GRC Platform Integration¶
CloudTaser integrates with Governance, Risk, and Compliance (GRC) platforms to provide automated compliance evidence. This page covers integration with Vanta, Drata, and Secureframe.
Overview¶
CloudTaser pushes protection state and compliance test results to GRC platforms. This provides auditors and compliance teams with continuous evidence that:
- Workloads are protected by CloudTaser (secrets not in etcd)
- eBPF runtime enforcement is active on all nodes
- Protection coverage meets organizational targets
What CloudTaser provides to GRC platforms¶
| Data Type | Description |
|---|---|
| Resources | Kubernetes workloads (Deployments) with protection status (ACTIVE/INACTIVE) |
| Test Results | Automated compliance checks: secrets not in etcd, workload coverage percentage, eBPF enforcement active |
| Audit Logs | Secret fetch events, injection events, rotation events, security violations |
Vanta Integration¶
The operator includes a built-in Vanta sync controller that pushes protection state to Vanta's Connectors API every 5 minutes.
How it works¶
- The operator reads a Vanta API access token from the EU-hosted vault at
secret/data/cloudtaser/integrations/vanta - Every 5 minutes, it scans all non-system namespaces for Deployments
- Each Deployment is pushed to Vanta as a resource with status
ACTIVE(hascloudtaser.io/inject: "true") orINACTIVE - Three compliance tests are pushed:
- Secrets not stored in Kubernetes etcd -- counts orphaned K8s Secrets (excluding ServiceAccount tokens, TLS, Docker config, Helm releases)
- Production workloads protected by CloudTaser -- coverage percentage (PASS when 80%+ of workloads are protected)
- eBPF runtime enforcement active on all nodes -- checks that the eBPF DaemonSet
desiredNumberScheduledequalsnumberReady
Setup¶
Step 1: Store the Vanta access token in Vault¶
The operator reads from this path by default. Override with the VANTA_VAULT_PATH environment variable on the operator.
Step 2: Enable the Vanta sync in operator configuration¶
Set the following environment variables on the operator deployment:
| Variable | Description | Default |
|---|---|---|
VANTA_ENABLED |
Enable Vanta sync | false |
VANTA_SYNC_INTERVAL |
Sync interval | 5m |
VANTA_VAULT_PATH |
Vault path to Vanta tokens | secret/data/cloudtaser/integrations/vanta |
Step 3: Verify sync¶
Check operator logs for sync activity:
Successful syncs log:
Test results pushed to Vanta¶
| Test ID | Display Name | Pass Condition |
|---|---|---|
cloudtaser-secrets-not-in-etcd |
Secrets not stored in Kubernetes etcd | Zero orphaned K8s Secrets |
cloudtaser-workload-coverage |
Production workloads protected by CloudTaser | 80%+ workload coverage |
cloudtaser-ebpf-enforcement |
eBPF runtime enforcement active on all nodes | DaemonSet fully scheduled and ready |
Token refresh¶
The operator uses Vanta's OAuth2 token refresh endpoint to renew expired access tokens. The refresh token, client ID, and client secret must be stored alongside the access token in Vault:
vault kv put secret/cloudtaser/integrations/vanta \
access_token="..." \
refresh_token="..." \
client_id="..." \
client_secret="..."
Token storage security
All GRC platform tokens are stored in the EU-hosted vault, not in Kubernetes Secrets. The operator fetches them using its own vault authentication, ensuring tokens never touch etcd.
Drata Integration¶
Planned
Direct Drata integration is planned. The architecture will follow the same pattern as Vanta: operator reads API tokens from Vault and pushes protection state on a schedule.
Current workaround¶
Use cloudtaser audit -o json to generate machine-readable compliance reports and import them into Drata via their API or manual upload:
# Generate JSON audit report
cloudtaser audit --vault-address https://vault.eu.example.com -o json > audit-report.json
The JSON report includes:
protected_workloads-- list of CloudTaser-injected workloadsunprotected_workloads-- workloads still using K8s Secretsorphaned_secrets-- K8s Secrets that should be migratedebpf_coverage-- per-node eBPF enforcement statusprotection_scores-- per-workload protection scores
Planned Drata features¶
- Push resources via Drata's Connections API
- Map CloudTaser controls to Drata's control framework
- Automated evidence collection for SOC 2 and ISO 27001 controls
Secureframe Integration¶
Planned
Direct Secureframe integration is planned. Same approach: vault-stored tokens, operator-driven sync.
Current workaround¶
Use cloudtaser audit -o json for Secureframe evidence imports:
Planned Secureframe features¶
- Push monitoring data via Secureframe's Integration API
- Map to Secureframe compliance tests
- Automated evidence for GDPR, SOC 2, ISO 27001 frameworks
Compliance Framework Mapping¶
The data pushed to GRC platforms maps to specific compliance requirements:
| GRC Test | GDPR | NIS2 | DORA | ISO 27001 | SOC 2 |
|---|---|---|---|---|---|
| Secrets not in etcd | Art. 32 (encryption) | Art. 21(h) (cryptography) | Art. 9 (protection) | A.8.24 | CC6.1 |
| Workload coverage | Art. 32 (ongoing confidentiality) | Art. 21(a) (risk analysis) | Art. 6 (risk management) | A.8.9 | CC7.3 |
| eBPF enforcement | Art. 32 (ongoing confidentiality) | Art. 21(b) (incident handling) | Art. 10 (detection) | A.8.12 | CC6.6 |
See Compliance and Regulatory Mapping for the full framework mapping.
Manual Audit Reports¶
For GRC platforms that do not have direct API integration, use the CLI to generate reports:
# Text report (human-readable)
cloudtaser audit --vault-address https://vault.eu.example.com
# JSON report (machine-readable, for API import)
cloudtaser audit --vault-address https://vault.eu.example.com -o json
# Scheduled via cron for continuous evidence
# 0 */6 * * * cloudtaser audit -o json > /evidence/cloudtaser-$(date +%Y%m%d-%H%M).json
The audit report covers:
- Total workloads vs. protected workloads (coverage percentage)
- Orphaned Kubernetes Secrets in etcd
- eBPF enforcement coverage per node
- Per-workload protection scores (max 115 points)
- Vault connectivity and health status