Security: Data store and queue hardening for UCP #11273

@vinayada1

Description

Summary

The UCP threat assessment identifies THR04 (Data Store Compromise Leads to Full System Compromise) and THR05 (Queue Message Tampering or Injection). While the default Helm chart uses the Kubernetes APIServer backend (inheriting K8s RBAC), the following hardening gaps exist:

  1. No TLS enforcement for PostgreSQL backend: When PostgreSQL is used as the data store, connection-level TLS is not enforced by UCP. An attacker with network access could intercept database traffic.

  2. No message integrity on queue messages: Queue message keys use crypto/rand for uniqueness, but messages themselves have no integrity verification (HMAC/signing). A compromised queue backend could inject or modify operation messages.

  3. No database credential rotation: Database credentials (when using PostgreSQL) are static and not rotated automatically.

Proposed Changes

  1. Add a configuration option to enforce TLS on PostgreSQL connections and make it the default.
  2. Consider adding HMAC-based message integrity verification for queue messages.
  3. Document recommended database credential rotation practices for PostgreSQL deployments.

Related

  • UCP threat assessment: RAD.UCP.THR04, RAD.UCP.THR05
  • Control catalog: RAD.UCP.CN07, RAD.UCP.CN15
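The two code-level items in the proposal (TLS enforcement for the PostgreSQL connection and HMAC integrity on queue messages) are small enough to sketch together. The block below is an added example written for this issue, not code from UCP or the Radius project; `EnforceTLS`, `Message`, `Envelope`, `Seal` and `Open` are hypothetical names, the message fields are illustrative, and the HMAC key is a constructed placeholder standing in for whatever secret store the deployment uses. It uses only the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// EnforceTLS returns the PostgreSQL connection URL with a TLS mode that
// verifies the server certificate. An absent sslmode is upgraded to
// verify-full; any mode that allows plaintext or skips certificate
// verification (disable, allow, prefer, require) is rejected so that a
// misconfigured deployment fails closed at startup instead of talking
// to the database over an interceptable channel.
func EnforceTLS(dsn string) (string, error) {
	u, err := url.Parse(dsn)
	if err != nil {
		return "", fmt.Errorf("invalid dsn: %w", err)
	}
	if u.Scheme != "postgres" && u.Scheme != "postgresql" {
		return "", fmt.Errorf("unexpected scheme %q", u.Scheme)
	}
	q := u.Query()
	switch mode := q.Get("sslmode"); mode {
	case "":
		q.Set("sslmode", "verify-full") // TLS plus hostname check
	case "verify-ca", "verify-full":
		// already verifying the server certificate; keep as configured
	default:
		// "require" encrypts but does not check the certificate, so an
		// on-path attacker could still impersonate the server.
		return "", fmt.Errorf("sslmode=%q permits unverified or plaintext connections", mode)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// Message is an illustrative operation record a queue consumer acts on.
// ID is assumed to be the crypto/rand-derived unique key the issue mentions.
type Message struct {
	ID        string `json:"id"`
	Operation string `json:"operation"`
	Resource  string `json:"resource"`
}

// Envelope is what actually travels through the queue: the serialized
// message bytes (base64 on the wire via encoding/json) and an HMAC-SHA256
// tag over exactly those bytes.
type Envelope struct {
	Payload []byte `json:"payload"`
	Tag     string `json:"tag"`
}

// ErrBadTag is returned for any envelope whose tag does not match; the
// payload is never decoded in that case.
var ErrBadTag = errors.New("queue message failed integrity check")

func tag(key, payload []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(payload)
	return h.Sum(nil)
}

// Seal serializes the message once and tags those bytes. The producer
// must hold the shared key; a backend that can only read and write the
// queue cannot forge a valid tag for a modified or injected message.
func Seal(key []byte, msg Message) (Envelope, error) {
	payload, err := json.Marshal(msg)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Tag: hex.EncodeToString(tag(key, payload))}, nil
}

// Open verifies the tag in constant time before decoding the payload,
// so tampered bytes are rejected without ever reaching the JSON parser.
func Open(key []byte, env Envelope) (Message, error) {
	want, err := hex.DecodeString(env.Tag)
	if err != nil || !hmac.Equal(want, tag(key, env.Payload)) {
		return Message{}, ErrBadTag
	}
	var msg Message
	if err := json.Unmarshal(env.Payload, &msg); err != nil {
		return Message{}, err
	}
	return msg, nil
}

func main() {
	dsn, err := EnforceTLS("postgres://ucp@db.internal:5432/ucp")
	fmt.Println(dsn, err)

	key := []byte("constructed-demo-key-not-for-production") // placeholder secret
	env, _ := Seal(key, Message{ID: "op-1", Operation: "PUT", Resource: "/planes/radius/local"})
	env.Payload[0] ^= 0x01 // simulate a compromised queue backend altering the message
	_, err = Open(key, env)
	fmt.Println(err) // integrity failure
}
```

Two caveats a reviewer would add to the proposal: an HMAC proves the message was produced by a holder of the shared key and has not changed since, but it does not stop a compromised backend from replaying a previously valid envelope, so the consumer still needs the existing unique message ID for deduplication; and the scheme is only as strong as the key's distribution, which makes the key itself subject to the same rotation question raised for the database credentials.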
