Transport Security Design
Transport Security Design
Section titled “Transport Security Design”Overview
Section titled “Overview”This document describes the transport-layer security architecture for the Graph OLAP Platform, covering encryption for all network communications.
Last Updated: 2025-12-20
Security Model
Section titled “Security Model”Design Principles
Section titled “Design Principles”- Defense in Depth: Multiple layers of encryption and authentication
- Zero Trust: Encrypt all traffic, even within the cluster
- Least Privilege: Network policies enforce minimal access
- Transparency: Encryption without application changes
Security Posture
Section titled “Security Posture”| Threat Model | Mitigation |
|---|---|
| Internet eavesdropping | TLS 1.2+ on all external connections |
| Cloud provider snooping | TLS 1.2+ for managed services (Cloud SQL, GCS) |
| Cluster network eavesdropping | WireGuard encryption (Cilium) |
| Pod compromise lateral movement | Network policies + encryption |
| Data exfiltration | FQDN-based egress filtering |
Encryption Architecture
Section titled “Encryption Architecture”1. External Traffic (Internet → GKE)
Section titled “1. External Traffic (Internet → GKE)”Status: ✅ FULLY ENCRYPTED (TLS 1.2+)
Ingress Configuration
Section titled “Ingress Configuration”Control Plane (Internal):
ingress: enabled: true className: "gce-internal" annotations: networking.gke.io/managed-certificates: "graph-olap-internal-cert" tls: - secretName: graph-olap-tls hosts: - graph-olap.internal.hsbc.comProtocol: TLS 1.2+ (GKE-managed) Certificate Management: GKE Managed Certificates (auto-renewal)
2. Database Connections (Application → Cloud SQL)
Section titled “2. Database Connections (Application → Cloud SQL)”Status: ✅ FULLY ENCRYPTED (TLS 1.2+)
Cloud SQL Configuration
Section titled “Cloud SQL Configuration”Terraform (infrastructure/modules/cloudsql/main.tf):
ip_configuration { require_ssl = true # ✅ SSL/TLS required ipv4_enabled = false # Private IP only}Connection String:
postgresql://user:[email protected]:5432/graph_olap?sslmode=require# ^^^^^^^^^^^^^^^^# SSL ENFORCEDCertificate Validation: Google-managed CA (trusted)
3. Cloud Storage (Application → GCS)
Section titled “3. Cloud Storage (Application → GCS)”Status: ✅ FULLY ENCRYPTED (HTTPS)
All GCS operations use HTTPS by default:
- Export Worker → GCS:
gs://URLs (HTTPS transport) - Ryugraph Wrapper → GCS: Google Cloud Storage SDK (HTTPS)
Certificate Validation: Google-managed CA (trusted)
4. External APIs (Application → Starburst)
Section titled “4. External APIs (Application → Starburst)”Status: ✅ FULLY ENCRYPTED (HTTPS)
Configuration (export-worker/deploy/k8s/configmap.yaml):
STARBURST_URL: "https://starburst.example.com"# ^^^^^# HTTPS enforcedCertificate Validation: System CA bundle
5. Internal Pod-to-Pod Traffic (Within GKE)
Section titled “5. Internal Pod-to-Pod Traffic (Within GKE)”Status: ✅ ENCRYPTED (WireGuard)
Cilium Transparent Encryption
Section titled “Cilium Transparent Encryption”Architecture: GKE Dataplane V2 (Cilium-based)
Terraform (infrastructure/modules/gke/main.tf):
resource "google_container_cluster" "primary" { # Enable GKE Dataplane V2 (Cilium-based) datapath_provider = "ADVANCED_DATAPATH"
addons_config { network_policy_config { disabled = false # Required for Cilium network policies } }}Cilium WireGuard Configuration:
apiVersion: v1kind: ConfigMapmetadata: name: cilium-config namespace: kube-systemdata: enable-wireguard: "true" wireguard-persistent-keepalive: "25s"How It Works:
- Cilium creates WireGuard tunnel between every pair of nodes
- All pod-to-pod traffic automatically encrypted in kernel
- No application changes required (transparent)
- ~5% CPU overhead (very efficient)
Encrypted Connections:
- Control Plane → Ryugraph Wrapper
- Export Worker → Control Plane
- KEDA → Cloud SQL Proxy (if deployed)
Protocol: WireGuard (ChaCha20-Poly1305 encryption)
