RBAC Setup for Expanso

Configure service accounts and RBAC permissions for Expanso to read cluster data and logs.

Service Account

Create a dedicated service account for Expanso:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: expanso-edge
  namespace: expanso-system

ClusterRole

Define permissions for reading logs and cluster state:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: expanso-edge-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "nodes", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets"]
    verbs: ["get", "list"]
  - apiGroups: ["config.openshift.io"]
    resources: ["clusteroperators"]
    verbs: ["get", "list"]

ClusterRoleBinding

Bind the role to the service account:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: expanso-edge-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: expanso-edge-reader
subjects:
  - kind: ServiceAccount
    name: expanso-edge
    namespace: expanso-system

Apply Configuration

Save all three resources to a single file (separated by `---`) and apply it:

# Save to expanso-rbac.yaml
cat > expanso-rbac.yaml <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: expanso-edge
  namespace: expanso-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: expanso-edge-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "nodes", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets"]
    verbs: ["get", "list"]
  - apiGroups: ["config.openshift.io"]
    resources: ["clusteroperators"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: expanso-edge-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: expanso-edge-reader
subjects:
  - kind: ServiceAccount
    name: expanso-edge
    namespace: expanso-system
EOF

# Apply all resources
oc apply -f expanso-rbac.yaml

Verify Permissions

Test that the service account has the required permissions:

# Check pod read access
oc auth can-i get pods --all-namespaces \
--as=system:serviceaccount:expanso-system:expanso-edge

# Check log read access
oc auth can-i get pods/log --all-namespaces \
--as=system:serviceaccount:expanso-system:expanso-edge

# Check node read access
oc auth can-i get nodes \
--as=system:serviceaccount:expanso-system:expanso-edge

# Check cluster operator access
oc auth can-i get clusteroperators \
--as=system:serviceaccount:expanso-system:expanso-edge

All four commands should print `yes`; a `no` means the binding or role was not applied as shown above.

Permissions Explained

pods, pods/log: Read pod metadata and logs

  • Required for log collection
  • Read-only access across all namespaces

nodes: Read node status and resource usage

  • Required for health monitoring
  • No write access

namespaces: List and read namespaces

  • Required for multi-namespace operations

deployments, daemonsets, statefulsets: Read workload metadata

  • Optional: for advanced monitoring
  • Can be removed if not needed

clusteroperators: Read OpenShift operator status

  • Required for cluster health monitoring
  • OpenShift-specific resource

Security Considerations

Principle of least privilege: Expanso has read access only (get, list, watch); no write verbs are granted

Cluster-wide access: ClusterRole allows reading from all namespaces

  • Required for comprehensive log collection
  • Cannot modify any resources

No secrets access: the service account cannot read secrets or configmaps, since neither resource appears in the role

Audit trail: All actions are logged with the service account identity
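
The `oc auth can-i` checks above only confirm that required reads work; the security points in this section are equally worth checking mechanically, so that a later edit to the role does not quietly add `secrets` or a write verb. The following is an added example (not Expanso's own tooling) that mirrors the Kubernetes RBAC rule matcher over the ClusterRole rules from this page; the sets of required reads and forbidden resources are this example's assumptions.

```python
# Added example, not Expanso's own code: a static least-privilege check for the
# expanso-edge-reader ClusterRole shown on this page. CLUSTER_ROLE_RULES is
# transcribed from that manifest; the REQUIRED/FORBIDDEN sets are assumptions.

CLUSTER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "nodes", "namespaces"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["config.openshift.io"], "resources": ["clusteroperators"],
     "verbs": ["get", "list"]},
]

# (group, resource, verb) the collector needs, per the page's "oc auth can-i" checks.
REQUIRED_READS = [("", "pods", "get"), ("", "pods/log", "get"), ("", "nodes", "get"),
                  ("", "namespaces", "list"), ("config.openshift.io", "clusteroperators", "get")]
# Resources the page says the account must not read, and verbs that mutate state.
FORBIDDEN_RESOURCES = [("", "secrets"), ("", "configmaps")]
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def allowed(rules, api_group, resource, verb):
    """Mirror the RBAC rule matcher: a request is permitted if any rule matches
    its API group, resource and verb, with "*" matching anything.
    Simplification: resourceNames and nonResourceURLs are not modelled."""
    for rule in rules:
        groups, resources, verbs = rule["apiGroups"], rule["resources"], rule["verbs"]
        if "*" not in groups and api_group not in groups:
            continue
        if "*" not in resources and resource not in resources:
            continue
        if "*" in verbs or verb in verbs:
            return True
    return False

def lint_role(rules):
    """Return findings; an empty list means the role passes these checks."""
    findings = []
    for group, resource, verb in REQUIRED_READS:
        if not allowed(rules, group, resource, verb):
            findings.append(f"missing: {verb} {resource} (group '{group}')")
    for group, resource in FORBIDDEN_RESOURCES:
        if any(allowed(rules, group, resource, v) for v in ("get", "list", "watch")):
            findings.append(f"excess: read access to {resource} (group '{group}')")
    for rule in rules:
        bad = WRITE_VERBS & set(rule["verbs"])
        if bad:
            findings.append(f"excess: write verbs {sorted(bad)} on {rule['resources']}")
    return findings
```

Run `lint_role(CLUSTER_ROLE_RULES)` in CI against the rules parsed from `expanso-rbac.yaml`; an empty result means the role is still read-only and still excludes secrets and configmaps.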

Namespace-Scoped Alternative

For single-namespace deployments, use a Role and RoleBinding instead of the ClusterRole and ClusterRoleBinding; the `production` namespace below is an example and should be replaced with the namespace whose logs Expanso collects. The service account itself can stay in `expanso-system`, since a RoleBinding may reference a subject from another namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: expanso-edge-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: expanso-edge-reader
  namespace: production
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: expanso-edge-reader
subjects:
  - kind: ServiceAccount
    name: expanso-edge
    namespace: expanso-system

Troubleshooting

If Expanso logs permission denied (403 Forbidden) errors, check the binding, the service account, and the pod's service account in that order:

# Check current permissions
oc describe clusterrolebinding expanso-edge-reader

# Verify service account exists
oc get serviceaccount expanso-edge -n expanso-system

# Check that the Expanso pod is using the correct service account
oc get pod -n expanso-system -o yaml | grep serviceAccountName

Next Steps