Security: nanohype/eks-agent-platform

SECURITY.md

Security Policy

Reporting a vulnerability

Email rackctl@gmail.com with subject [security][eks-agent-platform]. Do not open public issues for security reports.

Acknowledgement target: within 72 hours. Triage target: within 5 business days.

Security posture

This platform is a tenancy substrate. Its security model assumes:

  • The hosting EKS cluster is provisioned by landing-zone with CIS EKS baseline enforced.
  • ArgoCD is deployed by aws-eks (CDK) with SSO-only access.
  • eks-gitops enforces Pod Security Standards restricted and Kyverno verify-images policies.

Tenant isolation

  • Namespace-per-Platform with ResourceQuota + LimitRange + default-deny NetworkPolicy.
  • ArgoCD AppProject scoped to the Platform's namespace and source repos.
  • IRSA role per Tenant with policies generated by the operator under a constrained IAM path (/eks-agent-platform/tenants/<platform-id>/).
  • Optional hard isolation via vCluster for Platforms that require kernel-level boundaries.

Identity

  • No long-lived credentials anywhere. Pods get tokens via Workload Identity (IRSA). The operator itself runs with an IRSA role scoped to three things: the tenant IAM path, KMS grant creation, and attaching/detaching the Bedrock policy on tenant roles.
  • Tool credentials projected into kagent ToolServer pods via External Secrets Operator (already in eks-gitops), backed by AWS Secrets Manager.

Encryption

  • Two CMKs per Platform — cmk-data and cmk-logs. Auditor role has decrypt on cmk-logs only.
  • All S3 buckets enforce SSE-KMS with the Platform's cmk-data.
  • CloudWatch log groups encrypted with cmk-logs.

Egress

  • VPC endpoints for bedrock-runtime, sts, s3, secretsmanager, logs, monitoring.
  • WAF on the public-facing agentgateway listener.
  • Bedrock invocation logging written to a tamper-evident S3 bucket with Object Lock (governance mode by default, compliance mode for regulated tenants).

Supply chain

  • All operator images signed with cosign; verify-images policy in eks-gitops blocks unsigned images cluster-wide.
  • SBOM (SPDX) generated with syft on every tagged release.
  • Renovate keeps @eks-agent/pricing and dep versions current weekly.

Kill-switch

A BudgetPolicy breach at ≥120% of the configured budget detaches the Bedrock-invoke policy from the tenant IRSA role and scales the tenant's AgentRuntimes to zero. Recovery requires SSO permission-set elevation with MFA plus an approver. There is no API path back without that elevation.
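The property that matters in the kill-switch above is that it latches: once tripped, a later drop in spend must not re-attach Bedrock invoke or scale runtimes back up, because only an elevated, MFA-backed approval may do that. The following is an added illustration of that reconcile logic, not the operator's own code; the BudgetStatus and DesiredState types, the cent-based fields and the Recover function are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// BudgetStatus is a hypothetical view of a tenant's BudgetPolicy. Amounts are
// integer cents so the 120% comparison never depends on float rounding.
type BudgetStatus struct {
	LimitCents int64 // configured budget
	SpentCents int64 // spend observed so far
	Tripped    bool  // kill-switch already latched for this Platform
}

// DesiredState is what the reconcile loop would apply to the tenant.
type DesiredState struct {
	BedrockInvokeAttached bool  // Bedrock-invoke policy on the tenant IRSA role
	RuntimeReplicas       int32 // AgentRuntime replicas
	Tripped               bool
}

const breachPercent = 120 // the policy's ≥120% threshold

// ErrElevationRequired: recovery is never performed by the reconcile loop.
var ErrElevationRequired = errors.New("kill-switch latched; recovery requires MFA elevation and an approver")

// Reconcile computes the desired state. The latch is one-way: a tripped
// tenant stays detached and scaled to zero regardless of current spend.
func Reconcile(st BudgetStatus, wantReplicas int32) DesiredState {
	breached := st.LimitCents > 0 && st.SpentCents*100 >= breachPercent*st.LimitCents
	if st.Tripped || breached {
		return DesiredState{BedrockInvokeAttached: false, RuntimeReplicas: 0, Tripped: true}
	}
	return DesiredState{BedrockInvokeAttached: true, RuntimeReplicas: wantReplicas, Tripped: false}
}

// Recover clears the latch only with an MFA-elevated session and a named approver.
func Recover(st BudgetStatus, elevatedWithMFA bool, approver string) (BudgetStatus, error) {
	if !st.Tripped {
		return st, nil
	}
	if !elevatedWithMFA || approver == "" {
		return st, ErrElevationRequired
	}
	st.Tripped = false
	return st, nil
}

func main() {
	d := Reconcile(BudgetStatus{LimitCents: 10000, SpentCents: 12500}, 3) // constructed: 125% of budget
	fmt.Printf("tripped=%v invoke=%v replicas=%d\n", d.Tripped, d.BedrockInvokeAttached, d.RuntimeReplicas)
}
```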

Known limitations

  • Bedrock Guardrails coverage varies by model family. The GuardrailPolicy.spec.modelFamilies field reflects current support; the controller refuses to attach an unsupported policy.
  • DRA (Dynamic Resource Allocation) is beta in Kubernetes; behavior depends on the feature gates enabled in your EKS cluster version.
  • vCluster as a hard-isolation option is a recommendation, not a default; enabling it changes the operator's reconcile model for that Platform.

Compliance

This platform does not produce a compliance certification on its own. It exposes the controls needed for:

  • SOC 2 Type II — audit trail via Bedrock invocation logging + EventBridge archive, encrypted at rest with CMK, access-logged via CloudTrail.
  • HIPAA — requires a BAA with AWS; Platform.spec.compliance.hipaa = true enables stricter defaults (Object Lock compliance mode, no cross-region inference, mandatory Guardrails with PII detection enabled).
  • CIS EKS — baseline enforced upstream by landing-zone + eks-gitops.