How we handle your cluster data.
Kubesentry runs inside your infrastructure. This page explains what data we process, what leaves your environment, and how we've designed controls for security buyers who need to answer these questions.
Security overview
What data Kubesentry processes
The eBPF agent captures syscall metadata: process names, PIDs, syscall types, container IDs, namespace names, timestamps, and network connection endpoints. It does not capture application payload data, memory contents, environment variables, or file contents. The distinction: we see that curl connected to 192.168.1.1:443, not the content of that connection.
Deployment model and data flow
The Kubesentry DaemonSet runs entirely within your cluster. Syscall events are processed locally by the policy engine. Alert notifications are sent outbound to your configured destination (Slack, PagerDuty, SIEM). Policy updates are delivered from the Kubesentry control plane via TLS 1.3. No raw syscall event stream leaves your cluster by default.
Encryption
Control plane communication uses TLS 1.3 with certificate pinning. Alert events routed to SIEM destinations use the destination's own TLS configuration. Events retained in Kubesentry's managed store are encrypted at rest using AES-256.
Required Linux capabilities
The DaemonSet requires CAP_SYS_ADMIN for eBPF program loading on Linux kernels older than 5.8, and the narrower CAP_BPF on kernels 5.8 and later. The kernel requires these capabilities before it will verify and load an eBPF program. No other capabilities are requested. We document exactly why each is needed in our technical FAQ.
Compliance posture
Kubesentry is designed with SOC 2 Type II controls in mind — access controls, audit logging, encryption at rest and in transit, and vulnerability management processes are in place. A SOC 2 Type II report is available to Enterprise customers under NDA. We do not claim SOC 2 certification for lower tiers.
Responsible disclosure
We follow coordinated vulnerability disclosure. If you discover a security issue in Kubesentry's agent, control plane, or documentation, email [email protected]. We acknowledge reports within 24 hours, provide an initial assessment within 5 business days, and coordinate disclosure timing with reporters.
Agent permission scope — minimum viable capability set
| Capability | Kernel version | Why required |
|---|---|---|
| CAP_SYS_ADMIN | < 5.8 | Required for BPF syscall on older kernels. CAP_BPF was split from CAP_SYS_ADMIN in 5.8. |
| CAP_BPF | >= 5.8 | Narrower capability for loading eBPF programs; replaces CAP_SYS_ADMIN on supported kernels. |
| CAP_PERFMON | >= 5.8 | Required for perf_event_open() to attach eBPF programs to performance monitoring hooks. |
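One way to check a running agent against the table above is to decode the CapEff line from the agent process's /proc/<pid>/status on a node and compare it with the set documented for that kernel. This is an added example, not Kubesentry's own tooling; the function names, the process name "agent" and the sample status text are constructed for illustration.

```python
import re

# Capability names in bit order (bit 0 = CAP_CHOWN), per include/uapi/linux/capability.h.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
             "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
             "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
             "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
             "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND "
             "AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()

def expected_caps(kernel_release):
    """Capability set the table documents for a kernel release string (uname -r)."""
    m = re.match(r"(\d+)\.(\d+)", kernel_release)
    if not m:
        raise ValueError(f"unparseable kernel release: {kernel_release!r}")
    if (int(m.group(1)), int(m.group(2))) < (5, 8):
        return {"CAP_SYS_ADMIN"}
    return {"CAP_BPF", "CAP_PERFMON"}

def held_caps(status_text):
    """Decode the CapEff hex bitmask from /proc/<pid>/status text into names."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    mask = int(m.group(1), 16)
    return {"CAP_" + CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_bit_{b}"
            for b in range(64) if mask >> b & 1}

def audit(status_text, kernel_release):
    """Report capabilities missing from, or held beyond, the documented set."""
    held, want = held_caps(status_text), expected_caps(kernel_release)
    return {"missing": sorted(want - held), "unexpected": sorted(held - want)}

# Constructed /proc/<pid>/status excerpts (not captured from a real agent).
AGENT_OK = "Name:\tagent\nCapEff:\t000000c000000000\n"    # CAP_PERFMON + CAP_BPF
AGENT_EXTRA = "Name:\tagent\nCapEff:\t0000000000201000\n"  # CAP_SYS_ADMIN + CAP_NET_ADMIN
PRIVILEGED = "Name:\tagent\nCapEff:\t000001ffffffffff\n"   # every capability, bits 0-40

if __name__ == "__main__":
    for label, status, kernel in [("ok, 5.15", AGENT_OK, "5.15.0-91-generic"),
                                  ("extra, 5.4", AGENT_EXTRA, "5.4.0-150-generic"),
                                  ("privileged, 5.15", PRIVILEGED, "5.15.0-91-generic")]:
        print(label, audit(status, kernel))
```

A non-empty "unexpected" list means the pod's securityContext grants more than the documented set, for example because it runs with privileged: true.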
Security questions before deploying?
Our team answers technical security questions. Enterprise customers can request the SOC 2 report under NDA.