
Install Kubernetes Agents

Install

Kubernetes agent installation follows a different flow than installation of other agents.

Steps

  1. Create a configuration for a Kubernetes platform
    1. Kubernetes Node: Deploys an agent to each node in the cluster using a DaemonSet.
    2. Kubernetes Cluster: Deploys an agent as a single pod Deployment.
    3. Kubernetes Gateway: Deploys a scalable set of agents using a Deployment or StatefulSet.
    4. OpenShift Daemonset: Deploys an agent to each node in the cluster.
    5. OpenShift Deployment: Deploys an agent as a single pod deployment.
  2. Navigate to the Agents page and select "Install Agents"
  3. Choose a Kubernetes Platform
  4. Select your configuration from step 1
  5. Copy the YAML manifest to a file
  6. Deploy the YAML manifest with kubectl apply -f <file name>

The agents will be deployed to the cluster in the bindplane-agent namespace and connect to BindPlane OP automatically.

Example Installation

Create a configuration using a Kubernetes-compatible source. This example uses the Kubernetes Event Logs source.


Once the configuration has been created, navigate to the Agents page and select "Install Agents".

Select your Kubernetes platform and configuration. You will be prompted to copy the YAML manifest. Copy it and save it to a file.


Ensure that the OPAMP_ENDPOINT environment variable has the correct value for your server. If you did not configure ingress, this value should match your deployment's ClusterIP service name and namespace. In this example, the service name is "my-bindplane" and the namespace is "default".

```yaml
- name: OPAMP_ENDPOINT
  value: "ws://my-bindplane.default.svc.cluster.local:3001/v1/opamp"
```

If you configured ingress, your OPAMP_ENDPOINT should contain the ingress hostname and port. The port should be 80 for non-TLS ingress, and 443 if ingress TLS is enabled. Similarly, the protocol should be ws (websocket) when TLS is not configured, and wss (secure web socket) when TLS is enabled.

Deploy the YAML manifest with kubectl apply -f <manifest file path>. Once deployed, your agent(s) will appear on the Agents page, and they will be bound to your configuration.


TLS

Kubernetes agents can be configured to connect to BindPlane using TLS. If the BindPlane TLS certificate is publicly signed, no action is required. If the certificate is signed by an internal certificate authority, the agent can be configured with a custom certificate authority for verifying the BindPlane certificate.

Your certificate authority file (ca.crt) can be added to a secret in the bindplane-agent namespace using the following command.

```bash
kubectl -n bindplane-agent create secret generic my-tls \
  --from-file ca.crt
```

Once the secret is created, you can modify your agent YAML manifest. Specifically, you need to append to the volumes, volumeMounts, and env sections of the agent container.

```yaml
spec:
  template:
    spec:
      containers:
        - name: opentelemetry-collector
          env:
            - name: OPAMP_TLS_CA        # added
              value: /opt/tls/ca.crt    # added
          volumeMounts:
            - name: tls                 # added
              mountPath: /opt/tls       # added
      volumes:
        - name: tls                     # added
          secret:                       # added
            secretName: my-tls          # added
```

Using this example, the CA certificate ca.crt will be mounted at /opt/tls/ca.crt. The OpAMP client will use this certificate authority when validating the BindPlane server certificate.

You can learn more about the various OpAMP environment variables here.

Mutual TLS

When using mutual TLS, the same process is used. In this case, a client keypair is provided. This example uses client.crt and client.key.

```bash
kubectl -n bindplane-agent create secret generic my-tls \
  --from-file ca.crt \
  --from-file client.crt \
  --from-file client.key
```

```yaml
spec:
  template:
    spec:
      containers:
        - name: opentelemetry-collector
          env:
            - name: OPAMP_TLS_CA          # added
              value: /opt/tls/ca.crt      # added
            - name: OPAMP_TLS_CERT        # added
              value: /opt/tls/client.crt  # added
            - name: OPAMP_TLS_KEY         # added
              value: /opt/tls/client.key  # added
          volumeMounts:
            - name: tls                   # added
              mountPath: /opt/tls         # added
      volumes:
        - name: tls                       # added
          secret:                         # added
            secretName: my-tls            # added
```
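A pre-apply check for the manifest edits described in the TLS and Mutual TLS sections and the OPAMP_ENDPOINT rules above, added here as an example and not part of the Bindplane docs or the agent project. It assumes the manifest layout shown on this page; the hostname in the constructed sample is a placeholder, and PyYAML is only needed if you load a real file with load_manifest.

```python
# Added example: verify that every OPAMP_TLS_* path is backed by a mounted secret
# and that the OPAMP_ENDPOINT scheme/port agrees with the TLS setup.
from urllib.parse import urlparse

OPAMP_TLS_VARS = ("OPAMP_TLS_CA", "OPAMP_TLS_CERT", "OPAMP_TLS_KEY")

def load_manifest(path):
    """Parse a saved agent manifest with PyYAML (imported lazily; checks also accept plain dicts)."""
    import yaml
    with open(path) as f:
        return yaml.safe_load(f)

def check_manifest(manifest):
    """Return a list of findings; an empty list means the OpAMP/TLS wiring is consistent."""
    findings = []
    pod = manifest["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    for c in pod["containers"]:
        name = c["name"]
        env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
        mounts = {m["name"]: m["mountPath"].rstrip("/") for m in c.get("volumeMounts", [])}
        url = urlparse(env.get("OPAMP_ENDPOINT", ""))
        tls_vars = [v for v in OPAMP_TLS_VARS if env.get(v)]
        # Page rule: ws on port 80 without ingress TLS, wss on 443 with it.
        if url.scheme not in ("ws", "wss"):
            findings.append(f"{name}: OPAMP_ENDPOINT must use ws:// or wss://")
        elif (url.scheme, url.port) in (("ws", 443), ("wss", 80)):
            findings.append(f"{name}: scheme {url.scheme} does not match port {url.port}")
        elif url.scheme == "ws" and tls_vars:
            findings.append(f"{name}: {', '.join(tls_vars)} set but endpoint is plaintext ws://")
        # Each OPAMP_TLS_* path must sit under a volumeMount backed by a secret volume.
        for var in tls_vars:
            path = env[var]
            mount = next((n for n, mp in mounts.items() if path.startswith(mp + "/")), None)
            if mount is None:
                findings.append(f"{name}: {var}={path} is not under any volumeMount")
            elif "secret" not in volumes.get(mount, {}):
                findings.append(f"{name}: volume {mount!r} for {var} is not a secret volume")
        if bool(env.get("OPAMP_TLS_CERT")) != bool(env.get("OPAMP_TLS_KEY")):
            findings.append(f"{name}: OPAMP_TLS_CERT and OPAMP_TLS_KEY must be set together")
    return findings

def example_manifest(endpoint="wss://bindplane.example.internal:443/v1/opamp", key_path="/opt/tls/client.key"):
    """Constructed mTLS Deployment fragment mirroring the page's example (hostname is a placeholder)."""
    env = [{"name": "OPAMP_ENDPOINT", "value": endpoint},
           {"name": "OPAMP_TLS_CA", "value": "/opt/tls/ca.crt"},
           {"name": "OPAMP_TLS_CERT", "value": "/opt/tls/client.crt"},
           {"name": "OPAMP_TLS_KEY", "value": key_path}]
    return {"spec": {"template": {"spec": {
        "containers": [{"name": "opentelemetry-collector", "env": env,
                        "volumeMounts": [{"name": "tls", "mountPath": "/opt/tls"}]}],
        "volumes": [{"name": "tls", "secret": {"secretName": "my-tls"}}]}}}}
```

Run check_manifest(load_manifest("agent.yaml")) against the file you saved in step 5 before kubectl apply; a non-empty list points at the env, volumeMounts or volumes entry that needs fixing.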