Security, by design

SRE teams can't adopt a deployment tool they don't trust. Kubestead is designed around a single principle: infrastructure-control software should require less access than what it manages — not more. The controller is not a proxy, not a sidecar, and not in your application's request path. It reads metrics and manages replica counts. That is the full scope of its access.

Security principles

Read-only cluster credentials by default

The controller's own credentials are read-only: the get, list, and watch verbs on Deployments and ReplicaSets, nothing else. Rollout actions use a separate RBAC token that is allowed only to update Deployments. Neither identity has cluster-admin access.
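The two-identity split above, written out as plain Kubernetes RBAC. This is an added example, not Kubestead's shipped manifests: the namespace "kubestead", the ServiceAccount and Role names, and the target namespace "shop" are assumptions, and a cluster-wide install would use a ClusterRole for the read side instead of a per-namespace Role.

```yaml
# Added example, not Kubestead's shipped manifests. Namespace, ServiceAccount
# and Role names, and the target namespace "shop", are assumptions.
#
# Identity 1: read-only observer used by the controller's watch loop.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubestead-observer
  namespace: kubestead
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubestead-observer
  namespace: shop
rules:
  # Watching a rollout needs only these verbs: no create, update, patch or delete.
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubestead-observer
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: kubestead-observer
    namespace: kubestead
roleRef:
  kind: Role
  name: kubestead-observer
  apiGroup: rbac.authorization.k8s.io
---
# Identity 2: write-capable actuator, used only to execute rollout actions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubestead-actuator
  namespace: kubestead
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubestead-actuator
  namespace: shop
rules:
  # "update" on deployments rewrites the whole object, pod template included.
  # If your rollouts only shift replica counts, the deployments/scale
  # subresource is the narrower grant; confirm which one the controller
  # actually needs before tightening.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubestead-actuator
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: kubestead-actuator
    namespace: kubestead
roleRef:
  kind: Role
  name: kubestead-actuator
  apiGroup: rbac.authorization.k8s.io
```

After applying it, verify the split from outside the controller rather than trusting the manifest: `kubectl auth can-i update deployments -n shop --as=system:serviceaccount:kubestead:kubestead-observer` must print `no`, and `kubectl auth can-i list deployments -n shop --as=system:serviceaccount:kubestead:kubestead-actuator` must also print `no`. `kubectl auth can-i --list -n shop --as=system:serviceaccount:kubestead:kubestead-actuator` shows everything the write identity can do, which is the list you want to keep short.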

TLS 1.3 in transit

All communication between the Kubestead controller, your cluster's API server, and Kubestead cloud uses mutual TLS 1.3. There are no plaintext channels. Certificates are rotated automatically and are valid for at most 90 days.

AES-256 at rest

All customer configuration data, metric query definitions, and rollout history are encrypted at rest with AES-256. Encryption keys are managed via AWS KMS and rotated annually. Metric time-series data is never persisted — only threshold evaluation results.

Audit log for every decision

Every canary step advancement, rollback trigger, and manual override is captured in a structured, tamper-evident audit event. Events are available via the Kubestead API and webhook export. Retention: 7 days (Starter), 90 days (Team), 90+ days (Platform).

RBAC and SSO ready

The Platform plan includes role-based access control with three roles: operators, reviewers, and read-only observers. SSO is available via SAML 2.0 and OIDC. User provisioning via SCIM 2.0 is scheduled for Q3 2026.

Open-source controller

The cluster-side controller is open source under the Apache 2.0 license, so you can audit everything it does before trusting it with production traffic. Independent security reviews are published on our GitHub security advisory page.

Designed with SOC 2 controls

Kubestead's controls for Change Management, Logical Access, and Availability are built to the SOC 2 Type II criteria. Our formal Type II audit is underway and we do not yet hold a report; in the meantime we share our controls documentation with enterprise prospects under NDA.

No egress of workload data

The controller never transmits request payloads, response bodies, or user identifiers to Kubestead cloud. Only metric aggregates, rollout state, and audit events leave your cluster — and only to your configured Kubestead endpoint.
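The statement above describes what the controller sends. The operator-side check is to enforce it at the network layer so that nothing else can leave, whatever the binary does. This is an added example, not part of Kubestead: a NetworkPolicy that lets the controller pods reach only cluster DNS, the API server, an in-cluster metrics source, and the configured Kubestead endpoint. The namespace and pod labels, the choice of Prometheus as the metrics source, and every address (taken from the RFC 5737 documentation ranges) are assumptions; substitute your own.

```yaml
# Added example, not part of Kubestead. Assumed: the controller runs in the
# namespace "kubestead" with label app.kubernetes.io/name=kubestead-controller,
# 198.51.100.1 is the API server, Prometheus runs in namespace "monitoring",
# and 203.0.113.10 is your configured Kubestead endpoint.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kubestead-controller-egress
  namespace: kubestead
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: kubestead-controller
  policyTypes:
    - Egress        # every destination not listed below is denied for these pods
  egress:
    # Cluster DNS, so the endpoint hostname can still be resolved.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Kubernetes API server. Take the real address from:
    #   kubectl get endpoints kubernetes -n default
    - to:
        - ipBlock:
            cidr: 198.51.100.1/32
      ports:
        - protocol: TCP
          port: 443
    # The in-cluster metrics source the controller queries (assumed Prometheus).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - protocol: TCP
          port: 9090
    # The single external destination: your configured Kubestead endpoint.
    - to:
        - ipBlock:
            cidr: 203.0.113.10/32
      ports:
        - protocol: TCP
          port: 443
```

Two caveats when adopting this: NetworkPolicy is only enforced if your CNI implements it (Calico, Cilium and similar do; the default bridge networking on some distributions does not), so test with a pod that carries the same label and confirm that a connection to any other address fails. And if the Kubestead endpoint or the API server does not have a stable IP, an ipBlock rule will break on the next address change; a CNI that supports hostname-based egress rules, such as Cilium's toFQDNs, is the right tool for that case.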

Responsible disclosure

Found a security issue? We take disclosures seriously and respond within 48 hours. Please email [email protected] with your findings.

We do not currently offer a paid bug bounty program. All good-faith researchers who report a valid vulnerability will receive credit in our security advisories.

Questions about our security posture?

Talk to our team. We share detailed controls documentation with evaluating teams.