Network Policy Enforcement
Section titled “Network Policy Enforcement”Cilium Network Policies
Section titled “Cilium Network Policies”Architecture: Identity-based + FQDN-based policies
Control Plane Policy
Section titled “Control Plane Policy”# Allow egress to specific destinations onlyapiVersion: cilium.io/v2kind: CiliumNetworkPolicymetadata: name: control-plane-policy namespace: control-planespec: endpointSelector: matchLabels: app: control-plane egress: # Allow to Wrapper pods - toEndpoints: - matchLabels: app: ryugraph-wrapper toPorts: - ports: - port: "8080" protocol: TCP
# Allow to GCS/Starburst via FQDN - toFQDNs: - matchPattern: "*.googleapis.com" toPorts: - ports: - port: "443" protocol: TCPBenefits:
- Identity-based (not IP-based) - survives pod rescheduling
- FQDN filtering - prevent data exfiltration
- L7 visibility - see encrypted traffic in Hubble
- No iptables overhead - eBPF performance
Security Validation
Section titled “Security Validation”Test 1: Verify WireGuard Encryption
Section titled “Test 1: Verify WireGuard Encryption”# Check WireGuard statuskubectl -n kube-system exec daemonset/cilium -- cilium status | grep Encryption# Expected: Encryption: Wireguard [cilium_wg0 (Pubkey: ...)]
# View WireGuard peerskubectl -n kube-system exec daemonset/cilium -- wg show# Expected: List of peer nodes with handshakes and transfer statsTest 2: Verify TLS Termination
Section titled “Test 2: Verify TLS Termination”# Test external ingresscurl -v https://graph-olap.hsbc.com/health# Expected: TLS 1.2+, valid certificate
# Test internal communication (should be encrypted by WireGuard)kubectl -n control-plane exec deploy/control-plane -- curl http://wrapper:8080/health# Expected: Success (HTTP in payload, WireGuard at network layer)Test 3: Verify Network Policies
Section titled “Test 3: Verify Network Policies”# This should be BLOCKED (export worker has no ingress allowed)kubectl run test --rm -it --image=curlimages/curl -- curl http://export-worker:8080# Expected: Timeout or connection refused
# This should work (allowed by policy)kubectl -n control-plane exec deploy/control-plane -- curl http://wrapper.graph-instances:8080/health# Expected: SuccessTest 4: Verify Cloud SQL SSL
Section titled “Test 4: Verify Cloud SQL SSL”# Check connection from Control Planekubectl -n control-plane exec deploy/control-plane -- psql "$DATABASE_URL" -c "SHOW ssl"# Expected: on
# Check from Export Workerkubectl -n control-plane exec deploy/export-worker -- psql "$DATABASE_URL" -c "SELECT * FROM pg_stat_ssl"# Expected: ssl = true, cipher = TLS_AES_256_GCM_SHA384Observability
Section titled “Observability”Hubble Network Flow Monitoring
Section titled “Hubble Network Flow Monitoring”Install Hubble CLI:
export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)curl -L --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gztar xzvf hubble-linux-amd64.tar.gzsudo mv hubble /usr/local/binMonitor Encrypted Flows:
# Port-forward Hubble Relaykubectl -n kube-system port-forward svc/hubble-relay 4245:80 &
# Observe all flowshubble observe --namespace control-plane
# Show only encrypted flowshubble observe --verdict ENCRYPTED
# Show policy denialshubble observe --verdict DROPPED
# Monitor Control Plane → Wrapper traffichubble observe --from-pod control-plane/control-plane --to-label app=ryugraph-wrapperPerformance Impact
Section titled “Performance Impact”Encryption Overhead
Section titled “Encryption Overhead”| Component | Baseline | With WireGuard | Overhead |
|---|---|---|---|
| CPU | 100% | 105-110% | +5-10% |
| Memory | Baseline | +100-200Mi per node | Minimal |
| Throughput | 10 Gbps | 9.5 Gbps | <5% |
| Latency | 1ms | 1.05ms | <0.1ms |
Cost Impact:
- n2-highmem-4 node: ~0.2 vCPU overhead
- Negligible cost increase (<2%)
- Security benefit >> cost
Comparison: Cilium vs Istio
Section titled “Comparison: Cilium vs Istio”| Feature | Cilium (Our Choice) | Istio |
