Security

Security in knext is not a milestone to defer — these controls run through every phase. The non-negotiable rule: no unauthenticated mutating endpoints, ever. Several controls are enforced automatically; the rest are documented guarantees knext holds to.

No unauthenticated mutating endpoints

Any route that changes state requires auth. Two app routes mutate cache state, and both require a Bearer token:

The token check is:

• Fail-closed — if CACHE_INVALIDATE_TOKEN is unset or empty, nothing is authorized. An unconfigured deployment rejects all invalidations rather than leaving the endpoint open.
• Constant-time — comparison uses timingSafeEqual so the token cannot be recovered via response timing (length is checked first, which does not leak the secret).

The token is provisioned from a Kubernetes Secret into the CACHE_INVALIDATE_TOKEN env var — never hardcoded.

The browser RUM beacon POST /api/rum is a deliberate, justified exception — a bounded metrics aggregator, not a write primitive. See Observability → RUM for the full rationale.

Network isolation

Auth is one factor; network isolation is the second. knext reconciles a default-on Kubernetes NetworkPolicy for your app automatically.

• Object: a NetworkPolicy named <app>-allow-ingress, tied to your app's lifecycle (garbage-collected on delete).
• Targets: the app's serving pods (selected by serving.knative.dev/service: <app>).
• Allows ingress from: the knative-serving and kourier-system namespaces (so scale-from-zero traffic keeps flowing) plus same-namespace pods. Everything else — arbitrary cross-namespace and external pod-direct traffic — is denied.
• Toggle: spec.security.networkPolicy (*bool). nil (unset) or true reconciles the policy (default-on); false skips it and deletes any existing one on the next reconcile.

Digest pinning

knext rejects mutable image tags everywhere.

• :latest is rejected. An app whose image is :latest, tag-only, or untagged is marked Degraded (reason InvalidImage) and never deployed — a ref is accepted only if it is digest-pinned (@sha256:).
• knext's own images are digest-pinned too. A build-time check fails if any internal deployment manifest references a non-pinned tag, so knext never ships a mutable image reference.

See Operator → Security defaults.

Supply chain

Both the app image and the operator image go through the same supply-chain pipeline:

• SBOM per image — generated with syft (SPDX-JSON), published as an artifact.
• Vulnerability scan — Trivy scanning for HIGH,CRITICAL, failing the build on released images.
• Signing + attestation — cosign keyless signing (OIDC / Sigstore) on releases, plus an SBOM attestation (cosign attest --type spdxjson) bound to the image digest.

Runtime hardening

• Distroless, non-root. The operator image is gcr.io/distroless/static:nonroot running as UID 65532; the app image runs as a non-root node user.
• No token automount. knext sets AutomountServiceAccountToken: false on the app's ServiceAccount.
• Graceful shutdown. On SIGTERM the server forwards the signal to Next.js so it drains in-flight requests and runs after() callbacks before exit, then closes the metrics server — no dropped requests on scale-down. The drain has a hard cap kept below the pod's terminationGracePeriodSeconds.

Secrets

Secrets live in Kubernetes Secrets / env only — never in config files, source, container images, or URLs. knext provisions them (via spec.secrets — envFrom / envMap) and the app reads them from the environment.

See also: Operator & the NextApp CRD · Observability · Scale-to-zero.