Validation clusters per request
Each submitted request can get its own vcluster. Requesters deploy there first; reviewers use kubeconfig access to inspect resources and validate the workload before approval.
AI workload validation before production
Foyre gives IT, platform, and security teams a self-hosted review path for AI workloads. Requesters deploy into an isolated per-request vcluster; admins run configurable validation pipelines before anything is accepted into production.
Connect your own Kubernetes cluster, let Foyre create vcluster environments, and define validation pipelines for inventory, Kubernetes security, image scanning, policy checks, and custom review steps.
Chatbots, RAG services, agents, and inference APIs show up from every direction. Foyre gives IT departments one place to capture the request, score the risk, create a vcluster sandbox, and run validation pipelines against the deployed app before production approval.
Surprises after the fact
External model APIs, regulated data, vector stores, agent actions, GPU needs, and internet egress are captured before the app is reviewed for production.
Reviews without proof
A ticket cannot show pods, services, image names, security settings, scan results, or policy findings. A Foyre validation run can.
Shadow paths
Without a clear front door, teams route around IT. Foyre records the request, risk score, vcluster events, and review state in one request history.
A requester fills out the AI workload form, Foyre classifies risk with human-readable reasons, the requester deploys into a per-request vcluster, and IT runs configurable validation pipelines to turn the live deployment into review evidence.
The requester documents owners, workload type, data classification, external model APIs, vector databases, agent actions, GPU needs, and egress.
Foyre provisions a per-request vcluster on your host Kubernetes cluster and gives the requester scoped access.
Where Foyre differs
The requester deploys the app with kubectl
or Helm. Reviewers run admin-defined validation pipelines against what is actually running.
Pipeline results, findings, artifacts, and approval gates help reviewers approve, reject, or send the request back with a clear reason.
Requester
Intake +risk score
Isolatedvcluster
Approvedor rejected
Key platform feature
Foyre is not just an intake queue. Every request can get its own vcluster, and admins decide which checks must run against that live deployment before reviewers accept it into production.
Deploy the real app into a scoped vcluster. No guessing from a form; reviewers can inspect what actually runs.
Configure reusable pipelines for inventory, Kubernetes posture, image scans, policy checks, and custom logic.
Review pass, warning, and failed checks with findings and evidence artifacts attached to the request.
Block approval on failed validation, allow reasoned overrides, and keep the decision history in one place.
These are the product surfaces Foyre uses to turn an AI app request into a validated Kubernetes deployment.
Each submitted request can get its own vcluster. Requesters deploy there first; reviewers use kubeconfig access to inspect resources and validate the workload before approval.
Admins define reusable checks in YAML: workload inventory, Kubernetes security, image scans, organization policy, inline scripts, or custom containers.
Conditional fields ask about the AI details IT needs: model APIs, enterprise data, vector stores, agent actions, GPU requirements, and internet egress.
Regulated data plus an external model API rates higher. Agents taking user actions rate higher. Missing answers become unknown until the requester fills them in.
Requesters submit and deploy. Admins configure pipelines. Reviewers inspect evidence and decide. Statuses keep the handoff explicit.
Every request keeps comments, status changes, risk evaluations, vcluster events, validation runs, overrides, and teardown events tied to the acting user.
Bcrypt-backed passwords, rotation for admin-created accounts, Fernet-encrypted kubeconfigs at rest, SQLite out of the box with a path to Postgres when you need it.
Tutorials
These walkthroughs will take new users through the full path: deploy Foyre, connect validation infrastructure, submit a workload, prove it in a sandbox, and make a review decision with history attached.
Deploy the application, set required secrets, create the first admin, and confirm the UI is reachable.
Prepare a host cluster, configure RBAC, and connect validation infrastructure to the Foyre admin area.
Fill in the intake form, submit the request, and understand the risk score, validation cluster, and review flow.
Provision an isolated vcluster, download the kubeconfig, deploy your app, and mark it ready for review.
Run checks, author pipeline YAML, automate with the API, and extend validation with custom or built-in steps.
Mid-sized and larger organizations that already take AI seriously—and want one disciplined door before production.
Foyre is internal tooling you self-host—not a consumer app and not a hosted SaaS. Today you sign in with local accounts (LDAP, AD, and OIDC are future extension points, not shipped yet). There are no native integrations for ServiceNow, Jira, Slack, email, or Teams; plan to bridge those yourself if you need them.
Each deployment is aimed at one organization. Backup and DR are whatever you already practice for SQLite or Postgres.
Apache 2.0 means you can run, inspect, and adapt Foyre without a vendor in the middle. Intake data, credentials, and validation clusters stay inside the boundaries you already trust.
Install Foyre into a Kubernetes cluster in a few commands. This quick path uses SQLite and is intended for demos and evaluation. Use Postgres for shared, long-running, or production-style deployments.
helm repo add foyre https://foyre.github.io/foyre/
helm repo update
helm install foyre foyre/foyre \
--namespace foyre \
--create-namespace \
--set seed.admin.password='change-me' \
--set postgresql.enabled=false \
--wait
Evaluation install
This installs Foyre with SQLite. Change the admin password after login, and use Postgres before sharing the environment with a team.
For a local evaluation, port-forward the service and open Foyre in your browser.
kubectl port-forward svc/foyre 8080:80 -n foyre
Then open http://localhost:8080. Initial login:
admin /
change-me.
APP_SECRET_KEY. Requester kubeconfigs are shown once when minted—handle them like any other secret.