The Open Source Next-Gen Platform for Zero Trust Resource Access

Zero Trust Network Access (ZTNA) Platform
Zero-Config Client-based Access For Humans and Workloads to all your Internal Resources Across All Clouds
A Modern, Self-Hosted, Scalable, FOSS Zero Trust Architecture for Developers, Teams and Enterprises to Provide Secure Secret-less Access with Identity-based Context/Layer-7 Aware Access Control and Visibility for both Humans and Workloads to Dynamic Internal Resources, Microservices, AI Workloads and Publicly Protected SaaS Resources
Octelium is Free and Open Source Software
A Modern, Scalable, Unified Zero Trust Architecture for Secure Access
Zero Trust Network Access (ZTNA)
Modern Remote Access VPN
Unified BeyondCorp Architecture
Secure Tunnels and Reverse Proxy
Zero Trust for SaaS APIs
AI Gateway
API Gateway
Zero Trust SSH
Zero-Trust Kubernetes Access
Zero-Trust Database Access
Self-Hosted Scalable PaaS
Model Context Protocol (MCP) Gateway
Self-Hosted Homelab
Authentication
Integrate with OpenID Connect and SAML Identity Providers (IdPs)
Authorization
Scalable, Composable Policy-as-Code with CEL and OPA (Open Policy Agent)
Access
Unified Access Platform for Humans and Workloads
Visibility
OpenTelemetry-ready Visibility in Real-Time
Architecture
A Multi-Mode, Unified Zero Trust Architecture for ZTNA
Seamless Secret-less Access that Eliminates Sharing Layer-7 Credentials
Eliminate the need to expose, manage and share long-lived and over-privileged Layer-7 credentials such as API keys, TLS/SSH private keys and passwords
Seamlessly provide secret-less access to protected HTTP-based resources, SSH servers, Kubernetes clusters, PostgreSQL and MySQL databases, as well as any resource protected by mTLS
Dynamic, Application-layer Aware, Per-Request Access Control
Per-Request, Dynamic, Identity-based, Context-aware Access Control using ABAC and Policy-as-Code via CEL and Open Policy Agent (OPA)
Application-layer (L7) aware Access Control via Scalable Identity-aware Proxies (IAPs) and Policy Decision Points (PDPs) instead of at Layer-3 as in VPNs to Provide Dynamic Least Privilege Access
Dynamic, Identity-based, Context-aware Routing to Upstreams and their Resource-level Credentials on a Per-Request Basis via Policy-as-Code
Zero-Standing Privileges. No Superusers. All Permissions can be Dynamically Limited by Time and Context.
Much More than just Another Secure Remote Access Solution
Centralized, Declarative and Programmable Management
OpenTelemetry-ready, Application-layer Aware, Structured Access Logs and Audit Metrics Pushed to your OTLP Receiver in Real-Time
Built on top of Kubernetes for Seamless Horizontal Scaling and Availability
Effortless, Password-less, Serverless SSH Access to Hosts with no SSH Servers such as Containers and IoT Devices
Eliminate VPN Routing Problems at Scale. Eliminate the Need for NAT64. Unified Automatic Private DNS Server using Your Own Domain.
A Scalable PaaS for Deployment and Hosting, Too
Effortlessly Deploy, Scale and Secure Access to your Containerized Applications like a PaaS
Use Octelium as a Self-Hosted, Scalable PaaS/Hosting Platform to Provide Secure as well as Anonymous Public Access over the Public Internet to your Web Applications and APIs
Provide Secure, Client-less BeyondCorp Access to your Web Applications for Humans using only their Browsers, and to all your HTTP, gRPC and Kubernetes APIs for Workloads using only Standard OAuth2 Client Credentials
Continuous, Strong Authentication
Seamless Integration with any OpenID Connect and SAML 2.0 SSO Identity Provider (IdP)
OAuth2 Client-Credentials flow for Seamless Client-less BeyondCorp Access for Workloads Written in any Programming Language without having to use Clients or special SDKs
Secret-less OIDC Assertion-based Authentication for Workloads that eliminates Authentication Token Management and Distribution at Scale
Per-User Re-Authentication Periods. Immediately deactivate/delete Sessions and Users without having to wait for mTLS/Access Token Expiry. Integrate Your IdP and Control Access to Sensitive Resources based on NIST SP 800-63 Authenticator Assurance Levels to Force Using Strong MFA via FIDO2 Passkeys/WebAuthn and Phishing Resistant Security Keys.