This page outlines the Kubernetes security configurations applied by the Poolside Helm chart when you deploy on Amazon EKS. These configurations control access, protect sensitive information, and maintain availability.Documentation Index
Fetch the complete documentation index at: https://docs.poolside.ai/llms.txt
Use this file to discover all available pages before exploring further.
Security considerations
- All service accounts follow the principle of least privilege
- Secrets are immutable to prevent modification after creation
- Pod Disruption Budgets ensure high availability during maintenance
- Deployments use rolling update strategies to prevent service interruptions
- Clear separation of resources between namespaces
Role-based access control (RBAC)
Poolside uses role-based access control (RBAC) to control access to Kubernetes resources, following the principle of least privilege.Core API role
Service account:core-api-sa (in poolside)Role namespace:
poolside-modelsPermissions:
- Apps API Group: Create, read, update, and delete deployments
- Core API Group: Manage pods, services, secrets, configmaps, service accounts, and pod logs
- Policy API Group: Manage pod disruption budgets
- Batch API Group: Manage jobs
Role binding
Component: Core API service accountConfiguration:
- Binds the Core API role to the Core API service account
- Ensures that only the Core API service account can perform the authorized actions
Service accounts
Poolside creates dedicated service accounts for different components to provide identity-based access control.Inference service account
Component: Inference podsNamespace:
poolside-modelsPurpose: Provides identity for model inference pods
Core API service account
Component: Core API podsNamespace:
poolside (core namespace)Purpose: Provides identity for the Core API component
Web Assistant service account
Component: Web Assistant podsNamespace:
poolside (core namespace)Purpose: Provides identity for the Web Assistant component
Secret management
Poolside secures sensitive information through Kubernetes Secrets.Database password secret
Component: Core APIType: Opaque
Content: PostgreSQL database password
Configuration:
- Immutable after creation
- Referenced by environment variables in Core API pods
Availability controls
Poolside uses controls to ensure service availability during voluntary disruptions.Pod disruption budgets
Component: Core API and Web AssistantConfiguration:
- Core API: Minimum 75% pods must remain available during disruptions
- Web Assistant: Minimum 50% pods must remain available during disruptions
Load balancer security
The AWS Load Balancer Controller manages ingress to Kubernetes services. Component: AWS Load Balancer ControllerImplementation: Deployed via Helm chart in dedicated namespace
Authentication: Uses IAM Roles for Service Accounts (IRSA)
Configuration:
- Service account with limited permissions
- Integration with the Amazon EKS OpenID Connect (OIDC) provider
- Cluster-specific configuration
Deployment security measures
Components: Core API and Web AssistantConfiguration:
- Rolling update strategy (25% max surge, 25% max unavailable)
- Health checks via liveness and readiness probes
- Topology spread constraints for high availability
- Service account identity for each deployment