Live Workshop: Integrate Google SecOps with Bindplane - Join Us on January 29th at 11 AM ET!Sign Up Now

Kubernetes Node Agent on GKE Auto Pilot

GKE Autopilot is not officially supported on the BindPlane Node Agent at this time. This is due to volume mount restrictions that are in place on auto-pilot clusters.

The BindPlane Node Agent deployment manifest can be modified to deploy to auto-pilot clusters.

Modifications

Follow the Install Kubernetes Agents documentation. After downloading the YAML manifest, open it in your preferred text editor.

Modify the volumes section at spec.template.spec.volumes and comment or remove the following volume definitions:

  • runlog
  • dockerlogs
yaml
1volumes:
2  - name: config
3    emptyDir: {}
4  # - name: runlog
5  #   hostPath:
6  #     path: /run/log/journal
7  - name: varlog
8    hostPath:
9      path: /var/log
10  # - name: dockerlogs
11  #   hostPath:
12  #     path: /var/lib/docker/containers
13  - name: storage
14    hostPath:
15      path: /var/lib/observiq/otelcol/container
16  - name: setup
17    configMap:
18      name: bindplane-node-agent-setup

Modify the storage volume to use an emptyDir volume type.

yaml
1- name: storage
2  emptyDir: {}
3  # hostPath:
4  #   path: /var/lib/observiq/otelcol/container

Modify opentelemetry-collector container's volumeMounts at spec.template.spec.containers and comment or remove the following volume mount definitions:

  • runlog
  • dockerlogs
yaml
1volumeMounts:
2  - mountPath: /etc/otel/config
3    name: config
4  # - mountPath: /run/log/journal
5  #   name: runlog
6  #   readOnly: true
7  - mountPath: /var/log
8    name: varlog
9    readOnly: true
10  # - mountPath: /var/lib/docker/containers
11  #   name: dockerlogs
12  #   readOnly: true
13  - mountPath: /etc/otel/storage
14    name: storage

Apply

Once the modifications have been made, the YAML manifest can be applied to your clusters.

bash
1kubectl apply -f bindplane-agent.yaml
bash
1namespace/bindplane-agent created
2serviceaccount/bindplane-agent created
3clusterrole.rbac.authorization.k8s.io/bindplane-agent created
4clusterrolebinding.rbac.authorization.k8s.io/bindplane-agent created
5service/bindplane-node-agent created
6service/bindplane-node-agent-headless created
7configmap/bindplane-node-agent-setup created
8daemonset.apps/bindplane-node-agent created

Frequently Asked Questions

Q: Will this support Docker-based clusters?

A: No, however, GKE Auto Pilot clusters use the containerd runtime and do not require the docker volume mounts.

Q: Is an emptyDir volume safe for configuration persistence

A: The hostPath volume is used to ensure the agent's configuration is persisted in the unlikely event that the BindPlane agent pod is updated and restarted during a BindPlane control plane outage. GKE Auto Pilot does not allow hostPath volumes, therefore a temporary volume is used to store the configuration pushed by BindPlane to the agent.