Core Values

Made with in Berlin

The principles behind CloudInspector create a foundation for true partnership.

icon related to Quality & Commitment

Quality & Commitment

We take responsibility for both the details and the results.

icon related to Integrity & Transparency

Integrity & Transparency

No hidden trade-offs, no surprises, and clear expectations.

icon related to Security & Privacy

Security & Privacy

We are developing under European standards that prioritize customer data protection.

FAQ

Frequently Asked Questions

Straight answers about CloudInspector

CloudInspector comes with an installer and free installation support.
We offer free support to install the CloudInspect Kubernetes Operator and to keep you up and running. Anything beyond that, like customized installs, trainings etc are billed with an hourly rate.
The standard plan allows installing CloudInspector in 1 Kubernetes cluster with up to 250 nodes. Please contact us if you need more.
You decide where CloudInspector stores data. Your data never leaves your network.
You decide on the retention time of any data that CloudInspector collects from your Kubernetes clusters.
  • The pod has no egress network access.
  • NetworkPolicies enforce default deny.
  • No external endpoints are configured.
  • No DNS resolution is allowed.
No. The ServiceAccount has:
  • No write permissions.
  • No patch permissions.
  • No delete permissions.
Kubernetes RBAC enforces this at the API level.
No. CloudInspector has:
  • No access to mutate resources.
  • No admission controller role.
  • No webhook registration.
  • No operator privileges.
  • No CRD modification rights.
CloudInspector is not an operator.
No. The RBAC role does not include resources and secrets. If secret metadata access is required, it is explicitly limited and documented.
No.
  • Egress is blocked at the CNI level.
  • DNS egress is blocked.
  • No raw socket capabilities.
  • No NET_ADMIN capability.
Options available:
  • Version pinning via image digest.
  • Image signing verification.
  • Admission policy enforcement.
  • Supply chain attestation.
  • Internal artifact registry mirroring.
Deployment can require manual approval for version upgrades.
Yes. Your options are:
  • Enable Kubernetes Audit Logs.
  • Use Falco / runtime detection.
  • Use eBPF monitoring.
  • Monitor network flows.
  • Inspect container logs.
Even in that scenario:
  • No egress = no exfiltration.
  • No write RBAC = no mutation.
  • No privileges = no escalation.
  • No host access = no node compromise.
The blast radius is limited to read-only API access.
No. It works with namespace-scoped, read-only permissions.
Yes. You can:
  • Perform penetration testing.
  • Perform static code review.
  • Validate RBAC via policy tools (OPA/Gatekeeper).
  • Enforce Pod Security Standards (restricted level).
  • Enforce Kyverno policies.
  • Run kube-bench.
cta-image

Discover your clusters

Begin uncovering the real structure of your Kubernetes environment. CloudInspector gives you an immediate visual understanding of how your applicationss connect and interact.

Get Started