SRExpert Agent
The SRExpert Agent is a lightweight open-source component that runs inside your Kubernetes cluster and connects it to SRExpert. It is the preferred way to onboard clusters — especially those behind firewalls, NAT, or private networks.
Why an Agent
Most monitoring platforms require you to expose your Kubernetes API to the internet, configure VPN tunnels, or open inbound firewall rules. The SRExpert Agent avoids all of that:
- Zero firewall rules — the agent only needs outbound HTTPS (port 443)
- Your API is never exposed — SRExpert does not reach into your cluster, the cluster reaches out
- Works anywhere — corporate firewalls, NAT, cloud VPCs, air-gapped with HTTPS proxy
- One-line install — a single `curl | kubectl apply` command
Architecture
The agent installs as a DaemonSet in the srexpert-system namespace. One pod per node is deployed; leader election (via a Kubernetes Lease) picks a single active pod at any time. Only the active pod performs work — the others stand by for failover.
When it starts, the active pod opens an outbound WebSocket to your SRExpert instance and keeps it alive. SRExpert uses this reverse tunnel to:
- Collect cluster state, metrics, and events
- Run security scans and policy checks
- Execute actions you explicitly request from the UI (scale workloads, apply Helm charts, etc.)
If the tunnel drops, the agent reconnects automatically with exponential backoff.
What Gets Installed
| Resource | Namespace | Purpose |
|---|---|---|
| Namespace | srexpert-system | Isolated namespace for all agent resources |
| ServiceAccount | srexpert-system/srexpert-agent | Identity for the agent |
| ClusterRole | srexpert-agent | Explicit permission allow-list |
| ClusterRoleBinding | srexpert-agent | Binds the ClusterRole to the ServiceAccount |
| Secret | srexpert-system/srexpert-agent-secret | Registration token |
| ConfigMap | srexpert-system/srexpert-agent-config | Backend URL, tuning knobs |
| DaemonSet | srexpert-system/srexpert-agent | The agent itself (one pod per node) |
Nothing else is created. System namespaces (kube-system, kube-public) are never modified — only read for monitoring purposes.
Complete audit of what the agent can and cannot do: see Permissions & Trust.
Security by Default
The agent container runs with a hardened security context:
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- runAsNonRoot: true
- All Linux capabilities dropped
These are enforced at the Pod level and cannot be bypassed from inside the container.
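To confirm the settings listed above on a live cluster, this added example (not part of the SRExpert documentation or chart) audits a DaemonSet manifest as returned by `kubectl get daemonset srexpert-agent -n srexpert-system -o json`. The function names, the constructed sample manifests and the container name `agent` are assumptions made for illustration.

```python
import json
import sys

# Container settings listed in this section.
REQUIRED = {"readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True}

def audit_security_context(daemonset):
    """Return one finding per listed setting that is missing or weaker."""
    spec = daemonset["spec"]["template"]["spec"]
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        ctx = c.get("securityContext") or {}
        for key, want in REQUIRED.items():
            got = ctx.get(key)
            # Only runAsNonRoot can be inherited from the pod-level context;
            # the other two fields exist on containers only.
            if got is None and key == "runAsNonRoot":
                got = pod_ctx.get(key)
            if got is not want:
                findings.append(f"{c['name']}: {key} is {got!r}, expected {want!r}")
        caps = ctx.get("capabilities") or {}
        if "ALL" not in {d.upper() for d in caps.get("drop") or []}:
            findings.append(f"{c['name']}: capabilities.drop does not include ALL")
        if caps.get("add"):
            findings.append(f"{c['name']}: capabilities added back: {sorted(caps['add'])}")
    return findings

def sample_daemonset(container_ctx, pod_ctx=None):
    """Build a minimal constructed DaemonSet (hypothetical container name)."""
    return {"kind": "DaemonSet", "spec": {"template": {"spec": {
        "securityContext": pod_ctx,
        "containers": [{"name": "agent", "securityContext": container_ctx}]}}}}

# Constructed samples, not output of the real chart.
HARDENED = sample_daemonset(
    {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
     "capabilities": {"drop": ["ALL"]}}, pod_ctx={"runAsNonRoot": True})
DRIFTED = sample_daemonset(
    {"readOnlyRootFilesystem": True, "runAsNonRoot": True,
     "capabilities": {"drop": ["NET_RAW"], "add": ["NET_ADMIN"]}})

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output to audit a real cluster.
    docs = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [HARDENED, DRIFTED]
    for doc in docs:
        print(audit_security_context(doc) or "all listed settings present")
```

An empty result means every container and init container in the manifest carries the listed settings; any finding indicates the deployed spec has drifted from them.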
Installing the Agent
The agent is installed automatically when you add a cluster using the Generic Kubernetes import method. See Add Cluster for the full flow.
If you prefer Helm directly, the chart is open source and published in the SRExpert Helm repository.
Uninstalling the Agent
Remove the agent and every permission it had with a single command:
```
kubectl delete namespace srexpert-system
```

This cleans up the DaemonSet, ServiceAccount, ClusterRoleBinding, Secret, and ConfigMap. The ClusterRole is also removed (it’s cluster-scoped but owned by the Helm release). No residual resources or permissions are left behind.
Next Steps
- Permissions & Trust — Full audit of the agent’s RBAC
- Add Cluster — Install the agent on your cluster
- Troubleshooting — Common agent issues