
RFC-TENANT-SECURITY-0001                                         Section 4
Category: Standards Track                                       Components

4. Components



4.1 Component Overview

The Tenant Application Security Architecture comprises four primary components working together to provide defense-in-depth.


4.2 BunkerWeb

4.2.1 Responsibility

BunkerWeb serves as the unified ingress controller and Web Application Firewall, providing:

Function           Description
-----------------  -----------------------------------------------
Ingress Routing    HTTP/HTTPS traffic routing to backend services
TLS Termination    Certificate management and encryption
WAF Protection     OWASP CRS-based attack detection and prevention
Rate Limiting      Connection and request throttling
Bot Mitigation     Challenge-based verification
IP Reputation      Blacklist and DNSBL integration

4.2.2 Interfaces

Inbound Interfaces

Interface    Source          Protocol   Purpose
-----------  --------------  ---------  -----------------
HTTPS        Load Balancer   TCP/443    Client traffic
HTTP         Load Balancer   TCP/80     Redirect to HTTPS
Management   Platform Team   TCP/5000   Web UI access

Outbound Interfaces

Interface   Destination          Protocol      Purpose
----------  -------------------  ------------  -----------------------
Backend     Application Pods     HTTP/HTTPS    Proxied requests
Logging     Log Aggregator       Syslog/HTTP   Security events
Metrics     Prometheus           HTTP          Performance metrics
DNSBL       External             DNS           IP reputation lookup
CAPTCHA     External Providers   HTTPS         Challenge verification

4.2.3 Failure Modes

Failure               Detection          Impact                 Recovery
--------------------  -----------------  ---------------------  -------------------------
Process crash         Health check       Traffic blocked        Pod restart (automatic)
Memory exhaustion     Resource limits    Degraded performance   Scale out or restart
Configuration error   Startup failure    Traffic blocked        GitOps rollback
Backend unreachable   Health check       502 errors             Backend recovery
Certificate expiry    Monitoring alert   TLS failures           cert-manager renewal

4.2.4 Security Properties

Property               Guarantee
---------------------  ----------------------------------------
No bypass              All traffic passes through WAF (INV-1)
TLS enforcement        Minimum TLS 1.2 (INV-2)
Rule transparency      OWASP CRS rules are auditable
Logging completeness   All blocked requests logged (INV-9)

4.3 cert-manager

4.3.1 Responsibility

cert-manager provides automated TLS certificate lifecycle management:

Function               Description
---------------------  -------------------------------
Certificate Issuance   Automated certificate requests
Certificate Renewal    Pre-expiry renewal
ACME Integration       Let's Encrypt automation
Secret Management      Kubernetes Secret creation

4.3.2 Interfaces

Inbound Interfaces

Interface           Source          Protocol         Purpose
------------------  --------------  ---------------  -------------------------
Certificate CRD     GitOps          Kubernetes API   Certificate definitions
ClusterIssuer CRD   Platform Team   Kubernetes API   Issuer configuration

Outbound Interfaces

Interface      Destination        Protocol         Purpose
-------------  -----------------  ---------------  ----------------------
ACME           Let's Encrypt      HTTPS            Certificate issuance
DNS Provider   Cloudflare/Other   HTTPS            DNS01 challenges
Secrets        Kubernetes API     Kubernetes API   Certificate storage

4.3.3 Failure Modes

Failure                 Detection          Impact                Recovery
----------------------  -----------------  --------------------  ---------------------------
ACME rate limit         Error logs         Issuance blocked      Wait for rate limit reset
DNS challenge failure   Error logs         Issuance blocked      Fix DNS configuration
Certificate expiry      Monitoring alert   TLS failures          Manual intervention
API unavailable         Health check       No new certificates   API recovery

4.3.4 Security Properties

Property            Guarantee
------------------  -------------------------------------------
Automation          No manual certificate handling (INV-3)
Short-lived certs   Certificates renewed before expiry
Secret isolation    Certificates stored as Kubernetes Secrets
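An added example, not taken from this RFC or from the cert-manager project, of the two CRDs described above: a ClusterIssuer owned by the Platform Team that uses ACME with a DNS01 solver, and a tenant Certificate delivered via GitOps that references it. The issuer name, contact address, Secret names, namespace and DNS name are assumptions.

```yaml
# Added example (not from the RFC). ClusterIssuer: cluster-wide, managed by
# the Platform Team (inbound interface "ClusterIssuer CRD").
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01                      # assumed issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform-team@example.com           # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key      # ACME account key; cert-manager creates it
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token       # assumed Secret in the cert-manager namespace
              key: api-token
---
# Certificate: per-tenant, applied through GitOps (inbound interface
# "Certificate CRD"). cert-manager writes the resulting key pair into
# spec.secretName, which is what the ingress layer mounts for TLS termination.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenant-a-tls
  namespace: tenant-a                          # assumed tenant namespace
spec:
  secretName: tenant-a-tls
  duration: 2160h                              # 90 days requested; the ACME CA decides the real lifetime
  renewBefore: 720h                            # pre-expiry renewal: 30 days before notAfter
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                     # fresh private key on every renewal
  dnsNames:
    - app.tenant-a.example.com                 # assumed hostname
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
```

The two failure modes listed above show up on these objects: an ACME rate limit or a failed DNS01 challenge leaves the Certificate with Ready=False and the reason in its status conditions and events, which is where the "Error logs" detection in 4.3.3 points.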

4.4 Calico CNI

4.4.1 Responsibility

Calico provides network policy enforcement at the CNI layer:

Function         Description
---------------  -------------------------------------
Network Policy   Kubernetes NetworkPolicy enforcement
Pod Networking   Container network connectivity
Policy Logging   Flow log generation
IPAM             IP address management

4.4.2 Interfaces

Inbound Interfaces

Interface       Source       Protocol         Purpose
--------------  -----------  ---------------  -------------------
NetworkPolicy   GitOps       Kubernetes API   Policy definitions
Pod Events      Kubernetes   Kubernetes API   Pod lifecycle

Outbound Interfaces

Interface   Destination      Protocol   Purpose
----------  ---------------  ---------  -----------------------
Flow Logs   Log Aggregator   Syslog     Network observability
Metrics     Prometheus       HTTP       Performance metrics

4.4.3 Failure Modes

Failure                   Detection            Impact                    Recovery
------------------------  -------------------  ------------------------  -----------------
CNI crash                 Node NotReady        All pod traffic blocked   Node restart
Policy misconfiguration   Application errors   Traffic denied            GitOps rollback
Resource exhaustion       Node pressure        Degraded networking       Scale cluster

4.4.4 Security Properties

Property               Guarantee
---------------------  -------------------------------------------------
Default deny           Policies enforce zero trust (INV-5)
Namespace isolation    Cross-namespace blocked by default (INV-6)
Egress control         Outbound traffic restricted (INV-7)
Guardrail precedence   Platform policies cannot be overridden (INV-8)
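An added example, not taken from this RFC or from the Calico project, of how INV-5 through INV-8 can be expressed: a Calico GlobalNetworkPolicy that tenants cannot override from their own namespace, and a per-namespace Kubernetes NetworkPolicy baseline. The tenant namespace label, the namespace name and the cluster CIDR are assumptions.

```yaml
# Added example (not from the RFC). Platform guardrail as a Calico
# GlobalNetworkPolicy. Calico evaluates policies by "order"; Kubernetes
# NetworkPolicy objects are evaluated at order 1000, so this policy runs
# first and a tenant cannot undo its Deny from its own namespace (INV-8).
# The label tenant=true and the CIDR 10.0.0.0/8 are assumptions.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: platform-guardrail-egress
spec:
  order: 100
  namespaceSelector: tenant == "true"        # assumed label on tenant namespaces
  types: [Egress]
  egress:
    - action: Allow                          # cluster DNS only
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
    - action: Deny                           # INV-7: nothing leaves the cluster network
      destination:
        notNets: ["10.0.0.0/8"]              # assumed pod/service CIDR
    # In-cluster traffic matches neither rule and falls through to tenant policies.
---
# Tenant baseline: empty podSelector makes it default deny for both
# directions (INV-5); ingress only from the ingress-system namespace where
# BunkerWeb runs (INV-6); egress only to cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-baseline
  namespace: tenant-a                        # assumed tenant namespace
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-system
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```

A misapplied baseline surfaces as the "Policy misconfiguration" failure in 4.4.3: application errors rather than a crash, with the denied flows visible in the Calico flow logs and the fix being a GitOps rollback of the offending policy.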

4.5 Component Interactions

4.5.1 Request Processing Sequence

4.5.2 Dependency Matrix

Component      Depends On         Dependency Type
-------------  -----------------  ----------------------------
BunkerWeb      cert-manager       TLS certificates
BunkerWeb      Calico             Network connectivity
BunkerWeb      External CAPTCHA   Bot verification (optional)
Calico         Kubernetes API     Policy definitions
cert-manager   ACME Provider      Certificate issuance
cert-manager   DNS Provider       DNS01 challenges

4.6 Component Deployment

4.6.1 Namespace Placement

Component      Namespace        Rationale
-------------  ---------------  ----------------------------
BunkerWeb      ingress-system   Dedicated ingress namespace
cert-manager   cert-manager     Standard namespace
Calico         kube-system      CNI requirement

4.6.2 High Availability

Component      HA Strategy                   Minimum Replicas
-------------  ----------------------------  -----------------
BunkerWeb      Multiple replicas behind LB   2
cert-manager   Leader election               1 (HA optional)
Calico         DaemonSet (per-node)          N/A

4.6.3 Resource Boundaries

Component      CPU Request          Memory Request         Scaling
-------------  -------------------  ---------------------  ---------------------
BunkerWeb      Per traffic volume   Per connection count   Horizontal
cert-manager   Minimal              Minimal                Not typically needed
Calico         Per-node             Per-node               With cluster

End of Section 4