physical-ai-toolchain

Security configurations included in this reference architecture and responsibilities for teams operating in production environments.

[!IMPORTANT] This document provides security guidance for informational purposes only. It does not constitute professional security advice and is not a substitute for your own security assessment. This reference architecture is licensed under the MIT License, provided “AS IS” without warranty of any kind. You are solely responsible for the security of your deployment, including configuration, operational practices, and compliance with applicable regulations. The project maintainers accept no liability for security incidents arising from the use of this architecture. Refer to official Azure security documentation for authoritative, current guidance.

Security Configuration Included in This Architecture

This architecture ships with these security configurations enabled by default. They represent a reasonable starting point for development and testing, not a production-ready security posture.

Network Security

| Configuration | Default | Reference |
| --- | --- | --- |
| Private AKS cluster | Enabled by default (Terraform variable) | AKS private cluster |
| Azure CNI networking | Enabled | Azure CNI overview |
| Network policy support | Enabled | AKS network policies |
| NAT Gateway for egress | Configured | AKS outbound connectivity |

Identity and Access

| Configuration | Default | Reference |
| --- | --- | --- |
| Managed identities | User-assigned for AKS | AKS managed identity |
| Workload identity | Federated credentials for OSMO | AKS workload identity |
| Entra ID integration | RBAC enabled | AKS Entra integration |

Secret Management

| Configuration | Default | Reference |
| --- | --- | --- |
| Azure Key Vault | CSI driver configured | Key Vault CSI driver |
| Terraform state | Local backend (not encrypted) | Terraform Azure backend |

Container Security

| Configuration | Default | Reference |
| --- | --- | --- |
| Microsoft Defender | Configurable (should_enable_microsoft_defender) | Defender for Containers |
| Azure Policy for AKS | Enabled | Azure Policy for AKS |

Kubernetes Security

| Configuration | Default | Reference |
| --- | --- | --- |
| RBAC | Enabled | AKS RBAC |
| Pod security | Default namespace policies | Pod security standards |

Your Deployment Responsibilities

Before Deployment

During Operation

Ongoing Maintenance

Security Considerations Checklist

[!NOTE] This checklist highlights common security considerations for Azure and Kubernetes deployments. It is not exhaustive. Your organization’s security requirements, compliance obligations, and threat model determine the complete set of controls you need.

| Category | Consideration | Reference |
| --- | --- | --- |
| Network | Evaluate private vs. public AKS API server | AKS private cluster |
| Network | Define Kubernetes network policies for workload isolation | AKS network policies |
| Identity | Review managed identity permissions and scope | AKS managed identity |
| Identity | Verify workload identity audience restrictions | Workload identity |
| Secrets | Configure Key Vault access policies and rotation | Key Vault rotation |
| Secrets | Migrate Terraform state to a remote encrypted backend | Terraform Azure backend |
| Compute | Enable Defender for Containers (should_enable_microsoft_defender) | Defender for Containers |
| Compute | Scan container images for vulnerabilities | Container image scanning |
| Monitoring | Enable diagnostic settings on AKS and Key Vault | AKS diagnostics |
| Compliance | Review Azure compliance offerings for your industry | Azure compliance |

Terraform State Security

This architecture uses a local Terraform state backend by default. Local state stores infrastructure details including resource IDs, network addresses, and configuration values in an unencrypted file on disk.

For team environments or production deployments, consider migrating to a remote backend with encryption. Refer to the Terraform Azure backend documentation for configuration details.
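To see what a local state file exposes before deciding on a migration, the following added example (not part of this project's code) audits a Terraform state document and reports which attributes hold resource IDs, network addresses, or likely credentials, without echoing the values. The sample state, the resource names in it, and the `SECRET_HINTS` name fragments are constructed assumptions; the layout follows the Terraform state version 4 JSON structure.

```python
import ipaddress
import json

# Constructed sample in the Terraform state v4 layout; every value is made up.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"type": "azurerm_virtual_network", "name": "example", "instances": [{"attributes": {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example",
        "address_space": ["10.0.0.0/16"], "dns_servers": ["10.0.0.4"]}}]},
    {"type": "azurerm_postgresql_flexible_server", "name": "example", "instances": [{"attributes": {
        "administrator_login": "pgadmin", "administrator_password": "constructed-not-real"}}]},
]})

# Assumption: attribute-name fragments that usually indicate a credential.
SECRET_HINTS = ("password", "secret", "token", "private_key", "connection_string")

def walk(node, path=""):
    """Yield (path, value) for every scalar leaf in nested JSON data."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def classify(path, value):
    """Return the exposure category of one string attribute, or None."""
    if any(hint in path.lower() for hint in SECRET_HINTS):
        return "credential"
    if value.lower().startswith("/subscriptions/"):
        return "resource_id"
    try:
        ipaddress.ip_network(value, strict=False)  # accepts single IPs and CIDRs
        return "network_address"
    except ValueError:
        return None

def audit_state(state_text):
    """List (resource, attribute, category) findings without echoing values."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        for inst in res.get("instances", []):
            for path, value in walk(inst.get("attributes") or {}):
                if isinstance(value, str) and value and (kind := classify(path, value)):
                    findings.append((f'{res["type"]}.{res["name"]}', path, kind))
    return findings

if __name__ == "__main__":
    print(*audit_state(SAMPLE_STATE), sep="\n")
```

To audit a real working directory, pass the contents of its `terraform.tfstate` file to `audit_state` instead of the sample.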

References

| Resource | Description |
| --- | --- |
| Azure security documentation | Authoritative security guidance for Azure services |
| AKS baseline architecture | Production-ready AKS security and networking patterns |
| Azure compliance documentation | Compliance offerings and certifications |
| Terraform Azure backend | Remote state backend configuration |
| Threat Model | STRIDE-based threat analysis and remediation roadmap |
| Contributing security review | Contributor security checklist for pull requests |
