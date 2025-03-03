This guide provides security best practices for deploying and operating the Apollo GraphOS Operator in production environments. We strongly recommend using the Helm chart as it implements many security best practices by default.

Using the Helm Chart (Recommended)

The Apollo GraphOS Operator Helm chart implements several security best practices out of the box:

Service Account Security

Dedicated Service Account : Creates a dedicated apollo-operator ServiceAccount with minimal required permissions

Namespace-Scoped RBAC : Supports namespace-scoped deployments to limit operator access to specific namespaces

Principle of Least Privilege: Implements granular RBAC rules that grant only necessary permissions for each controller

Manual Deployment Security Considerations

If you cannot use the Helm chart, ensure your manual deployment includes these security measures:

Service Account and RBAC

The Apollo GraphOS Operator requires a dedicated ServiceAccount with specific permissions for each resource type:

Required Permissions by resource type

Subgraph:

Watch, list, and get Subgraph resources

Create, update, and patch Subgraph status resources

Supergraph:

Watch, list, and get Supergraph resources

Create, update, and patch Supergraph status resources

Create, update, and patch Deployments, Services, ConfigMaps, and Secrets

Watch ReplicaSets and Events

Supergraph Schema:

Watch, list, and get Supergraph Schema resources

Create, update, and patch Supergraph Schema status resources

Supergraph Set:

Watch, list, and get SupergraphSet and Supergraph resources

Create, update, and patch SupergraphSet status resources

RBAC Configuration

The operator supports both cluster-scoped and namespace-scoped deployments. For production environments, use namespace-scoped mode to limit the operator's access to specific namespaces.

API Key Security

The Apollo GraphOS Operator requires an Apollo Studio API key to function.

API Key Best Practices

Use Dedicated API Keys: Create API keys specifically for the operator, not shared with other applications Regular Rotation: Implement a process to rotate API keys regularly Monitor Usage: Leverage GraphOS Platform's Audit Logs to monitor API key usage patterns

API Key Types

The Apollo GraphOS Operator handles two types of API keys:

Operator API Key: The key you provide to the operator for accessing Apollo Studio Supergraph API Keys: Keys that the operator creates and stores in Secrets for Supergraph resources

Both types of API keys are stored in Kubernetes Secrets and should be secured according to Kubernetes Secrets Good Practices .

Namespace Scoping

Configure the operator to only access specific namespaces to reduce the attack surface:

YAML copy 1 config : 2 controllers : 3 subgraph : 4 namespaces : 5 - products-subgraph 6 - orders-subgraphs 7 supergraph : 8 namespaces : 9 - apollo 10 supergraphSchema : 11 namespaces : 12 - apollo

Security Checklist

Before deploying to production, verify: