Security hardening guidelines
Charmed HPC is designed to be secure out of the box, but this guide serves as a companion to help tailor security measures to your environment.
For an overview of Charmed HPC security features see:
Slurm
Slurm is the underlying workload scheduler for Charmed HPC and particular care should be taken with user-facing components such as the `sackd` login nodes and the REST API.
By default, Charmed HPC does not enable SSH access to the login nodes, other than through the `juju ssh` command available to administrators. Administrators should follow best practices for securing SSH servers when opening the nodes up to their cluster users. A non-exhaustive list of potential options includes:
- Use of SSH keys for authentication
- Enforcing use of strong, modern ciphers
- Use of Fail2ban or equivalent tool to block brute-force attacks
- Limiting access to particular IP ranges
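
One way to check the first two options in the list above on a login node, as an added example that is not part of the Charmed HPC documentation: the function reads the effective server configuration in the format printed by `sshd -T` and flags password-style authentication and weak ciphers. The function names, the weak-cipher patterns and the sample input are assumptions of this example; Fail2ban and IP range restrictions are not covered by it.

```sh
# Constructed sample in the format printed by `sshd -T` (not from a real host).
sample_sshd_T() {
    cat <<'EOF'
port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc
EOF
}

# audit_sshd (hypothetical helper): reads "key value" lines on stdin,
# prints one FAIL line per finding, returns 0 when clean and 1 otherwise.
audit_sshd() {
    findings=0
    while read -r key value || [ -n "$key" ]; do
        case "$key" in
            passwordauthentication|kbdinteractiveauthentication)
                # Key-only login means both password-style methods are off.
                [ "$value" = "no" ] || {
                    echo "FAIL $key=$value: password-style login is enabled"
                    findings=$((findings + 1)); } ;;
            pubkeyauthentication)
                [ "$value" = "yes" ] || {
                    echo "FAIL $key=$value: SSH key login is disabled"
                    findings=$((findings + 1)); } ;;
            ciphers)
                # The value is a comma-separated list; test each name.
                # Patterns below are this example's choice of "weak".
                for cipher in $(printf '%s' "$value" | tr ',' ' '); do
                    case "$cipher" in
                        *-cbc*|3des*|arcfour*|blowfish*|cast128*)
                            echo "FAIL weak cipher offered: $cipher"
                            findings=$((findings + 1)) ;;
                    esac
                done ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Demo on the constructed sample. On a login node, feed it the real
# effective configuration instead:  sudo sshd -T | audit_sshd
sample_sshd_T | audit_sshd || true
```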
For REST API security guidance, see:
Cloud
Charmed HPC can be deployed on a variety of backing clouds. Security documentation for common clouds can be found at:
cloud | security guide |
---|---|
AWS | |
Azure | Security best practices and patterns, Managed identities for Azure resources |
Google Cloud | |
MAAS | |
Juju
Juju is the underlying orchestration engine for managing the Charmed HPC Slurm charms throughout their lifecycle. For general Juju security considerations, see:
Cloud credentials
When initializing a backing cloud with Juju, it is essential that the credentials provided have suitable access rights and permissions. For guidance see:
For cloud-specific resources, see:
cloud | security guide |
---|---|
AWS | |
Azure | The Microsoft Azure cloud and Juju, How to use Juju with Microsoft Azure |
Google Cloud | |
MAAS | |
Monitoring and auditing
Charmed HPC supports integration with the Canonical Observability Stack (COS) to provide system monitoring and logging; see:
Operating system
Charmed HPC runs on the Ubuntu operating system. For documentation on Ubuntu security and compliance, see: