Defense-in-Depth Security Model
Petra implements security controls at every stage of the artifact lifecycle, from image build to runtime execution.
No SSH
There is no SSH daemon, no SSH keys, and no port 22. All administrative access is through AWS Systems Manager (SSM) Session Manager, which provides authenticated, encrypted, and fully audited shell access.
FIPS Everywhere
FIPS 140-2 validated cryptography is mandatory for all components regardless of deployment target:
- k3s uses Go 1.24 native FIPS crypto (CAVP A6650, replaces deprecated BoringCrypto)
- Chainguard images include FIPS variants
- All TLS connections use FIPS-approved cipher suites
- FIPS mode enforced at runtime via `GODEBUG=fips140=on`
Immutable Infrastructure
Flatcar's read-only root filesystem prevents runtime modification of the operating system. Compromised workloads cannot install packages, modify system binaries, or persist backdoors. Node remediation is replacement, not repair.
eBPF Security
- Cilium: Identity-aware network policies at L3/L4/L7
- Tetragon: Syscall-level monitoring, process execution tracking, file integrity detection
Admission Control
- OPA Gatekeeper: No privileged containers, image source restrictions, required resource limits, required labels
- Sigstore Policy Controller: Cosign signature verification on every image at admission time
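The admission rules listed above can also be run as a lint over a manifest before it reaches the cluster. This is an added example, not Petra's own code, and it is written in Python rather than the Rego that Gatekeeper evaluates. It also checks digest pinning (listed under SR-4); the allowed registry prefix, the required label names and both sample pods are assumptions.

```python
# Pre-admission lint over a Pod manifest in dict form (added illustration, not Petra code).
ALLOWED_REGISTRIES = ("cgr.dev/chainguard/",)   # assumption: permitted image source
REQUIRED_LABELS = ("app", "owner")              # assumption: labels the policy requires

def violations(pod):
    """Return a sorted list of policy violations for one Pod manifest."""
    found = []
    labels = pod.get("metadata", {}).get("labels") or {}
    for key in REQUIRED_LABELS:
        if not labels.get(key):
            found.append(f"missing label: {key}")
    spec = pod.get("spec", {})
    # Init and ephemeral containers are admitted too, so they get the same checks.
    containers = []
    for field in ("containers", "initContainers", "ephemeralContainers"):
        containers.extend(spec.get(field) or [])
    for c in containers:
        name, image = c.get("name", "?"), c.get("image", "")
        if (c.get("securityContext") or {}).get("privileged") is True:
            found.append(f"{name}: privileged container")
        if not image.startswith(ALLOWED_REGISTRIES):
            found.append(f"{name}: image source not allowed")
        # A tag can be re-pointed; only a sha256 digest names fixed content.
        digest = image.rpartition("@sha256:")[2] if "@sha256:" in image else ""
        if len(digest) != 64 or any(ch not in "0123456789abcdef" for ch in digest):
            found.append(f"{name}: image not pinned by digest")
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                found.append(f"{name}: no {res} limit")
    return sorted(found)

# Constructed sample manifests (image names and digest are placeholders).
GOOD_POD = {
    "metadata": {"labels": {"app": "api", "owner": "platform"}},
    "spec": {"containers": [{
        "name": "api", "image": "cgr.dev/chainguard/example-app@sha256:" + "a" * 64,
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]},
}
BAD_POD = {
    "metadata": {"labels": {"app": "debug"}},
    "spec": {"containers": [{
        "name": "shell", "image": "docker.io/library/busybox:latest",
        "securityContext": {"privileged": True}}]},
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, violations(pod) or "admitted")
```

A lint like this only gives early feedback in CI; the admission controllers remain the enforcement point, and signature verification is not covered here.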
Supply Chain Verification
| Stage | Control |
|---|---|
| Image sourcing | Chainguard (minimal, no shell, no package manager) |
| Build-time | Cosign verify, vulnerability scan, SBOM generation |
| Bundle | Signed archive, per-image digests, metadata manifest |
| Admission | Sigstore policy-controller re-verifies signatures |
| Runtime | Tetragon monitors process execution and file access |
| Continuous | kube-bench CIS benchmarks |
NIST 800-53 Control Coverage
| Control | Description | Implementation |
|---|---|---|
| AC-6 | Least Privilege | No SSH, SSM-only, RBAC, Gatekeeper |
| AU-2 | Audit Events | CloudTrail, K8s audit logs, Tetragon |
| CM-7 | Least Functionality | Immutable OS, minimal images |
| SC-13 | Cryptographic Protection | FIPS 140-2 Go 1.24 native (CAVP A6650) |
| SI-7 | Software Integrity | Cosign at build, transfer, admission |
| SR-4 | Provenance | SLSA L3, SBOM, digest pinning |