ZeusK8s
Security & RBAC

Access keys baked into images. Over-permissioned roles. The audit will find them before you do.

Most Kubernetes security problems aren't exotic — they're a long-lived key that was supposed to be temporary, a role with permissions nobody scoped down, and a network policy that was never written. Zeus fixes the defaults so you're not discovering these during an incident or an audit.

Cloud IAM

Every service gets its own identity. No static keys.

The standard approach is a long-lived access key in the image, or a shared role every service uses because scoping them individually is too much work. Both are fine until they aren't — a key rotated wrong, a breach that pivots across everything because the blast radius was the whole account.

Zeus wires up workload identity for every service: pods assume IAM roles on AWS via IRSA, or authenticate as GCP service accounts via Workload Identity. Credentials are short-lived, automatically rotated, and scoped to exactly what the service needs. Nothing is baked into the image. Nothing to rotate manually.

You pick the role in the service's Identities tab. Zeus wires the trust relationship and annotations automatically. The whole thing is visible across every cluster in one place — not reconstructed from two cloud consoles.

Zeus · Service identities
Cloud identities
Short-lived credentials · scoped per service · no static keys
Add identity
api-gateway
billing
analytics
worker
report-exporter
image-processor
+ New
api-gateway
AWS · IRSA
IAM Role
arn:aws:iam::123456789012:role/api-gateway-s3-read
Annotation wired by Zeus
eks.amazonaws.com/role-arn:
arn:aws:iam::123456789012:role/api-gateway-s3-read
Trust relationship
Principal:
  Federated: oidc.eks…/id/ABC123
Condition:
  sub: system:serviceaccount:prod:api-gateway
✓ Active · credentials rotate automatically · nothing stored in image
Security controls

The controls that matter, wired in by default.

Least-privilege RBAC, visually

Define ServiceAccounts, Roles, and bindings in a permission matrix instead of hand-writing YAML you'd need a separate tool to audit. See who can do what at a glance.

Hard network boundaries by default

Each cluster and site is isolated by default. Nothing connects until you explicitly allow it. Every grant is one-directional, optionally port-limited, and revocable in a click. The map shown is exactly what's enforced.

Pod hardening out of the box

Run as non-root, read-only root filesystem, dropped capabilities: the security context is part of the service definition, not an afterthought someone adds after a finding.

Image scanning before deploy

Built images land in Harbor and are scanned by Trivy automatically. An unscanned or failing image can't be promoted to production — the gate is in the pipeline, not a manual check.

Compliance

Tag a cluster HIPAA. Zeus enables the controls.

Most compliance work is the same checklist every time: encryption at rest, default-deny networking, audit logging, key rotation, access controls. Zeus turns that checklist into a cluster tag. The controls activate automatically — you get an evidence trail, not a manual implementation project.

HIPAA

Encryption at rest and in transit, access logging, network isolation, and key rotation — enabled when you tag the cluster.

PCI DSS

Default-deny networking, audit trails, image scanning, and pod hardening applied consistently across in-scope clusters.

SOC 2

Audit logging, access controls, network segmentation, and evidence export for your auditor — without building the evidence collection yourself.

Compliance presets are available on the Enterprise plan. They configure the controls — your auditor still reviews the output, which is the point.