| 7.1 | Deploy Wazuh | Deploy the Wazuh manager, indexer, and dashboard. Install Wazuh agents on all cluster nodes. Configure the dashboard at wazuh.redactedworld.com behind Traefik. Set up default rulesets for file integrity monitoring, rootkit detection, and K8s audit log ingestion. | Wazuh dashboard loads at the public URL; agents report "Active" for every node; FIM alerts fire when a test file is modified on a node. |
| 7.2 | Deploy GitLab | Deploy GitLab CE (Omnibus or Helm) at gitlab.redactedworld.com with SSO via Keycloak SAML/OIDC, a container registry, and CI/CD runners registered to the K8s cluster. | GitLab loads at the public URL; users authenticate via Keycloak; a test project pipeline runs a CI job on a K8s runner and pushes an image to the registry. |
| 7.3 | K8s network policies for scan isolation | Write and apply NetworkPolicy resources that restrict scan-worker pods to outbound traffic only toward the target domain (by IP or CIDR), DNS resolution, and NATS (for result publishing). All other cluster-internal and external traffic is denied. | A scan worker can reach its target and NATS but cannot reach other services (e.g., PostgreSQL, Keycloak); running curl against an internal service from a kubectl exec session in a worker pod fails with connection refused or a timeout. |
| 7.4 | Security hardening review | Conduct a review covering: RBAC least-privilege audit, secret management (Sealed Secrets or external-secrets-operator), image scanning (Trivy in CI), pod security standards enforcement, and TLS everywhere. Document findings and remediations. | A written security review document is committed to the repository; all critical findings are resolved; Trivy scans run in CI for every image build. |
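One way to express the 7.3 isolation rule as an added example manifest (not one of the project's own manifests): the namespace names, pod labels, the NATS client port and the target CIDR are all assumptions, and 203.0.113.0/24 is a constructed TEST-NET-3 range standing in for the real scan target.

```yaml
# Added example, not from the project plan. Assumed: scan workers run in
# namespace "scanners" with label app=scan-worker; NATS runs in namespace
# "messaging" with label app=nats on 4222; CoreDNS carries k8s-app=kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: scan-worker-egress
  namespace: scanners
spec:
  podSelector:
    matchLabels:
      app: scan-worker
  # Declaring Egress with an explicit allow-list turns every outbound
  # connection not matched below into a default deny for these pods.
  policyTypes:
    - Egress
  egress:
    # 1. DNS: only to the cluster resolver in kube-system, UDP and TCP 53.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # 2. NATS: result publishing to the NATS pods only, on the client port.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: messaging
          podSelector:
            matchLabels:
              app: nats
      ports:
        - protocol: TCP
          port: 4222
    # 3. The scan target itself (constructed CIDR). Keep this as narrow as
    #    the target allows; PostgreSQL, Keycloak and the rest of the cluster
    #    are reachable only if they fall inside this block.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
```

To also block inbound connections, add `Ingress` to `policyTypes` with no `ingress` rules; if the target block must be wide, carve the node, pod and service CIDRs out of it with `ipBlock.except`. Enforcement depends on a CNI that implements NetworkPolicy (Calico and Cilium do); a CNI without support accepts the object silently, which is why the kubectl exec check in 7.3 is the real acceptance test.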