¶ Kubernetes RBAC and Namespace Controls
- Limit Longhorn management access with strict RBAC roles.
- Isolate Longhorn components in a dedicated namespace.
- Enforce network policies between Longhorn and workloads.
¶ UI and API Protection
- Restrict Longhorn UI/API access via ingress auth or VPN.
- Use TLS termination with trusted certificates.
- Disable unauthenticated access paths.
- Encrypt backup destinations (S3/NFS) and restrict credentials.
- Rotate backup keys/secrets and avoid static plaintext configs.
- Validate backup integrity with periodic restore tests.
¶ Node and Volume Hardening
- Run on hardened Kubernetes nodes with minimal host exposure.
- Monitor replica health, rebuild storms, and unexpected detach events.
- Keep Longhorn and Kubernetes versions patched.