Bring Your Own Kubernetes Cluster
Six months in as platform lead and you have a spreadsheet you haven't shown your manager. Eleven Kubernetes clusters. EKS for production. GKE for the ML team. Two on-prem clusters behind the firewall that predate your tenure. A handful of Kind clusters developers spun up locally. Each one has its own deployment pipeline, its own credential rotation process, its own way of answering "is this service healthy?"
Your team isn't building features anymore. You're maintaining eleven slightly different versions of the same tooling.
astroctl infra k8s register --name my-cluster
What registration actually does
A lightweight agent is deployed into your cluster. It connects back to the platform — outbound only, no firewall changes required. Within seconds, your cluster appears in AstroPulse alongside every other cluster your team manages.
From that point on: deploy applications, view logs, monitor health, manage workloads. The same CLI commands, the same console — whether the cluster was provisioned by AstroPulse or brought in from outside.
You don't rebuild anything. You don't migrate anything. You layer a single consistent interface on top of what already exists.
Three scenarios
The multi-cloud fleet
Your company runs EKS for production, GKE for ML workloads, and AKS for a compliance requirement. Each environment had its own deployment pipeline. Now:
astroctl infra k8s register --name prod-eks
astroctl infra k8s register --name ml-gke
astroctl infra k8s register --name compliance-aks
Three commands. One platform. Every cluster in a single dashboard.
The brownfield migration
You have 50 clusters already running. Rebuilding them through a new provisioner would take months and risk production. With cluster registration, you onboard existing clusters without disruption:
# one cluster name per line in cluster-list.txt; read line by line so names
# are never word-split or glob-expanded, and --context must match the
# kubeconfig context name for that cluster
while IFS= read -r cluster; do
  astroctl infra k8s register --name "$cluster" --context "$cluster"
done < cluster-list.txt
Your existing workloads keep running. The agent deploys alongside them. No downtime, no migration.
The local development cluster
Your developers run Kind or Minikube locally. They want to test against the same deployment pipeline production uses:
astroctl infra k8s register --name dev-local
astroctl app apply -f my-app.yaml # same command as production
Local clusters get the same application management as production. No special snowflakes.
Registration is cloud-agnostic. Cloud operations aren't.
This is an intentional separation. Registration works the same everywhere because it doesn't need to know your cloud provider. It just needs a Kubernetes API.
When you want cloud-specific operations — version upgrades, node scaling, cost analysis — you connect cloud provider credentials separately:
# Registration (universal)
astroctl infra k8s register --name my-cluster
# Cloud access (provider-specific, done later)
astroctl cloud aws connect --cluster-name my-cluster --account-id 123456789012 --region us-west-2
This means you can register a cluster quickly and figure out cloud provider access later. Or never — if you only need application deployment, registration alone is sufficient.
Enterprise workflows built in
In larger organisations the platform team and the infrastructure team are often different groups with different access. The --no-install flag supports that split:
# Platform team registers the cluster (no cluster access needed)
astroctl infra k8s register --name prod-cluster --no-install
# Infrastructure team installs the agent (has kubectl access)
astroctl infra k8s register agent --cluster-name prod-cluster --context prod-k8s
Need to review what gets deployed before applying? Use --dry-run:
astroctl infra k8s register --name prod-cluster --dry-run
The full manifest is printed to stdout for security review, audit, or manual application.
Zero-trust connectivity, zero inbound access
Many cluster management platforms require you to expose your Kubernetes API server to the internet or to set up VPN peering. That's a non-starter for security-conscious teams.
AstroPulse takes the opposite approach. The agent deployed in your cluster initiates all connections outbound. The platform never reaches into your network.
No inbound firewall rules. The agent calls home over an encrypted reverse tunnel. Your cluster's API server stays completely private — no public IP, no load balancer, no ingress. If your cluster can make outbound HTTPS connections, it can register with AstroPulse.
Mutual TLS on every connection. Every agent gets a unique cryptographic identity at registration time. The platform and agent authenticate each other on every connection. Certificates rotate automatically before expiry.
Scoped RBAC, not admin access. The agent runs with a dedicated ClusterRole scoped to what the platform needs: deploying applications, reading status, managing workloads. It does not get cluster-admin. Review the exact permissions with --dry-run before you apply the manifest; whatever the ClusterRole grants is what a platform-side operator (or a compromised platform account) can do inside the cluster, so it is the blast radius you are accepting.
Isolated per cluster. Each registered cluster has its own encrypted tunnel and its own identity. Compromising one cluster's agent credentials gives zero access to any other cluster.
Resilient by design. If the connection drops — network blip, pod restart, node failure — the agent reconnects automatically. The platform queues operations and delivers them when the tunnel comes back.
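The "Scoped RBAC" and --dry-run points above invite an automated check: before applying the printed manifest, flag any RBAC object that is broader than the page promises. The following is an added example, not code from AstroPulse or astroctl. It assumes the --dry-run output has already been parsed into a list of Kubernetes objects (for YAML, `yaml.safe_load_all` from PyYAML would do it; it is not imported here so the script runs offline), and the two sample manifests are constructed for illustration, not the real agent manifest.

```python
"""Audit a rendered agent manifest for over-broad RBAC before applying it.

Added example, not part of AstroPulse/astroctl. Input is a list of parsed
Kubernetes objects; the sample manifests below are constructed.
"""
import json
import sys
from typing import Iterable, List, Tuple

# Verbs that let a subject grant itself more than it was given.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Resources that expose credentials or code execution in other workloads.
SENSITIVE_RESOURCES = {
    "secrets", "pods/exec", "pods/attach", "pods/portforward",
    "serviceaccounts/token",
}

Finding = Tuple[str, str, str]  # (kind, name, reason)


def _as_set(values) -> set:
    return set(values or [])


def audit_rbac(objects: Iterable[dict]) -> List[Finding]:
    """Return one finding per risky rule or binding; empty list means clean."""
    findings: List[Finding] = []
    for obj in objects:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        if kind in ("ClusterRole", "Role"):
            for rule in obj.get("rules", []):
                verbs = _as_set(rule.get("verbs"))
                resources = _as_set(rule.get("resources"))
                reasons = []
                if "*" in verbs and "*" in resources:
                    reasons.append("all verbs on all resources (cluster-admin equivalent)")
                elif "*" in verbs:
                    reasons.append(f"all verbs on {sorted(resources)}")
                elif "*" in resources:
                    reasons.append(f"{sorted(verbs)} on all resources")
                if verbs & ESCALATION_VERBS:
                    reasons.append(f"privilege-escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
                if resources & SENSITIVE_RESOURCES:
                    reasons.append(f"access to sensitive resources {sorted(resources & SENSITIVE_RESOURCES)}")
                findings.extend((kind, name, r) for r in reasons)
        elif kind in ("ClusterRoleBinding", "RoleBinding"):
            ref = obj.get("roleRef", {})
            if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
                findings.append((kind, name, "binds the built-in cluster-admin ClusterRole"))
    return findings


def load_objects(text: str) -> List[dict]:
    """Accept a JSON array of objects or a kind: List wrapper (kubectl -o json)."""
    data = json.loads(text)
    if isinstance(data, dict) and data.get("kind") == "List":
        return data.get("items", [])
    return data if isinstance(data, list) else [data]


# Constructed sample: what a least-privilege agent manifest might look like.
SAFE_MANIFEST = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "agent"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "namespaces"],
          "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
          "verbs": ["get", "list", "watch", "create", "update", "patch"]},
     ]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "agent"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "agent"},
     "subjects": [{"kind": "ServiceAccount", "name": "agent", "namespace": "agent-system"}]},
]

# Constructed sample: the kind of manifest the review should reject.
RISKY_MANIFEST = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "too-broad"},
     "rules": [
         {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
     ]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "too-broad"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "agent", "namespace": "agent-system"}]},
]

if __name__ == "__main__":
    # Usage: convert the --dry-run manifest to JSON, then pipe it in;
    # with no stdin the constructed samples are audited instead.
    objs = load_objects(sys.stdin.read()) if not sys.stdin.isatty() else SAFE_MANIFEST + RISKY_MANIFEST
    for kind, name, reason in audit_rbac(objs):
        print(f"{kind}/{name}: {reason}")
    sys.exit(1 if audit_rbac(objs) else 0)
```

The check is deliberately conservative: a single `*` verb or resource, any escalation verb, any read of `secrets`, or a binding to `cluster-admin` fails the review, which is exactly the list a security reviewer would want to sign off on by hand rather than have slip through.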
What you get — and what you don't
Once registered, a cluster supports application deployment, log streaming, health monitoring, and workload management through the same interface as provisioned clusters.
What registration does not cover: Kubernetes version upgrades, rolling node updates, and node pool management. These lifecycle operations require either a cluster provisioned by AstroPulse, or connected cloud provider credentials — they depend on cloud-specific APIs that the registration agent doesn't have access to.
If your team needs lifecycle management for a registered cluster, connect cloud credentials after registration:
astroctl cloud aws connect --cluster-name my-cluster --account-id 123456789012 --region us-west-2
This unlocks version upgrades, node scaling, and cost analysis without re-registering the cluster.
Get started
Registration is available today. Read the full guide: