If you discover a security vulnerability in PrivateCloud, please report it responsibly:

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Email the maintainer directly or use GitHub's private vulnerability reporting
3. Include as much detail as possible:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Any suggested fixes (if applicable)

• Acknowledgment within 48 hours
• Regular updates on progress
• Credit in the security advisory (if desired)

When using PrivateCloud:

chmod 600 privatecloud.yaml

Never commit privatecloud.yaml to version control.

Instead of storing secrets in plaintext:

# In privatecloud.yaml
proxmox:
  token_secret: "${PROXMOX_API_TOKEN}"

Set the environment variable before running:

export PROXMOX_API_TOKEN="your-secret-token"
privatecloud install-cluster

Create a token with minimal permissions:

pveum role add PrivateCloudRole -privs "VM.Allocate VM.Config.Disk VM.Config.CPU VM.Config.Memory VM.Config.Network Sys.Audit"
pveum user token add root@pam!privatecloud --privs PrivateCloudRole

• Use VPN or restricted network access for cluster nodes
• Enable TLS verification (avoid --insecure flags in production)
• Firewall cluster nodes appropriately

Terraform state files may contain sensitive data. Store them securely:

• Use Terraform Cloud or S3 with encryption
• Never commit .tfstate files to git
• Enable state encryption at rest

• The tool requires root/SSH access to nodes
• Secrets are transmitted via SSH during K3s installation
• Ensure your SSH connections are secured (key-based auth recommended)