Security FAQ
What data does OpsWorker collect from my cluster?
Resource metadata (pod specs, deployment configs, service selectors), pod logs, Kubernetes events, and endpoint status. Secret values are never read — only secret metadata (names, labels). See Agent Scope.
Does the agent have write access to my cluster?
No. The agent operates in read-only mode. It can only get, list, and watch resources. It cannot create, update, delete, or execute commands in containers. See Safe Execution Model.
How does the agent communicate with OpsWorker?
Outbound-only via AWS SQS over TLS (HTTPS, port 443). The agent initiates all connections — no inbound ports need to be opened on your cluster. See Clusters.
Is my data isolated from other customers?
Yes. OpsWorker uses organization-level data isolation. Each organization's data is stored in separate database partitions with no cross-organization access possible. See Data Isolation.
Is data encrypted?
Yes. All data is encrypted at rest (AES-256 via AWS-managed encryption) and in transit (TLS 1.2+). See Isolation & Encryption.
Can I restrict which namespaces the agent can access?
Yes. Configure namespace-scoped RBAC (Role/RoleBinding instead of ClusterRole/ClusterRoleBinding) to limit the agent to specific namespaces. See RBAC Configuration.
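A pre-install check for the read-only, namespace-scoped RBAC described in the two answers above, as an added example (not OpsWorker's own code or manifest): it flags write verbs, wildcard rules, ClusterRole scope and container-access subresources, and warns that Kubernetes RBAC cannot limit secret access to metadata only. The role names, namespace and resource lists are constructed assumptions.

```python
# Added example (not OpsWorker's own code): audit the RBAC Role you intend to
# bind to a read-only agent. Manifests are dicts mirroring the YAML (no parser
# needed); all names and values below are constructed samples.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
CONTAINER_ACCESS = {"pods/exec", "pods/attach", "pods/portforward"}

def audit_role(manifest):
    """Return (severity, message) findings; no 'error' entries means read-only."""
    findings = []
    if manifest.get("kind") == "ClusterRole":
        findings.append(("error", "ClusterRole is cluster-wide; use a namespaced Role"))
    for rule in manifest.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if verbs & WRITE_VERBS:
            findings.append(("error", f"write verbs {sorted(verbs & WRITE_VERBS)} on {sorted(resources)}"))
        if "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append(("error", "wildcard apiGroups/resources"))
        if resources & CONTAINER_ACCESS:
            findings.append(("error", f"container access via {sorted(resources & CONTAINER_ACCESS)}"))
        # RBAC cannot limit secrets to metadata only: get/list/watch returns the
        # whole object, so any secret access is surfaced for deliberate review.
        if "secrets" in resources:
            findings.append(("warn", "secrets readable: get/list/watch returns values, not only metadata"))
    return findings

def is_read_only(manifest):
    return not any(sev == "error" for sev, _ in audit_role(manifest))

# Constructed: the namespace-scoped, get/list/watch-only shape the FAQ describes.
AGENT_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "opsworker-agent", "namespace": "payments"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "events", "services", "endpoints"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed: a role that must NOT be bound to the agent (cluster-wide, exec, wildcard).
OVERBROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "opsworker-agent-bad"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "list", "create"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}
```

Run `audit_role` over the Role you actually plan to bind (loaded from your manifest with a YAML parser) and refuse to install if any finding has severity "error".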
Does OpsWorker store my cloud provider credentials?
No. The agent authenticates using a cluster token — OpsWorker has no AWS IAM roles, kubeconfig, or cloud credentials for your environment.
What compliance certifications does OpsWorker have?
OpsWorker is on a SOC 2 compliance pathway. For specific compliance documentation, contact the OpsWorker team.
Can OpsWorker auto-execute commands on my cluster?
No. OpsWorker generates recommendations with specific kubectl commands, but they are displayed for human review only. Engineers decide what to execute. The agent's RBAC grants only get, list, and watch, so it has no permission to perform write operations.
Where is my data stored?
In AWS infrastructure. Contact the OpsWorker team for specific region information.
Can I use AWS PrivateLink to avoid the public internet?
Yes. PrivateLink is available for supported deployments, routing agent communication through AWS's private network. See PrivateLink Deployment.
Who at OpsWorker can access my data?
Access is limited to essential operations personnel and is audit-logged. Contact the OpsWorker team for details on access controls and audit policies.