Security posture. Short, specific, testable.

KubeHero sits in the hot path of your cluster's compute budget. These are the guarantees we hold ourselves to — they are engineering commitments, not marketing copy. Each has a runbook an auditor can verify against.

Non-negotiable commitments
01·SEC-01

Read-only agent by default.

The DaemonSet has zero write permissions on your cluster. Enforcement requires a separate `RightsizingPolicy` or `CeilingPolicy` CRD that you author and apply yourself. Nothing in KubeHero can mutate your resources unless you arm a policy.

02·SEC-02

No telemetry leaves your cluster.

The collector, control plane, and dashboard all run inside your own network. Even anonymous product analytics require a separate explicit opt-in flag. Air-gap capable — all images mirrorable to your registry.

03·SEC-03

mTLS end-to-end.

Agent ↔ ingest traffic is mutually authenticated via per-cluster certificates. cert-manager rotates weekly by default; manual rotation is one CLI command. Root CA is published for pinning.

04·SEC-04

Every action is reversible within cooldown.

Default cooldown is 10 minutes. Every eviction or HPA cap logs the original spec so `kubehero undo <audit-id>` restores it. Policies with `humanArm: true` (the default) refuse to run until an operator arms them from the dashboard or CLI.

05·SEC-05

Append-only audit log, exportable to any SIEM.

Every policy evaluation, recommendation, and enforcement lands in an append-only Postgres table. Webhook + syslog + S3 dump outputs are first-class — you don't need to scrape our UI to fulfill an audit request.

06·SEC-06

Secrets never cross cloud boundaries.

The agent does not read `Secret` resources. GPU telemetry uses DCGM's read-only unix socket. Pricing lookups happen on the control plane and never touch your cluster.
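
One way an auditor could test SEC-01 and SEC-06 against the RBAC actually granted to an agent, as an added example that is not KubeHero's own runbook or code. The role JSON is constructed sample data and the role name is hypothetical; it has the shape of `kubectl get clusterrole <name> -o json`.

```python
import json

# Constructed sample with two deliberate violations (rules 1 and 2).
# The name and rules are hypothetical, not KubeHero's shipped manifest.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-agent-readonly"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "patch"]},
    {"apiGroups": [""], "resources": ["*"], "verbs": ["list"]}
  ]
}
""")

READ_VERBS = {"get", "list", "watch"}


def audit_role(role):
    """Return (rule_index, finding, verbs) tuples that contradict a
    read-only, no-Secret-access claim."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))

        # SEC-01: any verb outside get/list/watch, including "*", is not read-only.
        extra = verbs - READ_VERBS
        if extra:
            findings.append((i, "write-verb", sorted(extra)))

        # SEC-06: Secrets live in the core ("") API group. A "*" resource or
        # group wildcard covers them, and list/watch return full Secret data
        # just as get does, so any verb here counts as read access.
        core = bool(groups & {"", "*"})
        hits_secrets = any(
            r in ("*", "secrets") or r.startswith("secrets/") for r in resources
        )
        if core and hits_secrets and verbs:
            findings.append((i, "secret-access", sorted(verbs)))
    return findings


if __name__ == "__main__":
    for idx, kind, verbs in audit_role(SAMPLE_ROLE):
        print(f"rule[{idx}]: {kind} via verbs {verbs}")
```

A full check runs this over every Role and ClusterRole bound to the agent's ServiceAccount, since a single clean role says nothing about additional bindings.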

Your cluster, your boundary.

Deployment: Self-hosted in your cluster
Data residency: Telemetry never leaves your network
Audit log: Append-only, export to any SIEM
Air-gap: All images mirrorable to your registry

Found something? Tell us directly.

Email the security team with reproduction steps. We aim to acknowledge within 2 business days and will keep you updated through to resolution. Public credit where desired, hall of fame on this page once patched.

security@kubehero.io
PGP available on request

Please do not open GitHub issues for security-sensitive reports.