- Allow only hardened nodes into the Ganeti cluster.
- Restrict RPC and management traffic to private cluster networks.
- Use host-based firewall rules between cluster members.
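A host-based ruleset of the kind the third item calls for, added here as an example (not part of the original page or of Ganeti itself): a POSIX shell function that emits an nftables input policy admitting Ganeti's daemons only from listed cluster members and SSH/RAPI only from a bastion. The member and bastion addresses are constructed, and the daemon ports are the Ganeti defaults as assumed here.

```shell
#!/bin/sh
# Added example, not Ganeti project code: build an nftables ruleset for one node
# that admits Ganeti's node-to-node daemons only from listed cluster members.
# Port numbers are the Ganeti defaults as assumed here; verify them against
# your installed version and add any extra ports your configuration uses
# (for example the KVM live-migration port).
set -eu
# Constructed sample values: members on a private cluster network, one bastion.
CLUSTER_MEMBERS="10.0.0.11 10.0.0.12 10.0.0.13"
BASTION="10.0.0.5"
# ganeti_nft_ruleset MEMBERS BASTION
# MEMBERS is a space-separated list of member IPv4 addresses; output is nft syntax.
ganeti_nft_ruleset() {
  members=$(printf '%s' "$1" | tr ' ' ',')
  bastion=$2
  cat <<EOF
table inet ganeti {
  set cluster_members {
    type ipv4_addr
    elements = { $members }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    icmp type echo-request accept
    # ganeti-noded RPC (TCP 1811) and ganeti-confd (UDP 1814): members only
    ip saddr @cluster_members tcp dport 1811 accept
    ip saddr @cluster_members udp dport 1814 accept
    # DRBD replication / VNC port range: members only
    ip saddr @cluster_members tcp dport 11000-14999 accept
    # SSH: master-to-node from members, administrators via the bastion
    ip saddr @cluster_members tcp dport 22 accept
    ip saddr $bastion tcp dport 22 accept
    # RAPI (TCP 5080): bastion only, never the whole network
    ip saddr $bastion tcp dport 5080 accept
    counter drop
  }
}
EOF
}
# Syntax-check the generated ruleset without loading it (needs nft installed).
ganeti_nft_check() {
  ganeti_nft_ruleset "$1" "$2" | nft -c -f -
}
ganeti_nft_ruleset "$CLUSTER_MEMBERS" "$BASTION"
```

Load the checked ruleset with `nft -f` only after confirming the member list matches `gnt-node list`, since a missing member would cut that node off from the master.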
¶ Access and Privilege
- Limit administrative CLI/API access to bastion hosts.
- Use role separation for operations and infrastructure admins.
- Audit cluster changes and VM lifecycle operations.
¶ Image and Instance Security
- Use signed and trusted VM images only.
- Keep guest templates patched and vulnerability-scanned.
- Disable unnecessary guest services in base images.