An Org serves as a tightly isolated bounded context that encompasses all the resources managed by Control Plane. These resources comprise domains, images, workloads, GVCs, users, groups, service accounts, and more.

It’s possible for a physical organization, to create multiple ‘orgs,’ although this is not mandatory. Creating multiple orgs can be beneficial in order to establish complete isolation between environments, for instance.

Create an Org

Refer to the Create an Org guide.

Multiple Orgs

A user can be a member of one or more Orgs.

  • To switch between Orgs from the console:
    • From the left menu, click on the > to the right of the current org.
    • Search or scroll to the desired org.
    • Click on the desired org.
    • A confirmation modal will be displayed. Click Yes.

External Logs / Logging

Control Plane offers the ability to ship all Org logs to an external provider.

Please click here for additional details and configuration instructions.


OpenTelemetry traces are supported and can be configured with the native Control Plane tracing provider or sent to an OpenTelemetry collector endpoint by using the OpenTelemetry tracing provider.

Control Plane Tracing Provider

The Control Plane tracing provider is the default method for collecting OpenTelemetry traces. They will be accessible for exploration using Grafana by accessing Metrics in the sidebar menu of the Console.

To enable traces using the Console, navigate to your GVC, click on Tracing, and choose Control Plane as the metric provider. Then, configure the sampling percentage and, optionally, the Custom Tags.

Here is an example of a GVC with enabled tracing:

kind: gvc
name: online-boutique
      - //location/aws-eu-central-1
      - //location/azure-eastus2
      - //location/gcp-us-west1
      controlPlane: {}
    customTags: {}
    sampling: 100

OpenTelemetry Tracing Provider

Similarly, traces can be sent to an OTEL collector endpoint using the OpenTelemetry tracing provider.

For details, see the Online Boutique example.


The retention period for logs, metrics and traces defaults to 30 days and can be adjusted for each independently.

Charges apply for combined storage of logs, metrics and traces over 100GB calculated by GB-Month.

Threat Detection

Control Plane provides real-time threat detection and alerting by inspecting syscalls of all running workloads. When enabled, you will receive real-time alerts of possible threats by severity level.

The following list of threats or attempted activities will trigger an alert at the specified severity levels.

Notice severity

  • Packet socket created
  • PTRACE anti-debug
  • SSH Activity
  • Connect to kubernetes api

Info severity

  • Spawned processes with an interactive tty

Warning severity

  • Directory traversal
  • Sensitive file read activity
  • Netcat remote code execution
  • Search for private keys or passwords
  • Log file clearing
  • Remove data from disk
  • Create symlinks\hardlinks to sensitive files
  • Kernel module injection
  • Debugfs activity
  • PTRACE attached
  • Credential search activity
  • Execution from /dev/shm
  • Malicious binaries or script execution

Critical severity

  • Container escape attempts
  • Drop and execute new binary
  • Fileless execution using memfd_create
  • Crypto currency mining activity

Session Timeout - Console UI

The console UI will automatically sign out if inactive for 15 minutes. This timeout duration is the default setting (for PCI compliance) and can be modified.

This timeout setting (in seconds) can be adjusted from the Info page when clicking on the Org link from the left menu.


The permissions below are used to define policies together with one or more of the four principal types:

editModify orgview
execGrantees can execute all commands on the orgexec.echo
exec.echoGrantees can execute the echo command
grafanaAdminGrantees are made Admin in Grafana, otherwise the role ‘Viewer’ is assigned
manageFull accessedit, exec, exec.echo, grafanaAdmin, manage, readLogs, readMetrics, readUsage, view, viewAccessReport
readLogsGrantees can read logs from all workloadsview
readMetricsGrantees can access usage and performance metrics
readUsageGrantees can access usage and billing metrics
viewRead-only view: every org member can view their org
viewAccessReportGrantees can inspect the granted access report on all resources within the org

Access Report

Displays the permissions granted to principals for the Org.


To view the CLI documentation for an Org, click here.