About the read-only agent

CAST AI provides cluster-specific savings recommendations and cost monitoring within minutes from connecting your Kubernetes cluster.

To do so, it uses a read-only agent that connects, reads, and analyzes your setup. This article describes how the CAST AI agent works, where to find it, and how to use it.

What is the CAST AI agent, and where to find it?

The CAST AI agent is a component that connects your Kubernetes cluster to our platform to enable automation, cost monitoring, and optimization features.

It is read-only and follows the principle of least privilege. That means its access to your data is strictly limited, and it can’t change your cluster configuration without your explicit permission.

The agent code is open-source. You can see it in CAST AI's GitHub repository. In addition, the team regularly releases updates of the agent.

You can remove the CAST AI agent and all its resources at anytime.

What data can the CAST AI read-only agent access?

The agent needs minimal cluster access to deliver meaningful insights. Once connected, it gathers information on how much storage, memory, and CPU units your cluster needs to run efficiently.

Here are the things the agent can access:

  • Main resources such as nodes, pods, and deployments required for running the Available Savings Report.
  • Environment Variables: pods, deployments, stateful sets, daemon sets.

How CAST AI handles sensitive data

CAST AI doesn’t access any sensitive data of the user. This means that:

  • It doesn’t have access to secrets, config maps, or sensitive environment variables (e.g. containing secrets).
  • Before starting the analysis process, it removes environment variables considered sensitive by their name (passwords, tokens, keys, secrets).

No matter the type of resources your Kubernetes cluster stores, the agent can’t see its contents or access them.

Note: CAST AI is ISO 27001-certified and holds the SOC 2 Type II certification.

How the agent works and how to use it

Step 1: Connect your cluster to CAST AI

First, you need to deploy the agent in your cluster. Start by connecting to the CAST AI Console via HTTPS. This process uses auth0.com as a secure authentication method and CloudFlare for DDoS protection.

The platform uses Identity Aware Proxy to establish a central authorization layer for all applications accessed by HTTPS. That’s why you can use an application-level access control model instead of network-level firewalls.

Finally, JWT (JSON Web Token) enables passing the identity of the authenticated users between an identity provider and CAST AI.



When you connect your cluster for the first time, the agent will create the following elements:

  • namespace/castai-agent
  • serviceaccount/castai-agent
  • clusterrole.rbac.authorization.k8s.io/castai-agent
  • clusterrolebinding.rbac.authorization.k8s.io/castai-agent
  • role.rbac.authorization.k8s.io/castai-agent
  • rolebinding.rbac.authorization.k8s.io/castai-agent
  • secret/castai-agent
  • configmap/castai-agent-autoscaler
  • deployment.apps/castai-agent

The content of the YAML file is available before the execution of the script so that you can review it easily.

Only metadata about node workload configuration from the Kubernetes scheduler during the process is sent over. Also, the agent accesses YAML files from a node configuration called Snapshots.

Step 2: Run the Available Savings Report

Once you connect your cluster to the CAST AI Console, the platform can analyze your setup and provide insights – check the Available Saving report.

If you are happy with the recommendations, you can implement them automatically. Find out more about Rebalancing.

Step 3: View your cost monitoring and security insights

Once you connect your cluster, you also get free access to the cost monitoring feature and container security report.

What’s Next

Find out more about what you can do with CAST AI.