KlusterAlert

Connecting Clusters

The KlusterAlert agent is installed from a lightweight Helm chart and runs inside your cluster. It connects outbound to the SpecLayer ingestion API, so no inbound firewall rules are required.

How the agent works

The agent runs as a single Deployment in the klusteralert namespace. It uses the Kubernetes Watch API to stream pod, node, and event changes. All traffic goes outbound over HTTPS to api.speclayer.net on port 443. No data is stored on the node — the agent is stateless.

Full Helm values reference

values.yaml
# Required
apiKey: ""                     # SpecLayer API key (use a Kubernetes secret instead)
clusterName: ""                # Display name for this cluster in the dashboard

# Optional
image:
  repository: speclayer/klusteralert-agent
  tag: ""                      # Defaults to chart appVersion
  pullPolicy: IfNotPresent

resources:
  requests:
    cpu: "50m"
    memory: "64Mi"
  limits:
    cpu: "200m"
    memory: "256Mi"

# Store the API key as a Kubernetes secret (recommended for production)
existingSecret: ""             # Name of existing Secret with SPECLAYER_API_KEY key

# Namespaces to watch (empty = watch all namespaces)
watchNamespaces: []
# watchNamespaces:
#   - production
#   - staging

# Node selector and tolerations for the agent pod
nodeSelector: {}
tolerations: []
affinity: {}

# Proxy configuration (if your cluster routes outbound through a proxy)
proxy:
  http: ""
  https: ""
  noProxy: ""

# Metrics server — expose Prometheus-compatible metrics from the agent
metrics:
  enabled: false
  port: 9090

Using a Kubernetes secret for the API key

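Avoid passing the API key directly via Helm values: values supplied with --set or a values file are stored with the Helm release and can be read back with helm get values. Instead, create a Kubernetes secret: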

kubectl create secret generic klusteralert-creds \
  --namespace klusteralert \
  --from-literal=SPECLAYER_API_KEY=your_key_here

Install referencing the secret
helm install klusteralert speclayer/klusteralert \
  --namespace klusteralert \
  --create-namespace \
  --set clusterName=production \
  --set existingSecret=klusteralert-creds

Multi-cluster setup

Install the Helm chart once per cluster. Each installation registers as a separate cluster in your KlusterAlert dashboard. Use a descriptive clusterName:

# Production cluster
helm install klusteralert speclayer/klusteralert \
  --namespace klusteralert --create-namespace \
  --set existingSecret=klusteralert-creds \
  --set clusterName=prod-eu-west-1 \
  --kube-context prod-context

# Staging cluster
helm install klusteralert speclayer/klusteralert \
  --namespace klusteralert --create-namespace \
  --set existingSecret=klusteralert-creds \
  --set clusterName=staging \
  --kube-context staging-context

RBAC requirements

The Helm chart automatically creates a ClusterRole with the following permissions:

ClusterRole (created by Helm chart)
rules:
  - apiGroups: [""]
    resources: [pods, nodes, events, namespaces]
    verbs: [get, list, watch]
  - apiGroups: ["apps"]
    resources: [deployments, daemonsets, statefulsets, replicasets]
    verbs: [get, list, watch]
  - apiGroups: ["batch"]
    resources: [jobs, cronjobs]
    verbs: [get, list, watch]
  - apiGroups: ["metrics.k8s.io"]
    resources: [pods, nodes]
    verbs: [get, list]

The agent never modifies any Kubernetes resources; all permissions are read-only. The metrics.k8s.io group requires the Kubernetes Metrics Server to be installed in your cluster for CPU/memory data.
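
One way to check the read-only claim on a live cluster, for example after a chart upgrade (an added example, not SpecLayer's own tooling): the script compares a ClusterRole exported as JSON against the rules listed above and reports every grant beyond them. The ClusterRole name is not given on this page, so `<clusterrole-name>` is a placeholder, and the two sample roles are constructed.

```python
import json
import sys

# (apiGroup, resources, verbs) exactly as listed in the RBAC section of this page.
DOCUMENTED_RULES = [
    ("", ["pods", "nodes", "events", "namespaces"], ["get", "list", "watch"]),
    ("apps", ["deployments", "daemonsets", "statefulsets", "replicasets"], ["get", "list", "watch"]),
    ("batch", ["jobs", "cronjobs"], ["get", "list", "watch"]),
    ("metrics.k8s.io", ["pods", "nodes"], ["get", "list"]),
]
ALLOWED = {(g, r): set(v) for g, res, v in DOCUMENTED_RULES for r in res}


def audit_cluster_role(role):
    """Return one finding per grant that exceeds the documented read-only set."""
    findings = []
    for rule in role.get("rules") or []:
        if rule.get("nonResourceURLs"):
            findings.append(f"non-resource URLs: {rule['nonResourceURLs']}")
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if "*" in (group, resource, verb):
                        findings.append(f"wildcard: {group!r} {resource} {verb}")
                    elif verb not in ALLOWED.get((group, resource), set()):
                        findings.append(f"undocumented: {group!r} {resource} {verb}")
    return findings


def make_role(rules):
    """Build a ClusterRole dict in the shape `kubectl get clusterrole -o json` returns."""
    return {"kind": "ClusterRole", "rules": rules}


# Constructed samples: one matching the documentation, one that has drifted.
SAMPLE_OK = make_role(
    [{"apiGroups": [g], "resources": res, "verbs": v} for g, res, v in DOCUMENTED_RULES]
)
SAMPLE_DRIFTED = make_role(SAMPLE_OK["rules"] + [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "delete"]},
    {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["list"]},
])

if __name__ == "__main__":
    # Usage: kubectl get clusterrole <clusterrole-name> -o json | python3 audit_role.py
    results = audit_cluster_role(json.load(sys.stdin))
    print("\n".join(results) or "ClusterRole matches the documented permissions")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds drift, so it can gate a deployment pipeline step that runs after helm upgrade.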

Upgrading the agent

helm repo update
helm upgrade klusteralert speclayer/klusteralert \
  --namespace klusteralert

Uninstalling

helm uninstall klusteralert --namespace klusteralert
kubectl delete namespace klusteralert