Security posture. Short, specific, testable.
KubeHero sits in the hot path of your cluster's compute budget. These are the guarantees we hold ourselves to — they are engineering commitments, not marketing copy. Each has a runbook a customer auditor can verify against.
Read-only agent by default.
The DaemonSet has zero write permissions on your cluster. Enforcement requires a separate `RightsizingPolicy` or `CeilingPolicy` CRD that you author and apply yourself. We cannot mutate your resources from our cloud.
No customer telemetry leaves self-hosted clusters.
On the Self-Hosted tier, the collector, control plane, and dashboard all run inside your network. Even anonymous product analytics require a separate explicit opt-in flag. Air-gap capable — all images mirrorable to your registry.
mTLS end-to-end on Cloud.
Agent ↔ ingest traffic is mutually authenticated via per-cluster certificates. cert-manager rotates weekly by default; manual rotation is one CLI command. Root CA is published for pinning.
Every action is reversible within cooldown.
Default cooldown is 10 minutes. Every eviction or HPA cap logs the original spec so `kubehero undo <audit-id>` restores it. Policies with `humanArm: true` (the default) refuse to run until an operator arms them from the dashboard or CLI.
Append-only audit log, exportable to any SIEM.
Every policy evaluation, recommendation, and enforcement lands in an append-only Postgres table. Webhook + syslog + S3 dump outputs are first-class — you don't need to scrape our UI to fulfill an audit request.
Secrets never cross cloud boundaries.
The agent does not read `Secret` resources. GPU telemetry uses DCGM's read-only unix socket. Pricing lookups happen on the control plane and never touch your cluster.
What's shipping and when.
Found something? Tell us directly.
Email the security team with reproduction steps. We aim to acknowledge within 2 business days and will keep you updated through to resolution. Public credit where desired, hall of fame on this page once patched.
Please do not open GitHub issues for security-sensitive reports.