This document outlines security best practices and considerations for running SupaControl in production.

• Security Best Practices
  • Secrets Management
  • Network Security
  • TLS/HTTPS
  • API Security
  • RBAC
• Security Updates
• Reporting Security Issues

DO:

• ✅ Use strong, randomly generated secrets
• ✅ Store secrets in Kubernetes Secrets
• ✅ Rotate secrets regularly
• ✅ Use separate secrets for dev/staging/prod
• ✅ Limit access to secrets using RBAC

DON'T:

• ❌ Commit secrets to git
• ❌ Use default passwords in production
• ❌ Share secrets via insecure channels
• ❌ Reuse secrets across environments

# Enable network policies for instance isolation
networkPolicy:
  enabled: true
  policyTypes:
    - Ingress
    - Egress

Always use TLS in production:

ingress:
  enabled: true
  tls:
    - secretName: supacontrol-tls
      hosts:
        - supacontrol.yourdomain.com

Use cert-manager for automatic certificates:

ingress:
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"

• All endpoints require authentication (except health check and login)
• JWT tokens expire after 24 hours
• API keys can be revoked at any time
• Rate limiting recommended (use ingress annotations)

Review and minimize ServiceAccount permissions:

# View current permissions
kubectl describe clusterrole supacontrol

# Audit access
kubectl auth can-i --list --as=system:serviceaccount:supacontrol:supacontrol

• Monitor GitHub Security Advisories
• Keep dependencies updated: go get -u ./... and npm update
• Subscribe to Kubernetes security announcements
• Regularly review audit logs

DO NOT open public issues for security vulnerabilities.

Instead, email: security@qubitquilt.io (if available) or open a private security advisory.

Related Documentation:

• Deployment Guide
• Configuration Guide
• Troubleshooting Guide
• CONTRIBUTING.md

Last Updated: November 2025