Security
This guide covers recommended security hardening for production deployments of the Zilla Platform on Kubernetes.
Zilla Platform ships with strong defaults, including Istio-based mutual TLS (mTLS) for internal service communication.
This document outlines additional optional controls commonly required in regulated or high-security environments.
Security Overview
Zilla Platform uses Istio mTLS by default to encrypt and authenticate all pod-to-pod traffic between platform services.
Additional security features can be layered on top depending on your environment and compliance requirements.
| Feature | Purpose | Default |
|---|---|---|
| Istio mTLS | Encrypts all internal service traffic | Enabled |
| Network Policies | Restrict pod-to-pod communication | Enabled (CNI-dependent) |
| PostgreSQL SSL | Encrypts database connections | Optional |
| Kafka SASL | Authenticates Kafka clients | Optional |
| Bootstrap Token Secret | Secures gateway bootstrap credentials | Recommended |
Network Policies
Zilla Platform includes Kubernetes NetworkPolicies to restrict communication between components.
Prerequisites
Your cluster CNI must support NetworkPolicies.
Supported CNIs include:
- Calico
- Cilium
- Weave Net
If your CNI does not support NetworkPolicies, the policy objects are still accepted by the API server but are not enforced: the deployment runs without failures, but without the pod-to-pod isolation the policies are meant to provide.
Install Calico (if required)
```shell
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/calico.yaml
```
Verify Network Policies
```shell
kubectl get networkpolicies -n zilla-platform
```
External PostgreSQL with SSL
For production deployments, an external PostgreSQL database with SSL enabled is recommended.
Self-hosted PostgreSQL with SSL
```yaml
management:
  db:
    host: postgres.example.com
    port: 5432
    database: zilla
    username: zilla_user
    password: YourSecurePassword
    ssl:
      enabled: true
      mode: require
postgres:
  enabled: false
```
External Kafka with SASL Authentication
```yaml
control:
  kafka:
    enabled: false
    security:
      enabled: true
      protocol: SASL_SSL
      sasl:
        mechanism: SCRAM-SHA-512
        secretName: kafka-credentials
```
Summary
For production deployments, Zilla Platform recommends defense-in-depth using Istio mTLS, NetworkPolicies, encrypted databases, authenticated Kafka access, and secret-based bootstrap tokens.
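The following is an added example that is not part of the Zilla Platform documentation or code base. It checks a values file against the PostgreSQL SSL and Kafka SASL settings shown in the two sections above and reports settings that weaken the deployment. It assumes the key layout used in this guide (`management.db.ssl.*`, `control.kafka.security.*`), assumes that `ssl.mode` takes PostgreSQL's libpq `sslmode` values (so `require` encrypts the connection but does not authenticate the server, unlike `verify-ca` or `verify-full`), and uses a small parser that handles only the nested `key: value` mappings these snippets use. The sample values file is constructed from the two snippets in this guide.

```python
"""Values-file hardening check for the PostgreSQL SSL and Kafka SASL settings.

Added example, not Zilla Platform code. Assumes the key layout shown in this
guide (management.db.ssl.*, control.kafka.security.*) and that ssl.mode follows
PostgreSQL's libpq sslmode values. The parser handles only nested key: value
mappings, which is all these snippets use.
"""

# Constructed sample: the two snippets from this guide merged into one values file.
SAMPLE_VALUES = """\
management:
  db:
    host: postgres.example.com
    port: 5432
    database: zilla
    username: zilla_user
    password: YourSecurePassword
    ssl:
      enabled: true
      mode: require
postgres:
  enabled: false
control:
  kafka:
    enabled: false
    security:
      enabled: true
      protocol: SASL_SSL
      sasl:
        mechanism: SCRAM-SHA-512
        secretName: kafka-credentials
"""


def _scalar(value: str):
    """Convert a YAML scalar to bool, int or str (the only kinds used here)."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        return int(value)
    except ValueError:
        return value


def parse_simple_yaml(text: str) -> dict:
    """Parse indentation-nested ``key: value`` mappings (no lists, no quoting)."""
    root: dict = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings nested deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = _scalar(value.strip())
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def _get(tree: dict, path: str, default=None):
    """Dotted-path lookup returning ``default`` when any segment is missing."""
    node = tree
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(values: dict) -> list:
    """Return WARN/INFO findings for weak database and Kafka security settings."""
    findings = []
    if _get(values, "management.db.ssl.enabled") is not True:
        findings.append("WARN management.db.ssl.enabled is not true: database traffic is unencrypted")
    mode = _get(values, "management.db.ssl.mode")
    if mode in (None, "disable", "allow", "prefer"):
        findings.append(f"WARN management.db.ssl.mode={mode}: TLS is not required for the connection")
    elif mode == "require":  # libpq semantics assumed: encrypted, server certificate not verified
        findings.append("INFO management.db.ssl.mode=require: encrypts the connection but does not "
                        "verify the server certificate; verify-ca or verify-full also authenticate the server")
    if _get(values, "management.db.password"):
        findings.append("INFO management.db.password: literal password in the values file; "
                        "keep this file out of version control")
    if _get(values, "control.kafka.security.enabled") is not True:
        findings.append("WARN control.kafka.security.enabled is not true: Kafka clients are unauthenticated")
    else:
        proto = _get(values, "control.kafka.security.protocol")
        if proto != "SASL_SSL":
            findings.append(f"WARN control.kafka.security.protocol={proto}: Kafka traffic is not TLS-protected")
        mech = _get(values, "control.kafka.security.sasl.mechanism")
        if mech not in ("SCRAM-SHA-256", "SCRAM-SHA-512"):
            findings.append(f"WARN control.kafka.security.sasl.mechanism={mech}: use a SCRAM mechanism")
        if not _get(values, "control.kafka.security.sasl.secretName"):
            findings.append("WARN control.kafka.security.sasl.secretName is missing: "
                            "credentials are not sourced from a Secret")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_simple_yaml(SAMPLE_VALUES)):
        print(finding)
```

Run against the sample, the checker reports only two informational findings (the `require` caveat and the literal password); weakening `mode` to `prefer` or the Kafka protocol to `SASL_PLAINTEXT` turns them into warnings, which is the kind of drift a pre-deployment check in CI can catch before `helm upgrade` runs.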