Skip to content

Security

Understand the security controls Kupe applies around every managed cluster.

Every managed cluster on Kupe Cloud has:

  • Workload security policies that block privileged or unsafe pod settings
  • Network isolation restricting workload egress to internet only
  • Container security contexts requiring non-root, read-only filesystems, dropped capabilities
  • Runtime threat monitoring for suspicious process behavior in running workloads
  • Continuous vulnerability scanning for CVEs, compliance findings, and SBOMs
  • Resource quotas preventing any single cluster from exhausting platform resources
Kupe managesYou manage
Pod security policies (non-root, no privileged)Application-level authentication
Network egress restrictionsSecrets rotation for your workloads
Runtime threat detectionKeeping application dependencies updated
Vulnerability scanningReviewing scan results for your workloads
Infrastructure patchingResponding to vulnerability alerts

When you deploy a workload, Kupe validates it before it runs. If it violates a required policy, the deployment is rejected with a clear error message explaining what to fix.

For example, deploying a container that runs as root produces:

Error: admission webhook denied the request:
Tenant containers must set runAsNonRoot: true and allowPrivilegeEscalation: false.

Some checks start in audit mode (violations are logged but allowed) before they become required.