This document details the setup process of mackerel-container-agent for Kubernetes.
Point to note regarding billing
For each Pod, one micro host is registered in Mackerel. Please note that charges will apply if you are on a paid plan. For more details, refer to FAQ · Calculating the number of hosts.
Operating conditions
By default, mackerel-container-agent accesses the kubelet read-only-port.
In environments where read-only-port is disabled (--read-only-port=0), the environment variable and Role configurations described below are required.
Adding the container to the Pod Template
Specify the mackerel-container-agent container in the Pod Template that you would like to monitor.
Item | Value |
---|---|
name | mackerel-container-agent |
image | mackerel/mackerel-container-agent:latest |
imagePullPolicy | Always |
resources.limits.memory | 128Mi |
env | See below |
Environment variable configuration
mackerel-container-agent requires the following environment variables to be defined.
MACKEREL_CONTAINER_PLATFORM
: kubernetes
MACKEREL_APIKEY
: Mackerel API key
MACKEREL_KUBERNETES_KUBELET_HOST
:
    valueFrom:
      fieldRef:
        fieldPath: status.hostIP
MACKEREL_KUBERNETES_NAMESPACE
:
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
MACKEREL_KUBERNETES_POD_NAME
:
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
The following items are optional.
MACKEREL_KUBERNETES_KUBELET_READ_ONLY_PORT
: Port number
- Set this when the port number has been changed with the kubelet --read-only-port flag (Default: 10255)
- Setting 0 will stop the use of the kubelet read-only port
MACKEREL_KUBERNETES_KUBELET_PORT
: Port number
- Set this when the port number has been changed with the kubelet --port flag (Default: 10250)
- When accessing the kubelet API with /var/run/secrets/kubernetes.io/serviceaccount/ca.crt as the CA certificate, the content of /var/run/secrets/kubernetes.io/serviceaccount/token is used as the Bearer token. Please note that this file does not exist when automountServiceAccountToken is configured as false (true by default).
MACKEREL_KUBERNETES_KUBELET_INSECURE_TLS
: Any value
- When set, certificates are not verified when accessing the kubelet API on MACKEREL_KUBERNETES_KUBELET_PORT
Manifest example
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  containers:
    # ...
    - name: mackerel-container-agent
      image: mackerel/mackerel-container-agent:latest
      imagePullPolicy: Always
      resources:
        limits:
          memory: 128Mi
      env:
        - name: MACKEREL_CONTAINER_PLATFORM
          value: kubernetes
        - name: MACKEREL_APIKEY
          value: <Mackerel APIKey>
        - name: MACKEREL_KUBERNETES_KUBELET_HOST
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: MACKEREL_KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: MACKEREL_KUBERNETES_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
```
When using roles or plugins, refer to the "Agent configurations" here.
mackerel-container-api resource reference
mackerel-container-agent accesses the following resources.
resource | verb |
---|---|
nodes/proxy | get |
nodes/stats | get |
If authentication is enabled for kubelet, a Role must be configured for the ServiceAccount so that mackerel-container-agent can access these resources.
For more on kubelet authentication, see the Kubernetes document.
The following is an RBAC configuration example.
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mackerel-container-agent-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sample-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mackerel-container-agent-clusterrole
subjects:
  - kind: ServiceAccount
    name: sample-serviceaccount
    namespace: default
```
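The pieces above combined for a cluster where the kubelet read-only port is disabled and kubelet authentication is enabled. This is an added example, not part of the Mackerel documentation. The ServiceAccount name, the binding name, and the Secret `mackerel-apikey` with key `apikey` are assumptions, and the Secret is assumed to exist already so that the API key does not appear in the manifest.

```yaml
# Added example: every name except the ClusterRole and the MACKEREL_* variables is hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-monitoring
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myapp-monitoring-kubelet
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mackerel-container-agent-clusterrole  # grants get on nodes/proxy and nodes/stats only
subjects:
  - kind: ServiceAccount
    name: myapp-monitoring
    namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: default
spec:
  serviceAccountName: myapp-monitoring
  automountServiceAccountToken: true  # the agent needs ca.crt and token mounted in the Pod
  containers:
    # ... application containers ...
    - name: mackerel-container-agent
      image: mackerel/mackerel-container-agent:latest
      imagePullPolicy: Always
      resources: {limits: {memory: 128Mi}}
      env:
        - name: MACKEREL_CONTAINER_PLATFORM
          value: kubernetes
        - name: MACKEREL_APIKEY
          valueFrom: {secretKeyRef: {name: mackerel-apikey, key: apikey}}
        - name: MACKEREL_KUBERNETES_KUBELET_READ_ONLY_PORT
          value: "0"  # stop using the read-only port; must be a quoted string
        - name: MACKEREL_KUBERNETES_KUBELET_HOST
          valueFrom: {fieldRef: {fieldPath: status.hostIP}}
        - name: MACKEREL_KUBERNETES_NAMESPACE
          valueFrom: {fieldRef: {fieldPath: metadata.namespace}}
        - name: MACKEREL_KUBERNETES_POD_NAME
          valueFrom: {fieldRef: {fieldPath: metadata.name}}
        # MACKEREL_KUBERNETES_KUBELET_INSECURE_TLS is left unset so certificates are verified.
```

The service account token is mounted into every container of the Pod, so keeping the bound ClusterRole limited to the two `get` rules also limits what the application containers can do with it.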
Start monitoring
Deploy the manifest with mackerel-container-agent added to start monitoring the Pod.
If this does not work, please refer to the Pod log.