Security
Understand the security controls Kupe applies around every managed cluster.
What’s enforced
Section titled “What’s enforced”Every managed cluster on Kupe Cloud has:
- Workload security policies that block privileged or unsafe pod settings
- Network isolation restricting workload egress to internet only
- Container security contexts requiring non-root, read-only filesystems, dropped capabilities
- Runtime threat monitoring for suspicious process behavior in running workloads
- Continuous vulnerability scanning for CVEs, compliance findings, and SBOMs
- Resource quotas preventing any single cluster from exhausting platform resources
Shared responsibility
Section titled “Shared responsibility”| Kupe manages | You manage |
|---|---|
| Pod security policies (non-root, no privileged) | Application-level authentication |
| Network egress restrictions | Secrets rotation for your workloads |
| Runtime threat detection | Keeping application dependencies updated |
| Vulnerability scanning | Reviewing scan results for your workloads |
| Infrastructure patching | Responding to vulnerability alerts |
How enforcement works
Section titled “How enforcement works”When you deploy a workload, Kupe validates it before it runs. If it violates a required policy, the deployment is rejected with a clear error message explaining what to fix.
For example, deploying a container that runs as root produces:
Error: admission webhook denied the request:Tenant containers must set runAsNonRoot: true and allowPrivilegeEscalation: false.Some checks start in audit mode (violations are logged but allowed) before they become required.
Related pages
Section titled “Related pages”- Cluster Policies — full policy reference
- Network Isolation — egress restrictions
- Container Security — security context requirements
- Vulnerability Scanning — CVE reports, compliance, and SBOMs
- Runtime Protection — runtime threat detection and enforcement
- Image Signing — container image signing and verification