Security hardening
Rune ships with sensible defaults but a few important things are off by default. This page is the punch list before you put a server on a public network.
Hardening checklist
Section titled “Hardening checklist”- TLS enabled on
:7863and:7861. - KEK loaded from env (or vaulted credential), not generated.
- Bootstrap token rotated to a non-
rootadmin token; root token revoked. - No service or user has the
rootpolicy attached for day-to-day use. -
auth.allow_remote_admin: false(default). -
runedbinds to a private interface or fronted by a TLS proxy. - Per-namespace policies, not
*policies, for service teams. - Token TTLs set on all human and CI tokens.
- Backups in place for
--data-dirand the KEK (separate locations).
Generate (or obtain) a server cert + key, then:
auth: tls: enabled: true cert-file: /etc/rune/tls/server.crt key-file: /etc/rune/tls/server.keyRestart runed. Update CLI contexts to point at the new TLS-enabled server:
rune context set prod \ --server runed.example.com:7863 \ --tls-ca /etc/rune/tls/ca.crtmTLS (client certs) is roadmap (RUNE-028). For now, bearer tokens over TLS are the model.
KEK lifecycle
Section titled “KEK lifecycle”Backup
Section titled “Backup”The KEK file is the master key for every secret. Back it up to a separate, equally-protected location (e.g., a sealed Vault entry):
sudo cat /var/lib/rune/kek | base64 -d | wc -c # should be 32sudo cp /var/lib/rune/kek /secure/offsite/kek.$(date +%F)Store with mode 0600, owner restricted.
Rotation (manual today)
Section titled “Rotation (manual today)”KEK rotation is operational, not online — there’s no built-in rune admin rotate-kek yet. The procedure:
- Stand up a second
runedwith the new KEK in env, pointed at a fresh data dir. - For each secret, fetch the plaintext (mount it into a one-off pod, dump it), and re-create on the new server.
- Cut clients over to the new server.
- Decommission the old server and securely destroy the old KEK.
Automated rotation is roadmap.
Narrowing RBAC
Section titled “Narrowing RBAC”Built-in policies are wide. For real teams, write scoped policies:
name: team-alphadescription: Alpha team — full edit on alpha namespaces onlyrules: - resource: "*" verbs: [get, list, watch, create, update, delete, scale, exec] namespace: alpha - resource: "*" verbs: [get, list, watch, create, update, delete, scale, exec] namespace: alpha-stagingrune admin policy create -f policies/team-alpha.yamlrune admin policy attach team-alpha --to-user alicerune admin policy detach readwrite --from-user aliceKnown weak spots (be aware)
Section titled “Known weak spots (be aware)”These are real and tracked. Don’t let them surprise you in an audit.
| Issue | Risk | Mitigation today | Tracked |
|---|---|---|---|
| TLS is opt-in; default is plaintext | Bearer tokens cross the wire unencrypted | Enable TLS in production. Always. | RUNE-028 |
| Token lookup is O(N) and not constant-time | Mild perf and timing-side-channel risk | Keep token count low; use rate-limited proxies | RUNE-028 |
CORS middleware is wide-open (Allow-Origin: *) | Browser-side abuse if REST gateway is exposed | Don’t expose REST to public internet today | RUNE-028 |
| Stream RPCs (logs/exec/watch) bypass namespace-scoped policy rules | Namespace policies don’t restrict streaming | Use cluster-wide policies for streaming if needed | RUNE-028 |
Process runner accepts but doesn’t enforce readOnlyFS, capabilities, syscall filters | Security claims in spec are not enforced | Run as unprivileged user: only | RUNE-004↑ |
| gRPC reflection is on by default | Schema introspection on prod | Front-door with a proxy that strips it | RUNE-028 |
| No rate limiting / brute-force protection on auth | Unbounded credential brute-force | Run behind a proxy that rate-limits | RUNE-028 |
| Bootstrap is gated to localhost server-side (good) | Fine — but allow_remote_admin: true removes the gate | Don’t enable allow_remote_admin | — |
If any of these matter for your environment, deploy runed behind a TLS-terminating, rate-limiting reverse proxy and accept that this is a Release-1 single-node platform under active hardening.
Audit log (planned)
Section titled “Audit log (planned)”A per-RPC audit trail is roadmap (RUNE-089). Today, runed logs every RPC at debug level — enable that for a poor-man’s audit:
server: log-level: debug log-format: jsonShip to a tamper-resistant collector if you need durability.
See also
Section titled “See also”- Identity & RBAC — the policy model.
- Running runed — backups and process management.
- Configuration — runefile knobs.