A Compliance-Ready On-Prem Kubernetes Platform

An Indianapolis-area technology company was preparing for SOC 2, HIPAA, HiTrust, and NIST 800-53 audits at the same time. We built an on-premise Kubernetes platform with the compliance controls built into the infrastructure.

Hero
AWS Advanced Tier Services PartnerAWS Advanced Tier Partner★ 4.9/5 on Clutch (9 reviews)Replies within 1 business day
SOC 2 · HIPAA · HiTrust · NIST 800-53Passed readiness assessments

The Challenge

An Indianapolis-area technology company ran sensitive workloads that could not move to public cloud. It had no container platform, and access was managed through individual SSH keys and local accounts.

There was no audit trail for changes and no encryption for internal network traffic. Four compliance frameworks were in scope at once: SOC 2, HIPAA, HiTrust, and NIST 800-53.

What We Built

Hardened Kubernetes on Bare Metal

We deployed RKE2 on bare metal with a 3-node high-availability control plane, managed through Rancher for its hardened defaults and CIS profile support.

Encryption by Default

We used Cilium as the CNI with kube-proxy replacement, enabled WireGuard encryption between pods by default, and added Hubble for network observability that doubles as audit evidence. Network policies default to deny.

SSO on Every Access Path

We enforced Entra ID single sign-on across the Rancher UI, kubectl, and SSH. No local accounts, no shared keys. That was a hard auditor requirement.

GitOps Change History

We ran ArgoCD so every cluster change is tracked in Git and nothing is applied by hand. That gives auditors a complete, reviewable change history.

Storage, Backups, and GPU Workloads

We added Longhorn distributed storage, Velero backups with a tested restore path, and GPU worker nodes through the NVIDIA GPU Operator for machine learning workloads.

Compliance Evidence on Tap

We built Prometheus and Grafana dashboards oriented around audit evidence, and fed alarm coverage into a continuous compliance evidence platform, so the compliance team pulls evidence without engineering time.

The Result

  • The platform passed readiness assessments across all four frameworks.
  • The controls live in the infrastructure itself: encrypted traffic by default, SSO on every access path, Git-based change history, and tested recovery.
  • The compliance team pulls auditor evidence from Grafana and Git without pulling engineering time.

Technology

RKE2RancherCiliumWireGuardHubbleLonghornVeleroArgoCDNVIDIA GPU OperatorPrometheusGrafanaEntra ID SSO

Have a similar project?

Tell us what you are building and we will show you how we would approach it, with a free, no-obligation review.

Book a free consultation