Installing the Host Agent on Kubernetes

Supported Versions
Installation methods
- Choosing the proper installation method
- Current versions of installation methods
Install by using the Operator
Install by using the Helm Chart
Install as a DaemonSet
Configure network access for monitored applications
Monitor master nodes
Monitor Kubernetes NGINX Ingress
Secrets
Report to multiple backends
Instana agent security considerations
Example YAML file

Supported Versions

Instana supports the current stable version of Kubernetes. If the current stable version of Kubernetes is 1.26, the Kubernetes sensor is pinned to version 1.24. According to Kubernetes version compatibility guarantee, Instana supports Kubernetes versions 1.22 to 1.26. However, the lowest 2 versions in that range are considered as a soft deprecation.

Installation methods

You can use several available methods to install the Instana agent onto a Kubernetes cluster. If you install the agent on a host manually, only containers and processes are monitored, and Kubernetes data is not collected. You are recommended to install the agent by using the Operator. Alternative methods are the Helm Chart or YAML file (DaemonSet) deployment.

Choosing the proper installation method

The recommended way to deploy the Instana agent into a Kubernetes cluster is to use the Operator or the Helm chart deployment as an alternative. Both ways use all available config options, such as reporting to multiple backends and many more. This will give you full control and even enable some options that are not available in the static YAML file. All available options are described in detail for the Helm chart and these descriptions apply to the operator CRD in the same way.

The YAML file installation is good for quick deployments, although it doesn't have all available configuration options that the Instana agent provides when the agent runs in your Kubernetes cluster. Choose the YAML installation method if you do not need to apply further customization to your Instana agents and rely on manual kubectl handling.

Current versions of installation methods

New versions of the Operator, Helm Chart and YAML file are released fairly frequently. To keep up with the latest updates for fixes, improvements and new features, ensure that you are running the current version of either Operator, Helm Chart or YAML file.

To find the current version of Operator, Helm Chart or YAML file, see the following topics:

Install by using the Operator

Instana provides a Kubernetes operator to install and manage the Instana agent.

For configuration options that you can set by using the Instana Agent Custom Resource Definition and environment variables, see Operator configuration.

Prerequisites

Note: To upgrade the Instana agent CRD from version 1.x of the Instana agent operator automatically, the following prerequisites are needed:

The automatic CRD upgrade from version 1.x of the operator depends on the 3rd party cert-manager operator, which needs to be present in the cluster. For how to install and configure the cert-manager operator properly, see the cert-manager docs.
You must first upgrade the Instana agent to version 2.0.9, which includes a webhook conversion to covert existing agent CRs into the newer format. This webhook is removed after version 2.0.9. You can upgrade the Instana agent again to a newer version once the conversion is complete.

Install Operator manually

Deploy the operator as follows. The latest Operator will be installed, and 1.x CRDs will not be upgraded:
```
kubectl apply -f https://github.com/instana/instana-agent-operator/releases/latest/download/instana-agent-operator.yaml
```
Now the operator should be up and running in the namespace instana-agent, and wait for an instana-agent custom resource to be created. Note that each legacy version 1.x.x of the instana-agent-operator.yaml will reference the same version of the instana/instana-agent-operator container image. The latest tag for the Instana Agent Operator image in DockerHub and the Red Hat Registry are no longer supported. To get a new version of the Instana Agent Operator, you need to update to the latest operator yaml from the Operator's GitHub Releases page as mentioned previously.
Sign in to the Instana user interface, and click More > Agents > Installing Instana Agents > Kubernetes.
From the Technology list, select Operator. This page provides you with the essential configuration values that you need to edit the custom resource yaml file in the following Step 4.
Create the custom resource YAML file by following this YAML template.

