Kasm Workspaces should be configured with strict role separation, image governance, and secure session isolation.
Key areas to configure:
- admin/org roles and RBAC
- agent/zone placement
- workspace image policy and update cadence
- session/network restrictions
Baseline environment values (deployment level):
KASM_URL=https://kasm.example.com
DEFAULT_TIME_ZONE=UTC
KASM_API_HOST=127.0.0.1
Access and identity
- Integrate SSO/LDAP for enterprise user lifecycle.
- Restrict super-admin accounts and audit regularly.
- Enforce MFA at identity provider level.
- Separate tenant organizations when serving multiple teams.
- Approve only trusted workspace images.
- Cap CPU/RAM/GPU per workspace profile.
- Disable persistent profiles if policy requires ephemeral sessions.
- Apply network controls to prevent unrestricted lateral movement.
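The image-approval, resource-cap and persistent-profile checks above can be run as a policy lint over an exported workspace inventory. The following is an added example, not Kasm's own code or API schema: the field names, the approved-repository list, the caps and the sample inventory are all assumptions constructed for illustration. It normalizes image references first, so an image with an implicit Docker Hub registry and an image from an unapproved mirror are not confused.

```python
# Added example. Field names are hypothetical, not Kasm's API schema.
APPROVED_REPOS = {"docker.io/kasmweb/chrome", "registry.example.com/corp/desktop"}  # constructed
CAPS = {"cpus": 4, "memory_gb": 8, "gpus": 1}  # constructed per-profile ceilings
EPHEMERAL_ONLY = True  # assumption: policy requires ephemeral sessions

def normalize_repo(image):
    """Return registry/repository for an image reference, without tag or digest."""
    name = image.split("@", 1)[0]              # drop any @sha256:... digest
    first, _, rest = name.partition("/")
    # The first component is a registry host only if it has a dot or port, or is localhost.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name     # implicit Docker Hub
    if ":" in path.rsplit("/", 1)[-1]:         # a tag lives after the last slash
        path = path[: path.rindex(":")]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path               # official images
    return f"{registry}/{path}"

def audit(profiles):
    """Return (profile name, finding) tuples for every policy violation."""
    findings = []
    for p in profiles:
        repo = normalize_repo(p["image"])
        if repo not in APPROVED_REPOS:         # exact match, never a prefix match
            findings.append((p["name"], f"unapproved image {repo}"))
        for key, ceiling in CAPS.items():
            value = p.get(key)
            if value is None or value > ceiling:   # a missing cap is treated as unlimited
                findings.append((p["name"], f"{key} cap missing or above {ceiling}"))
        if EPHEMERAL_ONLY and p.get("persistent_profile"):
            findings.append((p["name"], "persistent profile enabled"))
    return findings

SAMPLE = [  # constructed inventory
    {"name": "chrome", "image": "kasmweb/chrome:1.15.0",
     "cpus": 2, "memory_gb": 4, "gpus": 0, "persistent_profile": False},
    {"name": "desktop", "image": "registry.example.com/corp/desktop:2024.1",
     "cpus": 8, "memory_gb": 8, "gpus": 0, "persistent_profile": True},
    {"name": "mirror", "image": "mirror.example.net/kasmweb/chrome:1.15.0",
     "cpus": 2, "gpus": 0},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```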
Backup and recovery
Back up:
- Kasm database and config
- custom workspace images/manifests
- TLS and reverse proxy settings
Recovery test:
- Restore control plane.
- Launch a standard workspace image.
- Validate authentication and file policy behavior.
- Session launch failure alerts enabled.
- Agent node capacity monitored.
- Image update process documented.
- Incident procedure for compromised workspace image available.