

Connect Any Cluster in Minutes
Outbound-only HTTPS tunnel. No VPN, no firewall rules, no exposed ports.
Traditional Cluster Onboarding Is Broken
Every other platform asks you to expose your API server, open ports, whitelist IPs, configure VPNs, and provision long-lived credentials. Each step is a security review. None of it scales.
Inbound Ports
Open 6443 or a custom HTTPS endpoint to the internet — and explain it to your security team.
VPNs & Bastions
Configure private links between networks. Pray that nothing breaks when IPs rotate.
Long-Lived Credentials
Provision a service account with broad cluster permissions. Generate and rotate kubeconfigs forever.
Outbound, Not Inbound
Every cluster on Earth can make outbound HTTPS requests on port 443 — that's how it pulls images and talks to cloud APIs. If your cluster can reach github.com, it can reach SRExpert.
Connect a Cluster in 3 Steps
Import Cluster
In the SRExpert dashboard, click Import Cluster and give it a name. A short-lived install token is generated automatically.
Copy the Command
One kubectl apply line. No DNS, no certificates, no kubeconfig editing. Works on any cluster — managed or self-hosted.
Run It
The agent starts as a DaemonSet, leader election picks one active instance, and the tunnel comes up in ~30 seconds. The cluster appears live in your dashboard.
$ curl -sL https://srexpert.yourdomain.com/api/v1/agent/install/{token} | kubectl apply -f -
✓ Agent installed — tunnel up in ~30s, cluster live in dashboard
What Becomes Possible
Security teams stop being the blocker
No new ports, no exposed APIs, no rotating credentials. The same outbound HTTPS you already allow for image pulls. Reviews shrink from weeks to minutes.
On-prem & edge get first-class management
Hospitals, factories, government agencies, air-gapped data centers — anywhere outbound HTTPS works, SRExpert works. No more locked-out environments.
Multi-cloud stops being a special case
AWS, GCP, Azure, on-prem — same kubectl apply, four times. The control plane doesn't know or care where the cluster lives.
Try anything in production
Install on a real cluster in 30 seconds, validate, uninstall just as fast. The risk of trying SRExpert collapses to zero.
Bring shadow clusters under management
Every team has Kubernetes environments that never made it onto the central platform because onboarding was too painful. Now it isn't.
Self-healing connections
Tunnel drops? Auto-reconnect with exponential backoff. Backend restart? The agent transparently reconnects to the new instance.
How the Tunnel Works
The agent establishes a TLS-encrypted WebSocket connection to the SRExpert backend. Every Kubernetes API operation is serialized over the tunnel and executed locally by the agent using its in-cluster service account.
TLS End-to-End
Every byte over the tunnel is encrypted. The agent never exposes any ports of its own and cannot be contacted from outside the cluster.
Auto-Reconnect
Exponential backoff (2s → 4s → 8s, capped at 15s). Read operations retry on disconnect; writes fail fast to avoid duplicate state.
No Long-Lived Credentials
Registration uses a short-lived token. The control plane never holds a kubeconfig. Customer credentials never leave the cluster.
Helm + kubectl, Nothing Custom
No proprietary CLI, no bespoke runtime. Inspect every manifest before applying. Uninstall with helm delete. No magic, no lock-in.
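One way to act on "inspect every manifest before applying", as an added example that is not SRExpert's own code: because the agent executes API operations with its in-cluster service account, the RBAC and pod settings in the manifest define what the tunnel can do. The check list, function names, `INSTALL_URL` placeholder and sample manifest are assumptions constructed for illustration.

```shell
# Review an agent install manifest before `kubectl apply` (save it, don't pipe it):
#   curl -sL "$INSTALL_URL" -o agent.yaml && review_manifest agent.yaml
#   kubectl apply --dry-run=server -f agent.yaml   # apply only after review

# label|extended-regex pairs: settings that widen what the agent can reach.
CHECKS='cluster-admin binding|name:[[:space:]]*cluster-admin
wildcard RBAC rule|\[[[:space:]]*"\*"[[:space:]]*]
privileged container|privileged:[[:space:]]*true
host network|hostNetwork:[[:space:]]*true
hostPath volume|hostPath:
mutable image tag|image:.*:latest'

# Print one "[label] line N:text" entry per match in the manifest file $1.
review_manifest() (
  printf '%s\n' "$CHECKS" | while IFS='|' read -r label regex; do
    grep -nE -- "$regex" "$1" | sed "s/^/[$label] line /"
  done
)

# CONSTRUCTED, abbreviated sample input (not SRExpert's manifest).
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-agent
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example-agent
spec:
  template:
    spec:
      serviceAccountName: example-agent
      hostNetwork: true
      containers:
      - name: agent
        image: registry.example.com/agent:latest
EOF
}

sample=$(mktemp) && write_sample_manifest "$sample"
review_manifest "$sample"   # flags lines 6, 7, 18 and 21 of the sample
rm -f "$sample"
```

A hit is a prompt to read that part of the manifest, not proof of a problem; an empty result means only that none of these six patterns matched.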
Start with SRExpert today
Connect your first cluster in 5 minutes. See every workload, enforce security policies, and let AI handle the noise.
Replace your monitoring stack, alerting tools, and compliance spreadsheets with one platform built for Kubernetes teams.
Free tier available — no credit card needed.