Starling EX

Self-Hosted · One-Stop DevOps · AI-Native

One DevOps Platform.
One Command.
Your Cluster.

Starling-EX is our hero product—a complete, self-hosted DevOps cockpit that wires up sign-in, serverless functions, database auditing, smart alerts, rate limits, and AI-agent tools in a single Kubernetes install. Verified on GKE, EKS, and AKS.

Explore live dashboard Install in 60s
install.sh 
curl -sSL https://starling-ex.frakma.io/install.sh | bash

Built on cloud-native standards & CNCF graduated projects

The AI-Native Stack Advantage

Starling EX is built from the ground up for agentic operations. It provides the structured wiring AI agents need to understand, inspect, and self-heal your Kubernetes cluster safely.

🤖

Model Context Protocol (MCP)

Built-in MCP server lets AI agents (like Gemini, Claude, or custom SRE LLMs) query your cluster safely through structured tools: list_helm_releases, describe_helm_release, and helm_release_history.

🛡️

Agent Blast-Radius Control

Bound the capacity and cost of autonomous decisions. Redis-backed, per-key rate limits throttle API and tool executions, ensuring a runaway agent script never causes service denial or runaway billing spikes.

🕵️

Agent-Level Audit Logs

Every decision, tool invocation, and latency value is recorded in a tamper-proof Firestore audit database. Analyze exactly *why* your SRE agent triggered a rollback or scaled up a nodepool.

🌀

Self-Healing Loop

Integrates with the Reflexion SRE engine. When a deployment fails or drifts from GitOps specifications, Starling EX automatically initiates root-cause analysis, suggests a patch, and waits for a single-click developer approval.

One-Stop DevOps Cockpit

See all your wiring in one place. Inspect active namespaces, serverless functions, security rules, and audit trails under a unified, glassmorphic UI.

System Health Overview

Cluster: prod-eks-1
Tenants
4
All Active
Functions
12
100% Ready
Alerts
0
Firing
Cloud Cost Saved
35.4%
Via Autoreduce

Active Incidents & Auto-Remediation Logs

Incident ID Source Message Status
INC-492 Reflexion SRE Memory Leak detected in payment-v2. Scaled down pod and triggered warning alert. Remediated
INC-491 Sovereign Compliance Compliance drift: hostPath volume detected in default namespace. Auto-patched to emptyDir. Enforced
INC-488 FinOps Agent Spike warning: ml-inference pool idle capacity over 40%. Scheduled downscale in 10m. Waiting HITL

Active Tenants (Namespaces)

Managed via Dex SSO RBAC
Tenant Namespace Owner Group Age Status
finance-prod finsec-ops@acme.ch 14d Ready
ml-training-dev ml-ops-leads@acme.ch 3d Ready
sovereign-data-holding compliance-sec@acme.ch 28d Ready
shared-ingress-public platform-engineers@acme.ch 45d Ready

Registered StarlingFunctions

Declarative Knative/KServe Backend
Name Trigger Path Image Tag Replicas Status
resize-images /resize ghcr.io/acme/resize:1.4 2 / 2 (autoscale 0→5) Running
nightly-report cron: 0 2 * * * ghcr.io/acme/reporter:v2.1 0 / 0 (scale-to-zero) Sleeping
sentiment-analysis /analyze-sentiment acme/sent:v1.0.3 3 / 3 (autoscale 0→10) Running

Active AlertRules & OTel Tracing

Connected to Slack & PagerDuty

Alerting Rules

Alert Rule Name Condition Target Channel Status
api-5xx-burn HTTP 5xx > 2% for 5m Slack #ops-alerts · PagerDuty Ok
model-drift-warning Feature drift share > 30% Slack #mlops-alerts Ok
cost-spike-limit Daily spend delta > $500 Slack #finops-gov Ok

Active OTel Distributed Trace Flow

[Trace ID: 8a9df2c3e10f92b4]
└─ HTTP POST /resize (gateway-ingress) - 142ms
└─ StarlingFunction/resize-images (knative-pod) - 120ms
└─ Redis rate_limit check (key: client-user) - 4ms
└─ Firestore audit log write (license-api) - 18ms

Firestore-Backed Audit Log

Security & Compliance Trail
Timestamp User / Key Action Target Result
2026-06-14T15:02:11 alice@acme.ch list_helm_releases namespace: default Success (142ms)
2026-06-14T15:02:45 bob@acme.ch describe_helm_release release: backend-api Success (88ms)
2026-06-14T15:03:10 system-agent scale_up_replicas function: resize-images Success (1200ms)
2026-06-14T15:04:33 ci-runner-key apply_crd sentiment-analysis Success (450ms)
2026-06-14T15:05:01 leaked-agent-key describe_helm_release release: payments-v2 RateLimited (403)

FinOps Cost Governance

Cross-Cloud Bill Control

Monthly Saved (Predicted)

$4,250.00 / mo

Underutilized Nodepools

2 pools (GKE custom-8)

Rightsizing Recommendations

Target Workload Current Alloc Suggested Alloc Estimated Saving Action
ml-inference-pool (GCP) 8x n1-standard-8 4x n1-standard-4 (scale-to-zero active) $1,820.00 / mo
backend-api-replicas (EKS) 12 pods (1.0 CPU) 4-8 pods (0.5 CPU request based on CPU history) $450.00 / mo
kube-dns-overprovisioning 4 replicas 2 replicas (autoscaler profiles tuned) $120.00 / mo

Market Comparison: The Open-Source Advantage

Why pay monthly per-seat developer licensing plus heavy data transfer fees to massive SaaS aggregators? Starling EX is open-source (Apache-2.0) at its core, self-hosted in your infrastructure, and keeps your data entirely sovereign.

Feature Starling EX (Self-Hosted) Proprietary SaaS Alternatives The Starling Advantage
Single Sign-on (SSO) Dex OIDC Okta / Auth0 ($$$ + lock-in) Federate GSuite/GitHub for unlimited users for zero additional licensing fee.
Serverless Execution StarlingFunction AWS Lambda / Vercel (egress fees) Zero cold starts, zero egress fees, local cluster security, and custom scaling limits.
Observability Prometheus + OTel Datadog / NewRelic (costly ingestion) Trace requests gateway-to-db locally. No monthly ingestion bill shock.
SRE Alerting Slack / PagerDuty PagerDuty Enterprise (high per-seat) Direct event routing from inside your cluster using simple, version-controlled YAML.
Audit Logging Firestore / JSON CloudTrail / LogQL (extra storage cost) Every CLI or API tool invocation is cleanly audited, structured, and under your ownership.
License Lock-in None (Apache-2.0 code) Complete Vendor Lock-in Fork it, run it offline, modify it—you are never locked into our cloud or billing schedules.

StarlingFunction: One-Stop Wiring

Declarative Serverless For Kubernetes

Managing code deployment on Kubernetes shouldn't require writing 5 different manifests (Deployment, Service, VirtualService, Ingress, RBAC). With StarlingFunction, you configure everything in one structured place.

  • OIDC Auth Protection: Wires directly into Dex SSO to restrict path access by user group.
  • Autoscaling Policy: Leverages Knative co-scaling to scale down to zero or scale up based on concurrency.
  • OTel Tracing Hooks: Requests automatically propagate distributed trace headers.
  • Prometheus Endpoints: Exposes standardized scrapable metric logs out of the box.
resize-images-function.yaml 
apiVersion: starling.frakma.io/v1
kind: StarlingFunction
metadata:
  name: resize-images
  namespace: finance-prod
spec:
  image: ghcr.io/acme/resize:1.4
  trigger:
    http:
      path: /resize
      auth:
        required: true
        allowed_groups: ['finance-devs'] # Auto-wired Dex SSO
  scaling:
    minReplicas: 0 # Scales to zero when idle
    maxReplicas: 5
    targetConcurrency: 10

Starling EX Pitch Deck

Take a quick slide walkthrough of Starling EX's design model, architecture, and value proposition.

Pitch Deck · Slide 1 of 4

One-Stop DevOps Cockpit

Starling EX bundles single sign-on (Dex), serverless code executions (StarlingFunction), structured auditing, and Slack/PagerDuty routing into one simple command. It replaces 5 separate subscription services with a self-hosted alternative that runs on hardware you own.

Pitch Deck · Slide 2 of 4

AI-Native Operations & MCP

Starling-EX installs a local Model Context Protocol (MCP) server on your cluster. AI assistants can now inspect Helm deployments, trace function logs, and diagnose crash loops safely through read-only tools while Redis-backed rate limits protect your cluster's API boundaries.

Pitch Deck · Slide 3 of 4

Open Source Advantage

Under the hood, Starling-EX is built on Kubernetes, Helm, Dex, Prometheus, and OpenTelemetry. Our operator is Apache-2.0 licensed. Self-hosting means zero vendor lock-in, total data residency compliance, and no seat-based monthly billing shock.

Pitch Deck · Slide 4 of 4

Offline JWT Entitlements

All feature gates (like Firestore audits or rate limits) are checked and enforced offline at reconcile time. We issue a signed JWT key after license sign-up—no central database is queried, and the operator never phones home. Your metrics stay inside your network.

Open Full Screen Slideshow

Simple Installation

Works on any conformant Kubernetes 1.27+ cluster in three steps.

  1. 1. Set your cluster context

    kubectl 
    kubectl config use-context my-cluster

  2. 2. Run the installer script

    install.sh 
    curl -sSL https://starling-ex.frakma.io/install.sh | bash

    The installer script checks for kubectl and helm, prompts for your license JWT key (optional; run in free mode if left blank), then deploys the chart components into the starling-ex namespace.

  3. 3. Authenticate and log in

    browser 
    open https://starling-ex.your-cluster.example/

    Log in through Dex using your configured corporate Identity Provider. Default configuration maps user groups to Kubernetes cluster RBAC.

Prefer Helm directly? helm install starling-ex oci://ghcr.io/warble-platform/charts/starling-ex --version 0.4.1 -n starling-ex --create-namespace

Sovereign, Transparent Plans

Deploy locally. Offline JWT license verification. No SaaS metering.

Community

Free

forever, self-hosted

  • Up to 3 users
  • Dex SSO (OIDC/SAML)
  • StarlingFunction CRDs
  • Standard email alerts
  • Community support (GitHub Issues)
Install Free
Hero Offer

Startup

Contact Us

flexible scaling for growing teams

  • Up to 10 users
  • Everything in Community
  • Slack & PagerDuty alerts
  • Per-key API rate limits
  • Basic Firestore-backed audit log
  • Standard email & Discord support
Inquire Startup Tier

Talk to us about early-stage startup discounts.

Growth

Contact Us

advanced controls for scaled clusters

  • Up to 50 users
  • Everything in Startup
  • Full Helm-aware MCP tools
  • Firestore audit log with CSV export
  • OpenTelemetry distributed tracing
  • Priority 8x5 engineer support
Inquire Growth Tier

Ideal for multi-team platform teams.

Enterprise

Talk to Us

unlimited seats · custom SLA

  • Unlimited users
  • Everything in Growth
  • SAML / SIEM audit log export
  • Cross-cluster management keys
  • Optional hosted control plane
  • 24/7 priority support + SLA
Contact Sales

Don't want to host it yourself?

Hosted Starling EX is in private beta — we run the control plane, you point your kubeconfig at it. Email us for early access.