
Architecture

How ops0 works under the hood.


Platform Overview

ops0 Platform
• Web UI
• AI Engine
• Workflows
• IaC Runtime
• Policies
• State Storage

Integrations
• AWS / GCP / Azure
• GitHub / GitLab
• Kubernetes

Core Components

Web UI & Editor
• Monaco-based code editor
• Real-time resource graph
• Visual workflow builder
AI Engine
• Code authoring from natural language
• Incident analysis & root cause
• Infrastructure Q&A
IaC Runtime
• Terraform, OpenTofu, Oxid (Pulumi upcoming)
• Isolated container execution
• Scoped credentials per run
Policy Engine
• OPA (Open Policy Agent)
• Rego policy language
• Pre-deployment validation

Policy Evaluation Flow

Terraform Plan → JSON → OPA + Rego → Pass / Fail

State Storage

• Encrypted: AES-256
• Versioned: Full history
• Locked: No conflicts
• Backed up: Daily

Integrations

Cloud Providers

AWS
• IAM Role + cross-account trust
• No stored credentials
GCP
• Workload Identity Federation
• Short-lived tokens
Azure
• Service Principal + OIDC
• Federated credentials

Kubernetes (Hive Agent)

Your Kubernetes Cluster
Your Pods
Hive Agent
• Watches pods, nodes, events
• Collects logs on demand
• Detects incidents
↓ TLS (outbound only)
ops0 Platform

• Outbound only
• Read-only access
• Namespace scoped
• No persistent storage

Git Providers

GitHub / GitLab
← Webhooks (PR, push)
→ Clone, comments, checks
ops0

Security

• TLS 1.3 in transit
• AES-256 at rest
• Short-lived tokens
• Isolated containers

Access Control

• SSO: SAML, OIDC
• RBAC: Role-based
• MFA: Enforced
• Audit: Full logs

Deployment Options

SaaS
• Hosted at brew.ops0.ai
• Managed infrastructure
• Automatic updates
Single-Tenant
• Dedicated instance
• Custom domain
• Enhanced isolation
Self-Hosted
• Your environment
• Full data sovereignty
• Air-gapped option
Available for Enterprise customers
Self-Hosted and Enterprise

Self-hosted and single-tenant deployments are available for Enterprise customers. These options include full data sovereignty, air-gapped environments, custom domains, and dedicated support. Contact sales to learn more about Enterprise deployment options.

