Basic hardening
The minimum bar before handing an instance to a client’s security team. Work through each list.
Access and identity
Section titled “Access and identity”- Default admin password changed from the shipped value
- Each user has their own account and least-privilege role (no shared logins)
-
JWT_SECRETis strong and unique per deployment - SSO or MFA enabled where supported
Network
Section titled “Network”- Only the ingress is exposed publicly. It fronts the frontend and backend
- The ai-service, workers, and data services are not reachable from outside the cluster
- TLS enforced on the ingress, with a valid certificate
- Egress limited to the LLM service and enabled integrations, or the Zentara Gateway
- Kubernetes NetworkPolicies restrict pod-to-pod traffic to what is required
Secrets and data
Section titled “Secrets and data”- All credentials stored as Kubernetes Secrets, not in plaintext or images
- Filled secret manifests kept out of version control
- PostgreSQL, Redis, and RabbitMQ require authentication
- PostgreSQL backups encrypted in transit and at rest
Platform
Section titled “Platform”- Running a supported ZEN-INTEL version with current patches
- Images pulled from the trusted ECR registry only
- Resource limits set on pods