How Does the Read-Only CAST AI Agent Work and What Data Can It Read?

Security is the backbone of CAST AI. After all, our founders have a strong background and years of experience in cybersecurity.


Still, to deliver meaningful results we need some cluster access, and we keep it minimal. We follow the principle of least privilege: the read-only agent gets no permission that would let it change your cluster configuration or read sensitive data.

The agent analyzes your setup to prepare the Available Savings Report. Read on to learn how it works and how it affects your cluster, and consult its documentation at any point for the details.

What data can the CAST AI read-only agent access?

The agent's code is open source; you can inspect it in our GitHub repository.

When you run the "connect your cluster" script for the first time, the following objects are created:

  • namespace/castai-agent 
  • serviceaccount/castai-agent
  • clusterrole.rbac.authorization.k8s.io/castai-agent 
  • clusterrolebinding.rbac.authorization.k8s.io/castai-agent 
  • role.rbac.authorization.k8s.io/castai-agent 
  • rolebinding.rbac.authorization.k8s.io/castai-agent 
  • secret/castai-agent 
  • configmap/castai-agent-autoscaler 
  • deployment.apps/castai-agent 

The YAML the script applies is available before you execute it, so you can review it first; the ClusterRole and Role, which define exactly which API verbs and resources the agent gets, are the parts worth a close look.

During the analysis, only metadata about node and workload configuration, as seen by the Kubernetes scheduler, is sent over. The agent also reads the YAML of that node configuration, collected as snapshots.

Here’s what the CAST AI agent can read:

  • Main resources like nodes, pods, deployments, etc., required for running the Savings Report.
  • Environment variables on pods, deployments, statefulsets, and daemonsets.

The agent has no access to Secrets or ConfigMaps (the secret/castai-agent and configmap/castai-agent-autoscaler objects listed above are the agent's own, created by the connect script in its own namespace), and it does not send sensitive environment variables. CAST AI strips values that look like passwords, tokens, keys, or secrets before it starts analyzing your resources.
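To make the scrubbing step concrete, here is an added example of that technique. It is not the CAST AI agent's code, and the name and value patterns it uses are an assumption for illustration, not the agent's actual rule set. It takes a Kubernetes container spec, redacts literal values whose variable name or value shape suggests a credential, and also blanks references to Secrets (`secretKeyRef`, `secretRef`), since even the name of a secret is information the analysis does not need. The container spec is constructed inline.

```python
"""Redact sensitive environment variables from a Kubernetes container spec
before it leaves the cluster.

Added example of the scrubbing technique, not the CAST AI agent's code. The
regexes are an assumed, deliberately over-inclusive rule set, not the agent's.
"""
import copy
import re
from typing import Any, Dict

# Name fragments typical of credential-bearing variables (assumed list; prefer
# false positives over leaking a value).
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL|AUTH)", re.I)
# Value shapes that look like credentials even when the name is innocuous
# (assumed: AWS-style access key id, PEM header).
SENSITIVE_VALUE = re.compile(r"^(AKIA[0-9A-Z]{16}|-----BEGIN )")
REDACTED = "[REDACTED]"


def redact_env(container: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `container` with sensitive env values removed.

    Image, names and resource requests are kept: that is what a sizing analysis
    needs. Literal credentials and references to Secrets are not.
    """
    out = copy.deepcopy(container)  # never mutate the caller's spec
    for env in out.get("env", []):
        if "valueFrom" in env:
            # The value itself is never in the spec, but the reference names the
            # Secret; keep fieldRef/configMapKeyRef, blank secretKeyRef.
            if "secretKeyRef" in env["valueFrom"]:
                env["valueFrom"] = {"secretKeyRef": REDACTED}
            continue
        value = env.get("value", "")
        if SENSITIVE_NAME.search(env["name"]) or SENSITIVE_VALUE.match(value):
            env["value"] = REDACTED
    # envFrom pulls every key of a Secret into the environment; keep only the
    # fact that such a source exists.
    out["envFrom"] = [
        {"secretRef": REDACTED} if "secretRef" in src else src
        for src in out.get("envFrom", [])
    ]
    return out


# Constructed sample container spec (not from a real cluster).
CONSTRUCTED_CONTAINER: Dict[str, Any] = {
    "name": "api",
    "image": "example/api:1.2",
    "resources": {"requests": {"cpu": "500m", "memory": "256Mi"}},
    "env": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "DB_PASSWORD", "value": "hunter2"},
        # innocuous name, credential-shaped value (constructed, not a real key)
        {"name": "UPLOAD_BUCKET_KEY", "value": "AKIAIOSFODNN7EXAMPLE"},
        {"name": "DB_HOST", "valueFrom": {"secretKeyRef": {"name": "db", "key": "host"}}},
        {"name": "POD_IP", "valueFrom": {"fieldRef": {"fieldPath": "status.podIP"}}},
    ],
    "envFrom": [{"secretRef": {"name": "app-secrets"}},
                {"configMapRef": {"name": "app-config"}}],
}

if __name__ == "__main__":
    for entry in redact_env(CONSTRUCTED_CONTAINER)["env"]:
        print(entry)
```

Two design points matter here. The copy is made up front so the original spec the agent holds in memory is never altered, and the value-shape check runs even when the name looks harmless, because naming conventions are the weakest signal: a credential in `UPLOAD_BUCKET_KEY` is still a credential.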

How CAST AI handles sensitive data

CAST AI does not access its users' sensitive data. Whatever workloads you run in your Kubernetes cluster, the agent never reads their data or the contents of your Secrets, so we have no way of seeing them.

All we learn is how much storage, memory, and CPU your workloads request, which is what the analysis needs to size your cluster efficiently. You can remove the agent and every object it created at any time.

Note: CAST AI is ISO-certified and holds the SOC 2 Type II certification.

How the CAST AI agent works step by step

Step 1: Connecting to the CAST AI Console

To see potential savings for your cluster, you deploy the CAST AI agent into it with the connect script, which grants it only the read-only permissions described above.

To get started, you connect to the CAST AI Console over HTTPS. Authentication is handled by auth0.com, and Cloudflare WAF sits in front of the Console for TLS termination and DDoS protection.

The platform uses an Identity-Aware Proxy as a central authorization layer for all applications accessed over HTTPS, so access control is enforced at the application level rather than by network-level firewalls. A JWT (JSON Web Token) carries the authenticated user's identity between the identity provider and CAST AI.

Note: The CAST AI Console also talks to the AWS EKS API (and the APIs of other cloud providers) over HTTPS (GET, CONNECT, PUT, TRACE).

Step 2: Run the Savings Report

Once you are connected to the Console, you can run the analysis and see how much you could save on your cluster. Here's an example:

You can now continue connecting your cluster here and start saving.

Have a question we didn’t cover?

Read more about data and security in CAST AI, book a demo, ask on our community Slack, Discord, or message us directly via the website chat.
