
What is the Kestrel Operator?

The Kestrel Operator is a lightweight Kubernetes agent that connects your clusters to the Kestrel AI platform. It streams Kubernetes resource metadata, events, logs, and network traffic telemetry over mTLS to Kestrel Cloud — enabling 24/7 real-time incident detection without requiring any changes to your existing infrastructure or applications.

Key Features

Incident Detection and Response

  • 24/7 real-time incident detection from Kubernetes events, pod logs, node conditions, and network telemetry
  • Event and log ingestion streamed to Kestrel Cloud for automated root cause analysis
  • API and command execution on behalf of AI Agents on Kestrel Cloud for investigation and remediation

Kubernetes Risk Assessments

  • Intelligent AI-agent-based risk discovery inside your Kubernetes cluster
  • Actionable fixes for every issue found
  • Highlighting of attack chains that tools lacking Kubernetes context will miss

Cluster Inventory and Traffic Visibility

  • Real-time flow collection from Cilium Hubble, AWS VPC CNI, or Istio service mesh
  • Zero application changes required
  • Automatic workload discovery and inventory management
  • Topology map for service dependency and network traffic visualization

Architecture

The Kestrel Operator consists of several key components:

Stream Client

Maintains a secure gRPC connection to Kestrel Cloud using mTLS authentication. Handles bidirectional streaming for:
  • Sending resource metadata, events, logs, and network flows
  • Receiving and executing read-only API calls and commands from Kestrel Cloud

Network Integrations

  • Cilium Integration: Collects L3/L4 network flows from Hubble Relay
  • Istio Integration: Receives L7 access logs via Envoy Access Log Service

Metrics Integrations

  • OpenTelemetry: Receives metrics from an OTEL Collector via OTLP gRPC
  • Datadog: Queries metrics from in-cluster Datadog agents

Security Model

Authentication

  • mTLS certificates for secure communication with Kestrel Cloud
  • JWT tokens with automatic renewal for service authentication
  • RBAC permissions scoped to minimum required access
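The architecture above states that the operator only executes read-only API calls, and the security model states that its RBAC is scoped to the minimum required access. The following is an added example (not part of the Kestrel Operator or its Helm chart) of how an administrator can audit a deployed ClusterRole against those two claims: it flags any verb beyond get/list/watch, wildcard verbs or resources, and read access to Secrets. The `SAMPLE_CLUSTER_ROLE` below is constructed for the illustration; the real rules would be obtained with `kubectl get clusterrole <name> -o json` and passed to `audit_cluster_role()`.

```python
"""Audit a ClusterRole for read-only, least-privilege access.

Added illustration, not the Kestrel Operator's own code or manifest.
"""
READ_ONLY_VERBS = {"get", "list", "watch"}

# Constructed sample: two rules of the read-only shape the security model
# describes, plus one over-broad rule that a reviewer should catch.
SAMPLE_CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-readonly"},  # hypothetical name
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "events", "nodes"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},  # violation
    ],
}


def audit_cluster_role(role: dict) -> list[str]:
    """Return one finding per rule that exceeds read-only, minimal access."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = rule.get("resources", [])
        label = f"rule[{i}] {rule.get('apiGroups', [])}/{resources}"
        if "*" in verbs:
            # A wildcard verb includes create/update/delete: not read-only.
            findings.append(f"{label}: wildcard verb grants write access")
            continue
        extra = sorted(verbs - READ_ONLY_VERBS)
        if extra:
            findings.append(f"{label}: non-read-only verbs {extra}")
        if "*" in resources:
            findings.append(f"{label}: wildcard resource exceeds minimum required access")
        if "secrets" in resources:
            # Read-only is not the same as least privilege: reading Secrets
            # hands the operator every credential in the cluster.
            findings.append(f"{label}: read access to Secrets exposes credentials")
    return findings


def is_read_only(role: dict) -> bool:
    """True when no rule in the ClusterRole exceeds read-only access."""
    return not audit_cluster_role(role)


if __name__ == "__main__":
    for finding in audit_cluster_role(SAMPLE_CLUSTER_ROLE):
        print(finding)
```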

Data Protection

  • No sensitive data storage on the operator
  • Encrypted transmission for all communications
  • Certificate rotation for ongoing security

Prerequisites

  • Kubernetes cluster (v1.24+)
  • Cluster admin permissions for installation
  • Network connectivity to grpc.platform.usekestrel.ai:443

Optional Integrations

  • Cilium (for L3/L4 network flow collection)
  • Istio (for L7 access log collection and authorization policies)
  • OpenTelemetry Collector (for receiving Kubernetes and application metrics via OTLP gRPC)
  • Datadog (for querying historical metrics, events, and logs from in-cluster Datadog agents)

Next Steps