Skip to main content
AgentEye is a self-hosted observability and evaluation platform for AI and LLM agents. It captures agent sessions, tool calls, model requests, and errors, turns them into searchable analytics and evaluations, and surfaces the results in a dashboard with an optional read-only AI assistant. In the managed deployment model, you provide a dedicated Kubernetes cluster and Exosphere runs the full platform inside it, deploying, configuring, operating, backing up, and upgrading every component on your behalf. Your team gets the platform’s value (agent visibility, analytics, evaluation, and the optional assistant) without operating databases, certificates, or upgrades. All data stays within your cloud account.

Prerequisites

  • A GitHub PAT for pulling container images and downloading artifacts (see GitHub Token Setup)
  • A dedicated Kubernetes cluster (see requirements below)
  • A storage bucket for database backups
  • Network connectivity: port 443 inbound to the cluster’s load balancer

Step 1: Provision a Dedicated Kubernetes Cluster

Create a Kubernetes cluster dedicated to AgentEye. It should not be shared with other workloads, so the full platform (application services, databases, analytics, and caching) runs in isolation without impacting your existing infrastructure.
RequirementDetails
DistributionAny conformant Kubernetes: EKS, GKE, AKS, or self-managed
Version1.27 or later
Node poolMinimum: 3 nodes, 4 vCPU / 8 GB RAM each (standard general-purpose instances)
StorageA default StorageClass that provisions block volumes (e.g. gp3 on AWS, pd-ssd on GCP)
Load BalancerThe cluster must be able to provision cloud LoadBalancer services (default on EKS, GKE, AKS)
Exosphere installs and manages everything else inside the cluster: ingress controllers, TLS certificates, databases, caching, monitoring, and all application deployments.

Step 2: Grant Access to the AgentEye Team

Exosphere needs cluster-admin access (or equivalent broad RBAC) to manage namespaces, custom resource definitions, ingress controllers, and storage provisioners.
RequirementDetails
Access methodIAM role (preferred for EKS/GKE), kubeconfig, or SSO-based access
VPN / bastionIf the Kubernetes API server is private, provide VPN credentials or bastion access for the Exosphere operations team

Step 3: Configure Network Connectivity

Your network team needs to allow inbound traffic on port 443 to the cluster’s load balancers. The deployment runs two separate load balancers: one for event ingestion (mTLS-protected) and one for the dashboard:
TrafficSourceDestinationSecurity
Event ingestionCollector pods in your clustersIngest LoadBalancer, port 443mTLS (client certificate) + API key
DashboardDeveloper browsersDashboard LoadBalancer, port 443HTTPS on your domain, passwordless email OTP sign-in
The ingest endpoint is protected by mutual TLS; collectors must present a valid client certificate and a valid API key on every request. The dashboard runs on its own load balancer and hostname, with sign-in restricted to your allowlisted email addresses/domains. DNS records (one-time): you create two CNAME records under a domain you control — one for the ingest endpoint and one for the dashboard (e.g. agenteye.your-company.example) — pointing at the load balancer hostnames Exosphere provides. Exosphere then provisions publicly-trusted TLS certificates for both hostnames automatically, including renewals.
Port 80 note: automated certificate issuance and renewal validate over HTTP on port 80 of each load balancer. If your security posture requires restricting the dashboard load balancer to corporate IP ranges, tell Exosphere first — we switch certificate validation to a DNS-based method (one extra DNS record on your side) so renewals keep working behind the restriction.
Outbound: Cluster nodes need internet access to pull container images from ghcr.io. If your network restricts outbound traffic, allowlist ghcr.io or mirror images to your internal registry.

Step 4: Provide a Backup Storage Bucket

Database backups are stored in a cloud storage bucket that you own.
RequirementDetails
ServiceS3 (AWS), GCS (GCP), or Azure Blob Storage
AccessGrant write access to the cluster’s nodes via IAM role for service accounts (IRSA on EKS, Workload Identity on GKE) or provide credentials
RetentionYou control the bucket’s lifecycle policy (retention period, archival rules). Exosphere writes backups; you decide how long to keep them
A single daily backup dumps both PostgreSQL (relational state) and ClickHouse (events and evaluations) into one compressed archive and uploads it to your bucket. Backups also run before every upgrade.

