Private Kubernetes

Private Kubernetes Deployment for Autonomous Reliability Infrastructure

Run Zof execution-compatible agents in customer-managed Kubernetes clusters. The control plane and the execution plane stay separable, and Zof does not install or replace a Kubernetes platform for you.

Customer-managed clusters

Control / execution plane separation

Namespace isolation patterns

Compatible with hybrid and enclave models

Why private orchestration

Why enterprises require private orchestration

Many teams already standardize on Kubernetes for internal platforms. Zof supports execution placement in those clusters without requiring you to abandon existing orchestration investments.

  • Existing cluster standards and GitOps pipelines
  • Platform team ownership of nodes and networking
  • Need to keep sensitive workloads off multi-tenant SaaS execution
  • Regulated environments with namespace-level isolation

Customer clusters

Running execution infrastructure in customer-managed clusters

Execution agents can be deployed as workloads in clusters you operate. Planning and approvals may run in cloud, private cloud, or on-prem control planes depending on policy.

  • Agents scheduled like other internal services
  • Compatible with customer CNI and policy engines
  • No requirement for inbound access to the cluster
  • Supports multi-cluster fleets over time

Plane separation

Separation of control plane and execution plane

The control plane holds policies, graph context, approvals, and scheduling. The execution plane runs signed capsules against applications inside cluster or connected networks.

Private Kubernetes execution

Execution-compatible agents in customer-managed clusters—not a full platform install.

[Diagram: Control plane (customer or Zof) · Sign · Customer Kubernetes cluster · Namespace · Execution agent · Workloads · Secrets · Artifacts · Telemetry boundary]
  • Clear security review boundary
  • Sensitive runtime data stays in execution namespaces
  • Control plane APIs do not execute tests against protected apps directly
  • Hybrid splits are common in enterprise rollouts

K8s agents

Kubernetes execution agents

Agents are designed for compatibility with customer Kubernetes—not as a replacement for your platform team. Sizing, HA, and upgrades follow your cluster standards.

  • Deployment via customer-approved manifests or operators
  • Resource limits and Pod Security Standards (admission policies) respected
  • Runner identity and allowlists for execution hosts
  • Staged rollouts per namespace or cluster

Boundaries

Secure execution boundaries

Namespaces, network policies, and service accounts isolate execution from unrelated workloads. Secrets are mounted at runtime—not stored in Zof Cloud.

  • Namespace-scoped RBAC
  • Integration with external secrets managers where supported
  • Optional service mesh alignment
  • Audit of agent lifecycle events

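The two preceding sections (agent deployment and execution boundaries) describe a pattern rather than a manifest. The following manifests are an added illustration of that pattern and are not Zof's own deployment artifacts: a namespace enforcing the "restricted" Pod Security Standard, a service account with no API token, a NetworkPolicy with zero ingress rules and egress limited to DNS, an allowlisted set of target namespaces and an outbound-only control-plane endpoint, and a Deployment with resource limits and a hardened security context. The namespace name, image, label key and addresses are placeholders.

```yaml
# Added illustrative manifests, not Zof's own. Namespace, labels, image and
# addresses are placeholders; adapt them to your cluster standards.
apiVersion: v1
kind: Namespace
metadata:
  name: zof-exec
  labels:
    # Pod Security Admission rejects pods that exceed the "restricted" profile.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: exec-agent
  namespace: zof-exec
# The agent needs no Kubernetes API access, so it gets no API token at all.
automountServiceAccountToken: false
---
# Boundary: no ingress rules (nothing can connect in); egress only to cluster
# DNS, to namespaces explicitly labelled as test targets, and to the
# control-plane endpoint that the agent dials out to.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: exec-agent
  namespace: zof-exec
spec:
  podSelector:
    matchLabels:
      app: exec-agent
  policyTypes: ["Ingress", "Egress"]
  ingress: []
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    - to:
        - namespaceSelector:
            matchLabels:
              zof.example.com/test-target: "true"   # placeholder allowlist label
    - to:
        - ipBlock:
            cidr: 203.0.113.10/32                  # placeholder control-plane address
      ports:
        - {protocol: TCP, port: 443}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: exec-agent
  namespace: zof-exec
spec:
  replicas: 1
  selector:
    matchLabels:
      app: exec-agent
  template:
    metadata:
      labels:
        app: exec-agent
    spec:
      serviceAccountName: exec-agent
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: agent
          image: registry.example.com/zof/exec-agent:1.0.0   # placeholder; pin by digest in production
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests: {cpu: "250m", memory: "256Mi"}
            limits: {cpu: "1", memory: "1Gi"}
          volumeMounts:
            - {name: tmp, mountPath: /tmp}
      volumes:
        - name: tmp
          emptyDir: {}
```

Two checks worth running after applying this: `kubectl -n zof-exec run probe --image=busybox --restart=Never -- wget -T3 exec-agent:8080` from the same namespace should time out, confirming the empty ingress list is enforced by your CNI (a CNI without NetworkPolicy support silently ignores it), and `kubectl -n zof-exec auth can-i --list --as=system:serviceaccount:zof-exec:exec-agent` should show nothing beyond the defaults every authenticated principal has. Human access to the namespace belongs in a separate Role and RoleBinding owned by the platform team, not in the agent's identity.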
Internal testing

Internal-only application testing

Validate microservices, internal APIs, and admin UIs reachable from cluster networks without exposing them to the public internet.

  • In-cluster service-to-service tests
  • Ingress-only where policy permits
  • Pair with edge runners for off-cluster legacy systems
  • Graph-aware targeting reduces noise

Isolation

Namespace isolation

Teams map business units or environments to namespaces with distinct policies, retention, and evidence modes.

  • Dev / staging / prod separation
  • Per-team quotas and concurrency caps
  • Evidence stores scoped to namespace
  • Promotion workflows across namespaces

Secrets

Secret handling

Credentials are brokered at execution time via PAM or cluster secrets integrations. Long-lived secrets are not copied to external SaaS by default.

  • Short-lived tokens preferred
  • PAM-compatible patterns
  • No secret persistence in planning plane without approval
  • Rotation aligned to your standards

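The secret-handling section above names the pattern (brokered at execution time, short-lived, never copied to an external plane) without showing the mechanics. The manifests below are an added illustration, not Zof's own configuration. They assume the External Secrets Operator as the "external secrets manager" integration, which the page does not name; the SecretStore name, the remote key path, the broker audience and the image are placeholders.

```yaml
# Added illustrative manifests, not Zof's own. The SecretStore name, remote key
# path, broker audience and image are placeholders.
#
# 1. The External Secrets Operator syncs a credential from your secrets manager
#    into a namespaced Secret on a schedule; nothing is copied to a SaaS plane.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: checkout-api-creds
  namespace: zof-exec
spec:
  refreshInterval: 1h            # picks up rotation in the source store
  secretStoreRef:
    kind: SecretStore
    name: vault-kv               # placeholder: store configured by your platform team
  target:
    name: checkout-api-creds
    creationPolicy: Owner        # the Secret is deleted with the ExternalSecret
  data:
    - secretKey: api-token
      remoteRef:
        key: zof/staging/checkout   # placeholder path in the secrets manager
        property: api_token
---
# 2. The agent pod mounts the Secret read-only as files (not env vars, which leak
#    into `kubectl describe`, crash dumps and child processes) and receives a
#    short-lived, audience-bound service account token for the PAM/broker call.
apiVersion: v1
kind: Pod
metadata:
  name: exec-agent-run
  namespace: zof-exec
spec:
  serviceAccountName: exec-agent
  automountServiceAccountToken: false   # no general-purpose API token
  containers:
    - name: agent
      image: registry.example.com/zof/exec-agent:1.0.0   # placeholder
      volumeMounts:
        - name: checkout-creds
          mountPath: /var/run/secrets/targets/checkout
          readOnly: true
        - name: broker-token
          mountPath: /var/run/secrets/broker
          readOnly: true
  volumes:
    - name: checkout-creds
      secret:
        secretName: checkout-api-creds
        defaultMode: 0400
    - name: broker-token
      projected:
        sources:
          - serviceAccountToken:
              audience: pam-broker.example.com   # placeholder: only this broker accepts it
              expirationSeconds: 600             # kubelet rewrites the file before expiry
              path: token
```

The projected token is bound to this pod and this audience, so a copy that leaks from a run cannot be replayed against the Kubernetes API or any other service; the kubelet rotates the file on disk, so the agent must re-read it per request rather than caching it at startup. The `readOnly: true` mount plus `readOnlyRootFilesystem` on the container means the credential exists only as a tmpfs file for the lifetime of the run.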
Artifacts

Artifact routing

Test artifacts and bundles remain in customer-controlled storage unless you configure sanitized or metadata egress.

Hybrid execution architecture

Cloud orchestration with distributed local execution fleets.

[Diagram: Cloud / private cloud (Control, Intelligence) · Customer execution estate (VPC runner, Edge runner, Endpoint, On-prem runner)]
  • S3-compatible, NFS, or on-cluster volumes
  • Retention policies per namespace
  • Checksum and signing for bundles
  • Optional promotion to central evidence catalog

Telemetry

Telemetry boundaries

Metrics and logs from agents can stay in-cluster observability stacks. Central dashboards may receive metadata-only summaries.

  • OpenTelemetry-compatible patterns where supported
  • Redaction before cross-boundary export
  • Correlation IDs for audit
  • No mandatory full log exfiltration

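The telemetry section states the boundary (full fidelity stays in-cluster, only redacted metadata crosses out) but not how to enforce it. The OpenTelemetry Collector configuration below is an added illustration of one way to do so and is not Zof's own configuration: logs have no cross-boundary pipeline at all, metrics go both ways, and traces only leave the cluster after an attributes processor deletes credential-bearing and query attributes and hashes user identifiers. The endpoints, the CA path and the `zof.run_id` correlation attribute are placeholders.

```yaml
# Added illustrative OpenTelemetry Collector config, not Zof's own. Endpoints,
# the CA file path and the zof.run_id attribute name are placeholders.
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317

processors:
  batch: {}
  # Runs only on the cross-boundary path. Correlation IDs such as zof.run_id
  # are untouched so central dashboards can still be joined to in-cluster logs.
  attributes/redact:
    actions:
      - key: http.request.header.authorization
        action: delete
      - key: http.request.header.cookie
        action: delete
      - key: db.statement
        action: delete
      - key: http.url
        action: delete        # query strings routinely carry tokens and PII
      - key: enduser.id
        action: hash          # stable pseudonym instead of the raw identifier

exporters:
  otlp/in-cluster:
    endpoint: tempo.observability.svc.cluster.local:4317   # placeholder
    tls:
      insecure: true          # in-cluster hop; replace with mesh mTLS or certs per your standards
  otlphttp/central:
    endpoint: https://telemetry.example.com   # placeholder: metadata-only receiver
    tls:
      ca_file: /etc/otel/ca.pem

service:
  pipelines:
    logs:
      receivers: [otlp]
      processors: [batch]
      exporters: [otlp/in-cluster]          # no central exporter: logs never leave
    traces/local:
      receivers: [otlp]
      processors: [batch]
      exporters: [otlp/in-cluster]          # full fidelity for in-cluster debugging
    traces/central:
      receivers: [otlp]
      processors: [attributes/redact, batch]
      exporters: [otlphttp/central]         # redacted copy only
    metrics:
      receivers: [otlp]
      processors: [batch]
      exporters: [otlp/in-cluster, otlphttp/central]
```

Pair this with a NetworkPolicy that allows egress to the central endpoint only from the collector pod, so an agent cannot bypass the redaction pipeline by exporting directly. Review the central pipeline whenever instrumentation changes: a delete list is an allowlist in reverse, and a new span attribute with a sensitive name will cross the boundary until it is added here.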
Governance

Enterprise governance

Capsule signing, human approval, and remediation gates apply uniformly whether execution is on VMs, bare metal, or Kubernetes.

  • Policy version pinned to runs
  • Approval chains for production paths
  • Integration with ITSM change records
  • Export for GRC and internal audit

Hybrid patterns

Hybrid architecture patterns

Kubernetes execution often coexists with VPC runners, edge sites, and endpoint agents under one control plane.

  • Single graph and fleet orchestration
  • Consistent capsule model across surfaces
  • Per-surface evidence policies
  • Architecture review defines rollout order

FAQ

On-prem deployment questions

Common questions from infrastructure and security teams.

No. Execution uses customer-deployed runners inside your network. Zof does not require inbound access to protected segments.
Next step

Discuss secure deployment with Zof

Review segmentation, capsule governance, and runner placement with teams who support regulated enterprises.

01 The operational surface

One surface for posture, operations, and whatever needs attention next.

The Zof home is not a marketing dashboard. It is the operational surface that engineering, QA, and SRE teams use every day: quality posture, in-flight runs, coverage per module, and the actions a lead should look at next.

OPERATIONAL KPIs

  • Runs
  • Coverage
  • Risk

Live in every environment you ship to.

WORK BACKBONE

  • Specifications
  • Tests
  • Schedules

From specification to scheduled regression.

GUARDRAILS

  • RBAC
  • SSO
  • Audit

Every action attributable to a named human.

Screenshot: the Zof AI home command center shows 12 runs at a 94% pass rate, 3 open critical issues, 84% coverage, four module traceability bars, the specification pipeline, upcoming schedules, and recommended next actions, with a sidebar for active runs.
Home view · Checkout service · Staging · Captured live from the product.
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec
