coreweave-security-basics

# CoreWeave Security Basics ## Overview CoreWeave provides bare-metal GPU cloud on Kubernetes. Security concerns center on compute credential management (kubeconfig, deploy tokens), network isolation between inference workloads, secrets for model registry access (HuggingFace, container registries), and protecting sensitive training data on persistent volumes. A compromised namespace can expose GPU resources, model weights, and customer inference data. ## API Key Management ```typescript import { KubeConfig, CoreV1Api } from "@kubernetes/client-node"; function createCoreWeaveClient(): CoreV1Api { const apiKey = process.env.COREWEAVE_API_KEY; if (!apiKey) { throw new Error("Missing COREWEAVE_API_KEY — set via secrets manager"); } const kc = new KubeConfig(); kc.loadFromDefault(); const api = kc.makeApiClient(CoreV1Api); // Never log kubeconfig or API key contents console.log("CoreWeave client initialized for namespace:", process.env.CW_NAMESPACE); return api; } ``` ## Webhook Signature Verification ```typescript import crypto from "crypto"; import { Request, Response, NextFunction } from "express"; function verifyCoreWeaveWebhook(req: Request, res: Response, next: NextFunction): void { const signature = req.headers["x-coreweave-signature"] as string; const secret = process.env.COREWEAVE_WEBHOOK_SECRET!; const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex"); if (!signature || !crypto.timingSafeEqual(Buffer.from(sig...