Security at KostKube

We understand that connecting any external tool to your Kubernetes cluster requires trust. Here is exactly how we earn and protect that trust.

Infrastructure Security

Cloud Infrastructure

  • Hosted on Amazon Web Services (AWS)
  • Primary region: US-East-1 (Northern Virginia)
  • AWS VPC isolation with private subnets for data services
  • AWS WAF for web application firewall protection

Encryption

  • TLS 1.3 for all data in transit (Agent to cloud, browser to app)
  • AES-256 encryption for all data at rest
  • Encrypted database volumes (AWS KMS-managed keys)
  • Encrypted backups with key rotation
  • TLS certificate management via AWS Certificate Manager

Agent Security

The KostKube Agent is the only component that runs in your environment. Its security design was our first and highest priority.

RBAC & Permissions

  • Read-only ClusterRole — no write, update, delete, or patch permissions
  • Scoped to only the API resources needed: nodes, pods, namespaces, persistentvolumes
  • Explicitly no access to Secrets, ConfigMaps, or ServiceAccounts
  • Dedicated ServiceAccount with minimal token permissions
  • Deployed in its own namespace (kostkube-system) for isolation
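As an added illustration (not KostKube's shipped manifest, which this page does not reproduce), the following is what an RBAC manifest matching the permissions described above looks like; object names such as kostkube-agent are assumed, so compare against the actual manifest with `kubectl get clusterrole <name> -o yaml` rather than against this text.

```yaml
# Example only: RBAC objects matching the read-only, scoped permissions described above.
# Names (kostkube-agent, kostkube-agent-readonly) are assumed; the namespace is the one named on the page.
apiVersion: v1
kind: Namespace
metadata:
  name: kostkube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kostkube-agent
  namespace: kostkube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kostkube-agent-readonly
rules:
  # Only the four core resource kinds listed above, and only read verbs.
  # No create/update/patch/delete, and no rule mentions secrets,
  # configmaps or serviceaccounts, so those cannot be read at all.
  - apiGroups: [""]
    resources: ["nodes", "pods", "namespaces", "persistentvolumes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kostkube-agent-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kostkube-agent-readonly
subjects:
  # Bind the ClusterRole to the dedicated ServiceAccount in the agent's own namespace.
  - kind: ServiceAccount
    name: kostkube-agent
    namespace: kostkube-system
```

To confirm the effective permissions in a live cluster, `kubectl auth can-i get secrets --as=system:serviceaccount:kostkube-system:kostkube-agent` should answer `no`, while the same query for `pods` should answer `yes`.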

Data Collected by Agent

The Agent collects ONLY:

  • CPU/memory request and usage metrics per pod/node
  • Storage utilization for Persistent Volumes
  • Kubernetes resource names and labels
  • Node instance type and region metadata

The Agent does NOT collect:

  • Secrets, tokens, or credentials of any kind
  • Application logs or container output
  • Network traffic content
  • Environment variable values

Authentication & Access Control

Platform Authentication

  • JWT (JSON Web Tokens) for session management with short expiry
  • Passwords hashed with bcrypt (cost factor 12+)
  • Brute-force protection with rate limiting on login attempts
  • HTTPS-only — all HTTP requests redirected to HTTPS

Data Isolation

  • Logical data isolation per customer in all data queries
  • Customer data partitioned by tenant ID at the database layer
  • No cross-customer data leakage by architectural design
  • Role-based access within your account: Admin, Editor, Viewer
  • Audit log of all user actions within the platform

Compliance & Privacy

We take data privacy seriously. The KostKube Agent collects only infrastructure metrics — no application data, secrets, or personal information. All data is encrypted in transit and at rest.

For details on what data we collect, how we store it, and your rights, see our Privacy Policy.

For compliance-related questions or to request information about our data handling practices, contact us at support@kostkube.com.

Security Testing & Operations

Incident Response

We maintain a documented incident response plan. In the event of a security incident that may affect your data, we will notify affected customers via email within 72 hours of becoming aware of the incident, consistent with GDPR notification requirements.

Dependency Management

We monitor all third-party dependencies used in the platform and Agent for known CVEs. Critical security patches are applied promptly. Agent releases are versioned and signed.

Employee Access

Access to production systems is restricted to authorized personnel on a need-to-know basis. All production access requires MFA. We maintain access logs for all production system interactions.

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the work of security researchers who responsibly disclose issues to us. If you have discovered a security vulnerability in KostKube — including the platform, the Agent, or any related infrastructure — please report it to us before publicly disclosing it.

Security Contact

security@kostkube.com

Please use this email for security vulnerability reports only. For general support, use support@kostkube.com.

We commit to: acknowledging your report within 2 business days; keeping you informed of our investigation and remediation progress; not pursuing legal action against researchers who act in good faith; and giving credit to researchers who responsibly disclose valid vulnerabilities (unless you prefer to remain anonymous).

Have Security Questions?

We're happy to answer security questions, provide additional documentation, or arrange a security review call for Enterprise customers.