Documentation Index
Fetch the complete documentation index at: https://radarhq.io/docs/llms.txt
Use this file to discover all available pages before exploring further.
Connecting a cluster to Radar Cloud is one Helm command. The chart you install is the same chart Radar OSS uses - just with cloud.enabled=true and a one-time install token. The Radar pod dials api.radarhq.io/agent over an outbound WebSocket; you don’t need any inbound rules on your cluster.
Get the install command
In app.radarhq.io, click Connect a cluster, name it (the underlying ID is opaque cl_...), then Generate install command. The page polls for connection while you run it.
The command looks like:
helm upgrade --install radar oci://ghcr.io/skyhook-io/radar \
--namespace radar --create-namespace \
--set cloud.enabled=true \
--set cloud.url=wss://api.radarhq.io/agent \
--set cloud.token=rhc_xxx... \
--set cloud.clusterName=cl_xxx... \
--set rbac.helm=true \
--set rbac.secrets=true \
--set rbac.podExec=true \
--set rbac.portForward=true
The token is shown once. If you lose it before completing the install, rotate it from Clusters → cluster → Rotate token - this invalidates the unused token.
What each value does
| Value | Effect |
|---|
cloud.enabled=true | Switches the chart to cloud-mode (auth proxy, ClusterRoleBindings for cloud:* groups, hardened listener). |
cloud.url | The WebSocket endpoint to dial. wss://api.radarhq.io/agent for production. |
cloud.token | One-time bearer credential identifying this cluster. SHA-256 hashed at rest by the Hub. |
cloud.clusterName | The opaque cluster ID assigned by the Hub. The Radar pod advertises this on handshake. |
rbac.helm | Enables Helm install / upgrade / rollback / uninstall. Auto-enables rbac.secrets. |
rbac.secrets | Allows the resource browser to show Secrets. |
rbac.podExec | Enables the pod terminal and debug containers. |
rbac.portForward | Enables port forwarding through the UI. |
rbac.* flags to restrict what Radar can do in your cluster - the UI gracefully degrades. See In-cluster deployment for the full list.
What the chart deploys
Namespace: radar
├─ Deployment: radar # the OSS binary in cloud-mode
├─ ServiceAccount: radar
├─ ClusterRole / ClusterRoleBinding (read access + opt-ins)
├─ ClusterRoleBindings:
│ cloud:owner → admin
│ cloud:member → edit
│ cloud:viewer → view
└─ Service / NetworkPolicy (optional)
api.radarhq.io:443. No ingress, no LB, no DNS.
Verify the connection
The install page polls for up to 5 minutes. Once connected, you’ll be redirected into the cluster view. If polling times out:
# Radar pod logs
kubectl logs -n radar deploy/radar
# Look for:
[cloud] connected to wss://api.radarhq.io/agent as cl_xxx...
[cloud] handshake ok, cluster status -> connected
| Symptom | Likely cause |
|---|
401 unauthorized on handshake | Token invalid or rotated. Generate a new install command. |
connection refused | Egress firewall blocking outbound api.radarhq.io:443. |
TLS handshake failure | Outbound proxy doing TLS inspection without the corporate CA injected into the Radar pod’s trust store. |
| Connects then drops | The Radar pod must run on a single replica; check for crash loops via kubectl describe pod. |
Reinstall vs. rotate
- Reinstall - re-run the same Helm command with a fresh token. Used when you’ve lost the original install yaml.
- Rotate token - issues a new token without changing the cluster ID. The previous token stops working immediately. Useful when an operator leaves or you suspect token leak.
See Cluster token rotation for both flows.
Egress requirements
| Destination | Port | Why |
|---|
api.radarhq.io | 443 | The control-plane WebSocket. |
| Container registry that hosts the chart / image | 443 | Pulling the Radar image. Default ghcr.io/skyhook-io/radar. |
Air-gapped clusters
Cloud assumes outbound TLS to api.radarhq.io. Air-gapped environments should run Radar OSS instead - it’s the same UI without the control plane.
See also
