Skip to content

Basic hardening

The minimum bar before handing an instance to a client’s security team. Work through each list.

  • Default admin password changed from the shipped value
  • Each user has their own account and least-privilege role (no shared logins)
  • JWT_SECRET is strong and unique per deployment
  • SSO or MFA enabled where supported
  • Only the ingress is exposed publicly. It fronts the frontend and backend
  • The ai-service, workers, and data services are not reachable from outside the cluster
  • TLS enforced on the ingress, with a valid certificate
  • Egress limited to the LLM service and enabled integrations, or the Zentara Gateway
  • Kubernetes NetworkPolicies restrict pod-to-pod traffic to what is required
  • All credentials stored as Kubernetes Secrets, not in plaintext or images
  • Filled secret manifests kept out of version control
  • PostgreSQL, Redis, and RabbitMQ require authentication
  • PostgreSQL backups encrypted in transit and at rest
  • Running a supported ZEN-INTEL version with current patches
  • Images pulled from the trusted ECR registry only
  • Resource limits set on pods