Security Best Practices

Secure your Apollo GraphOS Operator deployment

This guide provides security best practices for deploying and operating the Apollo GraphOS Operator in production environments. We strongly recommend using the Helm chart as it implements many security best practices by default.

Using the Helm Chart (Recommended)

The Apollo GraphOS Operator Helm chart implements several security best practices out of the box:

Service Account Security

Dedicated Service Account: Creates a dedicated apollo-operator ServiceAccount with minimal required permissions
Namespace-Scoped RBAC: Supports namespace-scoped deployments to limit operator access to specific namespaces
Principle of Least Privilege: Implements granular RBAC rules that grant only necessary permissions for each controller

Manual Deployment Security Considerations

If you cannot use the Helm chart, ensure your manual deployment includes these security measures:

Service Account and RBAC

The Apollo GraphOS Operator requires a dedicated ServiceAccount with specific permissions for each resource type:

Required Permissions by resource type

Subgraph:

Watch, list, and get Subgraph resources
Create, update, and patch Subgraph status resources

Supergraph:

Watch, list, and get Supergraph resources
Create, update, and patch Supergraph status resources
Create, update, and patch Deployments, Services, ConfigMaps, and Secrets
Watch ReplicaSets and Events

SupergraphSchema:

Watch, list, and get SupergraphSchema resources
Create, update, and patch SupergraphSchema status resources

SupergraphSet:

Watch, list, and get SupergraphSet and Supergraph resources
Create, update, and patch SupergraphSet status resources

RBAC Configuration

The operator supports both cluster-scoped and namespace-scoped deployments. For production environments, use namespace-scoped mode to limit the operator's access to specific namespaces.

API Key Security

The Apollo GraphOS Operator requires an Apollo Studio API key to function.

API Key Best Practices

Use Dedicated API Keys: Create API keys specifically for the operator, not shared with other applications
Regular Rotation: Implement a process to rotate API keys regularly
Monitor Usage: Leverage GraphOS Platform's Audit Logs to monitor API key usage patterns

API Key Types

The Apollo GraphOS Operator handles two types of API keys:

Operator API Key: The key you provide to the operator for accessing Apollo Studio
Supergraph API Keys: Keys that the operator creates and stores in Secrets for Supergraph resources

Both types of API keys are stored in Kubernetes Secrets and should be secured according to Kubernetes Secrets Good Practices.

Namespace Scoping

Configure the operator to only access specific namespaces to reduce the attack surface:

YAML

1config:
2  controllers:
3    subgraph:
4      namespaces:
5        - products-subgraph
6        - orders-subgraphs
7    supergraph:
8      namespaces:
9        - apollo
10    supergraphSchema:
11      namespaces:
12        - apollo

Security Checklist

Before deploying to production, verify:

API key stored in Kubernetes Secret
Using dedicated API key
Namespace-scoped RBAC and configuration
Service account with minimal required permissions

Subgraph Reference

Development and Tooling

From Federation 1 to 2

Server-Driven UI

Publishing

Contracts

SAML

OIDC

Authentication

Router Telemetry

Log Exporters

Metrics Exporters

Trace Exporters

Instrumentation

Subgraph Observability

Client Observability

OpenTelemetry

GraphQL Subscriptions

Coprocessors

Rhai Scripts

Custom Builds

Dedicated

AWS Lattice