Beyond the Cluster: Tensor9's Next-Level Kubernetes Integration for Any-Prem Deployments

We're incredibly excited to announce a major upgrade to how we support Kubernetes with Tensor9. While our Terraform support enabled you to deploy and manage Kubernetes clusters, we wanted to give our customers deeper automation and integration.

Why the renewed focus? Old habits die hard, especially when those habits were forged during our years as Amazonians. We obsess over the customer experience, and we knew we could eliminate significant friction points in managing Kubernetes applications across different customer environments. We wanted to move from "it works" to "it's effortless".

Tensor9 enables SaaS and AI vendors to deliver their existing products directly into customer-owned environments, including cloud-prem and on-prem. Kubernetes is the de facto universal abstraction for portability, but simply using K8s doesn't solve the hard problems of cross-cloud delivery into customer environments: How do you secure artifacts? How do you distribute secrets? How do you manage day-two operations?

Tensor9’s deeper integration delivers automation across the most complex parts of Kubernetes deployment: Artifacts, Secrets, Ingresses/Load Balancers/DNS, Observability, and Operations.

Seamless Artifact Handling: No More Image Juggling

Dealing with application artifacts (like container images and S3 objects) in a vendor-to-customer, cross-account setup is a major operational headache. Granting the customer's environment continuous read access back to the vendor's source registry forces complex and brittle cross-account IAM configurations.

Tensor9 eliminates this by automatically copying artifacts defined in your Terraform/OpenTofu configurations to a dedicated, secure registry within the customer's appliance account during deployment. This is seamless because Tensor9 automatically rewrites your compiled infrastructure as code to point to the new, local copy. The critical benefit: Only the Vendor Controller ever needs read access to your original artifacts. 

Simplifying Secrets Management: Vendor Isolation and Customer Control

Secrets are a cornerstone of security, but distributing them securely across vendor and customer environments is often a manual, risk-prone process. Tensor9 automates this using a powerful, declarative approach built into your Infrastructure as Code (IaC).

Customer-Supplied Secrets (e.g., API keys): We eliminate manual key exchange. The vendor defines the secret's structure and destination using simple HashiCorp Configuration Language (HCL) annotations, and Tensor9's guided workflow prompts the customer to input the value directly into their appliance environment. The vendor never has visibility into the actual secret value, ensuring maximum separation of concerns.

Vendor-Supplied Secrets (Shared Secrets): We securely tunnel vendor-owned secrets (like service credentials) from the vendor's source store and copy them into the customer's dedicated secret store (e.g., AWS Secrets Manager in the appliance account). The application has guaranteed access while the raw value remains protected and decoupled from its original location.

Effortless Networking: Ingresses, Load Balancers, and Custom DNS

Exposing your application shouldn't require deep, cloud-specific networking expertise. Tensor9 simplifies this by treating network resources declaratively within your IaC.

As a vendor, you define the necessary network resources (load balancers, listeners, and DNS records) within your origin stack. Tensor9 then automatically adapts this configuration based on the cloud environment, spinning up the right type of load balancer and producing a custom DNS entry (in either the vendor's or buyer's domain) for that specific customer appliance.

Built-in Observability: Bridging the Visibility Gap

Visibility into the health, performance, and usage of your application in customer environments is non-negotiable. Tensor9 provides two configurable levels of observability:

Enhanced Observation (Telemetry): Tensor9 configures the appliance to securely mirror operational logs, metrics, and key dimensions directly to the vendor's chosen observability sink (e.g., CloudWatch, Grafana, Datadog). This ensures immediate, familiar visibility without ever requiring the vendor to access the customer's cloud account.

Base Observation: Provides core deployment metadata about the resource's state and IaC definition. This is default and always enabled.

Streamlined Operations

Day-two operations, like running administrative commands, often require vendors to access customer environments, which is a high-risk process. Tensor9 brings governance and security to this by formalizing two levels of operational control:

Asynchronous Operations (Ratified Control): For audit-critical, sensitive operations, vendors can issue commands (like kubectl) that are wrapped in an approval workflow from the customer.

Synchronous/Realtime Operations: For interactive or time-critical tasks, synchronous control can be granted via a temporary network tunnel, requiring ahead-of-time customer approval to be enabled.

Putting It Together: Real-World Example

To illustrate the power of this integration, consider the needs of a multi-component security platform like Cerby. Managing their infrastructure in multiple high-security customer environments introduces critical security hurdles. Tensor9 automates this complexity while maintaining isolation:

  • Securely Tunnel and Isolate Secrets: We manage over a dozen critical, high-value secrets, ensuring shared secrets are automatically mirrored into the customer's dedicated secret store without ever exposing the raw values to the vendor.

  • Dynamic Network Provisioning: We provision multiple endpoints, including Application Load Balancers (ALBs) and API Gateways, for different services and handle all necessary DNS/TLS configurations on-demand.

  • Compliance-Ready Observability: We configure all services to stream logs and metrics instantly back to the vendor’s security analysis tools, ensuring Cerby maintains necessary visibility and audit trails.

This integration marks a massive step forward for vendors targeting high-security, regulated, enterprise accounts. By automating five of the most painful elements of K8s delivery (Artifacts, Secrets, Networking, Observability, and Operations), Tensor9 eliminates the bespoke engineering required to deploy and operate every new customer environment. You no longer have to choose between market opportunity and operational complexity. This new level of governance, security, and automation delivers on our core mission: unlocking your next wave of enterprise growth.

See you at KubeCon!

Come talk to the team and see a demo! Find us at KubeCon booth #1770!

Eryn Muetzel

Chief Product Officer, Tensor9

https://www.linkedin.com/in/erynmuetzel/
