Architecture Overview
Saviour uses two lightweight agents installed in your cluster to collect observability data and stream it to the Saviour platform. Nothing runs in our infrastructure inside your cluster — the agents are the only Saviour components on your nodes.
Data flow
Components
Centurion — Kubernetes Cluster Agent
| Property | Value |
|---|---|
| Kind | Deployment (single replica) |
| Namespace | saviour (configurable) |
| Replicas | Always 1 — one agent per cluster |
| Data source | Kubernetes API via informers (watch + cache) |
| Egress | HTTPS :443 to Saviour backend |
| RBAC | ClusterRole — read-only on core Kubernetes resources |
Centurion watches Kubernetes events, builds a resource ownership graph, runs anomaly detection locally, and streams structured results to the Saviour backend. It never modifies cluster state.
Sentinel — Host Agent
| Property | Value |
|---|---|
| Kind | DaemonSet (one pod per node) |
| Namespace | saviour (configurable) |
| Replicas | One per schedulable node |
| Data source | procfs, cgroups, journald, /var/log/pods, optional eBPF |
| Egress | HTTPS :443 to Saviour backend |
| Privileges | hostPID: true; privileged only when eBPF is enabled |
Sentinel reads host telemetry directly from the Linux kernel via procfs and optional eBPF programs. In baseline mode (eBPF disabled) it requires only SYS_PTRACE.
Network requirements
Both agents only need outbound HTTPS to the Saviour backend. No inbound ports need to be opened.
| Direction | Protocol | Port | Destination |
|---|---|---|---|
| Egress | HTTPS | 443 | api.saviourops.com |
| Egress | DNS | 53 (UDP/TCP) | kube-dns (in-cluster) |
If your cluster enforces NetworkPolicy, setting the chart's networkPolicy.enabled=true creates these egress rules automatically. See the Centurion configuration and Sentinel configuration for details.
Offline resilience
Both agents include an embedded SQLite offline store. If the Saviour backend is unreachable (network partition, maintenance window), events and metrics are buffered locally and replayed automatically when connectivity resumes — up to 72 hours by default (configurable via offlineStore.retentionHours).
Shared ingestion key
Both agents authenticate to the Saviour backend using a single ingestion key stored in a Kubernetes Secret. The chart reads it from global.existingSecret (or creates it from global.apiKey). The key never leaves the cluster in any other way.
```
saviour-secret (Kubernetes Secret)
└── api-key: sav_xxxxxxxxxxxxxxxxx
    ├── used by Centurion pod
    └── used by Sentinel pods (all nodes)
```
What Saviour does NOT do
- ❌ Does not run any workloads or jobs in your cluster
- ❌ Does not modify any Kubernetes resources
- ❌ Does not read Secret or ConfigMap values (unless you explicitly enable watchSecrets)
- ❌ Does not require inbound network access
- ❌ Does not install any webhooks or admission controllers
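The read-only ClusterRole described for Centurion and the "does not read Secret values unless watchSecrets is enabled" guarantee above are both properties an operator can verify rather than take on trust. The following Python script is an added example, not part of the chart or the Saviour project: it audits a ClusterRole JSON document (as produced by kubectl get clusterrole -o json) for non-read-only verbs, wildcard grants, and Secret access; the role names and rules embedded below are constructed samples.

```python
import json
import sys

# Verbs that only read from the API server; anything else can mutate state.
READ_ONLY_VERBS = {"get", "list", "watch"}
# Resources whose payloads are sensitive; an observer should not get them
# unless the operator has opted in (the chart's watchSecrets setting).
SENSITIVE_RESOURCES = {"secrets"}


def audit_cluster_role(role: dict, watch_secrets: bool = False) -> list:
    """Return findings for every rule that exceeds a read-only observer."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        if "*" in verbs | resources | groups:
            findings.append(f"rule {i}: wildcard grant is not least-privilege")
        extra = verbs - READ_ONLY_VERBS - {"*"}
        if extra:
            findings.append(f"rule {i}: write verbs {sorted(extra)} on {sorted(resources)}")
        sensitive = resources & SENSITIVE_RESOURCES
        if sensitive and not watch_secrets:
            findings.append(f"rule {i}: grants {sorted(sensitive)} while watchSecrets is disabled")
    return findings


# Constructed sample: what a read-only agent ClusterRole is expected to look like.
EXPECTED_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-read-only-agent"},  # placeholder name, not the chart's
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "nodes", "events", "namespaces"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "daemonsets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample of a drifted role: a write verb crept in and secrets were added.
DRIFTED_ROLE = json.loads(json.dumps(EXPECTED_ROLE))
DRIFTED_ROLE["rules"][0]["verbs"].append("patch")
DRIFTED_ROLE["rules"].append({"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]})

if __name__ == "__main__":
    # Pass a file produced by `kubectl get clusterrole <name> -o json` to audit a live role.
    role = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else DRIFTED_ROLE
    for finding in audit_cluster_role(role) or ["no findings: role is read-only"]:
        print(finding)
```

Run it against the role the chart actually installs after each upgrade; any finding means the deployed RBAC no longer matches the read-only contract stated on this page.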