## One-Line Install
## What the installer creates

The install script applies a single kubectl manifest that creates:

- Namespace — `changeguard-agent` (isolated from your workloads)
- Secret — stores your API key and configuration
- ServiceAccount + RBAC — read-only cluster access
- Deployment — single replica, the agent pod
## RBAC Permissions

The agent requests the minimum permissions needed:

| Resource | Verbs | Purpose |
|---|---|---|
| Pods, Nodes, Namespaces, Events, Services | get, list, watch | Cluster snapshot |
| Pods/log | get, list | Log collection |
| Deployments, StatefulSets, DaemonSets, ReplicaSets | get, list, watch | Workload status |
| Jobs, CronJobs | get, list, watch | Batch workload status |
| Secrets | get | ArgoCD token discovery only |
| Ingresses, NetworkPolicies, ConfigMaps, PVCs, HPAs, ServiceAccounts | get, list, watch | Full cluster visibility |
| Metrics (metrics.k8s.io) | get, list | CPU/memory utilization |

The agent never writes to your cluster. It is strictly read-only.
## Security

- Runs as non-root user (UID 1000)
- Read-only root filesystem
- All capabilities dropped
- No privilege escalation
- Liveness and readiness probes configured
- Resource limits: 250m CPU, 256Mi memory
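As an added illustration (not the project's own manifest), the permission table and the Security list above expressed as a ClusterRole and a Deployment pod spec; the ClusterRole name, ServiceAccount name, image reference and probe endpoints are assumptions, since the page does not show them:

```yaml
# Added illustration, not the project's manifest: a ClusterRole that encodes the
# permission table above and a Deployment spec that encodes the Security list.
# The ClusterRole name, ServiceAccount name, image and probe paths are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: changeguard-agent-readonly}   # assumed name
rules:
# Core API group: snapshot, config, storage and identity objects (read-only verbs only)
- apiGroups: [""]
  resources: [pods, nodes, namespaces, events, services,
              configmaps, persistentvolumeclaims, serviceaccounts]
  verbs: [get, list, watch]
- {apiGroups: [""], resources: [pods/log], verbs: [get, list]}
# Secrets: get only. Without list/watch the agent cannot enumerate Secrets;
# it can only fetch a Secret whose name it already knows (the ArgoCD token).
- {apiGroups: [""], resources: [secrets], verbs: [get]}
- {apiGroups: [apps], resources: [deployments, statefulsets, daemonsets, replicasets], verbs: [get, list, watch]}
- {apiGroups: [batch], resources: [jobs, cronjobs], verbs: [get, list, watch]}
- {apiGroups: [networking.k8s.io], resources: [ingresses, networkpolicies], verbs: [get, list, watch]}
- {apiGroups: [autoscaling], resources: [horizontalpodautoscalers], verbs: [get, list, watch]}
- {apiGroups: [metrics.k8s.io], resources: [pods, nodes], verbs: [get, list]}
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: changeguard-agent, namespace: changeguard-agent}
spec:
  replicas: 1
  selector: {matchLabels: {app: changeguard-agent}}
  template:
    metadata: {labels: {app: changeguard-agent}}
    spec:
      serviceAccountName: changeguard-agent          # assumed ServiceAccount name
      securityContext: {runAsNonRoot: true, runAsUser: 1000}
      containers:
      - name: agent
        image: IMAGE_PLACEHOLDER                     # real image reference is not shown on this page
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities: {drop: [ALL]}
        resources: {limits: {cpu: 250m, memory: 256Mi}}
        livenessProbe: {httpGet: {path: /healthz, port: 8080}}   # assumed endpoint
        readinessProbe: {httpGet: {path: /ready, port: 8080}}    # assumed endpoint
```

After applying, `kubectl auth can-i --list --as=system:serviceaccount:changeguard-agent:changeguard-agent` (assumed ServiceAccount name) prints the verbs the agent identity actually holds, which is the quickest way to confirm that no create, update, patch or delete verb slipped in.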
## Manual Install (YAML)

If you prefer to review the manifest before applying:

## Multi-Cluster

Install the agent independently in each cluster. Each gets its own `--cluster` name:
## Image

The agent image is publicly available, with builds for arm64 (Graviton) and amd64.