Prerequisites

Architect runs as an ordinary in-cluster workload, with no host agent to install. Here is what your cluster and nodes need.

Kubernetes

Kubernetes 1.33 or later.

kubectl version
Client Version: v1.34.3
Kustomize Version: v5.7.1
Server Version: v1.34.3

Tooling

kubectl and helm 3+ on your machine.

Worker nodes

Architect supports these node images out of the box, with nothing to check:

Platform      Node image
Amazon EKS    AL2023

Bare metal or a custom image needs:

  • containerd 2.x (not Docker, CRI-O, or containerd 1.7).
  • Linux 6.6+ recommended, with checkpoint/restore support — 5.10+ is partially supported.
  • amd64 or arm64.

Check every node at once:

kubectl get nodes -o wide

-o wide also prints roles, age, version, and node IPs; the columns that matter here are the last three (shown abbreviated):

NAME     STATUS   ...   OS-IMAGE            KERNEL-VERSION                 CONTAINER-RUNTIME
node-1   Ready    ...   Amazon Linux 2023   6.1.112-122.189.amzn2023      containerd://2.1.5
node-2   Ready    ...   Amazon Linux 2023   6.1.112-122.189.amzn2023      containerd://2.1.5

CONTAINER-RUNTIME should read containerd://2.x, and a KERNEL-VERSION of 6.6 or newer is recommended (5.10+ is partially supported). On a custom image, also confirm the kernel was built with checkpoint/restore:

# whichever your distro exposes
grep CHECKPOINT_RESTORE /boot/config-$(uname -r)
zcat /proc/config.gz | grep CHECKPOINT_RESTORE
CONFIG_CHECKPOINT_RESTORE=y
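
The runtime, kernel, and architecture rules above can be applied to every node in one pass and used as a pre-install gate. The script below is an added example, not part of Architect's documentation or tooling; the function names and sample rows are constructed, and treating kernels older than 5.10 as unsupported is an assumption drawn from the wording above. It does not check CONFIG_CHECKPOINT_RESTORE, which is not exposed through the Kubernetes API.

```shell
#!/usr/bin/env bash
# Added example: grade each node against the prerequisites on this page.
# Live input (name, kernel, runtime, arch per line):
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\t"}{.status.nodeInfo.containerRuntimeVersion}{"\t"}{.status.nodeInfo.architecture}{"\n"}{end}' | check_nodes

# classify_node KERNEL RUNTIME ARCH -> prints "ok", "partial ..." or "unsupported ..."
classify_node() {
  local kernel="$1" runtime="$2" arch="$3" major rest minor
  case $arch in amd64|arm64) ;; *) echo "unsupported arch=$arch"; return ;; esac
  # containerd 2.x only: rejects Docker, CRI-O and containerd 1.7
  case $runtime in containerd://2.*) ;; *) echo "unsupported runtime=$runtime"; return ;; esac
  major=${kernel%%.*}        # "6.1.112-122..." -> "6"
  rest=${kernel#*.}          # -> "1.112-122..."
  minor=${rest%%[!0-9]*}     # -> "1"
  case $major in ''|*[!0-9]*) minor='' ;; esac
  if [ "$rest" = "$kernel" ] || [ -z "$minor" ]; then
    echo "unsupported kernel=$kernel (unparseable)"; return
  fi
  if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 6 ]; }; then
    echo "ok"
  elif [ "$major" -eq 6 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 10 ]; }; then
    echo "partial kernel=$kernel (6.6+ recommended)"
  else
    echo "unsupported kernel=$kernel"   # assumption: below 5.10 is unsupported
  fi
}

# check_nodes reads rows on stdin, prints one verdict per node, and returns
# non-zero if any node is unsupported.
check_nodes() {
  local name kernel runtime arch verdict rc=0
  while read -r name kernel runtime arch; do
    [ -n "$name" ] || continue
    verdict=$(classify_node "$kernel" "$runtime" "$arch")
    printf '%s\t%s\n' "$name" "$verdict"
    case $verdict in unsupported*) rc=1 ;; esac
  done
  return $rc
}

# Constructed sample rows (not real cluster output).
sample_rows() {
  printf '%s\n' \
    'node-1 6.1.112-122.189.amzn2023 containerd://2.1.5 amd64' \
    'node-2 6.8.0-45-generic containerd://1.7.22 arm64' \
    'node-3 6.12.3 containerd://2.0.0 arm64'
}

sample_rows | check_nodes || true
```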

Networking

  • Egress to api.architect.io:443 for authentication at install and heartbeats afterward.
  • Port 1337 between Architect's pods. The daemon and control plane use it for checkpoint transfer. If you enforce pod-to-pod NetworkPolicies, allow it within the architect namespace.

Check egress from inside the cluster:

kubectl run egress-check --rm -it --restart=Never --image=curlimages/curl -- \
  curl -sS -o /dev/null -w '%{http_code}\n' https://api.architect.io/health
200

A 200 confirms DNS and egress to api.architect.io work; a hang or connection error means they are blocked.

S3 (optional)

Only needed for persistent checkpoints. Any S3-compatible store works (AWS S3, Google Cloud Storage, MinIO, Cloudflare R2). You provide the endpoint, region, bucket, and credentials as Helm values.