Security: apache/superset-kubernetes-operator

Security

SECURITY.md

Security Policy

Security Model

The operator defaults to production mode. CRD validation rejects inline secrets; credentials must be referenced from Kubernetes Secrets via secretKeyFrom, metastore.uriFrom, metastore.passwordFrom, or valkey.passwordFrom. The operator never reads, logs, or stores secret values in ConfigMaps or CRD status fields. The operator runs as a non-root, distroless container with a read-only root filesystem, dropped capabilities, and least-privilege RBAC.

Init pod caveat: When an init pod fails, a truncated termination message (max 256 characters) may appear in the SupersetLifecycleTask status and Events. If the init command's error output includes credentials, a fragment could be exposed. This only applies to the init container's own output, not to operator-managed secret references.
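One way to keep credential fragments out of that truncated message, as an added example that is not the operator's own code: a filter the init command's error text could be passed through before it is emitted. The function names and redaction patterns are assumptions; the 256-character limit is the one stated above. It shows why redaction must run before truncation, since a secret cut off mid-value no longer matches a pattern.

```python
import re

MAX_MESSAGE_CHARS = 256  # truncation limit stated in the init pod caveat
REDACTED = "[REDACTED]"

# Assumed patterns (illustrative, not from the operator):
# 1) password in URI userinfo, e.g. scheme://user:password@host
_URI_PASSWORD = re.compile(
    r"(?P<prefix>[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s:/@]+:)(?P<secret>[^\s@]+)(?P<suffix>@)"
)
# 2) key=value or key: value pairs with a secret-looking key
_KEY_VALUE = re.compile(
    r"(?P<key>\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[=:]\s*)"
    r"(?P<secret>\"[^\"]*\"|'[^']*'|[^\s,;]+)",
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Replace credential values matched by the assumed patterns."""
    text = _URI_PASSWORD.sub(
        lambda m: m.group("prefix") + REDACTED + m.group("suffix"), text
    )
    return _KEY_VALUE.sub(lambda m: m.group("key") + REDACTED, text)


def safe_message(raw_error: str, limit: int = MAX_MESSAGE_CHARS) -> str:
    """Redact the full text first, then truncate to the status limit."""
    return redact(raw_error)[:limit]


def unsafe_message(raw_error: str, limit: int = MAX_MESSAGE_CHARS) -> str:
    """Truncate first, then redact: kept only to show the failure mode."""
    return redact(raw_error[:limit])


# Constructed sample: the URI password straddles the 256-character boundary.
SAMPLE_ERROR = (
    "init command failed ".ljust(230, "-")
    + "postgresql://superset:S3cr3tPassw0rd@db.example.internal:5432/superset"
)

if __name__ == "__main__":
    print("truncate-then-redact:", unsafe_message(SAMPLE_ERROR)[-30:])
    print("redact-then-truncate:", safe_message(SAMPLE_ERROR)[-30:])
```
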

Users who can create or modify Superset custom resources are trusted — they can deploy arbitrary containers and Python configuration. Restrict access to Superset CRs using Kubernetes RBAC.

For a detailed description of trust boundaries, security assumptions, and scope, see the Security documentation. If you are unsure whether something crosses the operator's trust boundary, please report it privately and the maintainers will help triage it.

Supported Versions

Version              Supported
v1alpha1 (latest)    Yes

Reporting a Vulnerability

The Apache Superset Kubernetes Operator project follows the Apache Software Foundation vulnerability handling process.

To report a security vulnerability, please email security@apache.org.

Please do not file a public GitHub issue for security vulnerabilities.

Scope

This policy covers the Superset Kubernetes Operator and its components:

  • CRD definitions and CEL validation rules
  • Controller reconciliation logic
  • RBAC and resource management
  • Helm chart and deployment manifests

There aren't any published security advisories