
KubeKanvas - Security by Design

Security remains the cornerstone of any modern Kubernetes deployment. Organizations cannot compromise when it comes to protecting their infrastructure, applications, and data. KubeKanvas has been designed from the ground up with this principle in mind, ensuring that customer environments remain secure while streamlining the process of creating and deploying Kubernetes manifests and Helm charts.

Strong Authentication and Authorization

Access to KubeKanvas resources, including templates and the editor, is strictly controlled. Only authenticated and authorized users can interact with the platform. Whether through the web interface or the CLI, every user must first prove their identity and be authorized before gaining access.
Authentication is managed through Keycloak, an industry-standard identity and access management solution. This ensures that the organization’s existing authentication strategies extend seamlessly into KubeKanvas, giving IT teams confidence that their resources are not exposed to unauthorized access.

Secure CLI Access with Device Flow

The KubeKanvas CLI is designed to mirror the security guarantees of the web interface. When a user initiates a login from the CLI, it leverages Keycloak’s device flow authentication. The process is simple but highly secure: the CLI generates a login link, the user authenticates through the browser, and upon authorization, the CLI receives a JWT token. This token is stored locally and securely passed to the backend API in every subsequent request.
By relying on Keycloak and JWT-based authentication, KubeKanvas ensures that the CLI never bypasses organizational security controls. Instead, it operates as an extension of the same protected environment as the web application.
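The CLI side of the device flow described above, sketched as an added example (not KubeKanvas code): it requests a device code, polls the token endpoint while honouring the RFC 8628 `authorization_pending` and `slow_down` replies, and stores the resulting token in a file readable only by the current user. The base URL, realm, client id, helper names and the scripted `fake_keycloak` replies are assumptions constructed for illustration; the `/auth/device` and `/token` paths are Keycloak's standard OpenID Connect endpoints.

```python
import os
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type

def device_login(post, base, client_id, sleep=time.sleep):
    """Run the device flow. `post(url, form) -> (status, json_dict)` is an
    injected HTTP helper (assumption) so the flow can be exercised offline."""
    _, dev = post(f"{base}/auth/device", {"client_id": client_id})
    print("Open in a browser:", dev.get("verification_uri_complete") or dev["verification_uri"])
    interval = dev.get("interval", 5)           # RFC 8628 default is 5 seconds
    deadline = time.monotonic() + dev["expires_in"]
    while time.monotonic() < deadline:
        sleep(interval)
        status, body = post(f"{base}/token", {"grant_type": GRANT,
                            "client_id": client_id, "device_code": dev["device_code"]})
        if status == 200:
            return body["access_token"]
        error = body.get("error")
        if error == "slow_down":                # server asks us to back off
            interval += 5
        elif error != "authorization_pending":  # access_denied, expired_token, ...
            raise PermissionError(error)
    raise TimeoutError("device code expired before the user approved the login")

def store_token(token, path):
    """Write the token to a file only the current user can read (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)                       # tighten a pre-existing file before writing
    with os.fdopen(fd, "w") as fh:
        fh.write(token)

def bearer_header(path):
    """Header the CLI would attach to each backend API request."""
    with open(path) as fh:
        return {"Authorization": "Bearer " + fh.read().strip()}

def fake_keycloak(token_replies):
    """Constructed stand-in for the identity provider: replays scripted replies."""
    replies = iter(token_replies)
    def post(url, form):
        if url.endswith("/auth/device"):
            return 200, {"device_code": "dc-constructed", "user_code": "ABCD-EFGH",
                         "verification_uri": "https://idp.example/device",
                         "expires_in": 600, "interval": 5}
        assert form["grant_type"] == GRANT and form["device_code"] == "dc-constructed"
        return next(replies)
    return post
```

In a real client the `post` helper would be an HTTPS form POST to the organization's Keycloak realm, and the stored token would be refreshed or discarded when it expires.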

Publishing Helm Charts without Credential Exposure

Authenticated web users can publish Helm charts to a Harbor registry directly through KubeKanvas. This process is handled behind the scenes with Helm commands, eliminating the need for KubeKanvas to ever access or store user credentials. The user’s identity and authorization remain intact, while KubeKanvas simply facilitates secure automation of Helm operations.
This design not only enhances security but also reduces operational risk, since credentials remain entirely within the customer’s own environment.

Leveraging Existing Cluster Security

When deploying applications to Kubernetes clusters via the CLI, KubeKanvas once again avoids handling customer credentials directly. Instead, it relies on the user’s existing `kubectl` configuration and authentication mechanisms. Deployments are executed within the permissions already assigned to the user in their cluster.
This approach ensures that KubeKanvas never circumvents or weakens existing security policies. Organizations retain complete control over cluster authentication, authorization, and role-based access, while still benefiting from the automation KubeKanvas provides.