About the read-only agent

The CAST AI read-only agent is a crucial component that connects your Kubernetes cluster to our platform, enabling powerful automation, cost monitoring, and optimization features. This guide explains what the agent is, how it works, and why it's essential for reaping the benefits of CAST AI.

What is the CAST AI agent?

The CAST AI agent is a lightweight, open-source component that securely connects your Kubernetes cluster to our platform. Its primary functions are:

  • Collecting essential cluster data for analysis
  • Enabling real-time cost monitoring
  • Facilitating automated optimization recommendations

Key features of the agent:

  • Read-only access: The agent follows the principle of least privilege, ensuring it can't modify your cluster configuration without explicit permission.
  • Open-source: The agent's code is publicly available on CAST AI's GitHub repository, promoting transparency and allowing for community review.
  • Regularly updated: Our team continuously improves the agent, releasing updates to enhance performance and security.
  • Easily removable: You can uninstall the agent and remove all associated resources at any time.

What data can the CAST AI read-only agent access?

The agent needs minimal cluster access to deliver meaningful insights. Once connected, it gathers information on how much storage, memory, and CPU units your cluster needs to run efficiently.

Here are the things the agent can access:

  • Main resources such as nodes, pods, and deployments required for running the Available Savings Report.
  • Environment Variables: pods, deployments, stateful sets, daemon sets.

How CAST AI handles sensitive data

CAST AI is committed to maintaining the highest standards of data security:

  • No access to secrets: The agent cannot access secrets, config maps, or sensitive environment variables.
  • Automatic filtering: Before analysis, we automatically remove environment variables that may contain sensitive information (e.g., passwords, tokens, keys).
  • Encrypted transmission: All data is transmitted using secure, encrypted connections.
  • Compliance certifications: CAST AI is ISO 27001-certified and holds SOC 2 Type II certification, demonstrating our commitment to robust security practices.

How the agent works and how to use it

Step 1: Connect your cluster to CAST AI

First, you need to deploy the agent in your cluster. Start by connecting to the CAST AI Console via HTTPS. This process uses auth0.com as a secure authentication method and CloudFlare for DDoS protection.

The platform uses Identity Aware Proxy to establish a central authorization layer for all applications accessed by HTTPS. This allows you to use an application-level access control model instead of network-level firewalls.

Finally, (JWT) (JSON Web Token) enables an identity provider to pass the identities of authenticated users to CAST AI.

Agent deployment

When you connect your cluster, the agent creates several Kubernetes resources:

  • Namespace: castai-agent
  • Service account, roles, and role bindings
  • Deployments: castai-agent and castai-agent-cpvpa



You can review the YAML file contents before executing the script to understand exactly what will be deployed in your cluster for full transparency.

This is the full list of resources that will be created when you connect the agent to your cluster for the first time:

  • namespace/castai-agent
  • serviceaccount/castai-agent
  • clusterrole.rbac.authorization.k8s.io/castai-agent
  • clusterrolebinding.rbac.authorization.k8s.io/castai-agent
  • role.rbac.authorization.k8s.io/castai-agent
  • rolebinding.rbac.authorization.k8s.io/castai-agent
  • secret/castai-agent
  • configmap/castai-agent-autoscaler
  • deployment.apps/castai-agent
  • deployment.apps/castai-agent-cpvpa

Only metadata about node workload configuration from the Kubernetes scheduler during the process is sent over. Also, the agent accesses YAML files from a node configuration called Snapshots.

Step 2: Run the Available Savings Report

Once you connect your cluster to the CAST AI Console, the platform can analyze your setup and provide insights – check the Available Saving report.

If you are happy with the recommendations, you can implement them automatically. Find out more about Rebalancing.

Step 3: View your cost monitoring and security insights

Once you connect your cluster, you also get free access to the cost monitoring feature and container security report. These tools provide valuable insights into your cluster's performance and security posture.

What’s Next

Find out more about what you can do with CAST AI.