Download PDF
Download page Use Docker Visibility with Kubernetes.
Use Docker Visibility with Kubernetes
This page describes how to set up the Machine Agent with Docker Visibility enabled to run as a DaemonSet
on a Kubernetes cluster.
Container visibility enables you to monitor containerized applications running inside Kubernetes pods and identify container issues that impact application performance. You deploy the Machine Agent as a Kubernetes DaemonSet
in every node of a Kubernetes cluster. Deploying the Machine Agent as a DaemonSet
ensures that every Kubernetes worker node runs the Machine Agent to collect critical resource metrics from the node host and associated Docker containers.
Using Docker Visibility to monitor Kubernetes containers is no longer the preferred option and will be deprecated. Use the Cluster Agent instead as described in Monitor Kubernetes with the Cluster Agent. The Cluster Agent supports Kubernetes container visibility, as well as visibility into cluster health and capacity.
Container Visibility with Kubernetes
Deploy the Machine Agent in Docker-enabled mode. To configure and run the Machine Agent using Docker, see Configure Docker Visibility.
The Machine Agent:
- Identifies the containers managed by Kubernetes.
- Determines if these containers contain app server agents.
- Correlates containers with app server agents with the APM nodes for that application.
This diagram depicts the deployment scenario for container visibility in Kubernetes:
- Install the Machine Agent container () as a
DaemonSet
on each Kubernetes node. - To collect APM metrics from any container in a pod, install the correct App Server Agent () in the container before deploying the pod.
- The Machine Agent collects resource usage metrics for each monitored container (), as well as Machine and Server metrics for the host, and forwards the metrics to the Controller.
- (Optional) Install the Network Agent () as a
DaemonSet
on the node you want to monitor. The Network Agent collects metrics for all network connections between monitored application components and sends these metrics to the Controller.
Before You Begin
Review the requirements for Container Visibility with Kubernetes:
- A Machine Agent must run as a
DaemonSet
on every Kubernetes node you want to monitor. Every node to be monitored must have a Server Visibility license.
Docker Visibility must be enabled on each Machine Agent.
- Both App Server Agents and Machine Agents are registered by the same account and are using the same Controller.
- If you have multiple App Server Agents running in the same pod, register the container ID as the host ID on each App Server Agent and Machine Agent.
Limitations
- Only the Docker Container Runtime is supported.
- Only Pod and ReplicaSet labels are supported.
Procedure
- Enable Container Visibility
- Register the Container ID as the Host ID
- Configure the Cluster Role
- Deploy the Machine Agent on Kubernetes
After the Machine Agent has been deployed on Kubernetes, you can add the App Server Agent into your image:
Enable Container Visibility
Update the Controller to >= 4.4.3.
To enable Kubernetes Visibility in your environment, edit these parameters:
- Controller
sim.machines.tags.k8s.enabled
: The value defaults totrue
. The global tags enabled flag has priority over this.sim.machines.tags.k8s.pollingInterval
: The value defaults to one minute. The minimum value you can set for the polling interval is 30 seconds.
- Machine Agent
k8sTagsEnabled
: The value defaults totrue
and is specified in theServerMonitoring.yml
file.
Continue with Use Docker Visibility with Red Hat OpenShift. You can use the example DaemonSet
, the sample Docker image for Machine Agent, and the sample Docker start script to set up the Machine Agent.
Register the Container ID as the Host ID
Install an app server agent in every container in a Kubernetes pod to collect application metrics. If multiple app server agents are running in the same pod, for example, in the RedHat OpenShift platform, you must register the container ID as the unique host ID, on both the app server agent and the Machine Agent, to collect container-specific metrics from the pod. Kubernetes pods can contain multiple containers and they share the same host ID. The Machine Agent cannot identify different containers running in a pod unless each container ID is registered as the host ID.
To register the container ID as the host ID:
Get the container ID from the
cgroup
.cat /proc/self/cgroup | awk -F '/' '{print $NF}' | head -n 1
CODERegister the app server agents.
-Dappdynamics.agent.uniqueHostId=$(sed -rn '1s#.*/##; 1s/(.{12}).*/\1/p' /proc/self/cgroup)
CODERegister the Machine Agent.
