Security

Security configuration for the nbe-operator and NetBox Enterprise deployment.

RBAC Modes

The operator supports two RBAC scopes controlled by rbac.scope:

Cluster Scope (Default)

rbac:
  scope: "cluster"
  • Creates ClusterRole and ClusterRoleBinding
  • Operator watches for NetBoxEnterprise resources in all namespaces
  • Required for multi-namespace deployments

Namespace Scope

rbac:
  scope: "namespace"
  • Creates Role and RoleBinding in the release namespace only
  • Operator watches only its own namespace
  • More restrictive — suitable for shared clusters where namespace isolation is required

Pod Security

The operator runs with restrictive security defaults:

Setting                   | Value  | Description
runAsNonRoot              | true   | Container must run as non-root
runAsUser                 | 65532  | UID for the operator process
fsGroup                   | 65532  | Filesystem group
allowPrivilegeEscalation  | false  | No privilege escalation
capabilities.drop         | [ALL]  | All Linux capabilities dropped
readOnlyRootFilesystem    | true   | Read-only root filesystem

These settings satisfy the Kubernetes Restricted Pod Security Standard (the read-only root filesystem goes beyond what Restricted demands). Restricted additionally requires a seccompProfile of type RuntimeDefault or Localhost, which this table does not list; if you enforce the standard with the Pod Security Admission controller, confirm that the rendered Pod spec sets it.
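As an added example (not part of the operator's chart or its documentation), the following Namespace manifest turns the Restricted standard into an admission-time guarantee: the Pod Security Admission controller rejects any Pod in the namespace that drops below the defaults listed above, including one produced by a later configuration override, and the warn and audit labels surface near-misses without blocking them. The namespace name netbox is an assumption.

```yaml
# Added example, not from the nbe-operator documentation.
# Assumption: the operator and NetBox Enterprise are deployed in namespace "netbox".
apiVersion: v1
kind: Namespace
metadata:
  name: netbox
  labels:
    # Reject Pods that fail the Restricted profile at admission time.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Also warn the client and record an audit annotation for violations,
    # so a regression is visible even if enforce is later relaxed.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
```

Label an existing namespace with kubectl label namespace netbox pod-security.kubernetes.io/enforce=restricted instead of recreating it. Note that enforcement applies to Pods created after the label is set; running Pods are only reported, not evicted.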

TLS Configuration

Ingress TLS

Serve NetBox over HTTPS by configuring TLS on the Ingress:

netboxEnterprise:
  spec:
    netbox:
      urls:
        - "https://netbox.example.com"

See Ingress & TLS for certificate setup.

Database TLS

Encrypt and authenticate connections to PostgreSQL by attaching a tlsConfig to a named profile:

netboxEnterprise:
  spec:
    postgresqlProfiles:
      netbox:
        host: "postgres.example.com"
        port: 5432
        tlsConfig:
          sslmode: verify-full
          keychainCaCertificates:
            - postgres-ca
          keychainClientCertificate: postgres-client

    postgresql:
      external: true
      postgresqlProfile: netbox

Keep sslmode at verify-full: it validates the server certificate against the configured CA and checks that the certificate matches the host name, so a spoofed or redirected database endpoint is rejected. The weaker libpq modes (require, verify-ca) encrypt the connection but do not fully authenticate the server. See PostgreSQL Configuration for the full TLS reference.

Redis TLS

Encrypt connections to Redis:

netboxEnterprise:
  spec:
    redis:
      external: true
      tlsConfig:
        keychainCaCertificates:
          - redis-ca

Image Pull Secrets

Registry credentials for operator and dependency images are automatically injected when installing through the Replicated registry.

For NetBox application images, you can configure additional pull secrets at the NetBoxEnterprise level:

netboxEnterprise:
  spec:
    imagePullSecrets:
      - netbox-registry-creds

Secrets Management

The operator handles secrets carefully:

  • Auto-generated secrets: the Django secret key, superuser credentials, and Hydra secrets are generated automatically if not explicitly provided
  • PGO password rotation: The operator detects password changes via resourceVersion checksums without reading sensitive data fields, then triggers rolling updates automatically
  • No secrets in logs: Sensitive values are never logged

Network Policies

The operator does not create NetworkPolicies by default, so NetBox pods accept traffic from any pod in the cluster until you add some. To restrict traffic, create policies in your namespace (they take effect only with a CNI plugin that enforces NetworkPolicy). The policy below admits traffic from the ingress controller namespace to the NetBox pods on port 8080 and, because it declares only ingress rules, leaves egress unrestricted:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netbox-allow-ingress
  namespace: netbox
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: netbox
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - port: 8080
          protocol: TCP
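A single allow rule is only meaningful once something denies everything else. The set below is an added example, not part of the operator or its documentation: a default-deny policy for the whole namespace, the same ingress allowance with its policyTypes stated explicitly, and an egress allowance limited to cluster DNS and the external PostgreSQL and Redis endpoints that the TLS sections above configure. The namespace name netbox, the label app.kubernetes.io/name: netbox, port 8080, the ingress-nginx namespace, the kube-dns labels, and the database and Redis addresses and ports are assumptions to adjust for your cluster.

```yaml
# Added example, not from the nbe-operator documentation. Assumptions: namespace
# "netbox"; NetBox pods labelled app.kubernetes.io/name: netbox listening on 8080;
# ingress controller in namespace "ingress-nginx"; cluster DNS pods in kube-system
# labelled k8s-app: kube-dns; external PostgreSQL at 10.20.0.10:5432 and external
# Redis at 10.20.0.11:6379.
---
# 1. Default deny for every pod in the namespace, both directions. Without this,
#    an allow-ingress policy alone leaves egress (and every unselected pod) open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: netbox
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Only the ingress controller may reach NetBox, and only on its HTTP port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netbox-allow-ingress
  namespace: netbox
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: netbox
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - port: 8080
          protocol: TCP
---
# 3. NetBox may talk out only to cluster DNS and to its database and cache.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netbox-allow-egress
  namespace: netbox
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: netbox
  policyTypes:
    - Egress
  egress:
    # Name resolution: both UDP and TCP, since large answers fall back to TCP.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # External PostgreSQL (assumed address), TLS enforced by sslmode: verify-full.
    - to:
        - ipBlock:
            cidr: 10.20.0.10/32
      ports:
        - port: 5432
          protocol: TCP
    # External Redis (assumed address and port).
    - to:
        - ipBlock:
            cidr: 10.20.0.11/32
      ports:
        - port: 6379
          protocol: TCP
```

Apply all three together. The default-deny policy selects every pod in the namespace, so any other workload there needs its own allow rules; in particular, if the operator runs in this namespace (as it does in namespace scope) it needs egress to the Kubernetes API server, and an in-cluster PostgreSQL or Redis needs the corresponding ingress. Validate the result with a test pod in another namespace that should fail to reach NetBox on 8080, and from a NetBox pod confirm that the database connects while an unrelated destination does not.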

Next Steps