Migration guide

From Radar OSS to Radar Cloud. Ten minutes. One Helm flag.

You already know Radar. Keep everything you've set up. Add multi-cluster, SSO, long-term retention, and team collaboration — without migrating data, changing auth, or touching your existing tooling.

10 min
End-to-end migration
0
Data to migrate
1
Helm flag to flip
The TL;DR

Radar Cloud is the same Radar binary you're already running, with a cloud-sync flag flipped on. Your OSS install keeps working. Radar Cloud adds the multi-cluster, long-retention, SSO, and collaboration layer on top. No data migration. No reconfiguration. No switching cost.

Your existing OSS install is untouched.

The Radar Cloud agent is the same OSS Radar binary with the cloud-sync flag flipped on — your local install keeps working, your CLI, keybindings, and automation scripts all carry over. Migrate one cluster, or all of them. Roll back anytime by flipping the flag off.

The steps

Six steps. Seven minutes. One cluster at a time.

STEP 01

Sign up for a free Radar workspace

30 seconds

Go to app.radarhq.io/signup. No credit card. Use Google, GitHub, or email. You'll land in an empty workspace ready to accept cluster connections.

STEP 02

Generate a cluster connection token

10 seconds

In your Radar workspace, click 'Connect cluster' and name it (e.g. prod-us-west). You'll get a one-time installation token.

# Your workspace generates this:
CLUSTER_TOKEN=rct_7f3a9b2e4d1c6f8a...
STEP 03

Update your existing Helm install

30 seconds per cluster

If you already run Radar OSS via Helm, you just add one flag. The existing install keeps working — we're adding the Radar sync as a sidecar.

# Your existing Radar OSS install:
helm upgrade radar skyhook/radar \
  -n radar \
  --set cloud.enabled=true \
  --set cloud.token=$CLUSTER_TOKEN \
  --set cloud.clusterName=prod-us-west
STEP 04

Watch your cluster appear

Under 60 seconds

The agent opens a secure outbound tunnel to Radar. Topology, events, and resources start syncing immediately. You'll see the cluster in your workspace in under a minute.

STEP 05

Invite your team

2 minutes

Add teammates by email, or connect SSO (Google, GitHub, SAML) and they get access via your existing groups. No kubeconfigs shared, no VPN setup.

STEP 06

Repeat for other clusters

30 sec each

Each cluster gets its own connection token. Same Helm flag, different token. Connect as many as you like — the Free tier is 3 clusters, paid tiers are unlimited.

Before vs after

What stays exactly the same. What gets added.

Unchanged from OSS

Nothing you set up is touched

  • Your local OSS install keeps working exactly as before
  • kubectl, CLI, and web UI remain fully functional locally
  • No data migration required — your cluster is the source of truth
  • MCP integrations you've configured keep working
  • Your existing kubeconfig-based auth is untouched
  • All OSS Radar keyboard shortcuts and workflows unchanged

Added by Radar

What connecting unlocks

  • Multi-cluster fleet view across every connected cluster
  • Event timeline persists 30 days to 1 year (vs session-only in OSS)
  • SAML/OIDC SSO with group-to-namespace RBAC
  • Shareable deep-links + annotations that survive restarts
  • Slack, PagerDuty, MS Teams integrations
  • Audit logs for compliance evidence
Before you flip the flag

What actually leaves your cluster.

We're allergic to surprises. Here's the exact data flow your security team will want to review.

What Radar receives

  • • Kubernetes resource metadata (names, labels, status)
  • • Event metadata (reason, source, count)
  • • Helm release manifests (values, revision history)
  • • Network topology edges (service-to-service)
  • • Node-level metrics (CPU, memory, counts)

What Radar never sees

  • • Container logs or stdout
  • • Secret values (only the existence + name)
  • • ConfigMap contents (only metadata)
  • • Application data or user PII
  • • kubectl exec session contents

The agent is Apache 2.0 and auditable. Read every line on GitHub. Radar itself is SOC 2 Type 2 certified, with an EU region available for Enterprise customers who need it.

Rollback plan

Tried it, didn't work out? Revert in seconds.

Commit to trying Radar with zero switching cost. If it's not a fit, you're back where you started in under a minute.

01

Disconnect cluster from Radar

helm upgrade radar skyhook/radar --set cloud.enabled=false
02

Remove Radar workspace entirely

Settings → Workspace → Delete workspace
03

Your OSS install continues as before

(nothing changes locally)
Migration FAQ

Questions we get before people flip the flag.

Do I have to remove my OSS Radar install to use Radar?
No. Radar's agent is the same OSS Radar binary with the cloud-sync flag flipped on. Your local OSS install keeps working. Some teams even run OSS locally for individual engineer laptops and Radar for the team's shared view — they're interoperable.
Does my cluster data leave my infrastructure?
Only metadata needed to render topology, timelines, and resource views. No container logs, no secret values, no pod stdout. The agent filters at source. For stricter requirements, Enterprise offers BYOC deployment where data never leaves your cloud account.
What happens to my in-cluster events during migration?
Nothing — OSS Radar's events are ephemeral by design. Once you connect to Radar, new events are persisted to managed storage. Events from before the migration aren't retroactively captured (they were never persisted).
Can I migrate one cluster and leave others on OSS?
Yes. Connection is per-cluster. Run Radar-synced Radar in prod, pure OSS in staging. The visual footprint in your workspace is only the clusters you've connected.
How is authentication different?
OSS uses kubeconfig-based auth (or OIDC if you configured it). Radar uses your IdP (Google, GitHub, SAML, OIDC) for dashboard access, while the in-cluster agent still uses a scoped Kubernetes ServiceAccount for reading cluster state. You manage one system, not two.
What if I want to go back to OSS-only?
Flip the Helm flag off, or delete your Radar workspace. Your OSS install keeps running. You can export event history as CSV/JSON before you go. Zero lock-in — we commit to this in our Open Source page.
Is the connection outbound-only?
Yes. The agent initiates a WebSocket over TLS to Radar, authenticated with a per-cluster bearer token — no inbound firewall rules, no VPN, no cluster IP needs to be publicly reachable. Works with EKS, GKE, AKS, and on-prem with restrictive egress (as long as egress to agents.radarhq.io on 443 is allowed).
How do I migrate my OSS user accounts?
OSS Radar doesn't have user accounts (it uses kubeconfig or OIDC). Radar creates its own user directory based on your IdP. If your team all authenticates via Okta/Google today, connecting SSO will auto-provision them on first login.
Next read
OSS vs Radar Cloud comparison
Feature-by-feature matrix
Check pricing
What it costs
Per-cluster, free for one
Get help
Join the community
Slack, GitHub, maintainers

Ten minutes. One Helm flag. No regret policy.

Start with up to 3 clusters — Free forever. Add more when you're ready. Rollback anytime.

Install with HelmStart freeBook a demo

Apache 2.0 OSS · Unlimited clusters self-hosted · Hosted free tier for up to 3 clusters