|---|---|---|
| Architecture | eBPF kernel-level | Envoy sidecars |
| Performance | ✅ Minimal overhead (~5%) | ⚠️ Higher overhead (~15-20%) |
| Memory | ✅ 100Mi per node | ⚠️ 50-100Mi per pod |
| Setup | ✅ One config option | ⚠️ Complex (control plane + sidecars) |
| Encryption | ✅ WireGuard (kernel) | ⚠️ mTLS (userspace) |
| Observability | ✅ Hubble | ✅ Kiali/Jaeger |
| Network Policies | ✅ L3/L4/L7 + FQDN | ✅ L7 policies |
| Maintenance | ✅ GKE-managed | ⚠️ Self-managed |
Recommendation: Cilium for production (better performance, native GKE integration)
Threat Model & Mitigations
Section titled “Threat Model & Mitigations”Threat: Man-in-the-Middle (External)
Section titled “Threat: Man-in-the-Middle (External)”Attack: Intercept traffic between browser and GKE Mitigation:
- ✅ TLS 1.2+ with GKE Managed Certificates
- ✅ HSTS headers (if enabled on ingress)
- ✅ Certificate pinning (optional, for SDK)
Threat: Cloud Provider Eavesdropping
Section titled “Threat: Cloud Provider Eavesdropping”Attack: GCP employee intercepts Cloud SQL traffic Mitigation:
- ✅ TLS required for Cloud SQL connections
- ✅ Google-managed encryption at rest
- ✅ VPC Service Controls (optional, for data exfiltration)
Threat: Pod Compromise → Lateral Movement
Section titled “Threat: Pod Compromise → Lateral Movement”Attack: Compromised pod tries to connect to other services Mitigation:
- ✅ WireGuard encryption (attacker can’t sniff traffic)
- ✅ Cilium network policies (attacker can’t make connections)
- ✅ FQDN egress filtering (attacker can’t exfiltrate data)
Threat: Cluster Network Sniffing
Section titled “Threat: Cluster Network Sniffing”Attack: Attacker with node access sniffs pod-to-pod traffic Mitigation:
- ✅ WireGuard encryption (traffic is encrypted on the wire)
- ✅ Private cluster (no public node IPs)
- ✅ Shielded nodes (secure boot prevents OS compromise)
Compliance
Section titled “Compliance”Industry Standards
Section titled “Industry Standards”| Standard | Requirement | Status |
|---|---|---|
| PCI DSS 4.0 | TLS 1.2+ for card data | ✅ Compliant |
| SOC 2 Type II | Encryption in transit | ✅ Compliant |
| ISO 27001 | Network security controls | ✅ Compliant |
| GDPR | Data protection in transit | ✅ Compliant |
Audit Evidence
Section titled “Audit Evidence”External Traffic Encryption:
# Verify TLS versionopenssl s_client -connect graph-olap.hsbc.com:443 -tls1_2# Shows: TLS 1.2 or higherInternal Traffic Encryption:
# Show WireGuard tunnelskubectl -n kube-system exec daemonset/cilium -- wg show all# Shows: Encrypted tunnels between all nodesDatabase Encryption:
# Show SSL cipherkubectl -n control-plane exec deploy/control-plane -- \ psql "$DATABASE_URL" -c "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"# Shows: ssl=t, cipher=TLS_AES_256_GCM_SHA384Deployment Checklist
Section titled “Deployment Checklist”Pre-Production
Section titled “Pre-Production”- GKE cluster created with
datapath_provider = "ADVANCED_DATAPATH" - Cilium WireGuard config deployed:
kubectl apply -f cilium-config.yaml - WireGuard verified:
cilium status | grep Wireguard - Network policies deployed and tested
- Hubble observability enabled
- TLS certificates configured (GKE Managed Certificates)
- Cloud SQL
require_ssl = trueverified
Post-Deployment
Section titled “Post-Deployment”- Verify external HTTPS:
curl -v https://graph-olap.hsbc.com - Verify WireGuard encryption:
hubble observe --verdict ENCRYPTED - Verify network policies: Test blocked/allowed traffic
- Monitor Hubble for policy violations:
hubble observe --verdict DROPPED - Load test to verify performance impact is acceptable
- Document any exceptions or deviations
References
Section titled “References”Related Documents
Section titled “Related Documents”- Architectural Guardrails - Technology constraints
- Deployment Design - Kubernetes deployment patterns
- GKE Configuration Reference - GKE best practices
- Cilium Configuration - Deployment guide