secure-development-in-the-kyma-environment-ff51a32.md

Secure Development in the Kyma Environment

Secure development focuses on Pod security, network traffic restriction, Istio sidecar proxy injection, and workload exposure. Learn about the security measures you can take to improve the security of your Kyma environment .

Pod Security

To learn how to secure your Kubernetes Pods in Kyma, see Kubernetes Pod Security Recommendations.

Restrict and Secure Network Traffic

• Set up Kubernetes Network Policies to restrict the network traffic between Pods in your namespaces.

• Enabling Istio Sidecar Proxy Injection for your namespaces.

Expose Workloads Securely

To securely expose workloads in SAP BTP, Kyma runtime, use the Istio and API Gateway modules. As a prerequisite, make sure that you have those two modules added to your Kyma cluster. Then, perform the following tasks:

• Set Up a Custom Domain for a Workload

• Disable the default gateway. See Disable or Enable Kyma Gateway.

• Set up your own API gateway with one of the following options:

  • Set Up a TLS Gateway in Simple Mode

  • Set Up an mTLS Gateway and Expose Workloads Behind It

• Create an APIRule Custom Resource to securely expose your workloads

  • Expose and Secure a Workload with JWT

  • Expose and Secure a Workload with a Certificate

Module-Specific Security Considerations

Serverless Module

For more information, see Security Considerations for the Serveless module.

Related Information

Kyma Security Concepts

Secure Administration and Operations in the Kyma Environment

Kubernetes Pod Security Recommendations