K8s Dashboard · Showcase

Install the agent

One Helm chart, two pods, outbound-only networking. The agent runs inside your cluster and tunnels back to klstr via Cloudflare — no inbound firewall rules, no kubeconfig shipped outside.

TL;DR

helm install klstr-agent https://app.klstr.dev/install/klstr-agent-chart.tgz \
  --set agent.registrationToken="k8s_reg_XXXX" \
  --namespace klstr-agent \
  --create-namespace

Mint the token from Settings → API Keys in the dashboard. Two pods appear: the agent itself + a cloudflared sidecar that holds the tunnel open.

Chart values

Value                     Default                Purpose
agent.image.repository    klstrdev/agent         Docker Hub image
agent.image.tag           0.1.0                  Bumped per release
agent.port                8080                   Local HTTP/WS listener
agent.resources.requests  64 Mi / 10 m           Enough up to 500-node clusters
agent.resources.limits    128 Mi / 100 m
agent.registrationToken   (required)             From Settings → API Keys
agent.dashboardUrl        https://app.klstr.dev  Override for staging
agent.extraEnv            {}                     Escape hatch, e.g. NODE_TLS_REJECT_UNAUTHORIZED=0 on kind
cloudflared.enabled       true                   Disable if you DIY the tunnel

RBAC

The chart installs a ClusterRole the agent needs:

  • pods/* (get, list, watch, exec, log, portforward)
  • services, endpoints, namespaces, nodes, events
  • deployments, statefulsets, daemonsets, replicasets
  • ingresses (networking.k8s.io/v1)
  • Custom resources via get, list for plug-in detection

klstr does not request secrets/* verbs by default. Secret content is fetched only when a user opens a specific secret in the dashboard, at which point the request is scoped to that name.
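
To check an installed ClusterRole against the list above, the following added example (not part of the klstr chart or its tooling) audits the rules from `kubectl get clusterrole <name> -o json`. It flags any rule that reaches core-group secrets, including through wildcards, and any resource outside the documented list that carries more than get/list. The ClusterRole name is a placeholder, the subresource names assume standard Kubernetes RBAC naming, and the sample rules are constructed.

```python
import json
import sys

# Resources the page lists for the agent's ClusterRole. Subresource names follow
# standard Kubernetes RBAC naming; the chart's exact rules are not on the page.
DOCUMENTED = {
    "pods", "pods/exec", "pods/log", "pods/portforward", "services",
    "endpoints", "namespaces", "nodes", "events", "deployments",
    "statefulsets", "daemonsets", "replicasets", "ingresses",
}

def covers_secrets(rule):
    """True if the rule reaches core-group secrets, directly or via wildcard."""
    groups = set(rule.get("apiGroups", []))
    names = {r.split("/")[0] for r in rule.get("resources", [])}
    return bool(groups & {"", "*"}) and bool(names & {"secrets", "*"})

def audit(cluster_role):
    """Return (rule_index, severity, finding) tuples for a ClusterRole dict."""
    findings = []
    for i, rule in enumerate(cluster_role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        if covers_secrets(rule):
            named = bool(rule.get("resourceNames"))  # pinned to specific secret names
            findings.append((i, "medium" if named else "high",
                             "secrets-reachable:" + ("named" if named else "all")))
        if "*" in verbs:
            findings.append((i, "high", "wildcard-verb"))
        # Page: anything outside the listed resources should be get/list only.
        extra = set(rule.get("resources", [])) - DOCUMENTED - {"secrets"}
        if extra and verbs - {"get", "list"}:
            findings.append((i, "medium", "beyond-get-list:" + ",".join(sorted(extra))))
    return findings

# Constructed sample rules for illustration, not the chart's real ClusterRole.
SAMPLE = {"rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]},
    {"apiGroups": ["example.io"], "resources": ["widgets"], "verbs": ["get", "list", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"], "resourceNames": ["db-creds"]},
]}

if __name__ == "__main__":
    # Pipe in `kubectl get clusterrole <name> -o json`; with no pipe, use SAMPLE.
    role = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for idx, severity, finding in audit(role):
        print(f"rule {idx}: [{severity}] {finding}")
```

A wildcard rule over all API groups and resources with only get and list still covers secrets, which is why the second sample rule is reported as high.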

TLS

The agent probes the in-cluster API server cert chain at boot. If the chain is not verifiable against the ServiceAccount CA (common on kind, vcluster, ad-hoc clusters), it falls back to rejectUnauthorized: false, which means the API server certificate is not verified on that connection. Production clusters with valid certs land in the verified branch.

Force strict TLS in production:

--set agent.extraEnv.K8S_DASHBOARD_STRICT_TLS=true

Upgrading

helm upgrade klstr-agent https://app.klstr.dev/install/klstr-agent-chart.tgz \
  --reuse-values \
  --namespace klstr-agent

The agent replays deltas on every boot, so rolling restarts are safe — no data loss.

Uninstall

helm uninstall klstr-agent --namespace klstr-agent

Then delete the cluster in Clusters → ⋯ → Delete. klstr tears down the Cloudflare tunnel + Access service token in the correct order.

Troubleshooting

  • Cluster stuck on "Connecting" — check agent pod logs for auth errors. Usually an expired or mistyped registration token.
  • Heartbeat stale — the cloudflared sidecar may have lost its tunnel. kubectl logs deploy/klstr-agent -c cloudflared shows it.
  • Pod logs missing — verify the agent's ClusterRole bindings include pods/log.
  • Still stuck? info@klstr.dev

Next: connect a second cluster.