Skip to main content
This page outlines the Kubernetes security configurations applied by the Poolside Helm chart when you deploy on Amazon EKS. These configurations control access, protect sensitive information, and maintain availability.

Security considerations

  • All service accounts follow the principle of least privilege
  • Secrets are immutable to prevent modification after creation
  • Pod Disruption Budgets ensure high availability during maintenance
  • Deployments use rolling update strategies to prevent service interruptions
  • Clear separation of resources between namespaces

Role-based access control (RBAC)

Poolside uses role-based access control (RBAC) to control access to Kubernetes resources, following the principle of least privilege.

Core API role

Service account: core-api-sa (in poolside)
Role namespace: poolside-models
Permissions:
  • Apps API Group: Create, read, update, and delete deployments
  • Core API Group: Manage pods, services, secrets, configmaps, service accounts, and pod logs
  • Policy API Group: Manage pod disruption budgets
  • Batch API Group: Manage jobs
Purpose: Enables the Core API component to orchestrate model inference deployments and manage associated Kubernetes resources

Role binding

Component: Core API service account
Configuration:
  • Binds the Core API role to the Core API service account
  • Ensures that only the Core API service account can perform the authorized actions
Purpose: Securely associates permissions with the specific service identity

Service accounts

Poolside creates dedicated service accounts for different components to provide identity-based access control.

Inference service account

Component: Inference pods
Namespace: poolside-models
Purpose: Provides identity for model inference pods

Core API service account

Component: Core API pods
Namespace: poolside (core namespace)
Purpose: Provides identity for the Core API component

Web Assistant service account

Component: Web Assistant pods
Namespace: poolside (core namespace)
Purpose: Provides identity for the Web Assistant component

Secret management

Poolside secures sensitive information through Kubernetes Secrets.

Database password secret

Component: Core API
Type: Opaque
Content: PostgreSQL database password
Configuration:
  • Immutable after creation
  • Referenced by environment variables in Core API pods
Purpose: Securely stores the database credentials needed by application components

Availability controls

Poolside uses controls to ensure service availability during voluntary disruptions.

Pod disruption budgets

Component: Core API and Web Assistant
Configuration:
  • Core API: Minimum 75% pods must remain available during disruptions
  • Web Assistant: Minimum 50% pods must remain available during disruptions
Purpose: Prevents cluster maintenance operations from causing service outages by maintaining minimum service availability

Load balancer security

The AWS Load Balancer Controller manages ingress to Kubernetes services. Component: AWS Load Balancer Controller
Implementation: Deployed via Helm chart in dedicated namespace
Authentication: Uses IAM Roles for Service Accounts (IRSA)
Configuration:
  • Service account with limited permissions
  • Integration with the Amazon EKS OpenID Connect (OIDC) provider
  • Cluster-specific configuration
Purpose: Securely manages AWS Application Load Balancers for external traffic

Deployment security measures

Components: Core API and Web Assistant
Configuration:
  • Rolling update strategy (25% max surge, 25% max unavailable)
  • Health checks via liveness and readiness probes
  • Topology spread constraints for high availability
  • Service account identity for each deployment
Purpose: Ensures continuous service availability during updates while maintaining proper access controls