Kubernetes monitoring for
clusters, Ingresses and Services

Drop one Helm chart into your cluster and Status Harbor auto-discovers every Ingress and Service as a candidate monitor. Probes run from inside the cluster over a single outbound HTTPS connection — no inbound ports, no VPN gateway, no per-service YAML.

Install the Helm chartSee pricing

Why Kubernetes monitoring needs a different approach

External uptime checks tell you what your users see at the edge. They don't tell you whether the payments service can still reach postgres-primary, whether your internal admin-api Ingress is healthy, or whether a stale ClusterIP is silently black-holing traffic between two namespaces.

The usual answers — punching firewall holes, running a reverse VPN tunnel, or wiring up Prometheus blackbox-exporter with a custom Alertmanager pipeline — all add infrastructure you now have to operate. Status Harbor takes the opposite approach: a lightweight Lighthouse agent runs as a pod inside your cluster, opens an outbound HTTPS connection to our control plane, and probes endpoints from where they actually live.

That single design choice — outbound-only, in-cluster — is what lets one product cover your public website and the internal services that never touch the public internet.

How it works

1. Install the Helm chart

One command, one token, no CRDs to maintain:

helm install lighthouse oci://ghcr.io/statusharbor/charts/lighthouse \
  --namespace lighthouse --create-namespace \
  --set token=$STATUS_HARBOR_TOKEN

2. Auto-discovery surfaces candidates

The agent watches the Kubernetes API for Ingresses and externally-facing Services in the namespaces you allow. Each one shows up in the Status Harbor dashboard as a candidate monitor — adopting it is a checkbox, not 50 lines of YAML.

3. Probes run from inside the cluster

HTTP, HTTPS, TCP, UDP, SSL and DNS checks fire from the agent every minute. Status Harbor stamps each result with the agent identity, so when something fails you know whether it's the cluster, the network path, or the endpoint itself.

4. Alerts land where you already work

Slack, Telegram, email or webhook — same as for public monitors. Failed regions, response codes and humanized errors come pre-formatted for incident threads.

What you can monitor

  • Ingresses — every host/path rule the agent sees becomes a candidate. Watch your *.internal.example.com admin panels the same way you watch your public site.
  • Services — ClusterIP, NodePort and LoadBalancer types. Probe the Service VIP directly to catch endpoint-selector regressions before they hit users.
  • Pods by label — point a TCP or HTTP check at a label selector and the agent resolves it at probe time. No stale targets after a redeploy.
  • External dependencies from inside the cluster — third-party APIs your workloads depend on, probed from the cluster's network path so you see what your pods see, not what the public internet sees.
  • SSL certificates on internal Ingresses — cert-manager renewals fail silently more often than anyone admits. SSL monitors warn you weeks before expiry.
  • DNS records, including in-cluster CoreDNS — flag drift the moment a record changes.

What makes it different

One Helm install, not fifty YAML files. Adopting a new monitor is a checkbox in the UI. No GitOps round-trip for every endpoint.

No inbound ports. The agent opens a single outbound TLS connection. Your security team signs off on the same egress rule they already use for any other SaaS.

Per-namespace scope. Give the agent a ServiceAccount scoped to the namespaces it should see. Auto-discovery respects RBAC — it can't surface what it can't list.

The same product for public and private. One dashboard, one alert pipeline, one bill. You don't run a separate "synthetic" tier for the public site and "internal monitoring" for the cluster.

Multi-region confirmation for public endpoints. When the same monitor is probed from both a public region and an in-cluster agent, Status Harbor correlates the results. A failure that only the cluster sees is a routing problem; a failure only public regions see is an edge problem. The alert tells you which.

Pricing for Kubernetes teams

Every plan, including the free one, includes Lighthouse agents — the same component that runs inside your cluster. The Pro plan ($12/month annual) covers 25 monitors and 3 Lighthouse agents, which is enough to monitor a production cluster plus staging and dev. See full pricing.

Frequently asked questions

Does the Lighthouse agent need cluster-admin?

No. It needs read access to Ingresses, Services and Endpoints in the namespaces you want to monitor. A standard ServiceAccount with a namespaced Role is enough. The Helm chart ships a minimal RBAC template you can audit.

Do I need to open any inbound ports on my cluster?

No. The agent initiates a single outbound HTTPS connection to Status Harbor. If your egress allows generic HTTPS to the public internet, the agent works. No NodePorts, no LoadBalancers, no VPN.

Can I run multiple agents across multiple clusters?

Yes. Each agent gets its own token and shows up as a separate Lighthouse in the dashboard. Monitors can be pinned to specific agents or run from any agent in a pool. The Pro plan includes 3 agents; higher plans scale further.

What happens when the agent itself goes down?

Status Harbor heartbeats every agent. If an agent stops reporting, you get an alert on the same channel as your monitor alerts, so a dead agent never silently hides a cluster outage.

Does it work with managed Kubernetes (EKS, GKE, AKS)?

Yes. The Helm chart has no opinionated assumptions about the cloud provider or CNI. It runs on EKS, GKE, AKS, k3s, kind and bare-metal clusters.

How does this compare to Prometheus blackbox-exporter?

Blackbox-exporter is a building block — you still need Prometheus, Alertmanager, a notification router, a status page and a UI. Status Harbor is the full pipeline as a service with auto-discovery built in. Many teams run both: Prometheus for metrics, Status Harbor for uptime and alerting.

Start monitoring your cluster for free

5 monitors, 1 Lighthouse agent, no credit card.

Start monitoring free

Related