Security FAQ
You asked:
- How is Optimize Live deployed?
- What data do you collect?
- How do you collect data and where is it stored?
- How long is data stored for?
- Who has access to customer data?
- Can StormForge enable SSO for enterprise identity providers?
- Which StormForge service URLs must be on the organization’s allowlist?
- What metrics does StormForge collect?
How is Optimize Live deployed?
- On your cluster, we deploy the following components:
- StormForge Agent, which reports on new workloads and deploys and configures the Metrics Forwarder. The Metrics Forwarder collects data and ships it to the StormForge backend. The
oci://registry.stormforge.io/library/stormforge-agentHelm chart creates and uses a ServiceAccount calledstormforge-agentand binds it to the KubernetesviewClusterRole, granting read-only permissions to all resources in the cluster. - Applier (optional), which patches workloads with optimized resource utilization recommendations. The
oci://registry.stormforge.io/library/stormforge-applierHelm chart creates and uses a ServiceAccount calledstormforge-applierand binds it to the KuberneteseditClusterRole, granting update and patch permissions to all optimizable workloads (and HPA, if enabled).
- StormForge Agent, which reports on new workloads and deploys and configures the Metrics Forwarder. The Metrics Forwarder collects data and ships it to the StormForge backend. The
- On our instances, we store the data and run machine learning to provide recommendations, which are presented in the StormForge UI.
What data do you collect?
From a targeted instance, we collect:
-
Metadata: cluster name, cluster UID, namespace name, workload name, workload type, node name, node instance type, pod name, and container name.
Note: If you specify an allowNamespaces or a denyNamespaces list, we collect data accordingly. For example, we do not collect data about namespaces that you include in the denyNamespaces list.
-
Metrics: We use the metadata above to build workload and container metrics. For the complete list for metrics, see What metrics does StormForge collect? at the end of this topic.
We do not collect any personal data directly — only via social logins (such as Google or GitHub).
For details, check out our Privacy Policy.
How do you collect data and where is it stored?
The StormForge Metrics Forwarder collects metrics data from a targeted instance via HTTPS requests, and then pushes the metrics to the StormForge SaaS backend. We store the parsed and ingested data in the StormForge cloud. Each customer has their own separate instance, and data is not shared.
How long is it stored for?
By default, we store data for one year. Upon request, we will delete all data that is less than one year of age.
Who has access to customer data?
Access to production data is restricted to privileged StormForge engineers on an as-needed temporary basis and only for the explicit intent of direct customer support.
When our Machine Learning team needs data for product improvement activities, we anonymize data. No external parties have access to customer data.
Can StormForge enable SSO for enterprise identity providers?
Yes. To enable this feature, contact support@stormforge.io.
Which StormForge service URLs must be on the organization’s allowlist?
See the complete list in the StormForge installation prerequisites.
What metrics does StormForge collect?
The following table lists the metrics that StormForge collects from Kubernetes clusters.
- Workload-level metrics are generated by Stormforge using metadata that we collect and are prefixed with sf.
- Container-level metrics are built-in metrics provided by cAdvisor running on the Kubernetes node.
| Metric | Source | Why we collect it |
|---|---|---|
| sf_workload_pod_owner | Consolidated metric for ownership | With this metric, we have pod owner and workload, replacing KSM kube_pod_owner and kube_replicaset_owner |
| sf_workload_spec_replicas | Consolidated metric for desired replicas number | With this metric, we have all desired replica metrics regardless type of pod owner. The pod owner must have the subresource scale. |
| sf_workload_status_replicas | Consolidated metric for observed replicas number | With this metric, we have all observed replica metrics regardless type of pod owner. |
| sf_workload_pod_container_resource_requests | Consolidated pod metric with requests | With this metric, we have all requests metrics in a single metric. |
| sf_workload_pod_container_resource_limits | Consolidated pod metric with limits | With this metric, we have all limits metrics in a single metric. |
| sf_horizontalpodautoscaler_spec_min_replicas | KSM-like/horizontalpodautoscaler-metrics | Track minimum replicas for each HPA |
| sf_horizontalpodautoscaler_spec_max_replicas | KSM-like/horizontalpodautoscaler-metrics | Track maximum replicas for each HPA |
| sf_horizontalpodautoscaler_spec_target_metric | KSM-like/horizontalpodautoscaler-metrics | Track target metric for each HPA |
| container_cpu_usage_seconds_total | cadvisor | Track cpu usage for each container |
| container_memory_working_set_bytes | cadvisor | Track memory usage for each container |
| container_cpu_cfs_throttled_seconds_total | cadvisor | Total time duration the container has been throttled |
| container_memory_max_usage_bytes | cadvisor | Maximum memory usage recorded |
| container_oom_events_total | cadvisor | Count of out of memory events observed for the container |
Source: StormForge Agent Helm chart readme:
helm show readme oci://registry.stormforge.io/library/stormforge-agent