
MKA1 has active encryption controls in the deployed production environment. We verified encryption at rest for Kubernetes secrets and EBS-backed volumes, and encryption in transit for the public edge and the production CNPG/PostgreSQL cluster.

What is active

Encryption at rest

The following controls were verified in the live production environment:
  • EKS secrets envelope encryption is active on mk1-eks-production.
  • The live EKS cluster reports encryptionConfig for resource type secrets.
  • The live cluster reports a KMS provider key ARN: arn:aws:kms:us-west-2:REDACTED:key/5d84bfa7-REDACTED.
  • The production ebs-sc storage class uses the ebs.csi.aws.com provisioner with encrypted: "true" and type: gp3.

The deployed infrastructure source also declares encrypted EBS-backed storage:
  • infra-resources/mk1/resources/storage/ebs-storage-class.yaml sets encrypted: "true" on ebs-sc.
  • infra-resources/helm/cnpg/kube/cluster-production.yaml uses storageClass: ebs-sc for the production PostgreSQL cluster.

Encryption in transit

The following controls were verified in the live production environment:
  • apigw.mka1.com:443 negotiated TLSv1.3 with cipher suite TLS_AES_128_GCM_SHA256.
  • livekit.mka1.com:443 negotiated TLSv1.3 with cipher suite TLS_AES_128_GCM_SHA256.
  • Both public TLS checks completed with certificate verification OK.
  • The public Kong ingress is configured with alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06.
  • The live CNPG/PostgreSQL cluster reports ssl_min_protocol_version: TLSv1.3 and ssl_max_protocol_version: TLSv1.3.
  • The live CNPG/PostgreSQL cluster reports active certificate material in clientCASecret, serverCASecret, serverTLSSecret, and replicationTLSSecret.

The deployed infrastructure source also declares the public TLS-capable ingress policy:
  • infra-resources/kong/resources/ingress-proxy.yaml sets alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06.

How we validate it

We validate the deployed state with repo-owned scripts in infra-resources and live cluster inspection. tools/compliance/verify_storage_encryption.sh captures storage encryption evidence by running:

aws eks describe-cluster --name mk1-eks-production --region us-west-2
kubectl get storageclass ebs-sc efs-sc -o yaml
aws efs describe-file-systems --region us-west-2
aws ec2 describe-volumes --region us-west-2 \
  --filters Name=tag:kubernetes.io/created-for/pvc/name,Values='*'

tools/compliance/verify_tls13.sh captures public TLS evidence by running openssl s_client with -tls1_3 against each public endpoint:

openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com -tls1_3 -brief
openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com -tls1_3 -showcerts

openssl s_client -connect livekit.mka1.com:443 -servername livekit.mka1.com -tls1_3 -brief
openssl s_client -connect livekit.mka1.com:443 -servername livekit.mka1.com -tls1_3 -showcerts

We also verify live cluster configuration directly:

kubectl -n kong get ingress kong-alb-ingress -o yaml
kubectl -n cnpg get cluster -o yaml
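The checks below are an added example, not one of MKA1's tools/compliance scripts: they turn the captured evidence from the commands above into pass/fail findings for the three controls this page lists (EKS secrets envelope encryption, the encrypted ebs-sc storage class, and TLS 1.3 with certificate verification on each public endpoint). They assume the EKS and storage-class evidence was captured as JSON (aws --output json / kubectl -o json) rather than the YAML the scripts print, and the sample inputs are constructed to mirror the sanitized excerpts.

```python
import json
import re

# Constructed sample evidence mirroring this page's sanitized excerpts (not real captures).
SAMPLE_EKS = json.dumps({"cluster": {"name": "mk1-eks-production", "encryptionConfig": [
    {"resources": ["secrets"],
     "provider": {"keyArn": "arn:aws:kms:us-west-2:000000000000:key/example-key-id"}}]}})
SAMPLE_SC = json.dumps({"provisioner": "ebs.csi.aws.com",
                        "parameters": {"encrypted": "true", "type": "gp3"}})
SAMPLE_BRIEF = ("CONNECTION ESTABLISHED\nProtocol version: TLSv1.3\n"
                "Ciphersuite: TLS_AES_128_GCM_SHA256\nVerification: OK\n")

def check_eks_secrets_encryption(describe_cluster_json: str) -> list[str]:
    """Findings for the EKS secrets envelope-encryption control (empty list = pass)."""
    cluster = json.loads(describe_cluster_json).get("cluster", {})
    for cfg in cluster.get("encryptionConfig") or []:
        if "secrets" in cfg.get("resources", []):
            arn = cfg.get("provider", {}).get("keyArn", "")
            return [] if arn.startswith("arn:aws:kms:") else ["secrets encryptionConfig lacks a KMS keyArn"]
    return ["no encryptionConfig entry covers resource type secrets"]

def check_ebs_storage_class(storageclass_json: str) -> list[str]:
    """Findings for the encrypted EBS storage class control (empty list = pass)."""
    sc = json.loads(storageclass_json)
    findings = []
    if sc.get("provisioner") != "ebs.csi.aws.com":
        findings.append("storage class is not provisioned by ebs.csi.aws.com")
    if sc.get("parameters", {}).get("encrypted") != "true":
        findings.append('storage class does not set encrypted: "true"')
    return findings

def check_tls_handshake(brief_output: str) -> list[str]:
    """Findings for one endpoint's `openssl s_client -tls1_3 -brief` transcript."""
    fields = dict(re.findall(r"^([A-Za-z ]+): (.+)$", brief_output, re.M))
    findings = []
    if fields.get("Protocol version") != "TLSv1.3":
        findings.append(f"negotiated {fields.get('Protocol version', 'nothing')}, not TLSv1.3")
    if fields.get("Verification") != "OK":
        findings.append("certificate verification did not return OK")
    return findings

def evaluate(eks_json: str, sc_json: str, tls_briefs: dict[str, str]) -> dict[str, list[str]]:
    """Map each control to its findings; every value empty means all controls passed."""
    report = {"eks-secrets": check_eks_secrets_encryption(eks_json),
              "ebs-sc": check_ebs_storage_class(sc_json)}
    for host, brief in tls_briefs.items():
        report[f"tls:{host}"] = check_tls_handshake(brief)
    return report
```

Feed evaluate() the real captures (one -brief transcript per public hostname) and treat any non-empty findings list as a failed control; on the samples above every list is empty.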

Evidence

The following sanitized snippets are excerpted from checks against our live production deployment. They preserve the verified encryption signals and redact unrelated infrastructure details.

EKS secrets envelope encryption

{
  "cluster": {
    "name": "mk1-eks-production",
    "encryptionConfig": [
      {
        "resources": [
          "secrets"
        ],
        "provider": {
          "keyArn": "arn:aws:kms:us-west-2:[redacted-account]:key/[redacted-key-id]"
        }
      }
    ]
  }
}

Encrypted EBS-backed storage class

kind: StorageClass
metadata:
  name: ebs-sc
parameters:
  encrypted: "true"
  type: gp3
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer

Public API gateway TLS 1.3 handshake

Verifying TLS 1.3 for apigw.mka1.com:443
Connecting to [redacted-ip]
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Verification: OK
Peer Temp Key: X25519, 253 bits
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Server public key is 2048 bit
Verify return code: 0 (ok)

LiveKit TLS 1.3 handshake

Verifying TLS 1.3 for livekit.mka1.com:443
Connecting to [redacted-ip]
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Verification: OK
Peer Temp Key: X25519, 253 bits
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Server public key is 2048 bit
Verify return code: 0 (ok)

Verified live cluster excerpts

Kong public ingress:
- alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06

CNPG/PostgreSQL:
- ssl_min_protocol_version: TLSv1.3
- ssl_max_protocol_version: TLSv1.3
- clientCASecret: mk1-db-[redacted]
- serverCASecret: mk1-db-[redacted]
- serverTLSSecret: mk1-db-[redacted]
- replicationTLSSecret: mk1-db-[redacted]