloud running quickly and in the simplest manner. However, AR Cloud is built to be flexible and can support many configurations. For example, external object storage solutions can be used instead of MinIO, and managed PostgreSQL instances with high availability and integrated backups can be used instead of the bundled database.
Managed Database
The following steps describe how to connect AR Cloud to a managed database instance.
These steps only apply to a new installation of AR Cloud.
PostgreSQL Minimum Requirements
- PostgreSQL Version: 14+
- PostGIS Version: 3.3+
The PostGIS extension must be enabled on the arcloud database.
Database Configuration
- Review and configure all settings within the ./scripts/setup-database.sh script.
- Execute the ./scripts/setup-database.sh script against the managed database instance.
- Create Kubernetes database secrets for each application within your AR Cloud namespace.
Secret names are referenced for each AR Cloud application; see the values.yaml file's postgresql.existingSecret keys.
AR Cloud Setup
When running the ./setup.sh script, you will need to supply the following additional settings in order to disable the default installation of PostgreSQL and point application connections to the managed database.
./setup.sh ... --set postgresql.enabled=false,global.postgresql.host=${POSTGRESQL_HOST},global.postgresql.port=${POSTGRESQL_PORT}
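A pre-flight check for the requirements above, added here as an example and not part of Magic Leap's scripts: it confirms PostgreSQL 14+ and that PostGIS 3.3+ is enabled on the arcloud database before ./setup.sh is pointed at the managed instance. The script name preflight.sh, the --run switch, and the use of libpq's PGUSER/PGPASSWORD for credentials are assumptions; POSTGRESQL_HOST and POSTGRESQL_PORT are the variables from the command above.

```shell
#!/bin/sh
# Added example (hypothetical preflight.sh): check a managed PostgreSQL instance
# before running ./setup.sh with postgresql.enabled=false.
# Assumption: credentials come from libpq's PGUSER/PGPASSWORD (or ~/.pgpass).

# pg_ok NUM: succeed when server_version_num (e.g. 140005) is PostgreSQL 14+.
pg_ok() {
  case "$1" in '' | *[!0-9]*) return 1 ;; esac
  [ "$1" -ge 140000 ]
}

# postgis_ok VER: succeed when extversion (e.g. 3.4.1) is 3.3 or newer.
# An empty VER means the extension is not enabled in the database.
postgis_ok() {
  case "$1" in *.*) ;; *) return 1 ;; esac
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}
  [ -n "$major" ] && [ -n "$minor" ] || return 1
  [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 3 ]; }
}

# check_requirements NUM VER: report each requirement; return the failure count.
check_requirements() {
  failures=0
  if pg_ok "$1"; then echo "OK   PostgreSQL server_version_num=$1"
  else echo "FAIL PostgreSQL 14+ required (server_version_num='$1')"; failures=$((failures + 1)); fi
  if postgis_ok "$2"; then echo "OK   PostGIS $2 enabled on arcloud"
  else echo "FAIL PostGIS 3.3+ must be enabled on arcloud (found '$2')"; failures=$((failures + 1)); fi
  return "$failures"
}

# query SQL: run one statement against the arcloud database, print the bare value.
query() {
  psql -X -At -v ON_ERROR_STOP=1 -h "$POSTGRESQL_HOST" -p "$POSTGRESQL_PORT" \
    -d arcloud -c "$1"
}

# Only touch the database when asked to: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  check_requirements "$(query 'SHOW server_version_num')" \
    "$(query "SELECT extversion FROM pg_extension WHERE extname = 'postgis'")"
fi
```

The exit status is the number of unmet requirements, so the script can gate a deployment pipeline step.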