Skip to content

FAQ

What happens while the API is in maintenance mode?

When the API is in maintenance mode, it will: * Return a 200 on GET /load-balancer/health-check * Return a 503 to any other request, with a specified Retry-After header value

How do I put the API into maintenance mode for scheduled or unscheduled maintenance?

In the scripts/maintenance.yaml manifest, the following section allows for configuration of the Retry-After http header:

headers:
    response:
        set*:
        content-type: "application/json"
        "Retry-After": "INPUT RETRY DURATION SECONDS HERE"*

Once modified, apply the rule:

$ kubectl apply -f ./scripts/maintenance-mode

Verify that the rule has taken effect through rising 503 responses in logs or metrics When maintenance has completed, remove the rule via kubectl -

$ kubectl delete -f ./scripts/maintenance-mode

Is Self-Hosted FEDRAMP compliant?

Prefect uses services that are compliant with FEDRAMP requirements.
For specific compliance details on each utilized cloud service, see more here.

Is Self-Hosted PCI-DSS compliant?

What are the options for High Availability?

What are the options for Backups / Disaster Recovery?

Backup options would be cloud native using your desired cloud vendor.
As the product is Self-Managed, backup options would be available through database replication and snapshots (RDS / Aurora, PostgreSQL, etc.)

Sensitive data was accidentally stored - how can I remove it?

The relevant task and flow run logs are stored in Postgres and can be deleted directly out of the table. See here for example syntax.

How can I modify log retention?

The default retention period set in PostgreSQL is determined by the environment variable PREFECT_CLOUD_EVENTS_POSTGRES_MAX_RETENTION_PERIOD which defaults to 30 days.

Is all data encrypted in transit? At rest?

Yes - all data is encrypted between the Prefect clients (both user clients and the Prefect workers) through TLS.
Intra-cluster encryption in transit is supported if a customer chooses to implement in their environment.
All Redis connections can be configured via TLS.
All data at rest (database) can be configured for encryption through the customers cloud vendor via cloud managed or customer managed keys.

Can images be modified from base?

Depending on the requirements for modification. Injecting / re-building images to include security certificates for communication is supported. Replacing packages, alterting entrypoints, and further modifications are not supported.

How are logs collected and stored?

Prefect logs are at the granularity that the customer defines in their flow code (DEBUG through INFO).
Our applications log request access logs from our webservers as well as job consumer activity.
No customer information is exposed in such logs. No database queries are logged. All other logs such as cluster, database, load balancer logs would be at the customers discretion through their cloud provider.

Is there a patching cycle for the application? How often is it reviewed?

The CVE SLA for Prefect Self Managed matches our own internal cadence for Prefect Cloud. A risk matrix determines the risk, severity, and impact of the CVE, and is remediated in a period appropriate for the risk.

What regions / countries are supported?

As the product is self-managed, it can be brought to any region / country that has the requisite infrastructure to implement.

What is your SLA response time?

9x5 with 1 hour response time.

Does Prefect track my usage?

No telemetry is collected for Prefect Self Managed offerings.