Security

• Evaluation and security

  Timeout, stack, and concurrency caps on evaluation, and the security model to lock down before exposing the service.

• Network policy

  The opt-in NetworkPolicy the chart ships — pod-scoped allowlists vs. a namespace-wide default-deny, choosing a policy engine, the ingress and egress traffic JaaS needs, and how to tighten each port.

• Production

  A decision-oriented checklist for hardening a JaaS operator install before serving production traffic.

• Service mesh

  The opt-in service-mesh authorization the chart ships — Istio or Linkerd identity-based authorization and mTLS layered over networkPolicy, per-port allowed mesh identities, the non-mesh carve-outs for the apiserver and kubelet, and native passthrough.