Data Security
Links to data security configuration topics
A newly installed Hydrolix cluster comes with centralized user authentication, a wide array of support for TLS, and encrypted data at rest.
Unified auth
Each Hydrolix cluster can be configured to support Single Sign-On (SSO) and apply different access restrictions for users.
- Authentication and Authorization - overview of auth systems
- Account Types - local and SSO users, service accounts, administrative accounts
- Account Permissions (RBAC) - account-level access controls; Role-Based Access Controls
- User Authentication - how to authenticate and use tokens for services
Network security
Hydrolix strongly recommends installing certificates to secure client-to-cluster traffic.
Hydrolix can enforce TLS communication between end users and your cluster; to turn it on, see Enable TLS. When TLS is enabled, Hydrolix disables non-secure port access to endpoints, including ingest, the UI, and query.
- Enable TLS - support different ways to terminate TLS on the cluster
- IP allow-lists - limit allowed IPs with network access control lists
Hydrolix clusters securely retrieve data from object storage with token-based authentication over TLS. The data remains accessible only in the Virtual Private Cloud (VPC) hosting the Kubernetes deployment, isolating it from external networks.
Load balancer choices
When you create your Hydrolix cluster, you can select different load balancers. Hydrolix supports the following load balancers using the traefik_service_type variable:
Name | Identifier | Behavior |
---|---|---|
public load balancer | public_lb | A load balancer using a routable public IP address |
private load balancer | private_lb | A load balancer using a private IP in the same subnet as the Kubernetes nodes |
cluster IP | cluster_ip | No load balancer at all. You can only access your cluster from within your Kubernetes cluster |
node port | node_port | A custom load balancer provided externally |
Depending on your usage and use case you might want a publicly addressable cluster or a private one.
Whichever load balancer you choose, be sure to Configure IP Access for it.
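The two exposure decisions made in this section, the traefik_service_type value and whether an IP allow-list and TLS are configured for it, can be checked before a cluster spec is applied. The following is an added example written for this page, not Hydrolix's own tooling: the four identifiers come from the table above, while the ip_allowlist and tls_enabled field names are hypothetical stand-ins for the Configure IP Access and Enable TLS settings.

```python
import ipaddress
from dataclasses import dataclass, field

# Load-balancer identifiers taken from the traefik_service_type table above.
LB_TYPES = {"public_lb", "private_lb", "cluster_ip", "node_port"}
# Types that expose an IP address outside the Kubernetes cluster itself.
ADDRESSABLE = {"public_lb", "private_lb"}


@dataclass
class ClusterSpec:
    """Subset of a cluster spec used by this check.

    Only traefik_service_type is a name documented on the page; ip_allowlist
    and tls_enabled are hypothetical field names standing in for the
    'Configure IP Access' and 'Enable TLS' settings.
    """
    traefik_service_type: str
    ip_allowlist: list[str] = field(default_factory=list)
    tls_enabled: bool = False


def check_exposure(spec: ClusterSpec) -> list[str]:
    """Return finding codes for exposure problems; an empty list means clean."""
    findings: list[str] = []

    if spec.traefik_service_type not in LB_TYPES:
        findings.append(f"UNKNOWN_LB_TYPE:{spec.traefik_service_type}")
        return findings  # nothing else is meaningful without a known type

    # TLS should be on regardless of where the endpoint is reachable from:
    # a private subnet still carries tokens and query results in clear text.
    if not spec.tls_enabled:
        findings.append("TLS_DISABLED")

    # Parse every allow-list entry as a CIDR before reasoning about it, so a
    # typo cannot silently turn into a permissive or rejected rule.
    networks = []
    for entry in spec.ip_allowlist:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            findings.append(f"BAD_CIDR:{entry}")

    lb = spec.traefik_service_type
    if lb in ADDRESSABLE:
        if not networks:
            findings.append(f"NO_ALLOWLIST:{lb}")
        # A /0 entry makes the allow-list a no-op on a reachable address.
        if any(n.prefixlen == 0 for n in networks):
            findings.append("ALLOWLIST_ANY")
    elif lb == "node_port":
        # Access control lives in the externally provided balancer, which
        # this check cannot see; surface it for manual review.
        findings.append("EXTERNAL_LB_REVIEW")
    # cluster_ip: reachable only from inside the Kubernetes cluster.

    return findings


if __name__ == "__main__":
    # Constructed sample specs: a weak public exposure and a hardened one.
    weak = ClusterSpec("public_lb", ip_allowlist=["0.0.0.0/0", "10.0.0.300/32"])
    hardened = ClusterSpec("public_lb", ip_allowlist=["203.0.113.0/24"],
                           tls_enabled=True)
    print(check_exposure(weak))
    print(check_exposure(hardened))
```

Running the module on the constructed specs reports TLS_DISABLED, the malformed CIDR, and ALLOWLIST_ANY for the weak spec and nothing for the hardened one; a cluster_ip spec with TLS passes without an allow-list because it is never reachable from outside the Kubernetes cluster.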
Encrypt data at rest
For AWS, Google Cloud, and Azure, Hydrolix uses cloud storage layers which encrypt data at rest by default. For more information, see the platform documentation.
Encrypt data at rest to ensure your data storage layer is secure and can't be accessed without authorization.
Object storage access credentials
To connect to data storage layers, Hydrolix requires a service account or a secret key for interacting with the object storage system.
Use a service account or secret key to control access so only your Hydrolix cluster can access your storage layers.
Hydrolix clusters use a cache that stores metadata to disk. This cache is managed by your cloud storage layer provider, and thus is encrypted.