Use Case

Secure every kubectl command. No cluster agents required.

Hoop governs access to Kubernetes clusters through the gateway. Every kubectl command, every exec session, every log stream passes through the protocol parser, where you apply masking, guardrails, and approval workflows. Deploy once. Cover every cluster.

The problem

Kubernetes access is either too open or too slow.

How it works

Read freely. Write with guardrails. No agents on the cluster.

Hoop sits at the network layer. No sidecars, no admission controllers, no cluster agents. The engineer or agent connects through the gateway using their OIDC identity. Every session is recorded. Every command is logged with identity, timestamp, and outcome.

Read operations (get, describe, logs, top): pass through

Read operations pass through without friction. Secrets and sensitive configmap values are masked in responses before they reach the engineer or agent.

Write operations (apply, patch, scale): evaluated · may require approval

Write operations are evaluated against guardrail rules. Low-risk changes pass through. Production deployments and configuration changes route for human approval.

Destructive operations (delete namespace, drain node, delete pvc): blocked or explicit approval required

Destructive operations are blocked outright or require explicit, named approval from a designated approver. Not just any approval, but the right approver for the right resource.

Works with any Kubernetes distribution. No cluster-side installation required. Authentication via OIDC with short-lived tokens.

NATIVE TOOL SUPPORT

Lens, kubectl, helm. Your tools, invisible controls.

Your team keeps using Lens for pod management and kubectl for everything else. Hoop masks sensitive data in log output, blocks destructive commands at the protocol layer, and records every session. No cluster agents. No sidecars.


ORGANIZATIONAL IMPACT

From cluster governance to compliance evidence.

Every kubectl command, every pod operation flows through the gateway. The result: continuous compliance evidence and organizational risk metrics your security team can report on.

kubectl delete namespace blocked by guardrail
Approval cycles reduced from 47 min to 34 seconds
920 engineering hours returned per month
Approval Workflow ROI (last 30 days)

Manual Process
0:00     Engineer requests access
         Slack message to manager...
+12 min  Manager sees notification
+28 min  Escalation to security team
+47 min  Manual review & approval

With Hoop
0:00     Command detected by gateway
+2s      Slack notification sent
+3s      Context + risk level shown
+34s     One-click approve/reject

1,200 approval cycles × 46 min saved = 920 hours returned to engineering

What happened in your clusters last month?

Most teams can’t answer that question. Hoop gives you a full session log from day one, without touching a single cluster.
