
Install Kubernetes Collectors

Install

Kubernetes Collector installation has a different flow than normal collectors.

Steps

  1. Create a configuration for a Kubernetes platform
    1. Kubernetes Node: Deploys a collector to each node in the cluster using a DaemonSet.
    2. Kubernetes Cluster: Deploys a collector as a single-pod Deployment.
    3. Kubernetes Gateway: Deploys a scalable set of collectors using a Deployment or StatefulSet.
    4. OpenShift Daemonset: Deploys a collector to each node in the cluster.
    5. OpenShift Deployment: Deploys a collector as a single-pod Deployment.
    6. OpenShift Gateway: Deploys a scalable set of collectors as a Deployment. See OpenShift Gateway for special instructions.
  2. Navigate to the collector's page and select "Install Collectors"
  3. Choose a Kubernetes Platform
  4. Select your configuration from step 1
  5. Copy the YAML manifest to a file
  6. Deploy the YAML manifest with kubectl apply -f <file name>

The collectors will be deployed to the cluster in the bindplane-agent namespace and connect to Bindplane automatically.

OpenShift Gateway

Unlike the OpenShift Node and Cluster agent, the Gateway agent does not require additional SecurityContextConstraint configuration nor does it require the same RBAC configuration.

Deploying the OpenShift Gateway is similar to deploying the Kubernetes Gateway, outlined in the steps above, with one exception: the manifest must use a UID from the range OpenShift assigns to your project.

Create your namespace if it does not already exist. This will also create an OpenShift Project resource.

bash
oc create namespace bindplane-agent

Determine your uid range by describing the project. Look for the openshift.io/sa.scc.uid-range label.

bash
oc describe project bindplane-agent
txt
Name:			bindplane-agent
Created:		8 minutes ago
Labels:			kubernetes.io/metadata.name=bindplane-agent
			pod-security.kubernetes.io/audit=restricted
			pod-security.kubernetes.io/audit-version=v1.24
			pod-security.kubernetes.io/warn=restricted
			pod-security.kubernetes.io/warn-version=v1.24
			openshift.io/display-name=bindplane-agent
			openshift.io/node-selector=
			openshift.io/sa.scc.mcs=s0:c33,c2
			openshift.io/sa.scc.supplemental-groups=1001060000/10000
			openshift.io/sa.scc.uid-range=1001060000/10000
Display Name:		bindplane-agent
Description:		<none>
Status:			Active
Node Selector:		<none>
Quota:			<none>
Resource limits:	<none>

In this example, the openshift.io/sa.scc.uid-range starts at 1001060000. Yours will differ.

Update the YAML manifest you copied from Bindplane in the steps above. Make the following changes.

  1. Replace all instances of 1000000000 with a UID from your range.
  2. If you used a project name other than bindplane-agent, update all instances of namespace: bindplane-agent to reflect that change.

Apply the YAML manifest to your cluster with oc apply -f <file name>.

txt
serviceaccount/bindplane-agent created
role.rbac.authorization.k8s.io/bindplane-gateway-agent created
rolebinding.rbac.authorization.k8s.io/bindplane-gateway-agent created
service/bindplane-gateway-agent created
service/bindplane-gateway-agent-headless created
deployment.apps/bindplane-gateway-agent created
horizontalpodautoscaler.autoscaling/bindplane-gateway-agent created

If the pods are running, everything is working.

txt
$ oc -n bindplane-agent get pod

NAME                                       READY   STATUS    RESTARTS   AGE
bindplane-gateway-agent-74ff748988-bpzw5   1/1     Running   0          5s
bindplane-gateway-agent-74ff748988-ptd2x   1/1     Running   0          3s

Example Installation

Create a configuration using a Kubernetes-compatible source. This example uses the Kubernetes Event Logs source.


Once the configuration has been created, navigate to the Collectors page and select "Install Collectors".

Select your Kubernetes platform and configuration. You will be prompted to copy the YAML manifest. Copy it and save it to a file.


Ensure that the OPAMP_ENDPOINT environment variable has the correct value for your server. If you did not configure ingress, this value should point at the ClusterIP service of your Bindplane deployment, using its service name and namespace. In this example, the service name is "my-bindplane" and the namespace is "default".

text
- name: OPAMP_ENDPOINT
  value: "ws://my-bindplane.default.svc.cluster.local:3001/v1/opamp"

If you configured ingress, your OPAMP_ENDPOINT should contain the ingress hostname and port. The port should be 80 for non-TLS ingress, and 443 if ingress TLS is enabled. Similarly, the protocol should be ws (websocket) when TLS is not configured, and wss (secure web socket) when TLS is enabled.
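A mismatched scheme and port (plaintext ws on 443, or wss on 80) is the usual reason a collector never shows up on the Collectors page. The following added shell example (not part of the Bindplane docs) builds the endpoint value from the rules above and checks an existing value against them. Port 3001 and the /v1/opamp path are the values shown on this page; the function names and the example hostnames are this example's own.

```shell
#!/bin/sh
# Added example, not from the Bindplane docs.

# opamp_endpoint_clusterip <service> <namespace>
# In-cluster endpoint when no ingress is configured (plaintext ws, port 3001).
opamp_endpoint_clusterip() {
  printf 'ws://%s.%s.svc.cluster.local:3001/v1/opamp\n' "$1" "$2"
}

# opamp_endpoint_ingress <hostname> <tls: yes|no>
# ws on port 80 without TLS, wss on port 443 with TLS.
opamp_endpoint_ingress() {
  if [ "$2" = yes ]; then
    printf 'wss://%s:443/v1/opamp\n' "$1"
  else
    printf 'ws://%s:80/v1/opamp\n' "$1"
  fi
}

# check_opamp_endpoint <url>
# Prints "ok" when the value is consistent with the rules above; otherwise
# prints the problem and returns 1. Paste the value from your manifest here
# before applying it.
check_opamp_endpoint() {
  url=$1
  scheme=${url%%://*}
  rest=${url#*://}
  hostport=${rest%%/*}
  port=${hostport##*:}
  if [ "$port" = "$hostport" ]; then port=""; fi   # no explicit port given

  if [ "$scheme" = ws ]; then
    if [ "$port" = 443 ]; then
      echo "ws on port 443: TLS ingress needs the wss scheme"; return 1
    fi
  elif [ "$scheme" = wss ]; then
    if [ "$port" = 80 ]; then
      echo "wss on port 80: non-TLS ingress uses ws, TLS ingress uses port 443"; return 1
    fi
  else
    echo "unexpected scheme '$scheme': OPAMP_ENDPOINT must use ws or wss"; return 1
  fi

  case "$rest" in
    */v1/opamp) echo ok ;;
    *) echo "path should end in /v1/opamp"; return 1 ;;
  esac
}

# Example (hostname is constructed for illustration):
#   check_opamp_endpoint "$(opamp_endpoint_ingress bindplane.example.com yes)"
```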

Deploy the YAML manifest with kubectl apply -f <manifest file path>. Once deployed, your collector(s) will appear on the Collectors page, and they will be bound to your configuration.


TLS

Kubernetes agents can be configured to connect to Bindplane using TLS. If the Bindplane TLS certificate is publicly signed, no action is required. If the certificate is signed by an internal certificate authority, the agent can be configured with a custom certificate authority for verifying the Bindplane certificate.

Your certificate authority file (ca.crt) can be added to a secret in the bindplane-agent namespace using the following command.

bash
kubectl -n bindplane-agent create secret generic my-tls \
  --from-file ca.crt

Once the secret is created, you can modify your agent YAML manifest. Specifically, you need to append to the volumes, volumeMounts, and env sections of the agent container.

yaml
spec:
  template:
    spec:
      containers:
        - name: opentelemetry-collector
          env:
+           - name: OPAMP_TLS_CA
+             value: /opt/tls/ca.crt
          volumeMounts:
+           - name: tls
+             mountPath: /opt/tls
      volumes:
+       - name: tls
+         secret:
+           secretName: my-tls

Using this example, the CA certificate ca.crt will be mounted at /opt/tls/ca.crt. The OpAMP client will use this certificate authority when verifying the Bindplane server certificate.

You can learn more about the various OpAMP environment variables here.

Mutual TLS

When using mutual TLS, the same process is used. In this case, a client keypair is provided. This example uses client.crt and client.key.

bash
kubectl -n bindplane-agent create secret generic my-tls \
  --from-file ca.crt \
  --from-file client.crt \
  --from-file client.key
yaml
spec:
  template:
    spec:
      containers:
        - name: opentelemetry-collector
          env:
+           - name: OPAMP_TLS_CA
+             value: /opt/tls/ca.crt
+           - name: OPAMP_TLS_CERT
+             value: /opt/tls/client.crt
+           - name: OPAMP_TLS_KEY
+             value: /opt/tls/client.key
          volumeMounts:
+           - name: tls
+             mountPath: /opt/tls
      volumes:
+       - name: tls
+         secret:
+           secretName: my-tls
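For both the TLS and the mutual TLS sections above, here is an added shell example (not part of the Bindplane docs) that sanity-checks the PEM files before they are placed in the secret and generates the env, volumeMounts and volumes additions as a strategic merge patch, so the manifest does not have to be edited by hand. The environment variable names, mount path, container name and secret name are the ones shown on this page; the function names, the PEM check logic and the deployment name in the usage comment (taken from the oc apply output earlier on this page) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the Bindplane docs.

# pem_has <file> <block type>  -> exit 0 if the file contains a PEM block of that type.
pem_has() { grep -q -- "-----BEGIN $2-----" "$1"; }

# check_tls_files <ca.crt> [client.crt client.key]
# Prints "ok" when the files look like what OPAMP_TLS_CA/CERT/KEY expect;
# otherwise prints the problem and returns 1.
# The CA file must hold only certificates: a private key pasted into ca.crt
# is a common copy-and-paste mistake and must never reach the secret.
check_tls_files() {
  ca=$1; cert=${2:-}; key=${3:-}
  if ! pem_has "$ca" CERTIFICATE; then echo "$ca: no CERTIFICATE block"; return 1; fi
  if grep -q "PRIVATE KEY" "$ca"; then echo "$ca: contains a private key, not a CA bundle"; return 1; fi
  if [ -n "$cert" ]; then
    if ! pem_has "$cert" CERTIFICATE; then echo "$cert: no CERTIFICATE block"; return 1; fi
    if ! grep -q "PRIVATE KEY" "$key"; then echo "$key: no private key block"; return 1; fi
  fi
  echo ok
}

# tls_patch <secret name> [tls|mtls]
# Emits a strategic merge patch. Kubernetes merges the env, volumeMounts and
# volumes lists by "name", so these entries are appended to what the manifest
# already defines instead of replacing it.
tls_patch() {
  secret=$1; mode=${2:-tls}
  cat <<EOF
spec:
  template:
    spec:
      containers:
        - name: opentelemetry-collector
          env:
            - name: OPAMP_TLS_CA
              value: /opt/tls/ca.crt
EOF
  if [ "$mode" = mtls ]; then
    cat <<EOF
            - name: OPAMP_TLS_CERT
              value: /opt/tls/client.crt
            - name: OPAMP_TLS_KEY
              value: /opt/tls/client.key
EOF
  fi
  cat <<EOF
          volumeMounts:
            - name: tls
              mountPath: /opt/tls
      volumes:
        - name: tls
          secret:
            secretName: $secret
EOF
}

# Usage against a live cluster (requires kubectl; not run here):
#   check_tls_files ca.crt client.crt client.key || exit 1
#   kubectl -n bindplane-agent create secret generic my-tls \
#     --from-file ca.crt --from-file client.crt --from-file client.key
#   kubectl -n bindplane-agent patch deployment bindplane-gateway-agent \
#     --type strategic -p "$(tls_patch my-tls mtls)"
```

For a Kubernetes Node configuration the workload is a DaemonSet rather than a Deployment, so the kubectl patch target changes accordingly; the patch body itself is the same.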