Extract Container ID in cgroupv2 Environments

This document is applicable only if you are not using Cluster Agent. If you are using Cluster Agent, you can extract the container ID based on the following scenarios:

• Applications are auto-instrumented, see Example 3: Enable Auto-Instrumentation for the Cluster Agent.
• Applications are not auto-instrumented, configure the Java Agent application to correlate with Cluster Agent and fetch the container ID. See Manually Configure App Agents to Correlate with the Cluster Agent.

After upgrading to Kubernetes 1.25 or later, Java Agent might fail to properly identify the container ID of the application container. While the discovered container ID has the correct form and syntax, it differs from the actual container ID used by Kubernetes. This discrepancy disrupts the correlation between APM data and infrastructure. To extract the correct container ID in Kubernetes 1.25 or later, you need to query the Kubernetes API Server. 

Extract cgroupv2 Container ID Using Kubernetes API Server

1. Install Java Agent version 23.9.0 or later.
2. Associate the application pod with a service account. Ensure that the service account has GET permission for Kubernetes resource pods. If a service account is already associated with the pod, create a new role and role binding. See Sample YAML. If an IAM role is bound to the service account, create a new policy to allow access. It is required because Kubernetes does not permit access to resource pods without the necessary permissions, and the Java agent cannot extract the cgroupv2 container-ID without this access.
3. Set the following property or environmental variable to kubeapi.

   Element in controller-info.xml: N/A

   System Property: -Dappdynamics.containerinfo.fetch.service

   Environment Variable: APPDYNAMICS_CONTAINERINFO_FETCH_SERVICE

   Type: String

   Default: None

   Example: -Dappdynamics.containerinfo.fetch.service=kubeapi

4. Set the following property or environmental variable to specify the target container name.
   

   Element in controller-info.xml:  N/A

   System Property: -Dappdynamics.container.name

   Environment Variable: APPDYNAMICS_CONTAINER_NAME

   Type: String

   Default: None

   Example: -Dappdynamics.container.name=<target-container-name>

   

   • Prior to version 25.1.0, If Java Agent cannot fetch the container ID after three attempts, it will register with Controller with all zeros (00000) container ID and log an error. Please review the container or agent logs to address the issue.
   • From version 25.1.0 onward, Java Agent assigns the container ID only when it detects a valid container ID. If it fails to retrieve the container ID after 15 attempts (approximately ten minutes), it logs an error and does not register with the Controller. However, the application will start as usual after the default timeout of one minute. In such cases, review the container or agent logs to resolve the issue.
   • From version 25.3.0 onward, you can modify this default behavior by setting either the APPDYNAMICS_AGENT_FAIL_IF_INVALID_CONTAINER_ID environment variable or the appdynamics.agent.fail.if.invalid.container.id system property to false. This allows the Java Agent to register and provide application monitoring even with an invalid container ID.
   

   • Java Agent identifies the Kubernetes API server URL using the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT set by Kubernetes. Additionally, the Java Agent depends on the HOSTNAME environment variable, using it as the pod name to query the Cluster Agent. It is important to keep these variables unchanged to accurately extract the container ID.

   • From version 25.3.0 onward, if you change the HOSTNAME environment variable, it's important to set the APPDYNAMICS_POD_NAME environment variable to the pod name. This ensures that the Java agent can successfully extract the container ID.

     You can dynamically set environment variables based on the pod's attributes using the following Kubernetes configuration:

     - name: APPDYNAMICS_POD_NAME
       valueFrom:
         fieldRef:
           fieldPath: metadata.name

     CODE

     
     

   
   

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myserviceaccount
  namespace: mynamespace

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: mynamespace
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods-namespace
  namespace: mynamespace
subjects:
- kind: ServiceAccount
  name: myserviceaccount
  namespace: mynamespace
roleRef:
  kind: Role
  name: pods-reader
  apiGroup: rbac.authorization.k8s.io