Edit the template and replace at least the following values:
- agent.key must be set with your Instana agent key.
- agent.endpointHost must be set with the host agent endpoint.
- agent.endpointPort is the port of your host agent endpoint, and generally the value is "443" (wrapped in quotes).
- cluster.name needs to be set with the name of the Kubernetes cluster that is be displayed in Instana.
- zone.name needs to be set with the name of the Kubernetes cluster that is be displayed in Instana.
- agent.env (optional) can be used to specify environment variables for the agent, such as specifying the proxy configuration for the agent. For more possible environment values, see agent configuration. Here is an example:
```
spec:
    agent:
      env:
        INSTANA_AGENT_TAGS: staging
```
- agent.configuration_yaml can be used to specify a configuration.yaml configuration file. See the following example:
```
spec:
    agent:
      configuration_yaml: |
        # Example of configuration yaml template
        # Host
        com.instana.plugin.host:
          tags:
            - 'dev'
            - 'app1'
```
In case you need to adapt configuration.yaml, view the documentation here.

Apply the edited custom resource:
```
kubectl apply -f instana-agent.customresource.yaml
```
The operator will pick up the configuration from the custom resource and deploy the Instana agent.

Uninstalling the host agent

Uninstall the Instana host agent by removing the custom resource:
```
kubectl delete -f instana-agent.customresource.yaml
```

Uninstall the Operator by running the following command:

kubectl delete -f https://github.com/instana/instana-agent-operator/releases/latest/download/instana-agent-operator.yaml

Operator configuration

Custom resource values

The Instana Agent custom resource supports the exact same configuration as the Instana Helm Chart. For a detailed list of all the configuration parameters, see the Helm Chart configuration.

Setup TLS encryption for agent endpoint

TLS encryption can be added in two ways. Either an existing secret can be provided or a certificate and private key can be used.

Using existing secret

You can use an existing secret of the type kubernetes.io/tls for TLS encryption. But the agent.tls.secretName must be provided in the custom resource yaml file.

Provide certificate and private key

On the other side, a certificate and a private key can be used. The certificate and private key must be base64-encoded.

To use this variant, add the following two parameters to the custom resource yaml file:

agent.tls.certificate
agent.tls.key

Note: If agent.tls.secretName is set, then agent.tls.certificate and agent.tls.key will be ignored.

Install by using the Helm Chart

Via a DaemonSet, the Helm chart adds the Instana agent to all schedulable nodes in your cluster.

Sign in to Instana, click More -> Agents -> Installing Instana Agents -> Kubernetes.

From this page, you'll need your host agent endpoint and your agent key.
From the Technology list, select Helm chart.
Enter the cluster name and (optionally) the agent zone.

The cluster name (INSTANA_KUBERNETES_CLUSTER_NAME) is the customised name of the cluster monitored by this daemonset.

The agent zone (INSTANA_ZONE) is used to customize the zone grouping displayed on the infrastructure map.

All of the other required parameters are pre-populated.

Run the following command with Helm 3:

kubectl create namespace instana-agent && \
helm install instana-agent --namespace instana-agent \
--repo https://agents.instana.io/helm \
--set agent.key='<your agent key - as described above>' \
--set agent.endpointHost='<your host agent endpoint - as described above>' \
--set cluster.name='<your-cluster-name>' \
--set zone.name='<your-cluster-name>' \
instana-agent

To configure the installation, specify the values on the command line using the --set flag, or provide a yaml file with your values using the -f flag.

For a detailed list of all the configuration parameters, see our Instana Helm Chart.

Setting up TLS encryption for agent endpoint

TLS encryption can be added in two ways. Either an existing secret can be provided or a certificate and private key can be used during installation.

Using existing secret

An existing secret of type kubernetes.io/tls is possible to use. Just the secretName must be provided during installation with --set 'agent.tls.secretName=<YOUR_SECRET_NAME>'. The files from the provided secret will then be included in the agent.

Provide certificate and private key

On the other side, a certificate and a private key can be added during the installation. The certificate and private key must be base64 encoded.

