We would love to hear from you

6 months free!

Contact us to become an early adopter and try all CloudInspector
features 6 months for free. No credit card required. Limited seats available.

icon related to Customer Support

Customer Support

Our dedicated team speaks English and German.

icon related to We value your feedback

We value your feedback

Help us shape the future of CloudInspector.

FAQ

Frequently Asked Questions

Straight answers about CloudInspector

CloudInspector comes with an installer and free installation support.
We offer free support to install the CloudInspect Kubernetes Operator and to keep you up and running. Anything beyond that, like customized installs, trainings etc are billed with an hourly rate.
The standard plan allows installing CloudInspector in 1 Kubernetes cluster with up to 250 nodes. Please contact us if you need more.
You decide where CloudInspector stores data. Your data never leaves your network.
You decide on the retention time of any data that CloudInspector collects from your Kubernetes clusters.
  • The pod has no egress network access.
  • NetworkPolicies enforce default deny.
  • No external endpoints are configured.
  • No DNS resolution is allowed.
No. The ServiceAccount has:
  • No write permissions.
  • No patch permissions.
  • No delete permissions.
Kubernetes RBAC enforces this at the API level.
No. CloudInspector has:
  • No access to mutate resources.
  • No admission controller role.
  • No webhook registration.
  • No operator privileges.
  • No CRD modification rights.
CloudInspector is not an operator.
No. The RBAC role does not include resources and secrets. If secret metadata access is required, it is explicitly limited and documented.
No.
  • Egress is blocked at the CNI level.
  • DNS egress is blocked.
  • No raw socket capabilities.
  • No NET_ADMIN capability.
Options available:
  • Version pinning via image digest.
  • Image signing verification.
  • Admission policy enforcement.
  • Supply chain attestation.
  • Internal artifact registry mirroring.
Deployment can require manual approval for version upgrades.
Yes. Your options are:
  • Enable Kubernetes Audit Logs.
  • Use Falco / runtime detection.
  • Use eBPF monitoring.
  • Monitor network flows.
  • Inspect container logs.
Even in that scenario:
  • No egress = no exfiltration.
  • No write RBAC = no mutation.
  • No privileges = no escalation.
  • No host access = no node compromise.
The blast radius is limited to read-only API access.
No. It works with namespace-scoped, read-only permissions.
Yes. You can:
  • Perform penetration testing.
  • Perform static code review.
  • Validate RBAC via policy tools (OPA/Gatekeeper).
  • Enforce Pod Security Standards (restricted level).
  • Enforce Kyverno policies.
  • Run kube-bench.