-Dappdynamics.docker.container.containerIdAsHostId.enabled=true
CODE
Configure the Cluster Role
This sample cluster role definition provides read access to various Kubernetes resources. These permissions enable Kubernetes extensions to the Machine Agent and pod metadata collection. The role is called appd-cluster-reader
, but you can rename it. The cluster role definition outlines various API groups that will be available for members of this role. For every API group, we define a list of resources that will be accessed and the access method. Because we need to retrieve information from these API endpoints, we need the read-only access, expressed by "get
", "list
," and "watch
" verbs.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: appd-cluster-reader
rules:
- nonResourceURLs:
- '*'
verbs:
- get
- apiGroups: ["batch"]
resources:
- "jobs"
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources:
- daemonsets
- daemonsets/status
- deployments
- deployments/scale
- deployments/status
- horizontalpodautoscalers
- horizontalpodautoscalers/status
- ingresses
- ingresses/status
- jobs
- jobs/status
- networkpolicies
- podsecuritypolicies
- replicasets
- replicasets/scale
- replicasets/status
- replicationcontrollers
- replicationcontrollers/scale
- storageclasses
- thirdpartyresources
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- bindings
- componentstatuses
- configmaps
- endpoints
- events
- limitranges
- namespaces
- namespaces/status
- nodes
- nodes/status
- persistentvolumeclaims
- persistentvolumeclaims/status
- persistentvolumes
- persistentvolumes/status
- pods
- pods/binding
- pods/eviction
- pods/log
- pods/status
- podtemplates
- replicationcontrollers
- replicationcontrollers/scale
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
- securitycontextconstraints
- serviceaccounts
- services
- services/status
verbs: ["get", "list", "watch"]
- apiGroups:
- apps
resources:
- controllerrevisions
- daemonsets
- daemonsets/status
- deployments
- deployments/scale
- deployments/status
- replicasets
- replicasets/scale
- replicasets/status
- statefulsets
- statefulsets/scale
- statefulsets/status
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
- customresourcedefinitions/status
verbs:
- get
- list
- watch
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
- apiservices/status
verbs:
- get
- list
- watch
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- get
- list
- watch
Once the role is defined, you must create cluster role bindings to associate the role with a service account. This example of a ClusterRoleBinding spec makes appd-cluster-reader
service account a member of the appd-cluster-reader-role
in the project "myproject
". The naming is purely coincidental. The names of the service account and the cluster role do not have to match.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-reader-role-binding
subjects:
- kind: ServiceAccount
name: appd-cluster-reader
namespace: myproject
roleRef:
kind: ClusterRole
name: appd-cluster-reader
apiGroup: rbac.authorization.k8s.io
Deploy the Machine Agent on Kubernetes
You can deploy the AppDynamics Machine Agent in a single container image without an init container. By default, the Machine Agent is deployed to the cluster as a DaemonSet
and distributes every Agent instance evenly across all cluster nodes. When required, you can configure the DaemonSet
with node affinity rules or node anti-affinity rules to ensure that it is deployed to a desired set of nodes and not across the entire cluster. See Assigning Pods to Nodes to learn about node affinity.
To harvest pod metadata, the service account used to deploy the Machine Agent must have the cluster-reader
role in OpenShift. The cluster-reader
role is also required for the Kubernetes extensions to the Machine Agent.
# assigning cluster-reader role in OpenShift
oc adm policy add-cluster-role-to-user cluster-reader -z appd-account
If you are working with a vanilla Kubernetes distribution, it may not have a pre-built cluster role similar to cluster-reader
in OpenShift. See ClusterRole Configuration.
Instrument Applications with Kubernetes
There are several approaches to instrumenting applications deployed with Kubernetes; the method you choose depends on your particular requirements and DevOps processes. To monitor an application container with AppDynamics, you must include an App Server Agent in that container by:
- Using an appropriate base image which has the App Server Agent pre-installed.
- Loading the App Server Agent dynamically as part of the container startup using an init container.
- Loading the App Server Agent and dynamically attaching it to a running process (where the language runtime supports it).
The third option is usually applicable only to Java-based applications since the JVM supports Dynamic Attach, a standard feature of the AppDynamics Java APM Agent. See Dynamic Java Instrumentation.
For the other options, it is common practice to make use of standard Kubernetes features such as Init Containers, ConfigMaps, and Secrets (as described in Deploying AppDynamics Agents to OpenShift Using Init Containers).
Resource Limits
The main application being monitored should have resource limits defined. Provide 2% padding for CPU and add up to 100 MB of memory.
To support up to 500 containers, you can configure the Machine Agent with the following resource requests and limits: Mem = 400M, CPU = "0.1"
and Mem = 600M, CPU = "0.2"
AppDynamics provides a Kubernetes Snapshot Extension to monitor the health of the Kubernetes Cluster. When deploying this extension, only a single version of the extension should be deployed to the cluster. Do not include it in the DaemonSet
to avoid duplicates and potential cluster overload. Instead, consider deploying the Machine Agent instance with this extension, in addition to the DaemonSet
, as a separate deployment with a single replica for Server Visibility. In this case, you can drop the memory request to 250 M and disable the Machine Agent SIM and Docker.