Controllers exposed to the Internet should (at a minimum) be backed by TLS.
How to use an external identity provider
Look into Juju’s internals
Production users benefit from an understanding of how Juju gets its work done. Internally, Juju is a network of software agents (jujud processes) in a star topology. The central node is the controller.
To create a report of any given agent, juju ssh into the machine, then run juju_engine_report:
$ juju ssh <machine-id>
$ juju_engine_report
Under Kubernetes, juju ssh is unavailable. Use kubectl exec to access the operator pod, which is where the relevant agent is executing. You will also need to load the scripts into your session with source.
The juju_engine_report provides valuable diagnostics. A useful periodic task is to run an engine report for each jujud process on each machine. Some tooling has been developed to help isolate problems and aid debugging: