- Lock down Tor MetricsPort with firewall + MetricsPortPolicy. - Add TLS + auth for Grafana, Prometheus, Elasticsearch. - Implement ILM in ES (drop logs older than X days). - Decide if you will hash or anonymize IPs in logs for privacy. Research: - NetworkPolicies in Kubernetes (restrict Prometheus scrape pods). - Setting up TLS with cert-manager in K8s. - Elasticsearch security model (basic auth, API keys). - Privacy regulations in your jurisdiction (GDPR, etc).
Research: