Prerequisites
- A GitHub PAT for pulling container images and downloading artifacts (see GitHub Token Setup)
- A dedicated Kubernetes cluster (see requirements below)
- A storage bucket for database backups
- Network connectivity: port 443 inbound to the cluster’s load balancer
Step 1: Provision a Dedicated Kubernetes Cluster
Create a Kubernetes cluster dedicated to AgentEye. It should not be shared with other workloads, so the full platform (application services, databases, analytics, and caching) runs in isolation without impacting your existing infrastructure.| Requirement | Details |
|---|---|
| Distribution | Any conformant Kubernetes: EKS, GKE, AKS, or self-managed |
| Version | 1.27 or later |
| Node pool | Minimum: 3 nodes, 4 vCPU / 8 GB RAM each (standard general-purpose instances) |
| Storage | A default StorageClass that provisions block volumes (e.g. gp3 on AWS, pd-ssd on GCP) |
| Load Balancer | The cluster must be able to provision cloud LoadBalancer services (default on EKS, GKE, AKS) |
Exosphere installs and manages everything else inside the cluster: ingress controllers, TLS certificates, databases, caching, monitoring, and all application deployments.
Step 2: Grant Access to the AgentEye Team
Exosphere needs cluster-admin access (or equivalent broad RBAC) to manage namespaces, custom resource definitions, ingress controllers, and storage provisioners.| Requirement | Details |
|---|---|
| Access method | IAM role (preferred for EKS/GKE), kubeconfig, or SSO-based access |
| VPN / bastion | If the Kubernetes API server is private, provide VPN credentials or bastion access for the Exosphere operations team |
Step 3: Configure Network Connectivity
Your network team needs to allow inbound traffic on port 443 to the cluster’s load balancers. The deployment runs two separate load balancers: one for event ingestion (mTLS-protected) and one for the dashboard:| Traffic | Source | Destination | Security |
|---|---|---|---|
| Event ingestion | Collector pods in your clusters | Ingest LoadBalancer, port 443 | mTLS (client certificate) + API key |
| Dashboard | Developer browsers | Dashboard LoadBalancer, port 443 | HTTPS on your domain, passwordless email OTP sign-in |
agenteye.your-company.example) — pointing at the load balancer hostnames Exosphere provides. Exosphere then provisions publicly-trusted TLS certificates for both hostnames automatically, including renewals.
Port 80 note: automated certificate issuance and renewal validate over HTTP on port 80 of each load balancer. If your security posture requires restricting the dashboard load balancer to corporate IP ranges, tell Exosphere first — we switch certificate validation to a DNS-based method (one extra DNS record on your side) so renewals keep working behind the restriction.
Outbound: Cluster nodes need internet access to pull container images fromghcr.io. If your network restricts outbound traffic, allowlistghcr.ioor mirror images to your internal registry.
Step 4: Provide a Backup Storage Bucket
Database backups are stored in a cloud storage bucket that you own.| Requirement | Details |
|---|---|
| Service | S3 (AWS), GCS (GCP), or Azure Blob Storage |
| Access | Grant write access to the cluster’s nodes via IAM role for service accounts (IRSA on EKS, Workload Identity on GKE) or provide credentials |
| Retention | You control the bucket’s lifecycle policy (retention period, archival rules). Exosphere writes backups; you decide how long to keep them |
Step 5: Designate a Point of Contact
Provide one person or Slack/Teams channel on your side for cluster-level issues: node health, cloud account limits, network changes. Day-to-day operations do not involve this contact.What We Deploy
Once Exosphere has cluster access, the following components are deployed and managed for you:| Component | Role |
|---|---|
| AgentEye Server | HTTP API that receives events from collectors, runs analytics, and serves data to the dashboard |
| Dashboard | Web interface for viewing agent sessions, tool calls, model requests, and errors; hosts the optional read-only AI assistant |
| ClickHouse | Required canonical store for ingested events, analytics, and evaluations |
| PostgreSQL | Relational store for organizations, API keys, users, dashboards, and saved queries |
| Redis | Optional shared cache and rate-limit backend; the platform degrades gracefully if it is unavailable |
| AI assistant (optional) | Internal read-only assistant container; stays disabled until an LLM endpoint is configured |
| Ingress controllers | Two load balancers (one for mTLS-protected ingest, one for the dashboard) terminating TLS with publicly-trusted, auto-renewed certificates and enforcing mTLS on the ingest endpoint |
| cert-manager | Automates TLS certificate provisioning and mTLS client-certificate issuance |
| Certificate monitoring | A scheduled job checks certificate expiry and sends alerts (e.g. to Slack) as certificates approach renewal |
What We Provide to You
After deployment is complete, you receive:| Item | Details |
|---|---|
| Dashboard URL | A hostname under your domain (e.g. https://agenteye.your-company.example), served with a publicly-trusted, auto-renewed TLS certificate. You create one CNAME to the load balancer hostname we provide; sign-in is passwordless email OTP |
| Collector endpoint | The ingest hostname’s /events path (e.g. https://ingest.your-company.example/events), mTLS-protected |
| Client certificate bundle | Per-cluster: client cert, private key, and CA cert delivered as a Kubernetes Secret manifest. Apply it once per cluster |
| GitHub PAT | For downloading collector binaries and Python SDK packages |
| Collector API keys | Scoped keys with events:add permission, one per collector deployment |
| Installation guides | Step-by-step docs for the collector and Python SDK |
What You Do After Setup
Your only ongoing work is on your own agent machines, not the AgentEye cluster:- Install the collector in each Kubernetes cluster running AI agents: mount the client certificate and configure the endpoint URL and API key. See Collector Installation.
- Integrate the Python SDK into your agent code. See Python SDK.
- Open the dashboard in your browser to view agent activity.
Security
- Data stays in your cloud account. The cluster, storage, and databases all run in your environment. No data leaves your boundary.
- You control access. The cluster is in your account. You can audit, monitor, or revoke Exosphere’s access at any time. All operations go through your cloud’s audit log (CloudTrail, GCP Audit Logs, etc.).
- mTLS on event ingestion. Every collector request requires both a valid client certificate and an API key. A leaked key is useless without the cert; a stolen cert is useless without a valid key.
- Dashboard access control. The dashboard runs on its own load balancer, separate from event ingestion, and sign-in is passwordless email OTP restricted to the email addresses/domains you allowlist. An IP source-range allowlist on the load balancer is available on request; because automated certificate renewal must reach the load balancer, Exosphere pairs the restriction with DNS-based certificate validation so renewals keep working.
- Per-cluster certificates. Each of your clusters receives its own client certificate. If one cluster is compromised, that certificate is revoked independently without affecting others.
Deployment Timeline
| Phase | Duration | Your involvement |
|---|---|---|
| Cluster provisioning | 1-2 days | Provision the cluster and grant Exosphere access |
| Platform setup | 1 day | None; Exosphere installs all infrastructure components |
| Application deployment | 1 day | None; Exosphere deploys the server, dashboard, and creates API keys |
| Collector rollout | 1-3 days | Install collectors in your clusters (with guidance from Exosphere) |
| Production burn-in | 1 week | None; Exosphere monitors and tunes |
Support
For questions or issues, contact Exosphere atsupport@exosphere.host.
Next Steps
- Getting Started: end-to-end walkthrough
- Collector Installation: install and configure the collector
- Python SDK: instrument your agent code
- API Keys: manage access and permissions
- Troubleshooting: common issues and fixes

