Read-Only by Design
The ChangeGuard agent uses a Kubernetes ClusterRole with strictly read-only permissions. It can only get, list, and watch resources — it cannot create, modify, or delete anything in your cluster.
rules:
- apiGroups: [""]
resources: [pods, namespaces, nodes, events, services]
verbs: [get, list, watch]
- apiGroups: [""]
resources: [pods/log]
verbs: [get, list]
- apiGroups: [""]
resources: [secrets]
verbs: [get] # metadata only — see below
- apiGroups: [apps]
resources: [deployments, statefulsets, daemonsets, replicasets]
verbs: [get, list, watch]
- apiGroups: [networking.k8s.io]
resources: [ingresses, networkpolicies]
verbs: [get, list, watch]
The secrets permission reads metadata only (name, namespace, type, labels). The agent never reads Secret data or stringData fields. Secret values never leave your cluster.
Hardened Container
The agent pod enforces strict security constraints:
| Setting | Value | Purpose |
|---|
runAsNonRoot | true | Never runs as root |
runAsUser | 1000 | Dedicated non-root UID |
readOnlyRootFilesystem | true | Cannot write to container filesystem |
allowPrivilegeEscalation | false | Cannot gain additional privileges |
capabilities.drop | ["ALL"] | All Linux capabilities removed |
seccompProfile | RuntimeDefault | Kernel syscall filtering enabled |
What the Agent Collects
The agent collects Kubernetes metadata — the operational state of your cluster, not your application data.
Collected
- Pod names, status, restart counts, resource usage
- Deployment, StatefulSet, DaemonSet, and Job specifications
- Node names, status, CPU and memory utilization
- Kubernetes events (especially warnings)
- Container image names and tags
- Namespace names and labels
- Service and Ingress configurations
- NetworkPolicy definitions
- ArgoCD application sync status (if ArgoCD is present)
- Pod log lines (only when log collection is explicitly enabled)
Never Collected
- Secret values or environment variable contents
- ConfigMap data fields
- PersistentVolume or PersistentVolumeClaim data
- Application network traffic or payloads
- Application source code or build artifacts
- Credentials, tokens, or certificates
- Container filesystem contents
Network Posture
The agent is outbound-only. It initiates HTTPS connections to api.changeguard.ai:443 and receives responses. It never:
- Opens a listening port
- Creates a LoadBalancer or NodePort Service
- Creates an Ingress resource
- Accepts inbound connections from any source
Firewall Rules
If your cluster restricts egress, allow:
Destination: api.changeguard.ai
Port: 443 (HTTPS)
Protocol: TCP
Direction: Outbound
Dedicated Namespace
The agent installs into its own changeguard-agent namespace with a dedicated ServiceAccount. It does not share a namespace, ServiceAccount, or RBAC role with any of your application workloads.
Default resource requests and limits:
| Resource | Request | Limit |
|---|
| CPU | 50m | 200m |
| Memory | 64Mi | 128Mi |
Graceful Shutdown
The agent handles SIGTERM gracefully — it completes any in-flight push, closes connections cleanly, and exits. No data is lost during rolling updates or node drains.
