Quickstart: 15 minutes to a protected node

The shortest path from an empty namespace to kernel-enforced QoS with live telemetry and the management dashboard. Nothing here changes your workloads until you assign a PriorityClass in the final step.

Naming note. Binaries, the helm chart, and annotation keys currently ship under the project’s former name (infera); the commands below are what works today. A rename migration is planned.

0. Requirements

RequirementWhy
Kubernetes ≥ 1.33 on standard node poolsAutopilot-style managed modes forbid the privileged DaemonSet.
Node kernel ≥ 6.12 with CONFIG_SCHED_CLASS_EXT=y + BTFsched_ext is the enforcement mechanism. Verified today: GKE ≥1.36 (COS-129), EKS AL2023 + Bottlerocket ≥1.33. See platform support.
helm ≥ 3.8, kubectl, cluster-adminThe chart installs RBAC and PriorityClasses.
A container registry your cluster can pull fromImages are built from source today; a public registry is on the roadmap.

1. Build and push images (once)

Temper ships as source plus Dockerfiles during early access. Build the agent and dashboard images and push them to your registry:

# from the repository root
export REGISTRY=<your-registry>   # e.g. us-central1-docker.pkg.dev/PROJECT/infera
export TAG=$(git rev-parse --short HEAD)

docker build -f docker/agent/Dockerfile     -t $REGISTRY/infera-agent:$TAG .
docker build -f docker/dashboard/Dockerfile -t $REGISTRY/infera-dashboard:$TAG .
docker push $REGISTRY/infera-agent:$TAG
docker push $REGISTRY/infera-dashboard:$TAG

2. Install the chart

helm install infera deploy/helm/infera \
  --namespace infera --create-namespace \
  --set agent.image.repository=$REGISTRY/infera-agent \
  --set-string agent.image.tag=$TAG \
  --set dashboard.enabled=true \
  --set dashboard.image.repository=$REGISTRY/infera-dashboard \
  --set-string dashboard.image.tag=$TAG \
  --set priorityClasses.enabled=true

This deploys the node agent DaemonSet (which loads the kernel scheduler on each node), the management dashboard, RBAC, and the recommended infera-* PriorityClasses. The scheduler plugin, controller, and overcommit webhook are off by default — that is complement mode. Enable them later with scheduler.enabled, controller.enabled, and webhook.enabled.

3. Verify the node is protected

kubectl -n infera get pods        # agent Running on every node
kubectl get node <node> -o jsonpath='{.metadata.annotations.infera\.io/agent-status}'
# "ready" — the scheduler is attached and enforcing

If a node’s kernel lacks sched_ext, the agent says so loudly in its logs and the node simply stays on the stock scheduler — Temper never degrades a node it cannot protect.

4. Protect your first workload

Give one latency-critical workload a PriorityClass and watch it land in a protected tier:

kubectl patch deployment my-service --type merge \
  -p '{"spec":{"template":{"spec":{"priorityClassName":"infera-critical"}}}}'

Then open the dashboard:

TOKEN=$(kubectl -n infera get secret infera-dashboard-token -o jsonpath='{.data.token}' | base64 -d)
kubectl -n infera port-forward svc/infera-dashboard 8090:8090
# → http://localhost:8090 — paste the token at the login page

You get the hierarchy explorer (cluster → node → pod with live perf, logs, and manifests), the savings view, and audit-logged actions. Tour: management plane.

5. The kill switch (know it before you need it)

Fleet-wide instant revert to the stock kernel scheduler:

kubectl annotate node --all infera.io/safe-mode-requested=true

Nodes revert to CFS in milliseconds — it is kernel-native sched_ext behavior, and the failover has been measured under load. Remove the annotation to re-engage.

Where next