To use this variant, execute helm install with the following additional parameters:

--set 'agent.tls.certificate=<YOUR_CERTIFICATE_BASE64_ENCODED>'
--set 'agent.tls.key=<YOUR_PRIVATE_KEY_BASE64_ENCODED>'

If agent.tls.secretName is set, then agent.tls.certificate and agent.tls.key will be ignored.

Instana agent service

Note: The functionality described in this section is available with the Instana Agent Helm chart v1.2.7 and above, and requires Kubernetes 1.17 and above.

The Helm chart has a special configuration option called --set service.create=true. This option creates a Kubernetes Service that exposes the following to the cluster:

the OpenTelemetry endpoint for otlp ingestion over gRPC
the implementation of Prometheus' remote_write API
the Trace Web SDK
and other Agent APIs.

Uninstalling the host agent

To uninstall the Instana host agent that is installed by using the Helm Chart, run the following command:

helm uninstall instana-agent

Then, all the resources that are related to the host agent are removed.

Install as a DaemonSet

To install and configure the Instana agent as a DaemonSet within your Kubernetes cluster, customize the instana-agent.yaml file to create the instana-agent namespace in which the DaemonSet is created. This enables you to tag agents for quick identification or to stop all of them by deleting the namespace.

Sign in to Instana, click More -> Agents -> Installing Instana Agents -> Kubernetes.
From the Technology list, select DaemonSet.
Enter the cluster name and (optionally) the agent zone.

The cluster name (INSTANA_KUBERNETES_CLUSTER_NAME) is the customised name of the cluster monitored by this daemonset.

The agent zone (INSTANA_ZONE) is used to customize the zone grouping displayed on the infrastructure map. It also sets the default name of the cluster.

All of the other required parameters are pre-populated.
Click Copy and save the YAML file.
Edit the YAML file, replacing with actual values the following dangling anchors:
- *agentKey: A base64 encoded Instana key for the cluster to which the generated data should be sent
```
echo YOUR_INSTANA_AGENT_KEY | base64
```
- *endpointHost: The IP address or hostname associated with the installation.
- *endpointPort: The network port associated with the installation.
- *clusterName: The name to be assigned to your cluster in Instana.
- *zoneName: The agent zone to associate with the nodes of your cluster.
To install Instana within your Kubernetes Cluster, run this command:
```
kubectl apply -f instana-agent.yaml
```
Note: Any additional edits you make to the instana-agent.yaml require that the DaemonSet is recreated. To apply changes, run the following commands:
```
kubectl delete -f instana-agent.yaml
kubectl apply -f instana-agent.yaml
```

RBAC

To deploy for Kubernetes versions prior to 1.8 with RBAC enabled, replace rbac.authorization.k8s.io/v1 with rbac.authorization.k8s.io/v1beta1 for RBAC api version.

To grant your user the ability to create authorization roles, for example in GKE, run this command:

kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user $(gcloud config get-value account)

If you don't have RBAC enabled, you need to remove the ClusterRole and ClusterRoleBinding from the instana-agent.yaml file.

PodSecurityPolicy

To enable a PodSecurityPolicy for the Instana agent:

Create a PodSecurityPolicy resource as defined in our Helm chart.
Authorize that policy in the instana-agent ClusterRole. Note that RBAC has to be enabled with the ClusterRole and ClusterRoleBinding resources created as defined in the aforementioned instana-agent.yaml file.
Enable the PodSecurityPolicy admission controller on your cluster. For existing clusters, it is recommended that policies are added and authorized before enabling the admission controller.