Step 5: Designate a Point of Contact

Provide one person or Slack/Teams channel on your side for cluster-level issues: node health, cloud account limits, network changes. Day-to-day operations do not involve this contact.

What We Deploy

Once Exosphere has cluster access, the following components are deployed and managed for you:
ComponentRole
AgentEye ServerHTTP API that receives events from collectors, runs analytics, and serves data to the dashboard
DashboardWeb interface for viewing agent sessions, tool calls, model requests, and errors; hosts the optional read-only AI assistant
ClickHouseRequired canonical store for ingested events, analytics, and evaluations
PostgreSQLRelational store for organizations, API keys, users, dashboards, and saved queries
RedisOptional shared cache and rate-limit backend; the platform degrades gracefully if it is unavailable
AI assistant (optional)Internal read-only assistant container; stays disabled until an LLM endpoint is configured
Ingress controllersTwo load balancers (one for mTLS-protected ingest, one for the dashboard) terminating TLS with publicly-trusted, auto-renewed certificates and enforcing mTLS on the ingest endpoint
cert-managerAutomates TLS certificate provisioning and mTLS client-certificate issuance
Certificate monitoringA scheduled job checks certificate expiry and sends alerts (e.g. to Slack) as certificates approach renewal
The managed offering also operates the platform’s evaluation pipeline, which scores agent activity against your evaluation criteria. See Assistant and Evaluation Suite for what these capabilities deliver.

What We Provide to You

After deployment is complete, you receive:
ItemDetails
Dashboard URLA hostname under your domain (e.g. https://agenteye.your-company.example), served with a publicly-trusted, auto-renewed TLS certificate. You create one CNAME to the load balancer hostname we provide; sign-in is passwordless email OTP
Collector endpointThe ingest hostname’s /events path (e.g. https://ingest.your-company.example/events), mTLS-protected
Client certificate bundlePer-cluster: client cert, private key, and CA cert delivered as a Kubernetes Secret manifest. Apply it once per cluster
GitHub PATFor downloading collector binaries and Python SDK packages
Collector API keysScoped keys with events:add permission, one per collector deployment
Installation guidesStep-by-step docs for the collector and Python SDK

What You Do After Setup

Your only ongoing work is on your own agent machines, not the AgentEye cluster:
  1. Install the collector in each Kubernetes cluster running AI agents: mount the client certificate and configure the endpoint URL and API key. See Collector Installation.
  2. Integrate the Python SDK into your agent code. See Python SDK.
  3. Open the dashboard in your browser to view agent activity.
No cluster operations, no database management, no certificate renewals, no upgrades.

Security

  • Data stays in your cloud account. The cluster, storage, and databases all run in your environment. No data leaves your boundary.
  • You control access. The cluster is in your account. You can audit, monitor, or revoke Exosphere’s access at any time. All operations go through your cloud’s audit log (CloudTrail, GCP Audit Logs, etc.).
  • mTLS on event ingestion. Every collector request requires both a valid client certificate and an API key. A leaked key is useless without the cert; a stolen cert is useless without a valid key.
  • Dashboard access control. The dashboard runs on its own load balancer, separate from event ingestion, and sign-in is passwordless email OTP restricted to the email addresses/domains you allowlist. An IP source-range allowlist on the load balancer is available on request; because automated certificate renewal must reach the load balancer, Exosphere pairs the restriction with DNS-based certificate validation so renewals keep working.
  • Per-cluster certificates. Each of your clusters receives its own client certificate. If one cluster is compromised, that certificate is revoked independently without affecting others.

Deployment Timeline

PhaseDurationYour involvement
Cluster provisioning1-2 daysProvision the cluster and grant Exosphere access
Platform setup1 dayNone; Exosphere installs all infrastructure components
Application deployment1 dayNone; Exosphere deploys the server, dashboard, and creates API keys
Collector rollout1-3 daysInstall collectors in your clusters (with guidance from Exosphere)
Production burn-in1 weekNone; Exosphere monitors and tunes
Typical total: ~2 weeks from kickoff to production-ready.

Support

For questions or issues, contact Exosphere at support@exosphere.host.

Next Steps