
Your Sovereignty Journey

Each stage adds a layer of protection. You can stop at any stage and still have value — or go all the way to Ultimate Protection for hard cryptographic guarantees.


1 Evaluate

Discover which workloads use Kubernetes Secrets (stored in etcd, readable by the cloud provider). Assess your exposure before changing anything.

No cluster changes

2 Install

Deploy the CloudTaser operator (mutating webhook) and connect to your EU-hosted OpenBao/Vault. The operator watches for annotated pods but changes nothing until you annotate.

Score: +0 (ready state)

3 Protect Secrets

Annotate workloads. The webhook injects the wrapper, which fetches secrets from the EU vault directly into process memory (memfd_secret). Secrets never touch etcd.

Score: up to 55/75
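The memfd_secret mechanism named above, as an added example that is not CloudTaser's wrapper code: a small C helper that places a fetched secret into a memfd_secret-backed mapping, falls back to anonymous memory excluded from core dumps on kernels without secretmem, and checks whether the process can read the bytes back through /proc/self/mem. The syscall number, the fallback strategy and the helper names are assumptions; any token stored in it is constructed sample data.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447   /* assumed: memfd_secret's number in the unified syscall table */
#endif
/* Secret bytes in a mapping the kernel drops from its direct map (memfd_secret), so other
 * processes and /proc/PID/mem cannot read it; falls back to core-dump-excluded anonymous memory. */
typedef struct { void *buf; size_t len; size_t used; int secretmem; } secret_buf;

static int secret_buf_alloc(secret_buf *s, size_t want) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE), len = (want + page - 1) / page * page;
    void *p = MAP_FAILED;
    int fd = (int)syscall(__NR_memfd_secret, 0);   /* ENOSYS/ENOMEM/EPERM -> fallback below */
    if (fd >= 0) {
        if (ftruncate(fd, (off_t)len) == 0)
            p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        close(fd);                                   /* the mapping outlives the fd */
    }
    s->secretmem = (p != MAP_FAILED);
    if (p == MAP_FAILED) {
        p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) return -1;
        madvise(p, len, MADV_DONTDUMP);              /* weaker guarantee: no core dumps */
    }
    s->buf = p; s->len = len; s->used = 0;
    return 0;
}
static int secret_buf_store(secret_buf *s, const void *data, size_t n) {
    if (n > s->len) return -1;                       /* never spill past the mapping */
    memcpy(s->buf, data, n); s->used = n;
    return 0;
}
/* Defender's check: can the process read its own mapping back through /proc/self/mem?
 * 1 = readable, 0 = kernel refused (expected for secretmem), -1 = /proc not available. */
static int readable_via_proc_mem(const void *addr, size_t n) {
    char tmp[64];
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = pread(fd, tmp, n < sizeof tmp ? n : sizeof tmp, (off_t)(uintptr_t)addr);
    close(fd);
    return got > 0;
}
static void secret_buf_free(secret_buf *s) {         /* wipe, then unmap */
    if (s->buf) { explicit_bzero(s->buf, s->len); munmap(s->buf, s->len); s->buf = NULL; }
}
```

On a kernel booted with secretmem.enable=1, `secretmem` is set and the /proc check returns 0; on other kernels the fallback mapping is used and the check returns 1, which tells you the stronger guarantee is not in effect.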

4 Enforce

Deploy the eBPF daemonset. It attaches to kernel functions and blocks 19+ attack vectors: /proc reads, ptrace, network exfiltration, kernel module loading, io_uring, and more.

Score: up to 75/75

5 Encrypt Storage

Enable S3 proxy for object storage and DB proxy for databases. Data at rest is encrypted with EU-held keys before reaching the cloud provider. The provider stores only ciphertext.

Score: 75/75 + data sovereignty

6 Comply

Generate compliance evidence. Protection scores, audit reports, and framework-specific mappings for GDPR, DORA, NIS2, PCI DSS, ISO 27001, and more.

12 frameworks mapped

7 Ultimate Protection

Deploy on confidential computing hardware (AMD SEV-SNP / Intel TDX). VM memory is encrypted at the CPU level. Combined with CloudTaser, zero access paths remain for the cloud provider.

Score: 105/105 — Hard guarantee


Where Are You?

| If you are... | Start at | You'll achieve |
|---|---|---|
| Exploring whether CloudTaser fits your needs | Stage 1: Evaluate | Understanding of your current exposure |
| Running a PoC on a staging cluster | Stage 2: Install, Stage 3: Protect | Secrets out of etcd, in process memory |
| Going to production for the first time | Stage 3, Stage 4: Enforce | Full runtime protection (score 75/75) |
| Adding data-at-rest protection | Stage 5: Encrypt Storage | S3 + database encryption with EU keys |
| Preparing for a DORA/NIS2 audit | Stage 6: Comply | Framework-mapped evidence packages |
| A bank or government service needing hard guarantees | Stage 7: Ultimate | Cryptographically provable sovereignty |

Each stage is independently valuable. You don't need to reach Stage 7 to benefit — Stage 3 alone removes secrets from etcd, which is the single biggest sovereignty risk in most Kubernetes deployments.