How does the read-only CAST AI agent work and what data can it read?

CAST AI
· 3 min read
CAST AI agent

Security is the backbone of CAST AI. After all, our founders have a strong background and years of experience in cybersecurity.

Still, to deliver you meaningful results we need minimal cluster access. We follow the principle of least privilege – the read-only agent does not get any access allowing it to change your cluster configuration or access sensitive data. 

You can jump to the part that interests you the most:

What data can the CAST AI read-only agent access?

The agent code is open-source, you can see it in our GitHub repository.

When you run the “connect your cluster” script for the first time, the following elements are created:

  • namespace/castai-agent 
  • serviceaccount/castai-agent
  • clusterrole.rbac.authorization.k8s.io/castai-agent 
  • clusterrolebinding.rbac.authorization.k8s.io/castai-agent 
  • role.rbac.authorization.k8s.io/castai-agent 
  • rolebinding.rbac.authorization.k8s.io/castai-agent 
  • secret/castai-agent 
  • configmap/castai-agent-autoscaler 
  • deployment.apps/castai-agent 

The content of the YAML file is available prior to executing the script so you can review it easily. 

During the process, only metadata about node workload configuration from the Kubernetes scheduler is sent over. Also, the agent accesses YAML files from a node configuration called Snapshots. 

Here’s what the CAST AI agent can read:

  • Main resources like nodes, pods, deployments, etc., required for running the Savings report
  • Environment Variables on pods, deployments, statefulsets, daemonsets. 

The CAST AI agent doesn’t have access to secrets, config maps, or Environment Variables. Environment Variables that are considered as sensitive by their name (passwords, tokens, keys, secrets) are removed before the resources are sent for analysis. 

How CAST AI handles sensitive data

CAST AI doesn’t access any sensitive data of its users. Regardless of which resources you are using in your Kubernetes cluster, there’s no way we can know its contents or access them. 

All we know is how much storage, memory, and CPU units are needed to run your cluster most efficiently. You can remove our agent and all its legacy resources any time you want.

Note: CAST AI is ISO-certified and we’re well underway to obtaining SOC 2 certification. 

How the CAST AI agent works step by step

Step 1: Connecting to the CAST AI Console

To see potential savings for your cluster, you need to deploy the CAST AI agent in your cluster using a read-only script.

To get started, you get to connect to the CAST AI Console via HTTPS. This process uses auth0.com as a secure authentication method and CloudFlare WAF to address TLS and DDoS.

The platform uses Identity Aware Proxy to establish a central authorization layer for all applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls. Finally, JWT (JSON Web Token) is used to pass the identity of the authenticated users between an identity provider and CAST AI.

Note: The CAST AI Console interacts with AWS EKS API (and APIs of other cloud providers) also via HTTPS (GET, CONNECT, PUT, TRACE).

Step 2: Run the Savings report

Once you connect to the Console, you can run the analysis and see how much you could save up on your cluster. Here’s an example:

You can now continue connecting your cluster here and start saving.

Have a question we didn’t cover?

Read more about data and security in CAST AI, book a demo, ask on our community Slack, Discord, or message us directly via the website chat.

Leave a reply

0 Comments
Inline Feedbacks
View all comments