Fleet Control Security

Feature Availability

Fleet Control for Kubernetes clusters is generally available (GA). Support for managing agents on hosts is currently in public preview.

For a complete list of supported agents and their environments, see our agent type compatibility documentation.

The public preview feature is provided pursuant to our pre-release policies.

Fleet Control and its underlying component, Agent Control, are designed with multi-layered security. This page provides an overview of the key security features.

Diagram showing the security architecture of Fleet Control, including the K8s cluster, optional proxy, and New Relic backend services.

Important: Securing Data at Rest

Kubernetes Secrets are only base64-encoded, which is not a form of encryption. To properly secure sensitive information like private keys, it is critical to ensure that your Kubernetes cluster's etcd datastore is encrypted at rest.
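The following Python check illustrates the data-at-rest warning above; it is an added example, not New Relic code. It recovers a Secret's `data` values without any key, then classifies raw etcd values by the `k8s:enc:<provider>:` prefix that kube-apiserver writes when encryption at rest is enabled. The sample Secret, the sample etcd values and the function names are constructed for illustration.

```python
import base64
import re

# Prefix kube-apiserver puts in front of a value it encrypted before writing
# it to etcd: k8s:enc:<provider>:<version>:<key or plugin name>:
ENC_PREFIX = re.compile(rb"^k8s:enc:([a-z]+):(v\d+):([^:]+):")
PROTOBUF_MAGIC = b"k8s\x00"  # first bytes of an unencrypted protobuf object


def decode_secret_data(data: dict) -> dict:
    """Recover the plaintext of a Secret's `data` map. No key is needed."""
    return {name: base64.b64decode(value, validate=True).decode("utf-8", "replace")
            for name, value in data.items()}


def classify_etcd_value(raw: bytes) -> dict:
    """Classify raw bytes read from etcd, for example the output of
    `etcdctl get /registry/secrets/<namespace>/<name>`."""
    match = ENC_PREFIX.match(raw)
    if match:
        provider, version, key = (g.decode() for g in match.groups())
        return {"encrypted": True, "provider": provider,
                "version": version, "key": key}
    # Plain protobuf (the default for Secrets) or plain JSON: readable by
    # anyone with access to the etcd data files or backups.
    if raw.startswith(PROTOBUF_MAGIC) or raw.lstrip().startswith(b"{"):
        return {"encrypted": False, "provider": None}
    return {"encrypted": None, "provider": None}  # unrecognised layout


# --- Constructed sample data (not taken from a real cluster) ---
SAMPLE_SECRET_DATA = {
    "private_key": base64.b64encode(b"constructed-key-material").decode(),
}
SAMPLE_PLAIN = PROTOBUF_MAGIC + b"\n\x0c\n\x02v1\x12\x06Secret\x12\x10constructed"
SAMPLE_AESCBC = b"k8s:enc:aescbc:v1:key1:" + bytes(range(32))

if __name__ == "__main__":
    print("decoded Secret data:", decode_secret_data(SAMPLE_SECRET_DATA))
    for label, raw in (("plain", SAMPLE_PLAIN), ("aescbc", SAMPLE_AESCBC)):
        print(label, "->", classify_etcd_value(raw))
```
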

Secure connections and configuration integrity

To protect data in transit and prevent tampering, Fleet Control employs multiple layers of security for all communications.

  • TLS encryption: All communication between Agent Control and the New Relic backend, including the Fleet Control endpoint, is transmitted over secure, TLS-encrypted channels.

  • Cryptographic signing: In addition to TLS, all configurations delivered from Fleet Control to Agent Control are cryptographically signed by New Relic. Agent Control verifies this signature before applying any configuration, ensuring that only authentic and unmodified instructions are executed on your managed entities.

Authentication and authorization

Fleet Control uses distinct authentication mechanisms for its different components to ensure secure and appropriate access.

  • Agent Control authentication: The Agent Control component authenticates with the Fleet Control backend using system-level identities, such as a keypair and token or a client ID and secret. This ensures that only authorized instances of Agent Control can receive management instructions.

  • Agent authentication: The individual agents deployed by Fleet Control (like the Infrastructure agent or OTel collector) authenticate with the New Relic ingest endpoints using your standard New Relic license key.

  • User permissions: All user actions within the Fleet Control UI and API are governed by New Relic's role-based access control. To create or manage fleets, users need the Organization Manager role or a custom role with the equivalent fleet management permissions.

Proxy support

For environments with restricted network egress, Agent Control provides full support for system-level HTTP and HTTPS proxies. When you configure the standard HTTP_PROXY and HTTPS_PROXY environment variables on your hosts or within your Kubernetes cluster, all outbound communication from Agent Control is securely routed through your specified proxy.

Access to public repositories

To simplify installation and reduce security friction, all components required for Fleet Control are hosted in public repositories.

  • Helm charts: The Helm charts for installing and managing Agent Control are hosted in a public New Relic repository on GitHub.

  • Container images: The container images for Agent Control and its managed agents are hosted on Docker Hub.

Copyright © 2025 New Relic Inc.
