• /
  • EnglishEspañolFrançais日本語한국어Português
  • Log inStart now

Fleet Control Security

Feature Availability

Fleet Control for Kubernetes clusters is generally available (GA). Support for managing agents on Linux and Windows hosts is currently in public preview.

For a complete list of supported agents and their environments, see our agent type compatibility documentation.

The public preview feature is provided pursuant to our pre-release policies.

Fleet Control and its underlying component, Agent Control, are designed with multi-layered security. This page provides an overview of the key security features that apply across all supported environments (Kubernetes clusters, Linux hosts, and Windows hosts).

Diagram showing the Kubernetes-based security architecture of Fleet Control, including the K8s cluster, optional proxy, and New Relic backend services.

Important: Securing Kubernetes Secrets at Rest

This applies to Kubernetes environments only. Kubernetes Secrets are only base64-encoded, which is not a form of encryption. To properly secure sensitive information like private keys, it is critical to ensure that your Kubernetes cluster's etcd datastore is encrypted at rest.

Secure connections and configuration integrity

To protect data in transit and prevent tampering, Fleet Control employs multiple layers of security for all communications.

  • TLS encryption: All communication between Agent Control and the New Relic backend, including the Fleet Control endpoint, is transmitted over secure, TLS-encrypted channels.

  • Cryptographic signing: In addition to TLS, all configurations delivered from Fleet Control to Agent Control are cryptographically signed by New Relic. Agent Control verifies this signature before applying any configuration, ensuring that only authentic and unmodified instructions are executed on your managed entities.

Authentication and authorization

Fleet Control uses distinct authentication mechanisms for its different components to ensure secure and appropriate access.

  • Agent Control authentication: The Agent Control component authenticates with the Fleet Control backend using system-level identities, such as a keypair and token or a client ID and secret. This ensures that only authorized instances of Agent Control can receive management instructions.

  • Agent authentication: The individual agents deployed by Fleet Control (like the Infrastructure agent or OTel collector) authenticate with the New Relic ingest endpoints using your standard New Relic license key.

  • User permissions: All user actions within the Fleet Control UI and API are governed by New Relic's role-based access control. To create or manage fleets, users need the Organization Manager role or a custom role with the equivalent fleet management permissions.

Secure configuration and secrets handling

Fleet Control and Agent Control are designed to ensure that sensitive data, such as passwords and API keys, are never exposed during configuration delivery or execution.

Configuration delivery security

When Fleet Control delivers configurations to Agent Control:

  • Zero Trust Transport: All network traffic is encrypted using TLS 1.2+
  • Secrets never in plain text: Configurations use placeholders or references instead of actual secret values
  • Runtime resolution: Secrets are resolved locally by Agent Control only when needed, never stored in configuration files
  • No network transmission: Secrets don't traverse the network in OpAMP payloads—only placeholder references are transmitted

Secrets management options

Agent Control supports multiple methods for securely managing sensitive data:

  • Environment variable expansion: The primary method, using shell-style placeholders that are resolved at runtime from environment variables
  • HashiCorp Vault integration: Native support for retrieving secrets from Vault (generally available)
  • Kubernetes Secrets: Direct integration with the Kubernetes API for secret retrieval

This multi-layered approach ensures that sensitive information remains secure throughout the configuration lifecycle, from delivery to execution.

For detailed configuration instructions and implementation examples, see the secrets management section in Agent Control configuration.

Proxy support

For environments with restricted network egress, Agent Control provides full support for system-level HTTP and HTTPS proxies. By configuring the standard HTTP_PROXY and HTTPS_PROXY environment variables on your hosts or within your Kubernetes cluster, all outbound communication from Agent Control will be securely routed through your specified proxy.

Access to public repositories

To simplify installation and reduce security friction, all components required for Fleet Control are hosted in public repositories.

  • Helm charts: The Helm charts for installing and managing Agent Control are hosted in a public New Relic repository on GitHub.

  • Container images: The container images for Agent Control and its managed agents are hosted on Docker Hub.

Copyright © 2026 New Relic Inc.
CareersTerms of ServiceDMCA PolicyPatent NoticePrivacy NoticeCookie PolicyUK Slavery Act

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.