Security

Kupe Cloud applies multiple layers of security to every managed cluster. These protections are built in, so you can focus on your workloads without wiring up separate security tooling first.

What’s enforced

Every managed cluster on Kupe Cloud has:

• Workload security policies that block privileged or unsafe pod settings
• Network isolation restricting workload egress to internet only
• Container security contexts requiring non-root, read-only filesystems, dropped capabilities
• Runtime threat monitoring for suspicious process behavior in running workloads
• Continuous vulnerability scanning for CVEs, compliance findings, and SBOMs
• Resource quotas preventing any single cluster from exhausting platform resources

Shared responsibility

Kupe manages	You manage
Pod security policies (non-root, no privileged)	Application-level authentication
Network egress restrictions	Secrets rotation for your workloads
Runtime threat detection	Keeping application dependencies updated
Vulnerability scanning	Reviewing scan results for your workloads
Infrastructure patching	Responding to vulnerability alerts

How enforcement works

When you deploy a workload, Kupe validates it before it runs. If it violates a required policy, the deployment is rejected with a clear error message explaining what to fix.

For example, deploying a container that runs as root produces:

Error: admission webhook denied the request:
Tenant containers must set runAsNonRoot: true and allowPrivilegeEscalation: false.

Some checks start in audit mode (violations are logged but allowed) before they become required.

Related pages

• Cluster Policies — full policy reference
• Network Isolation — egress restrictions
• Container Security — security context requirements
• Vulnerability Scanning — CVE reports, compliance, and SBOMs
• Runtime Protection — runtime threat detection and enforcement
• Image Signing — container image signing and verification