Install Kubernetes Agents
Install
Kubernetes Agent installation has a different flow than normal agents.
Steps
- Create a configuration for a Kubernetes platform
  - Kubernetes Node: Deploys an agent to each node in the cluster using a DaemonSet.
  - Kubernetes Cluster: Deploys an agent as a single pod Deployment.
  - Kubernetes Gateway: Deploys a scalable set of agents using a Deployment or StatefulSet.
  - OpenShift Daemonset: Deploys an agent to each node in the cluster.
  - OpenShift Deployment: Deploys an agent as a single pod deployment.
- Navigate to the Agents page and select "Install Agents"
- Choose a Kubernetes Platform
- Select your configuration from step 1
- Copy the YAML manifest to a file
- Deploy the YAML manifest with kubectl apply -f <file name>
The agents will be deployed to the cluster in the bindplane-agent namespace and connect to BindPlane OP automatically.
Example Installation
Create a configuration using a Kubernetes-compatible source. This example uses the Kubernetes Event Logs source.
Once the configuration has been created, navigate to the Agents page and select "Install Agents".
Select your Kubernetes platform and configuration. You will be prompted to copy the YAML manifest. Copy it and save it to a file.
Ensure that the OPAMP_ENDPOINT environment variable has the correct value for your server. If you did not configure ingress, this value should match your deployment clusterIP service name and namespace. In this example, the service name is "my-bindplane" and the namespace is "default".
If you configured ingress, your OPAMP_ENDPOINT should contain the ingress hostname and port. The port should be 80 for non-TLS ingress, and 443 if ingress TLS is enabled. Similarly, the protocol should be ws (websocket) when TLS is not configured, and wss (secure web socket) when TLS is enabled.
Deploy the YAML manifest with kubectl apply -f <manifest file path>. Once deployed, your agent(s) will appear on the Agents page, and they will be bound to your configuration.
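A pre-deployment check for the OPAMP_ENDPOINT rules above, as an added example that is not part of the BindPlane documentation. The helper name check_opamp_endpoint, the ingress hostname, port 3001 and the /v1/opamp path are constructed sample values, and cluster.local is assumed as the cluster DNS domain.

```python
from urllib.parse import urlsplit

# Pairing the page gives for ingress: ws on port 80 without TLS, wss on 443 with TLS.
INGRESS_PORTS = {"ws": 80, "wss": 443}


def check_opamp_endpoint(endpoint, *, ingress_host=None, tls=False, service=None,
                         namespace=None, cluster_domain="cluster.local"):
    """Return a list of problems with an OPAMP_ENDPOINT value; empty means it passes.

    Hypothetical helper: pass ingress_host (and tls) when ingress is configured,
    otherwise pass the BindPlane clusterIP service name and its namespace.
    """
    url = urlsplit(endpoint)
    if url.scheme not in INGRESS_PORTS:
        return [f"scheme {url.scheme!r} is not ws or wss"]
    try:
        port = url.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return ["port is not a valid number"]
    host = (url.hostname or "").lower()
    problems = []

    if ingress_host is not None:
        want = "wss" if tls else "ws"
        if url.scheme != want:
            problems.append(f"scheme is {url.scheme}, expected {want}")
        if port != INGRESS_PORTS[want]:
            problems.append(f"port is {port}, expected {INGRESS_PORTS[want]}")
        if host != ingress_host.lower():
            problems.append(f"host is {host}, expected {ingress_host}")
    else:
        # Agents run in the bindplane-agent namespace, so a bare service name
        # does not resolve to a service that lives in another namespace.
        base = f"{service}.{namespace}".lower()
        allowed = {base, f"{base}.svc", f"{base}.svc.{cluster_domain}"}
        if host not in allowed:
            problems.append(f"host is {host}, expected one of {sorted(allowed)}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the port, path and hostname are placeholders.
    print(check_opamp_endpoint("ws://my-bindplane.default:3001/v1/opamp",
                               service="my-bindplane", namespace="default"))
    print(check_opamp_endpoint("ws://bindplane.example.com:80/v1/opamp",
                               ingress_host="bindplane.example.com", tls=True))
```

The second call reports both the ws scheme and port 80, the combination that would carry agent traffic unencrypted to an ingress that has TLS enabled.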
TLS
Kubernetes agents can be configured to connect to BindPlane using TLS. If the BindPlane TLS certificate is publicly signed, no action is required. If the certificate is signed by an internal certificate authority, the agent can be configured with a custom certificate authority for verifying the BindPlane certificate.
Your certificate authority file (ca.crt) can be added to a secret in the bindplane-agent namespace using the following command.
Once the secret is created, you can modify your agent YAML manifest. Specifically, you need to append to the volumes, volumeMounts, and env sections of the agent container.
Using this example, the CA certificate ca.crt will be mounted to /opt/tls/ca.crt. The OpAMP client will be configured to use this certificate authority when validating the BindPlane certificate.
You can learn more about the various OpAMP environment variables here.
Mutual TLS
When using mutual TLS, the same process is used. In this case, a client keypair is provided. This example uses client.crt and client.key.