Four Layers of Protection

Each layer stops different threat types at the right level

Global WAF (L7)

ModSecurity rules applied to all traffic through nginx-ingress. Block by domain, IP, path pattern, or geographic location. Managed via a Kubernetes GlobalWAF CRD.

  • ModSecurity rule engine
  • IP, path, and domain pattern matching
  • Country-based geo-blocking
  • Operator-synced to ingress ConfigMap

Per-Domain WAF (L7)

Domain-specific ModSecurity rules in the nginx sidecar. Protect login pages, admin paths, and APIs with IP whitelists, rate limits, and country restrictions.

  • Per-domain rule sets
  • Protected path rules (auth, rate limit)
  • Per-domain geo-blocking
  • DomainWAF CRD per namespace

L3 Firewall

Network-level IP blocking via Calico GlobalNetworkPolicy. Allow or deny traffic by CIDR range, port, and protocol before it reaches any application.

  • CIDR-based source/destination rules
  • TCP/UDP port filtering
  • Rate limiting at network level
  • GlobalL3Firewall CRD

SMTP Firewall

Block spam and abuse at the email level. Restrict senders by email address, domain, or IP. Rate limit per user to prevent outbound spam.

  • Sender/domain/IP blocking
  • Per-user rate limits (msg/hour, bytes/hour)
  • Real-time SMTP traffic monitoring
  • SMTPFirewall CRD

Container Isolation

Every domain runs in its own Kubernetes namespace with dedicated containers

Namespace Per Domain

Each domain gets its own Kubernetes namespace (dom-example-com) with isolated secrets, configmaps, and network policies. No cross-domain resource access.

Guaranteed Resources

CPU and memory limits are enforced per container. One site cannot consume another site's resources. No noisy neighbor problems, even under load.

Network Segmentation

Calico network policies restrict pod-to-pod communication. Each namespace is isolated at the network layer. Cross-domain traffic is blocked by default.

Additional Security Features

Authentication, encryption, and monitoring

Two-Factor Authentication

TOTP-based 2FA for admin and user accounts. QR code setup for authenticator apps. 10 backup codes for recovery. 5-minute verification timeout.

Automatic SSL/TLS

cert-manager issues and renews Let's Encrypt certificates automatically through Kubernetes Ingress. No cron jobs, no manual renewal. HTTPS enforced by default.

Audit Logging

Every operation is logged with actor, timestamp, level, and context. Login attempts, domain changes, config updates, and security events are all tracked.

Login Rate Limiting

5 attempts per 5 minutes with 15-minute lockout. IP-based tracking with user agent logging. Brute force attacks are blocked automatically.
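
A sketch of the lockout policy described above (5 failed attempts per 5 minutes, 15-minute lockout, tracked per IP), added here as an illustration and not the product's own code. The class name, the in-memory storage, and the choice that the fifth failure within the window triggers the lockout are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5             # failed attempts tolerated inside the window
WINDOW_SECONDS = 5 * 60      # sliding window length
LOCKOUT_SECONDS = 15 * 60    # lockout applied once the limit is reached


class LoginRateLimiter:
    """Per-IP failed-login tracker (hypothetical; in-memory, single process)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so tests can control time
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lockout ends

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: clear state so the client starts with a clean slate.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Record one failed login; return True if it triggers a lockout."""
        now = self._clock()
        window = self._failures[ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                 # forget failures outside the window
        window.append(now)
        if len(window) >= MAX_ATTEMPTS:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            return True
        return False

    def attempt(self, ip, password_ok):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        if self.is_locked(ip):
            return "locked"                  # rejected even if the password is right
        if password_ok:
            self._failures.pop(ip, None)     # success resets the failure count
            return "ok"
        self.record_failure(ip)
        return "denied"
```

The lock check runs before the credential check, so a locked-out client learns nothing about whether a guessed password was correct.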

Live Traffic Monitor

Real-time HTTP and SMTP traffic from ingress logs. See requests by country, status code, and latency. Block suspicious IPs directly from the traffic view.

Self-Healing

The Kopf operator continuously reconciles desired state with actual state. Crashed containers restart automatically. Deleted resources are recreated. Drift is corrected 24/7.

Security Built In, Not Bolted On

Every security feature is included in every plan. No add-ons, no extra cost.