Quickstart: 15 minutes to a protected node
The shortest path from an empty namespace to kernel-enforced QoS with live telemetry and the management dashboard. Nothing here changes your workloads until you assign a PriorityClass in the final step.
infera); the commands below are what works today. A rename migration is planned.0. Requirements
| Requirement | Why |
|---|---|
| Kubernetes ≥ 1.33 on standard node pools | Autopilot-style managed modes forbid the privileged DaemonSet. |
Node kernel ≥ 6.12 with CONFIG_SCHED_CLASS_EXT=y + BTF | sched_ext is the enforcement mechanism. Verified today: GKE ≥1.36 (COS-129), EKS AL2023 + Bottlerocket ≥1.33. See platform support. |
helm ≥ 3.8, kubectl, cluster-admin | The chart installs RBAC and PriorityClasses. |
| A container registry your cluster can pull from | Images are built from source today; a public registry is on the roadmap. |
1. Build and push images (once)
Temper ships as source plus Dockerfiles during early access. Build the agent and dashboard images and push them to your registry:
# from the repository root
export REGISTRY=<your-registry> # e.g. us-central1-docker.pkg.dev/PROJECT/infera
export TAG=$(git rev-parse --short HEAD)
docker build -f docker/agent/Dockerfile -t $REGISTRY/infera-agent:$TAG .
docker build -f docker/dashboard/Dockerfile -t $REGISTRY/infera-dashboard:$TAG .
docker push $REGISTRY/infera-agent:$TAG
docker push $REGISTRY/infera-dashboard:$TAG
2. Install the chart
helm install infera deploy/helm/infera \
--namespace infera --create-namespace \
--set agent.image.repository=$REGISTRY/infera-agent \
--set-string agent.image.tag=$TAG \
--set dashboard.enabled=true \
--set dashboard.image.repository=$REGISTRY/infera-dashboard \
--set-string dashboard.image.tag=$TAG \
--set priorityClasses.enabled=true
This deploys the node agent DaemonSet (which loads the kernel scheduler on each node), the
management dashboard, RBAC, and the recommended infera-* PriorityClasses. The
scheduler plugin, controller, and overcommit webhook are off by default — that is
complement mode. Enable them later with
scheduler.enabled, controller.enabled, and webhook.enabled.
3. Verify the node is protected
kubectl -n infera get pods # agent Running on every node
kubectl get node <node> -o jsonpath='{.metadata.annotations.infera\.io/agent-status}'
# "ready" — the scheduler is attached and enforcing
If a node’s kernel lacks sched_ext, the agent says so loudly in its logs and the node simply stays on the stock scheduler — Temper never degrades a node it cannot protect.
4. Protect your first workload
Give one latency-critical workload a PriorityClass and watch it land in a protected tier:
kubectl patch deployment my-service --type merge \
-p '{"spec":{"template":{"spec":{"priorityClassName":"infera-critical"}}}}'
Then open the dashboard:
TOKEN=$(kubectl -n infera get secret infera-dashboard-token -o jsonpath='{.data.token}' | base64 -d)
kubectl -n infera port-forward svc/infera-dashboard 8090:8090
# → http://localhost:8090 — paste the token at the login page
You get the hierarchy explorer (cluster → node → pod with live perf, logs, and manifests), the savings view, and audit-logged actions. Tour: management plane.
5. The kill switch (know it before you need it)
Fleet-wide instant revert to the stock kernel scheduler:
kubectl annotate node --all infera.io/safe-mode-requested=true
Nodes revert to CFS in milliseconds — it is kernel-native sched_ext behavior, and the failover has been measured under load. Remove the annotation to re-engage.
Where next
- QoS tiers — how priorities map to kernel scheduler layers
- Workload profiles — per-thread-group tuning inside a pod
- Density & overcommit — turning protection into capacity
- Safety & rollback — failure modes and the honest disclosures