§03 — Exo Operator

Deploying the manager

The agentkube-manager operator: its namespace, the ServiceAccount and ClusterRole it needs, the Service it exposes, and the admission webhook it self-bootstraps.

5 min read · Set by Exo Editorial · v0.3.0 Beta

The agentkube-manager is a controller-runtime operator. It watches the five agentkube.io CRDs and reconciles them into pods, Services, and Secrets in your cluster. It installs into a fixed namespace, agentkube-system, and ships as a single Deployment plus its RBAC and a self-managed admission webhook.

What gets installed

  • Namespace agentkube-system.
  • ServiceAccount, ClusterRole, and ClusterRoleBinding, all named agentkube-manager.
  • Deployment agentkube-manager (1 replica, leader-elect) and a Service of the same name.
  • A ValidatingWebhookConfiguration gating pods/exec and Tool operations.

Installing

The simplest path is exo-install; for GitOps use the Helm chart or the raw manifests (see Manual install).

terminal · bash
# Installer
exo-install operator --managed --base-url https://exo.example.com

# Helm
helm install agentkube ./agentkube/helm/agentkube \
  --namespace agentkube-system --create-namespace \
  --set manager.managed=true --set manager.baseURL=https://exo.example.com

RBAC

The ClusterRole is broad because the operator builds and tears down real workloads. The notable grants:

ClusterRole agentkube-manager · text
API group      Resources                                              Verbs                    Why
agentkube.io   agents, mcps, llmgateways, claws, tools (+ /status)    full
apps           deployments                                            full
core           services, configmaps, pvcs, pods                       full
core           pods/log                                               get                      stream run logs
core           pods/exec                                              create                   shell into agent pods
core           secrets                                                full                     credential management
core           events                                                 create, patch
batch          jobs                                                   create                   Tool permission provisioning
rbac           clusterroles/bindings, roles/bindings                  full + bind, escalate    Kubernetes Tool policies
coordination   leases                                                 full                     leader election
admission      validatingwebhookconfigurations                        update                   webhook cert bootstrap
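To make that review concrete, here is an added example in Go (the language controller-runtime operators are written in); it is not the project's own code. It transcribes the grant table above into RBAC PolicyRule shapes and flags the grants that would let a compromised manager pod reach beyond the workloads it manages: bind and escalate on RBAC objects, the cluster-wide read on Secrets, create on pods/exec, workload creation, and update on the webhook configuration that gates the manager itself. The rule list, the rendering of "full" as the "*" verb, the status subresource names and the risk patterns are this example's assumptions, not the shipped chart.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule mirrors the fields of an RBAC PolicyRule that matter when reviewing a ClusterRole.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Finding is one grant a reviewer should consciously accept before installing the operator.
type Finding struct {
	Group     string
	Resources []string
	Verb      string
	Why       string
}

// riskPatterns lists (group, resource, verb) triples that matter in a cluster-scoped role.
// A Resource of "*" in a pattern means "any resource in that group".
var riskPatterns = []struct{ Group, Resource, Verb, Why string }{
	{"rbac.authorization.k8s.io", "*", "escalate", "may create roles granting rights it does not itself hold"},
	{"rbac.authorization.k8s.io", "*", "bind", "may bind existing roles, cluster-admin included, to any subject"},
	{"", "secrets", "get", "reads every Secret in every namespace"},
	{"", "pods/exec", "create", "can open a shell in any pod in any namespace"},
	{"", "pods", "create", "can run a pod under any ServiceAccount"},
	{"apps", "deployments", "create", "can run workloads under any ServiceAccount"},
	{"batch", "jobs", "create", "can run workloads under any ServiceAccount"},
	{"admissionregistration.k8s.io", "validatingwebhookconfigurations", "update",
		"can alter or drop admission policy, including its own pods/exec gate"},
}

// has reports whether list names want explicitly or through the "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// AuditRules returns one Finding per (rule, pattern) pair the rule satisfies.
func AuditRules(rules []PolicyRule) []Finding {
	var out []Finding
	for _, r := range rules {
		for _, p := range riskPatterns {
			if !has(r.APIGroups, p.Group) || !has(r.Verbs, p.Verb) {
				continue
			}
			var hit []string
			for _, res := range r.Resources {
				if p.Resource == "*" || res == "*" || res == p.Resource {
					hit = append(hit, res)
				}
			}
			if len(hit) > 0 {
				out = append(out, Finding{p.Group, hit, p.Verb, p.Why})
			}
		}
	}
	return out
}

// agentkubeManagerRules is a constructed transcription of the grant table on this page.
// "full" is rendered as "*"; the shipped chart may spell the verbs out individually.
var agentkubeManagerRules = []PolicyRule{
	{[]string{"agentkube.io"}, []string{"agents", "mcps", "llmgateways", "claws", "tools",
		"agents/status", "mcps/status", "llmgateways/status", "claws/status", "tools/status"}, []string{"*"}},
	{[]string{"apps"}, []string{"deployments"}, []string{"*"}},
	{[]string{""}, []string{"services", "configmaps", "persistentvolumeclaims", "pods"}, []string{"*"}},
	{[]string{""}, []string{"pods/log"}, []string{"get"}},
	{[]string{""}, []string{"pods/exec"}, []string{"create"}},
	{[]string{""}, []string{"secrets"}, []string{"*"}},
	{[]string{""}, []string{"events"}, []string{"create", "patch"}},
	{[]string{"batch"}, []string{"jobs"}, []string{"create"}},
	{[]string{"rbac.authorization.k8s.io"}, []string{"clusterroles", "clusterrolebindings", "roles", "rolebindings"},
		[]string{"*", "bind", "escalate"}},
	{[]string{"coordination.k8s.io"}, []string{"leases"}, []string{"*"}},
	{[]string{"admissionregistration.k8s.io"}, []string{"validatingwebhookconfigurations"}, []string{"update"}},
}

func main() {
	for _, f := range AuditRules(agentkubeManagerRules) {
		group := f.Group
		if group == "" {
			group = "core"
		}
		fmt.Printf("%-30s %-50s %-9s %s\n", group, strings.Join(f.Resources, ","), f.Verb, f.Why)
	}
}
```

Run as written it reports eight findings for the transcribed role. The ones worth a deliberate decision are bind and escalate (they make every other grant extensible) and the wildcard on Secrets; if you trim the chart's ClusterRole for a GitOps install, rerun the audit on the trimmed rules to see what remains.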

Service & ports

The agentkube-manager Service exposes four ports:

Service agentkube-manager · text
Name      Port → target   Purpose
webhook   443 → 9443      admission reviews (TLS; cert self-bootstrapped)
metrics   8080            Prometheus /metrics
probes    8081            /healthz, /readyz
invoke    8082            agent invocation API (in-cluster, or via apiserver proxy)

The invoke port is the one the exo CLI's cluster commands reach through the kube-apiserver service proxy (…/services/http:agentkube-manager:invoke/proxy/…).

Admission webhook

On startup the manager mints its own serving certificate (issued for agentkube-manager.agentkube-system.svc) and patches the resulting CA bundle into the ValidatingWebhookConfiguration, so there is no cert-manager dependency; this is what the update grant on validatingwebhookconfigurations in the ClusterRole is for. The webhook gates pods/exec into Agents and Tool operations. You can disable it (webhook.enabled=false), but leaving it enabled is recommended.
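The bootstrap described above, as an added example written for this page rather than the manager's own code: it mints a throwaway CA and a serving certificate whose only SAN is agentkube-manager.agentkube-system.svc, produces the base64 caBundle value that would be patched into the ValidatingWebhookConfiguration, and then runs the same verification the kube-apiserver performs when it dials the webhook on port 9443. The CA name, key type, lifetimes, fixed demo serials and function names are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WebhookDNSName is the Service DNS name the page says the serving cert is issued for.
const WebhookDNSName = "agentkube-manager.agentkube-system.svc"

// ServingBundle: the serving cert for port 9443 plus the CA bundle for clientConfig.caBundle.
type ServingBundle struct {
	CAPEM, CertPEM []byte
	CABundleB64    string
}

// BootstrapServingCert mints a throwaway CA and a serving cert whose only SAN is dnsName.
// CA name, key type, lifetimes and the fixed demo serials are this example's assumptions.
func BootstrapServingCert(dnsName string) (*ServingBundle, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // a real CA uses random 128-bit serials
		Subject:               pkix.Name{CommonName: "agentkube-webhook-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // reparse so SubjectKeyId is set for chaining
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the apiserver matches this SAN, not the CN
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return &ServingBundle{
		CAPEM:       caPEM,
		CertPEM:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		CABundleB64: base64.StdEncoding.EncodeToString(caPEM), // value patched into the webhook
	}, nil
}

// VerifyServingCert repeats the check the kube-apiserver makes when it calls the webhook:
// chain the serving cert to caBundle and match dnsName against its SANs (ServerAuth EKU).
func VerifyServingCert(caPEM, certPEM []byte, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("caBundle contains no certificates")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("serving cert is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func main() {
	b, err := BootstrapServingCert(WebhookDNSName)
	if err != nil {
		panic(err)
	}
	fmt.Println("right name:", VerifyServingCert(b.CAPEM, b.CertPEM, WebhookDNSName))
	fmt.Println("wrong namespace:", VerifyServingCert(b.CAPEM, b.CertPEM, "agentkube-manager.default.svc"))
}
```

The second line of output is the useful one: the same certificate fails for agentkube-manager.default.svc, which is why the manager must be reached under exactly the Service and namespace it minted the cert for. If admission reviews start failing after the Service is renamed or the manager is moved out of agentkube-system, this name mismatch is the first thing to check.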

Verifying

terminal · bash
kubectl -n agentkube-system rollout status deploy/agentkube-manager
kubectl -n agentkube-system logs deploy/agentkube-manager --tail=50
kubectl get crds | grep agentkube.io

Once it's up, connect it to the control plane (next page) or start authoring CRDs.