iterion

← docs index · ← cloud-deployment.md · ← cloud-troubleshooting.md

Cloud — public exposure checklist

This page is a pre-flight checklist for opening an iterion deployment to traffic outside your private network (i.e., putting it behind a public Ingress, on the internet, or accessible to users you don’t fully trust). Every item below is a hard prerequisite — skipping any of them is how incidents happen.

If you are running iterion only on a private network (VPN, internal cluster, single-tenant lab), this page is informational. The checklist is geared toward multi-tenant or internet-exposed deployments.

This is not a substitute for a full security review. It is the minimum bar.


1. Authentication is enforced on every public route

How to verify: try curl https://<host>/api/runs with no token — must return 401. Try with an expired token — must return 401. Try with a valid token from tenant A reading tenant B’s run — must return 404 or 403.

2. Multi-tenant isolation is real

How to verify: log in as user A on tenant A, take their JWT, try to call /api/runs/<a-run-id-from-tenant-B> — must return 404 or 403, never 200.

3. Network isolation

How to verify: from a runner pod with sandbox active, attempt curl https://example.com/ — must fail. Attempt curl https://api.anthropic.com/ — must succeed.

4. Secrets management

How to verify: kubectl describe pod <iterion-server-pod> | grep -i secret — env vars must reference valueFrom.secretKeyRef, never literal value:.

5. Image supply chain

How to verify: helm template ./charts/iterion -f values-prod.yaml | grep image: — every image string ends in @sha256:….

6. Observability + alerting

How to verify: kill a runner pod; /api/runs/<id>/events should not stream new events (run hangs); the alert for queue-depth or stale-run should fire within its configured window.

7. Probes + autoscaling

How to verify: kubectl get scaledobject -n <ns> -o yaml | grep consumer shows the parameterised name. Drain a runner node; KEDA recreates pods on a remaining node within ~30s.

8. Resource limits + cost guards

9. Backup + recovery

10. Documentation + runbooks


Sign-off

Role Name Date Notes
Operator (deploys + monitors)      
Security reviewer      
Privacy / legal reviewer      
On-call manager      

A deployment is ready for public exposure when all four sign-offs are present and dated, and every checkbox above is ticked. Half-completed checklists are how incidents are made.

If a box can’t be ticked, do not open the deployment to traffic until it can — or accept the risk explicitly, in writing, with a named owner.