Private Kubernetes Deployment for Autonomous Reliability Infrastructure
Run Zof execution-compatible agents in customer-managed Kubernetes clusters. Control plane and execution plane stay separable; Zof does not claim to install a full Kubernetes platform for you.
Customer-managed clusters
Control / execution plane separation
Namespace isolation patterns
Compatible with hybrid and enclave models
Why enterprises require private orchestration
Many teams already standardize on Kubernetes for internal platforms. Zof supports execution placement in those clusters without requiring you to abandon existing orchestration investments.
- Existing cluster standards and GitOps pipelines
- Platform team ownership of nodes and networking
- Need to keep sensitive workloads off multi-tenant SaaS execution
- Regulated environments with namespace-level isolation
Running execution infrastructure in customer-managed clusters
Execution agents can be deployed as workloads in clusters you operate. Planning and approvals may run in cloud, private cloud, or on-prem control planes depending on policy.
- Agents scheduled like other internal services
- Compatible with customer CNI and policy engines
- No inbound access to the cluster required
- Supports multi-cluster fleets over time
Separation of control plane and execution plane
The control plane holds policies, graph context, approvals, and scheduling. The execution plane runs signed capsules against applications inside the cluster or on connected networks.
- Clear security review boundary
- Sensitive runtime data stays in execution namespaces
- Control plane APIs do not execute tests against protected apps directly
- Hybrid splits are common in enterprise rollouts
(Figure: Private Kubernetes execution. Execution-compatible agents in customer-managed clusters, not a full platform install.)
Kubernetes execution agents
Agents are designed for compatibility with customer Kubernetes—not as a replacement for your platform team. Sizing, HA, and upgrades follow your cluster standards.
- Deployment via customer-approved manifests or operators
- Resource limits and pod security admission policies respected (PodSecurityPolicy was removed in Kubernetes 1.25; Pod Security Standards or an equivalent admission controller take its place)
- Runner identity and allowlists for execution hosts
- Staged rollouts per namespace or cluster
Secure execution boundaries
Namespaces, network policies, and service accounts isolate execution from unrelated workloads. Secrets are mounted at runtime and are not stored in Zof Cloud.
- Namespace-scoped RBAC
- Integration with external secrets managers where supported
- Optional service mesh alignment
- Audit of agent lifecycle events
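The boundaries described above, written out as Kubernetes objects. This is an added example, not Zof's own manifests: a dedicated namespace enforcing the restricted Pod Security Standard, a service account that gets no Kubernetes API token, a Role and RoleBinding that stop at the namespace edge, and an agent Deployment with a locked-down security context, resource limits, and credentials mounted read-only from a Secret that exists only in that namespace. The namespace `zof-exec`, the service account and group names, the image reference, and the Secret name `zof-target-credentials` are all assumptions.

```yaml
# Added example manifests (not Zof's own). All names, labels, the image
# reference and the IdP group are assumptions for illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: zof-exec
  labels:
    # Pod Security Admission: reject pods that do not meet the "restricted" profile
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: zof-agent
  namespace: zof-exec
# The agent needs no Kubernetes API access, so it gets no API token.
automountServiceAccountToken: false
---
# Namespace-scoped RBAC for the team or pipeline that rolls the agent out.
# A Role (not a ClusterRole) cannot grant anything outside zof-exec.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: zof-agent-deployer
  namespace: zof-exec
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: zof-agent-deployer
  namespace: zof-exec
subjects:
  - kind: Group
    name: zof-platform-team   # assumed group name from your cluster authenticator
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: zof-agent-deployer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zof-agent
  namespace: zof-exec
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zof-agent
  template:
    metadata:
      labels:
        app: zof-agent
    spec:
      serviceAccountName: zof-agent
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: agent
          image: registry.example.internal/zof/agent:1.0.0   # assumed image
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests: { cpu: "250m", memory: "256Mi" }
            limits:   { cpu: "1",    memory: "1Gi" }
          volumeMounts:
            - name: creds
              mountPath: /var/run/zof/creds
              readOnly: true
            - name: tmp
              mountPath: /tmp
      volumes:
        # Credentials are mounted at run time from a Secret that lives only in
        # this namespace (populated by your secrets integration); the Secret
        # object itself never leaves the cluster.
        - name: creds
          secret:
            secretName: zof-target-credentials
            defaultMode: 0400
        - name: tmp
          emptyDir: {}
```

With `enforce: restricted` on the namespace, a manifest that drops `runAsNonRoot`, `seccompProfile`, or the capability drop is rejected at admission rather than merely warned about, which is the check a platform team wants before an agent image is promoted from staging to production.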
Internal-only application testing
Validate microservices, internal APIs, and admin UIs reachable from cluster networks without exposing them to the public internet.
- In-cluster service-to-service tests
- Ingress-only where policy permits
- Pair with edge runners for off-cluster legacy systems
- Graph-aware targeting reduces noise
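An added example (not Zof's own policy) of the network boundary behind "no inbound access required" and "in-cluster service-to-service tests": a default-deny policy for the execution namespace, an egress policy that lets the agent reach only DNS, the control plane, and explicitly opted-in target namespaces, and the matching ingress rule on a target namespace. Assumptions: the namespace `zof-exec`, agent pods labelled `app=zof-agent`, a control plane reachable at `203.0.113.0/24` on TCP 443 (a documentation range used as a placeholder), targets listening on TCP 8443 in namespaces labelled `zof.example/testable=true`, and a target namespace called `payments`.

```yaml
# Added example (not Zof's own). Namespace, labels, CIDR and ports are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: zof-exec
spec:
  podSelector: {}                      # every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
  # No ingress rules: nothing connects in, from inside or outside the cluster.
  # No egress rules: nothing leaves unless another policy permits it.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-egress
  namespace: zof-exec
spec:
  podSelector:
    matchLabels:
      app: zof-agent
  policyTypes: ["Egress"]
  egress:
    # 1. Cluster DNS only (namespaceSelector AND podSelector in one entry)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    # 2. Outbound to the control plane for plans, approvals and results.
    #    The agent dials out, so no inbound rule is ever needed.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - { protocol: TCP, port: 443 }
    # 3. In-cluster targets: only namespaces the platform team has opted in
    - to:
        - namespaceSelector:
            matchLabels:
              zof.example/testable: "true"
      ports:
        - { protocol: TCP, port: 8443 }
---
# Policies are evaluated on both ends. If a target namespace already has a
# default-deny ingress policy, it must also admit traffic from the agent.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-zof-agent
  namespace: payments                  # assumed target namespace
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: zof-exec
          podSelector:
            matchLabels:
              app: zof-agent
      ports:
        - { protocol: TCP, port: 8443 }
```

Two caveats a reviewer will raise: NetworkPolicy is only enforced if the cluster CNI implements it (a cluster without such a CNI silently accepts these objects and enforces nothing), and the core API selects egress destinations by CIDR, not hostname, so a control plane behind a changing address needs a stable egress target or a CNI extension that supports FQDN rules.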
Namespace isolation
Teams map business units or environments to namespaces with distinct policies, retention, and evidence modes.
- Dev / staging / prod separation
- Per-team quotas and concurrency caps
- Evidence stores scoped to namespace
- Promotion workflows across namespaces
Secret handling
Credentials are brokered at execution time via PAM or cluster secrets integrations. Long-lived secrets are not copied to external SaaS by default.
- Short-lived tokens preferred
- PAM-compatible patterns
- No secret persistence in planning plane without approval
- Rotation aligned to your standards
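An added example of run-time secret brokering with short-lived credentials, using two mechanisms that exist independently of Zof: the External Secrets Operator (ESO) to sync a target credential from a vault into a namespace-local Secret on a refresh interval, and a Kubernetes projected service account token with a bounded lifetime and audience as the agent's own identity towards the control plane. This is not Zof's own configuration, and it assumes an agent in namespace `zof-exec` that mounts a Secret called `zof-target-credentials`; the Vault server, KV path, role names, audience string, and the agent image are all placeholders.

```yaml
# Added example (not Zof's own). Assumes the External Secrets Operator is
# installed; server, paths, role, audience and image are placeholders.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-kv
  namespace: zof-exec
spec:
  provider:
    vault:
      server: "https://vault.example.internal"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:                      # ESO authenticates to Vault with its own SA,
          mountPath: "kubernetes"        # so no Vault token is stored in the cluster
          role: "zof-exec-reader"
          serviceAccountRef:
            name: eso-vault-auth
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: zof-target-credentials
  namespace: zof-exec
spec:
  refreshInterval: 1h                    # re-read from Vault; rotation happens there
  secretStoreRef:
    name: vault-kv
    kind: SecretStore
  target:
    name: zof-target-credentials         # the Secret the agent mounts at run time
    creationPolicy: Owner
  data:
    - secretKey: api_token
      remoteRef:
        key: zof/exec/payments-api
        property: token
---
# The agent's own identity: a projected service account token that expires and
# is only valid for the stated audience, rather than a long-lived static key.
apiVersion: v1
kind: Pod
metadata:
  name: zof-agent-identity-demo
  namespace: zof-exec
spec:
  serviceAccountName: zof-agent
  automountServiceAccountToken: false    # keep the default API-server token off
  containers:
    - name: agent
      image: registry.example.internal/zof/agent:1.0.0
      volumeMounts:
        - name: runner-identity
          mountPath: /var/run/zof/identity
          readOnly: true
        - name: creds
          mountPath: /var/run/zof/creds
          readOnly: true
  volumes:
    - name: runner-identity
      projected:
        sources:
          - serviceAccountToken:
              audience: zof-control-plane   # assumed audience; rejected elsewhere
              expirationSeconds: 3600       # kubelet rotates it before expiry
              path: token
    - name: creds
      secret:
        secretName: zof-target-credentials
        defaultMode: 0400
```

The projected token is minted by the kubelet and refreshed in place, so a process that reads the file on each use always holds a current token; a process that caches it at start-up will start failing after an hour, which is the intended failure mode. The ExternalSecret keeps the vault as the system of record: rotate there and the in-cluster copy follows on the next refresh, with nothing to update in the planning plane.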
Artifact routing
Test artifacts and bundles remain in customer-controlled storage unless you configure sanitized or metadata egress.
- S3-compatible, NFS, or on-cluster volumes
- Retention policies per namespace
- Checksum and signing for bundles
- Optional promotion to central evidence catalog
(Figure: Hybrid execution architecture. Cloud orchestration with distributed local execution fleets.)
Telemetry boundaries
Metrics and logs from agents can stay in-cluster observability stacks. Central dashboards may receive metadata-only summaries.
- OpenTelemetry-compatible patterns where supported
- Redaction before cross-boundary export
- Correlation IDs for audit
- No mandatory full log exfiltration
Enterprise governance
Capsule signing, human approval, and remediation gates apply uniformly whether execution is on VMs, bare metal, or Kubernetes.
- Policy version pinned to runs
- Approval chains for production paths
- Integration with ITSM change records
- Export for GRC and internal audit
Hybrid architecture patterns
Kubernetes execution often coexists with VPC runners, edge sites, and endpoint agents under one control plane.
- Single graph and fleet orchestration
- Consistent capsule model across surfaces
- Per-surface evidence policies
- Architecture review defines rollout order
On-prem deployment questions
Common questions from infrastructure and security teams.
Discuss secure deployment with Zof
Review segmentation, capsule governance, and runner placement with teams who support regulated enterprises.