Pod Security Admission

Instana host agent requires the privileged Pod Security Standard. To enforce the Pod Security Standard with a built-in Pod Security Admission controller, run the following command:

kubectl label --overwrite ns instana-agent pod-security.kubernetes.io/enforce=privileged

Configure network access for monitored applications

Some types of applications need to reach out to the agent first. Currently they are

Node.js
Go
Ruby
Python
.NET Core

Those applications need to know on which IP the agent is listening. As the agent will listen on the host IP automatically, use the following Downward API snippet to pass it in an environment variable to the application pod:

spec:
  containers:
    env:
      - name: INSTANA_AGENT_HOST
        valueFrom:
          fieldRef:
            fieldPath: status.hostIP

Monitor master nodes

Per default, the agent does not get scheduled on Kubernetes master nodes, as the deployment respects the default taint node-role.kubernetes.io/master:NoSchedule that is set on most master nodes. To overwrite these add the following toleration to the agent daemonset:

kind: DaemonSet
metadata:
  name: instana-agent
  namespace: instana-agent
spec:
  template:
  ...
    spec:
      tolerations:
        - key: "node-role.kubernetes.io/master"
          effect: "NoSchedule"
          operator: "Exists"
    ...

For more direct control install the Agent separately on the master nodes. Please contact support on advice for your environment.

Monitor Kubernetes NGINX Ingress

For guidelines on how to configure the Kubernetes NGINX Ingress and our Agent for capturing NGINX metrics, see the Monitoring NGINX page. Tracing of the Kubernetes NGINX Ingress is also possible via the OpenTracing project, see Distributed Tracing for NGINX Ingress on guidelines how to set that up.

Secrets

Kubernetes has built-in support for storing and managing sensitive information. However, if you do not use that built-in capability but still need the ability to redact sensitive data in Kubernetes resources the agent secrets configuration is extended to support that.

To enable sensitive data redaction for selected Kubernetes resources (specifically annotations and container environment variables), set the INSTANA_KUBERNETES_REDACT_SECRETS environment variable to true as shown in the following agent yaml snippet:

spec:
  containers:
      env:
        - name: INSTANA_KUBERNETES_REDACT_SECRETS
          value: "true"

Then configure the agent with the desired list of secrets to match on as described in the agent secrets configuration.

It is important to note that enabling this capability can possibly cause a decrease in performance in the Kubernetes sensor.

Report to multiple backends

To enable reporting to multiple backends from a Kubernetes agent, see the docker agent configuration.

Instana agent security considerations

Since the Instana agent needs to connect to application pods and list/open own ports on bridge networks on the node it is deployed to, it requires host network access and host level process ID lookup for infrastructure correlation. This is equivalent to the permissions granted on Linux & Unix host environments and requires the following flags as set in the DaemonSet deployment:

privileged: true provides full access to /proc without overlay, change UID/GID for JVM attachment and access application namespaces.
hostPID: true provides host level PIDs in /proc, required for infrastructure correlation.
hostNetwork: true provides access to host level & bridge network interfaces.

In addition, when deploying to OpenShift, the Security Context Constraint (SCC) will be set to privileged to grant the afore mentioned permissions.

The following cluster role rules are required by the Kubernetes sensor to detect all resources and applications running in the Kubernetes cluster and making sure its monitored correctly:

rules:
  - nonResourceURLs:
    - "/version"
    - "/healthz"
    verbs: ["get"]- apiGroups: ["batch"]
    resources:
      - "jobs"
      - "cronjobs"
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources:
      - "deployments"
      - "replicasets"
      - "ingresses"
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - "deployments"
      - "replicasets"
      - "daemonsets"
      - "statefulsets"
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources:
      - "namespaces"
      - "events"
      - "services"
      - "endpoints"
      - "nodes"
      - "pods"
      - "replicationcontrollers"
      - "componentstatuses"
      - "resourcequotas"
      - "persistentvolumes"
      - "persistentvolumeclaims"
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources:
      - "endpoints"
    verbs: ["create", "update", "patch"]
  - apiGroups: ["networking.k8s.io"]
    resources:
      - "ingresses"
    verbs: ["get", "list", "watch"]

Example YAML file

A typical instana-agent.yaml file can be downloaded form Instana public GitHub repository. It gets rendered from the Helm chart with typical defaults. Individual properties are defined as dangling anchors as layed out in the next step.

Download this file and view the latest changelog.