EU Data Sovereignty for Kubernetes
Secrets never touch etcd. Cloud providers never hold the keys.
CloudTaser enables EU enterprises to run workloads on US-managed Kubernetes services (GKE, EKS, AKS) with cryptographic guarantees that neither the cloud provider nor any foreign government can access sensitive data. A mutating admission webhook injects a lightweight sidecar into your pods. The sidecar fetches secrets from an EU-hosted OpenBao or HashiCorp Vault instance directly into process memory, bypassing Kubernetes Secrets and etcd entirely.
No secrets on disk. No secrets in the API server. No secrets leaving EU jurisdiction.
Three Layers of Protection
- Injection -- Operator + Wrapper: The CloudTaser operator watches for annotated pods and injects the wrapper binary via an init container. The wrapper authenticates to your EU-hosted vault using Kubernetes service account tokens, fetches secrets, and launches your application with secrets available only in process memory.
- Encryption -- S3 Proxy: A transparent client-side encryption proxy sits between your application and cloud object storage. Data is encrypted with keys held in your EU vault before it ever reaches the provider. The cloud provider stores only ciphertext.
- Enforcement -- eBPF Runtime: A daemonset deploys eBPF programs on every node to enforce secret protection at the kernel level. It detects and prevents secret leakage through file writes, network exfiltration, and core dumps at runtime.
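What "the cloud provider stores only ciphertext" looks like in code, as an added example that is not CloudTaser's own S3 proxy: each object is sealed with AES-256-GCM under a data key assumed to come from the EU vault, and the object's bucket/key path is bound in as associated data so a blob copied to another path, tampered with, or read with the wrong key fails the tag check instead of yielding plaintext. The key, path and record below are constructed for the demonstration.

```go
// Added example, not CloudTaser's own code: the client-side encryption step an S3
// proxy of the kind described above performs before an object leaves for the cloud
// provider. The 32-byte data key is assumed to have been fetched from the EU vault
// (here a constructed key); the object's bucket/key path is bound in as AEAD
// associated data, so ciphertext copied to another path will not decrypt.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const nonceSize = 12 // standard GCM nonce length

// Stored object layout: nonce || AES-256-GCM ciphertext || 16-byte tag.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptObject seals plaintext for storage at objectPath ("bucket/key"). A fresh
// random nonce per object keeps every (key, nonce) pair unique.
func EncryptObject(key []byte, objectPath string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce buffer, producing the stored layout.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectPath)), nil
}

// DecryptObject reverses EncryptObject; any change to the blob, the key or the
// path makes the GCM tag check fail and returns an error instead of plaintext.
func DecryptObject(key []byte, objectPath string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+aead.Overhead() {
		return nil, errors.New("stored object too short to be valid")
	}
	return aead.Open(nil, blob[:nonceSize], blob[nonceSize:], []byte(objectPath))
}

// LeaksPlaintext reports whether any of the given sensitive strings appears in
// the bytes handed to the provider; a correctly working proxy always returns false.
func LeaksPlaintext(stored []byte, sensitive ...string) bool {
	for _, s := range sensitive {
		if bytes.Contains(stored, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed stand-in for the vault-held data key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("customer,iban\nAnna Example,DE00 1234 5678 9012 3456 78\n") // constructed
	path := "eu-customers/exports/2024.csv"
	blob, err := EncryptObject(key, path, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider receives %d opaque bytes; IBAN visible: %v\n", len(blob), LeaksPlaintext(blob, "DE00 1234"))
	back, err := DecryptObject(key, path, blob)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(back, record), err)
}
```

A proxy in this shape calls EncryptObject on every PUT and DecryptObject on every GET, so the provider-side bucket never holds a readable byte. Binding the object path as associated data is what stops a ciphertext from being silently relocated; a production proxy would additionally record which vault key version sealed each object so keys can be rotated without re-encrypting everything at once, which this example leaves out.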
How It Works
   EU Jurisdiction                       US Cloud Provider
┌──────────────────────────┐          ┌──────────────────────────┐
│                          │          │                          │
│   OpenBao / Vault        │          │   Managed Kubernetes     │
│   (secrets at rest)      │◄────────►│                          │
│                          │   mTLS   │   ┌──────────────────┐   │
└──────────────────────────┘          │   │ Pod              │   │
                                      │   │  ┌──────────────┐│   │
                                      │   │  │ wrapper      ││   │
                                      │   │  │ (secrets in  ││   │
                                      │   │  │  memory only)││   │
                                      │   │  └──────┬───────┘│   │
                                      │   │         │        │   │
                                      │   │  ┌──────▼───────┐│   │
                                      │   │  │ application  ││   │
                                      │   │  └──────────────┘│   │
                                      │   └──────────────────┘   │
                                      │                          │
                                      │   etcd: no secrets       │
                                      │   disk: no secrets       │
                                      └──────────────────────────┘
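The wrapper flow in the diagram above, written out as an added Go example that is not CloudTaser's own code: the process reads the service-account JWT that kubelet projects into the pod, logs in to the vault's Kubernetes auth method, reads one KV v2 secret, and then replaces itself with the application so the secret values exist only in that process's environment. The Vault/OpenBao API paths (`/v1/auth/kubernetes/login`, `/v1/<mount>/data/<path>`, the `X-Vault-Token` header) are the standard ones; `VAULT_ADDR` is Vault's usual variable, while `VAULT_ROLE`, `SECRET_PATH` and the `secret` mount name are assumptions made here.

```go
// Added example, not CloudTaser's own code: a minimal wrapper in the pattern the page
// describes. It logs in to an EU-hosted OpenBao/Vault with the pod's service-account
// JWT, reads one KV v2 secret and exec()s the application with the values in its
// environment only. VAULT_ADDR is Vault's own variable; VAULT_ROLE and SECRET_PATH are assumed.
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
	"syscall"
)

// vaultCall sends one JSON request, rejects non-200 replies and decodes the body into out.
func vaultCall(method, url, token string, body []byte, out interface{}) error {
	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	if token != "" {
		req.Header.Set("X-Vault-Token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: %s", method, url, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// LoginKubernetes performs the Kubernetes auth login and returns the client token;
// a rejected role or JWT yields an error, never a token.
func LoginKubernetes(vaultAddr, role, jwt string) (string, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	var out struct {
		Auth struct {
			ClientToken string `json:"client_token"`
		} `json:"auth"`
	}
	if err := vaultCall(http.MethodPost, vaultAddr+"/v1/auth/kubernetes/login", "", body, &out); err != nil {
		return "", err
	}
	if out.Auth.ClientToken == "" {
		return "", fmt.Errorf("login returned no client_token")
	}
	return out.Auth.ClientToken, nil
}

// ReadKVSecret reads a KV v2 secret (GET /v1/<mount>/data/<path>) into a map.
func ReadKVSecret(vaultAddr, token, mount, path string) (map[string]string, error) {
	var out struct {
		Data struct {
			Data map[string]string `json:"data"`
		} `json:"data"`
	}
	if err := vaultCall(http.MethodGet, vaultAddr+"/v1/"+mount+"/data/"+path, token, nil, &out); err != nil {
		return nil, err
	}
	return out.Data.Data, nil
}

// BuildEnv returns base plus one KEY=value entry per secret (keys used verbatim). A base
// entry with the same name is dropped so a value set in the pod spec cannot shadow the vault's.
func BuildEnv(base []string, secrets map[string]string) []string {
	env := make([]string, 0, len(base)+len(secrets))
	for _, kv := range base {
		if _, shadowed := secrets[strings.SplitN(kv, "=", 2)[0]]; !shadowed {
			env = append(env, kv)
		}
	}
	for k, v := range secrets {
		env = append(env, k+"="+v)
	}
	return env
}

func main() {
	if len(os.Args) < 2 {
		log.Fatal("usage: wrapper /abs/path/to/app [args...]")
	}
	jwt, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token") // projected SA token
	if err != nil {
		log.Fatal(err)
	}
	addr := os.Getenv("VAULT_ADDR")
	token, err := LoginKubernetes(addr, os.Getenv("VAULT_ROLE"), strings.TrimSpace(string(jwt)))
	if err != nil {
		log.Fatal(err)
	}
	secrets, err := ReadKVSecret(addr, token, "secret", os.Getenv("SECRET_PATH"))
	if err != nil {
		log.Fatal(err)
	}
	// Replace this process with the application; the secrets live only in its environment.
	log.Fatal(syscall.Exec(os.Args[1], os.Args[1:], BuildEnv(os.Environ(), secrets)))
}
```

Run it as the pod's entrypoint, for example `wrapper /app/server --port 8080`. Because the wrapper exec()s rather than forks, no parent process keeps a copy of the secrets, nothing is written to a file or a Kubernetes Secret, and the only credential that ever sits on disk is the service-account JWT kubelet projects anyway. The shadowing check in BuildEnv matters: with duplicate names in the environment, which value a library reads depends on the runtime, so a stale or injected value from the pod spec must not be allowed to coexist with the vault-held one.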
Quick Links
| Page | What it covers |
| --- | --- |
| Getting Started | Deploy CloudTaser on GKE and protect your first workload in under 30 minutes |
| Installation | Production installation for the operator, eBPF daemonset, and S3 proxy |
| Security Model | Trust boundaries, threat model, and what CloudTaser does and does not protect against |
| CLI Reference | cloudtaser CLI commands for discovery, connection, validation, and auditing |
| Configuration | Pod annotations, CRDs, and Helm values |
| Compliance | Mapping to GDPR, NIS2, DORA, and Schrems II supplementary measures |
Who Is This For
CloudTaser is built for EU enterprises running regulated workloads on managed Kubernetes. If your organization needs to:
- Use US cloud providers (AWS, GCP, Azure) while maintaining EU data sovereignty
- Comply with GDPR, NIS2, DORA, or Schrems II supplementary measures
- Prove to auditors that secrets and sensitive data never leave EU jurisdiction
- Eliminate Kubernetes Secrets and etcd as attack vectors
then CloudTaser provides the technical controls to make that possible.
Primary target: financial services, healthcare, government, and regulated SaaS
CloudTaser is designed for organizations with 500--10,000 employees running production workloads on GKE, EKS, or AKS. Financial services is the initial focus, followed by healthcare, government, and B2B SaaS.