Security and Compliance
Identity, secrets, admission policies and data residency in Germany.
gh0stcloud is Germany-first by design: all infrastructure runs in German Hetzner data centers, all data stays in the EU, and every security control is coded — not documented and manually applied.
Security model at a glance
| Domain | Control | Implementation |
|---|---|---|
| Identity | OIDC, PKCE, OAuth2 | Keycloak Organization boundaries |
| Authorization | Capability roles + tenant scope | Keycloak groups + gh0stplane RBAC |
| Secrets | Centralised secrets authority | OpenBao + External Secrets Operator |
| Runtime policy | Admission control + NetworkPolicy | Kyverno admission policies |
| GitOps integrity | Only Flux CD may reconcile | Cluster RBAC: no direct apply access |
| Auditability | Immutable change history | Git commit history + gh0stplane audit log |
Authentication and authorisation
All portal and API access goes through a two-step check:
Step 1 — Authentication: An OIDC token from Keycloak is issued via PKCE flow (no implicit flow) and validated against the Keycloak JWKS endpoint.
Step 2 — Authorisation: Every request is verified against two conditions — the required capability (e.g. reading namespace data) and membership in the correct tenant Organization. There are no global roles without a tenant context.
Secrets and credential lifecycle
- OpenBao is the sole secrets authority. Secrets are managed under tenant-scoped paths.
- ESO syncs secrets tenant-scoped into Kubernetes namespaces — no manual secret creation workflows
- Rotation: Credentials are managed through policy-driven rotation in OpenBao
- No secret plaintext in repositories — only references to secret paths in OpenBao
Kyverno admission control
Kyverno enforces multiple admission policies on every runtime cluster:
- Namespace labels — mandatory labels for telemetry and billing
- Pod security — Restricted PSS for tenant pods (no
privileged, nohostNetwork) - NetworkPolicy baseline — default-deny inter-namespace, explicit allow for intra-namespace
- Resource quotas — tier-dependent CPU/memory limits
- Image registry — allowlist for permitted container registries
- Service account — no automounted token for unused ServiceAccounts
- Ingress scope — tenant ingresses may only use their own hostnames
- Secret access — ESO secrets only from the tenant's own secrets area
Data residency and GDPR
- Infrastructure exclusively in German Hetzner data centres (Nuremberg, Falkenstein)
- No data transfer to third countries outside the EU
- All logs, metrics and traces remain in the Management Plane in Germany
- Data processing agreement (DPA) available per GDPR Art. 28 on request
Shared responsibility
| Area | gh0stservice | Customer |
|---|---|---|
| Platform hardening & patching | ✓ | — |
| Cluster and control-plane lifecycle | ✓ | — |
| Kyverno policies (platform level) | ✓ | — |
| Application code and dependencies | — | ✓ |
| Data governance (application level) | Guidance | ✓ |
| Tenant-owned secrets rotation | Support | ✓ |
Penetration testing and compliance evidence
- Infrastructure-level penetration tests are conducted regularly
- Compliance evidence packages (configuration evidence, audit logs, policy exports) can be provided for Enterprise contracts and audits
- BSI IT-Grundschutz-oriented controls for critical infrastructure components
Questions or ready to get started?
Talk to us