You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/src/security/threat-model.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -325,7 +325,7 @@ in `5spot-system`.
325
325
|---|---|
326
326
| Kubernetes ResourceQuota | Limit `ScheduledMachine` count per namespace (e.g., max 50) |
327
327
|`ValidatingAdmissionPolicy` ✅ deployed 2026-04-08 | Validates `bootstrapSpec.apiVersion`, `infrastructureSpec.apiVersion`, `kind` fields, duration format, and day/hour item format at admission time — see `deploy/admission/`|
328
-
| NetworkPolicy | Restrict controller pod egress to Kubernetes API server only|
328
+
| NetworkPolicy | Restrict controller pod egress to the management API server (6443), child/k0smotron-hosted control planes (NodePort apiPort 30443), and DNS — all other egress denied|
329
329
| Audit logging | Enable API server audit log at `RequestResponse` level for `scheduledmachines` resources |
330
330
| RBAC for SM creation | Only grant `create` on `scheduledmachines` to trusted identities; do not grant to end users directly |
331
331
| Secrets for bootstrap data | Move sensitive bootstrap config out of CR spec into Secrets; reference from spec |
0 commit comments