Runner enrollment is not yet implemented. This page describes the planned model.
Enrollment flow
When enrollment is live, connecting a new runner will follow this flow:
- Install lynx-runner on your hardware or cluster
- Start the runner with a bootstrap credential (provided by Tetryx during onboarding)
- The runner exchanges the bootstrap credential for short-lived connection credentials
- The runner connects to the Lynx platform and begins polling for jobs
- Credentials refresh automatically — no restarts required
Bootstrap options
| Environment | Bootstrap method |
|---|---|
| Kubernetes | Kubernetes service account token |
| Bare metal / VM | x509 client certificate or enrollment token |
| Any | One-time enrollment token issued by Tetryx |
Credential lifetime
- Credentials are short-lived (minutes to hours, not months)
- Runners refresh credentials automatically before expiry
- Revoked runners are denied refresh and disconnected cleanly
Revoking a runner
If a runner is compromised or decommissioned, contact Tetryx to revoke its credentials. The runner will be unable to reconnect once revoked.
Capability-based access
Runner credentials are scoped to the capabilities you declare at enrollment. A CPU-only runner will not be issued credentials to pick up GPU-only jobs, and vice versa. This is enforced at the platform level, not just by convention.
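
The credential lifetime, revocation and capability rules above, shown as an added Python example of platform-side enforcement. It is not Tetryx or Lynx code (enrollment is not yet implemented); the HMAC token format, the 15-minute TTL, the in-memory revocation set and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real platform would use a managed key
TTL_SECONDS = 900                      # assumed lifetime, within "minutes to hours"
REVOKED = set()                        # runner ids whose credentials have been revoked

def _sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()

def issue(runner_id, capabilities, now=None):
    """Issue a short-lived credential scoped to the declared capabilities."""
    if runner_id in REVOKED:
        raise PermissionError("runner revoked")
    now = time.time() if now is None else now
    claims = {"sub": runner_id, "caps": sorted(capabilities), "exp": now + TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload).decode()

def verify(token, now=None):
    """Return the claims only if the token is authentic, unexpired and not revoked."""
    now = time.time() if now is None else now
    try:
        payload_hex, sig = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        raise PermissionError("malformed credential")
    # Constant-time comparison; the signature is checked before the claims are parsed.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if now >= claims["exp"]:
        raise PermissionError("expired")
    if claims["sub"] in REVOKED:
        raise PermissionError("runner revoked")
    return claims

def refresh(token, now=None):
    """Exchange a still-valid credential for a fresh one; revoked runners are denied."""
    claims = verify(token, now)
    return issue(claims["sub"], claims["caps"], now)

def may_claim(token, job_requires, now=None):
    """Dispatch check: every capability the job requires must be in the credential scope."""
    claims = verify(token, now)
    return set(job_requires) <= set(claims["caps"])
```

Because the scope is carried inside the signed claims and checked at dispatch, a runner cannot widen its capabilities by editing its own credential, and a revoked runner loses access no later than the current credential's expiry.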