Scan Kubernetes clusters for post-quantum risk
An in-cluster agent inventories the cryptography hiding in your Kubernetes resources — TLS Secrets, cert-manager Certificates, Issuers, Ingress TLS, embedded PEMs, and service-mesh mTLS — and reports findings to PostQ.
- Install with Helm in minutes
- Scans TLS Secrets, cert-manager, Ingress, and mTLS
- Only findings metadata leaves the cluster — never private keys
- Feeds the same readiness report and inventory
What the agent scans
- TLS Secrets (kubernetes.io/tls)
- cert-manager Certificates, Issuers, and ClusterIssuers
- Ingress TLS configurations
- ConfigMaps with embedded PEM material
- Istio mTLS configuration
- Linkerd mTLS configuration
Deploy the agent with Helm
Install into a dedicated namespace with your API key. The agent scans on a schedule and reports findings to the PostQ API.
```
helm install postq-agent \
  oci://ghcr.io/postqdev/charts/postq-agent \
  --namespace postq-system --create-namespace \
  --set postq.apiKey=pq_live_xxx \
  --set postq.endpoint=https://api.postq.dev
```
What a scan looks like
A summary of cluster cryptography by resource type and severity.
```
postq-agent scan summary (cluster: prod-eu-1)
─────────────────────────────────────────────
TLS Secrets scanned ............ 142
cert-manager Certificates ...... 38
Ingress TLS configs ............ 21
ConfigMaps with PEMs ........... 6
─────────────────────────────────────────────
CRITICAL   2   RSA-2048 leaf, expired cert
HIGH      27   RSA / ECDSA certificate keys
MEDIUM     9   classical mTLS (Istio)
reporting to https://api.postq.dev/ingest/kubernetes
```
Cluster agent → PostQ API → report
- In-cluster agent: reads TLS Secrets, cert-manager, Ingress, mTLS
- PostQ API: POST /ingest/kubernetes (findings metadata only)
- Dashboard & report: inventory, readiness score, migration steps
Privacy & security
- Private keys and Secret values never leave the cluster.
- The agent transmits algorithm/metadata findings only, over TLS.
- Runs with read-only RBAC scoped to the resources it inventories.
- You can delete reported findings from the PostQ dashboard at any time.
Algorithms that need a migration plan
| Algorithm | Why it needs a migration plan |
|---|---|
| RSA | Integer factorisation — broken by Shor's algorithm. |
| ECDSA | Elliptic-curve discrete log — broken by Shor's algorithm. |
| DH | Finite-field Diffie-Hellman — quantum-vulnerable key exchange. |
| ECDH | Elliptic-curve Diffie-Hellman — quantum-vulnerable key exchange. |
| X25519 | Modern ECDH curve, still classical and quantum-vulnerable. |
| Ed25519 | Modern EdDSA signature, still classical and quantum-vulnerable. |
| RS256 | JWT RSA-SHA256 signature — quantum-vulnerable public-key signature. |
| ES256 | JWT ECDSA-P256 signature — quantum-vulnerable public-key signature. |
NIST-standardised replacements
| Standard | Role |
|---|---|
| ML-KEM (FIPS 203) | Key encapsulation / key exchange (formerly Kyber). |
| ML-DSA (FIPS 204) | Digital signatures (formerly Dilithium). |
| SLH-DSA (FIPS 205) | Stateless hash-based signatures (formerly SPHINCS+). |
PostQ detects where quantum-vulnerable algorithms are used and reports them. We don’t claim a target algorithm is supported in your stack unless detection confirms it.
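To make the metadata-only contract concrete, here is an added Go example (not the PostQ agent's own code) that reads only the tls.crt entry of a kubernetes.io/tls Secret's data map, classifies the leaf key against the table above, and never decodes tls.key; the namespace, Secret name, CommonName and the self-signed RSA-2048 certificate are all constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is the metadata-only record the text describes: no field can carry key or Secret bytes.
type Finding struct {
	Namespace, Name, Algorithm, Subject string
	KeyBits                             int
	NotAfter                            time.Time
	QuantumVulnerable, Expired          bool
}

// ScanTLSSecret reads only tls.crt from a kubernetes.io/tls data map; tls.key is never touched.
func ScanTLSSecret(ns, name string, data map[string][]byte, now time.Time) (Finding, error) {
	block, _ := pem.Decode(data["tls.crt"])
	if block == nil {
		return Finding{}, fmt.Errorf("%s/%s: tls.crt holds no PEM block", ns, name)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{Namespace: ns, Name: name, Subject: cert.Subject.String(), NotAfter: cert.NotAfter, Expired: now.After(cert.NotAfter)}
	switch k := cert.PublicKey.(type) { // both families in the table above are quantum-vulnerable; others stay unclassified
	case *rsa.PublicKey:
		f.Algorithm, f.KeyBits, f.QuantumVulnerable = "RSA", k.N.BitLen(), true
	case *ecdsa.PublicKey:
		f.Algorithm, f.KeyBits, f.QuantumVulnerable = "ECDSA", k.Curve.Params().BitSize, true
	}
	return f, nil
}

// SampleSecretData is constructed sample input (not cluster data): a self-signed RSA-2048 leaf plus a
// placeholder tls.key, which the scanner must succeed without ever decoding.
func SampleSecretData(notAfter time.Time) map[string][]byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "api.example.internal"}, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return map[string][]byte{"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), "tls.key": []byte("placeholder, never read")}
}
```

An expired RSA leaf comes back as a quantum-vulnerable, expired finding (the CRITICAL row in the summary above), while a Secret whose tls.crt holds no certificate is reported as an error rather than silently skipped.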
Frequently asked questions
What does the Kubernetes agent scan?
It inventories TLS Secrets, cert-manager Certificates, Issuers and ClusterIssuers, Ingress TLS configs, ConfigMaps containing PEM material, and Istio/Linkerd mTLS configuration — classifying the cryptographic algorithms in each.
What data leaves my cluster?
Only findings metadata: algorithm names, key sizes, certificate subjects/issuers, expiry, and resource identifiers. Private keys and secret values never leave the cluster.
How do I install the agent?
Install the Helm chart from oci://ghcr.io/postqdev/charts/postq-agent into a namespace with your PostQ API key. The agent reports to POST /ingest/kubernetes on the PostQ API.
Can I run it read-only?
Yes. The agent only needs read access to the resource types it inventories. It does not modify cluster resources.
Run a free PQC readiness scan
Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup required.
No signup required for the basic TLS scan. We only inspect public metadata.