Security
This section covers additional security hardening for production deployments.
Security Overview
Zilla Platform includes Istio mTLS enabled by default for encrypted pod-to-pod communication.
For additional security hardening, consider the following features:
| Feature | Purpose | Status |
|---|---|---|
| Istio mTLS | Encrypts all pod-to-pod traffic | Enabled by default |
| Network Policies | Restricts pod communication | Optional (requires CNI support) |
| PostgreSQL SSL | Encrypts database connections | Optional (for external PostgreSQL) |
| Kafka SASL | Authenticates Kafka clients | Optional (for external Kafka) |
| Bootstrap Token Secret | Secures bootstrap credentials | Recommended |
Install Istio
Istio must be installed before deploying Zilla Platform. This is a prerequisite for the default deployment.
```bash
# Add Istio Helm repository
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update

# Create Istio namespace
kubectl create namespace istio-system

# Install Istio base (CRDs)
helm install istio-base istio/base -n istio-system --wait

# Install Istiod (control plane)
helm install istiod istio/istiod -n istio-system --wait

# Verify installation
kubectl get pods -n istio-system
```
Expected output:
```
NAME         READY   STATUS    RESTARTS   AGE
istiod-xxx   1/1     Running   0          1m
```
Network Policies
Network Policies are enabled by default and restrict which pods can communicate with each other.
Prerequisites
EKS requires a CNI that supports NetworkPolicies. Install Calico:
```bash
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-operator.yaml
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/master/calico-crs.yaml
```
Note
If your cluster doesn't have a CNI that supports NetworkPolicies, the policies will be ignored (no effect) but won't cause errors.
External PostgreSQL with SSL
For production, use an external PostgreSQL database (e.g., Amazon RDS) with SSL enabled.
Create RDS PostgreSQL Instance
```bash
aws rds create-db-instance \
  --db-instance-identifier zilla-platform-db \
  --db-instance-class db.t3.medium \
  --engine postgres \
  --master-username zilla_admin \
  --master-user-password "YourSecurePassword" \
  --allocated-storage 20 \
  --vpc-security-group-ids ${SG_ID} \
  --db-subnet-group-name your-subnet-group \
  --storage-encrypted \
  --enable-iam-database-authentication
```
Update values.yaml
```yaml
management:
  db:
    host: "zilla-platform-db.xxxxx.us-east-1.rds.amazonaws.com"
    port: 5432
    database: zilla
    username: zilla_admin
    password: "YourSecurePassword"
    ssl:
      enabled: true
      mode: require
postgres:
  enabled: false
```
External Kafka with SASL
For production, use an external Kafka cluster (e.g., Amazon MSK) with SASL authentication.
Create Kafka Credentials Secret
```bash
kubectl create secret generic kafka-credentials \
  -n zilla-platform \
  --from-literal=username=kafka-user \
  --from-literal=password=kafka-password \
  --from-literal=jaas-config='org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka-user" password="kafka-password";'
```
Update values.yaml
```yaml
control:
  kafka:
    enabled: false
    security:
      enabled: true
      protocol: SASL_SSL
      sasl:
        mechanism: SCRAM-SHA-512
        secretName: kafka-credentials
```
Bootstrap Token Secret
Store the bootstrap token in a Kubernetes Secret instead of passing it as a plain value.
```bash
kubectl create secret generic gateway-bootstrap-token \
  -n my-environment \
  --from-literal=token="${BOOTSTRAP_TOKEN}"
```
Production Deployment Example
Example Helm values for a production-ready Zilla Platform deployment.
values.yaml
```yaml
global:
  licenseKey: ""
  domain: "<DOMAIN>"
  jwt:
    secretName: "zilla-platform-jwt"
management:
  db:
    host: "zilla-platform-db.xxxxx.us-east-1.rds.amazonaws.com"
    port: 5432
    database: zilla
    ssl:
      enabled: true
      mode: verify-full
    secretName: postgres-credentials
postgres:
  enabled: false
control:
  kafka:
    enabled: false
    security:
      enabled: true
      protocol: SASL_SSL
      sasl:
        mechanism: SCRAM-SHA-512
        secretName: kafka-credentials
```
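As an added pre-deployment check (not part of the Zilla Platform documentation or chart), the script below parses a values.yaml and flags the weaker settings this page contrasts: `ssl.mode: require` instead of `verify-full` once the bundled PostgreSQL is disabled, an inline `management.db.password` instead of `secretName`, and external Kafka without `security.enabled`. The parser covers only the indented key/value subset shown on this page, and `WEAK_VALUES` is a constructed sample based on the first PostgreSQL snippet.

```python
def parse_values(text):
    """Parse the 2-space-indented key/value YAML subset used in these snippets
    (assumption: no lists, anchors or multi-line scalars)."""
    stack = [(-1, {})]                       # (indent, mapping) path to the current node
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = map(str.strip, raw.strip().partition(":"))
        while stack[-1][0] >= indent:        # dedent: pop back to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":                      # "key:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = {"true": True, "false": False}.get(value, value.strip('"'))
    return stack[0][1]

def lookup(values, path, default=None):
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(values):
    """Return hardening findings for parsed values; an empty list means clean."""
    f = []
    if lookup(values, "postgres.enabled") is False:          # external PostgreSQL in use
        if lookup(values, "management.db.ssl.enabled") is not True:
            f.append("management.db.ssl.enabled must be true for external PostgreSQL")
        elif lookup(values, "management.db.ssl.mode") != "verify-full":
            f.append("management.db.ssl.mode should be verify-full; require skips hostname/CA verification")
        if "password" in lookup(values, "management.db", {}):
            f.append("management.db.password is inline; reference a Secret via secretName")
    if lookup(values, "control.kafka.enabled") is False:     # external Kafka in use
        if lookup(values, "control.kafka.security.enabled") is not True:
            f.append("control.kafka.security.enabled must be true for external Kafka")
    return f

# Constructed sample: the weaker PostgreSQL settings from the first snippet above.
WEAK_VALUES = """\
management:
  db:
    password: "YourSecurePassword"
    ssl:
      enabled: true
      mode: require
postgres:
  enabled: false
"""
```

Run `audit(parse_values(open("values.yaml").read()))` against a real file and treat any returned finding as a blocker before `helm install`.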