Protect your workloads when it matters most.
telark puts a policy shield around your Kubernetes applications during maintenance windows, test runs, and risky changes. Define custom policies, open a time-bounded window, and nothing touches your workloads without your say — enforced at admission, verified against live cluster state.
# Guard checkout during tonight's maintenance windowPOST /v1/protection-plans{"name": "checkout-freeze","scope": { "applications": ["checkout"] },"templates": ["block-deletion", "block-replica-scaling"],"mode": "enforce","startAt": "2026-07-14T22:00:00Z","endAt": "2026-07-15T02:00:00Z"}201 Created{"id": "plan_7c2e91af","status": "scheduled","policies": 2,"activatesIn": "3h 12m"}
A control plane for time-bounded protection plans.
Define the window. Pick the templates. Pin them to discovered applications. telark deploys, watches, and tells you when the cluster drifts.
Protection plans, time-bounded.
Pick policy templates, scope them to apps or namespaces, and open a window. The plan runs only between startAt and endAt.
Scoped to apps, not just namespaces.
Discovery groups workloads into applications in real time. Plans resolve that boundary on activation so policies only touch the workloads you meant.
Cluster-truth health and violations.
telark reads cluster state to decide if your plan is the plan that is running. Drift, missing policies, unexpected policies — all surfaced.
Lock down the workloads. For exactly as long as you need.
A protection plan binds policy templates to a scope and a time range. You pick the templates (block deletes, block image patterns, block replica scaling…), set audit or enforce, and either run it now or schedule a window. The in-cluster controller transitions the plan through scheduled → active → terminated; when active, telark deploys cluster-side admission policies, all labelled by plan ID for clean lifecycle.
- Nine built-in policy templates ship today — block creation, updates, deletion, image patterns, image tags, replica scaling, storage changes, ConfigMap/Secret edits, workload config-mount changes.
- Per-plan mode: audit (log violations) or enforce (reject at admission).
- Time-bounded windows are first-class — set startAt and endAt; the controller activates and terminates on a 31-second tick.
- Lifecycle endpoints cover create, update, cancel, reactivate, duplicate, and a transactional prepare for dry-running scope conflicts.
Block creation
Prevents new resources within the scope.
Block updates
Freezes resource mutations.
Block deletion
Prevents any delete in scope.
Block image patterns
Glob-match container image registries.
Block image tags
Reject specific tags (e.g. latest, snapshot).
Block replica scaling
Pin Deployment/StatefulSet replicas.
Block storage changes
Lock PVC and volume mutations.
Block ConfigMap/Secret changes
Reject updates or deletes.
Block workload config mounts
Freeze mount/env-source references.
Pin the plan to apps. Not just namespaces.
telark discovers applications continuously through Kubernetes informers, coalesced through a Redis stream so a single deploy does not produce a storm. When a plan activates, its resolver translates the application ID into the live list of workloads — Deployments, StatefulSets, DaemonSets, the works — and the policy applier writes admission rules that target exactly that set.
- Scope choice is per-plan: applications, namespaces, or both at once for templates that support it.
- Discovery is multi-replica via Redis leader election; followers process force-sync markers in the consumer group.
- Namespace exclusion is honoured at the listing layer — excluded namespaces never enter any plan's scope.
- Plan resolution is deterministic — re-running it on the same cluster state produces the same workload set.
- Mon 09:00Draft
Plan created (draft)
- Mon 17:30Scheduled
Schedule confirmed (scheduled)
- Mon 20:00Active
Window opens — policies deployed
- Tue 02:14Drift
Drift detected — config edited outside plan
- Tue 06:00Terminated
Window closes — policies removed
Cluster truth. Not the API's word for it.
Health is computed by reading the cluster, not by trusting that the write succeeded. telark lists the admission policies in your cluster labelled by plan ID, checks each declared policy is present, ready, and configured with the failure action your plan demands, and watches for stray labelled policies the plan never declared.
- Healthy — every declared policy present, ready, and matching the plan's mode.
- Drifted — a declared policy missing, an unexpected labelled policy present, or failureAction tampered with.
- Degraded — a policy is present but the engine has not reconciled it yet.
- Unknown — plan not yet active. No false confidence.
plan health · plan_8a3f12
4 declared policies · cluster reconciled 12s ago
- Healthy
checkout-block-deletion-enforce
ns: checkout · action: Enforce · ready
- Healthy
checkout-block-image-patterns-enforce
ns: checkout · action: Enforce · ready
- Degraded
payments-block-replica-scaling-enforce
ns: payments · action: Enforce · not ready
- Drift
checkout-block-config-secret-enforce
ns: checkout · action: — · not ready
Three steps. One Helm release. Lives in your cluster.
Install telark into the cluster you already own. Discovery starts immediately; the first protection plan is one POST away.
- 01
Install once
Helm chart deploys discovery, exporter, auth, and notifier into the cluster. Cluster-admin required to register CRDs and the policy engine.
- 02
Discovery resolves applications
Kubernetes informers group workloads into applications in real time. Namespace exclusion and force-sync are first-class. Multi-replica via Redis.
- 03
Open a protection window
POST a plan with templates, scope, mode, and a time range. The controller activates the plan, the applier deploys cluster-side policies, health and violations stream back.
Your cluster. Your data. Your compliance posture.
telark runs entirely inside your Kubernetes cluster. No data leaves it. Source-available under the Elastic License 2.0 — read it, fork it, run it. The only thing we don’t do is host it for you.
- Single-cluster, single-tenant. No phone-home, no telemetry.
- AI enrichment is optional and disabled by default.
- Licensed under Elastic License 2.0 — no hosting-as-a-service competition.
Free, forever. Self-hosted.
All features included. Run it in your cluster, on your terms.
telark for teams.
We're shaping the next tier. Get on the list and we'll tell you the moment it lands.
Open your first protection window.
Helm install. Discovery picks up your apps. POST one plan. The cluster does the rest.