Install
Kubernetes Collector installation has a different flow than normal collectors.
Steps
1. Create a configuration for a Kubernetes platform:
   - Kubernetes Node: Deploys a collector to each node in the cluster using a DaemonSet.
   - Kubernetes Cluster: Deploys a collector as a single pod Deployment.
   - Kubernetes Gateway: Deploys a scalable set of collectors using a Deployment or StatefulSet.
   - OpenShift Daemonset: Deploys a collector to each node in the cluster.
   - OpenShift Deployment: Deploys a collector as a single pod deployment.
   - OpenShift Gateway: Deploys a scalable set of collectors as a Deployment. See OpenShift Gateway for special instructions.
2. Navigate to the Collectors page and select "Install Collectors".
3. Choose a Kubernetes platform.
4. Select your configuration from step 1.
5. Copy the YAML manifest to a file.
6. Deploy the YAML manifest with:
    kubectl apply -f <file name>
The collectors will be deployed to the cluster in the bindplane-agent namespace and connect to Bindplane automatically.
OpenShift Gateway
Unlike the OpenShift Node and Cluster agent, the Gateway agent does not require additional SecurityContextConstraint configuration nor does it require the same RBAC configuration.
Deploying the OpenShift Gateway is similar to deploying the Kubernetes Gateway, outlined in the steps above. There is one exception.
Create your namespace if it does not already exist. This will also create an OpenShift Project resource.
    oc create namespace bindplane-agent
Determine your UID range by describing the project. Look for the openshift.io/sa.scc.uid-range label.
    $ oc describe project bindplane-agent
    Name:             bindplane-agent
    Created:          8 minutes ago
    Labels:           kubernetes.io/metadata.name=bindplane-agent
                      pod-security.kubernetes.io/audit=restricted
                      pod-security.kubernetes.io/audit-version=v1.24
                      pod-security.kubernetes.io/warn=restricted
                      pod-security.kubernetes.io/warn-version=v1.24
                      openshift.io/display-name=bindplane-agent
                      openshift.io/node-selector=
                      openshift.io/sa.scc.mcs=s0:c33,c2
                      openshift.io/sa.scc.supplemental-groups=1001060000/10000
                      openshift.io/sa.scc.uid-range=1001060000/10000
    Display Name:     bindplane-agent
    Description:      <none>
    Status:           Active
    Node Selector:    <none>
    Quota:            <none>
    Resource limits:  <none>
In this example, the openshift.io/sa.scc.uid-range starts at 1001060000. Yours will differ.
Update the YAML manifest downloaded from Bindplane (Step 2 above). Make the following changes.
- Replace all instances of 1000000000 with a UID from your range.
- If you used a project name other than bindplane-agent, update all instances of namespace: bindplane-agent to reflect that change.
Apply the YAML manifest to your cluster with oc apply.
    serviceaccount/bindplane-agent created
    role.rbac.authorization.k8s.io/bindplane-gateway-agent created
    rolebinding.rbac.authorization.k8s.io/bindplane-gateway-agent created
    service/bindplane-gateway-agent created
    service/bindplane-gateway-agent-headless created
    deployment.apps/bindplane-gateway-agent created
    horizontalpodautoscaler.autoscaling/bindplane-gateway-agent created
If the pods are running, everything is working.
    $ oc -n bindplane-agent get pod
    NAME                                       READY   STATUS    RESTARTS   AGE
    bindplane-gateway-agent-74ff748988-bpzw5   1/1     Running   0          5s
    bindplane-gateway-agent-74ff748988-ptd2x   1/1     Running   0          3s
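The manifest edits in the OpenShift Gateway steps can be scripted so that a UID outside the project's range is rejected before anything is applied. This is an added example, not part of the Bindplane documentation or tooling; the function names, the project name telemetry and the manifest fragment (including its field names) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Bindplane tooling. Sample inputs below are constructed.

# Print the "<start>/<size>" UID range from `oc describe project` output on stdin.
project_uid_range() {
  awk -F= '/openshift\.io\/sa\.scc\.uid-range=/ { print $2; exit }'
}

# Succeed only if UID $1 is numeric and inside range $2 ("<start>/<size>").
uid_in_range() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  start=${2%/*}; size=${2#*/}
  [ "$1" -ge "$start" ] && [ "$1" -lt $((start + size)) ]
}

# Rewrite the manifest on stdin: placeholder UID 1000000000 -> $1, namespace -> $2.
# Refuses (status 1, no output) when $1 is outside range $3 or $2 is not a valid name.
patch_manifest() {
  uid_in_range "$1" "$3" || { echo "UID $1 not in $3" >&2; return 1; }
  case $2 in ''|*[!a-z0-9-]*) echo "bad namespace: $2" >&2; return 1 ;; esac
  sed -e "s/1000000000/$1/g" \
      -e "s/namespace: bindplane-agent\$/namespace: $2/"
}

# Constructed excerpt of `oc describe project` output.
DESCRIBE='Name: bindplane-agent
Labels: kubernetes.io/metadata.name=bindplane-agent
  openshift.io/sa.scc.uid-range=1001060000/10000'

# Constructed manifest fragment; the field names are assumptions.
MANIFEST='metadata:
  namespace: bindplane-agent
spec:
  securityContext:
    runAsUser: 1000000000
    fsGroup: 1000000000'

RANGE=$(printf '%s\n' "$DESCRIBE" | project_uid_range)
printf '%s\n' "$MANIFEST" | patch_manifest "${RANGE%/*}" telemetry "$RANGE"
```

On a real cluster, pipe `oc describe project <name>` into project_uid_range and the downloaded manifest into patch_manifest, then review the result before running oc apply.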
Example Installation
Create a configuration using a Kubernetes-compatible source. This example uses the Kubernetes Event Logs source.

Once the configuration has been created, navigate to the Collectors page and select "Install Collectors".
Select your Kubernetes platform and configuration. You will be prompted to copy the YAML manifest. Copy it and save it to a file.

Ensure that the OPAMP_ENDPOINT environment variable has the correct value for your server. If you did not configure ingress, this value should match your deployment clusterIP service name and namespace. In this example, the service name is "my-bindplane" and the namespace is "default".
    - name: OPAMP_ENDPOINT
      value: "ws://my-bindplane.default.svc.cluster.local:3001/v1/opamp"
If you configured ingress, your OPAMP_ENDPOINT should contain the ingress hostname and port. The port should be 80 for non-TLS ingress, and 443 if ingress TLS is enabled. Similarly, the protocol should be ws (websocket) when TLS is not configured, and wss (secure web socket) when TLS is enabled.
Deploy the YAML manifest with kubectl apply -f <manifest file path>. Once deployed, your collector(s) will appear on the Collectors page, and they will be bound to your configuration.

TLS
Kubernetes agents can be configured to connect to Bindplane using TLS. If the Bindplane TLS certificate is publicly signed, no action is required. If the certificate is signed by an internal certificate authority, the agent can be configured with a custom certificate authority for verifying the Bindplane certificate.
Your certificate authority file (ca.crt) can be added to a secret in the bindplane-agent namespace using the following command.
    kubectl -n bindplane-agent create secret generic my-tls \
      --from-file ca.crt
Once the secret is created, you can modify your agent YAML manifest. Specifically, you need to append to the volumes, volumeMounts, and env sections of the agent container.
     spec:
       template:
         spec:
           containers:
             - name: opentelemetry-collector
               env:
    +            - name: OPAMP_TLS_CA
    +              value: /opt/tls/ca.crt
               volumeMounts:
    +            - name: tls
    +              mountPath: /opt/tls
           volumes:
    +        - name: tls
    +          secret:
    +            secretName: my-tls
Using this example, the CA certificate ca.crt will be mounted to /opt/tls/ca.crt. The OpAMP client will be configured to use this certificate authority when validating the Bindplane certificate.
You can learn more about the various OpAMP environment variables here.
Mutual TLS
When using mutual TLS, the same process is used. In this case, a client keypair is provided. This example uses client.crt and client.key.
    kubectl -n bindplane-agent create secret generic my-tls \
      --from-file ca.crt \
      --from-file client.crt \
      --from-file client.key
     spec:
       template:
         spec:
           containers:
             - name: opentelemetry-collector
               env:
    +            - name: OPAMP_TLS_CA
    +              value: /opt/tls/ca.crt
    +            - name: OPAMP_TLS_CERT
    +              value: /opt/tls/client.crt
    +            - name: OPAMP_TLS_KEY
    +              value: /opt/tls/client.key
               volumeMounts:
    +            - name: tls
    +              mountPath: /opt/tls
           volumes:
    +        - name: tls
    +          secret:
    +            secretName: my-tls
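A pre-deploy check for the OPAMP_ENDPOINT and TLS settings described above, as an added example that is not part of the Bindplane documentation or tooling: it flags OPAMP_TLS_* variables paired with a ws:// endpoint, a client certificate without its key, and a TLS path that no mountPath covers. The function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Bindplane tooling. The manifest below is constructed.
# Print the value of container env var $1 from manifest file $2.
env_value() {
  awk -v n="$1" '
    $1 == "-" && $2 == "name:" { hit = ($3 == n); next }
    hit && $1 == "value:"      { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Succeed if path $1 sits below a mountPath declared in manifest file $2.
under_mount() {
  awk -v p="$1" '$1 == "mountPath:" && index(p, $2 "/") == 1 { ok = 1 }
                 END { exit !ok }' "$2"
}

# Print one finding per line for manifest file $1; return 1 if any were found.
lint_opamp() {
  found=0; ep=$(env_value OPAMP_ENDPOINT "$1"); ca=$(env_value OPAMP_TLS_CA "$1")
  crt=$(env_value OPAMP_TLS_CERT "$1"); key=$(env_value OPAMP_TLS_KEY "$1")
  case $ep in
    wss://*) ;;
    ws://*) [ -z "$ca$crt$key" ] || { echo "TLS files set but endpoint is ws://"; found=1; } ;;
    *) echo "OPAMP_ENDPOINT must start with ws:// or wss://"; found=1 ;;
  esac
  if [ -n "$crt$key" ] && { [ -z "$crt" ] || [ -z "$key" ]; }; then
    echo "OPAMP_TLS_CERT and OPAMP_TLS_KEY must be set together"; found=1
  fi
  for f in $ca $crt $key; do
    under_mount "$f" "$1" || { echo "$f is not under any mountPath"; found=1; }
  done
  return $found
}

# Constructed fragment: TLS requested, endpoint left on ws://, client key forgotten.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
        env:
          - name: OPAMP_ENDPOINT
            value: "ws://my-bindplane.default.svc.cluster.local:3001/v1/opamp"
          - name: OPAMP_TLS_CA
            value: /opt/tls/ca.crt
          - name: OPAMP_TLS_CERT
            value: /etc/certs/client.crt
        volumeMounts:
          - name: tls
            mountPath: /opt/tls
EOF
lint_opamp "$SAMPLE" || true
```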