Cluster Agent Setup

To set up the Datadog Cluster Agent on your Kubernetes cluster, follow these steps:

Set up the Datadog Cluster Agent.
Configure your Agent to communicate with the Datadog Cluster Agent

Configure the Datadog Cluster Agent

Step 1 - Configure RBAC permissions

The Datadog Cluster Agent needs a proper RBAC to be up and running:

Review the manifests in the Datadog Cluster Agent RBAC folder. Note that when using the Cluster Agent, your node Agents are not able to interact with the Kubernetes API server—only the Cluster Agent is able to do so.
To configure Cluster Agent RBAC permissions, apply the following manifests:

  kubectl apply -f "https://raw.githubusercontent.com/DataDog/datadog-agent/master/Dockerfiles/manifests/rbac/clusterrole.yaml"
  kubectl apply -f "https://raw.githubusercontent.com/DataDog/datadog-agent/master/Dockerfiles/manifests/rbac/serviceaccount.yaml"
  kubectl apply -f "https://raw.githubusercontent.com/DataDog/datadog-agent/master/Dockerfiles/manifests/rbac/clusterrolebinding.yaml"

This creates the appropriate ServiceAccount, ClusterRole, and ClusterRoleBinding for the Cluster Agent.

Step 2 - Secure Cluster-Agent-to-Agent Communication

Use one of the following options to secure communication between the Datadog Agent and the Datadog Cluster Agent.

Create a secret and access it with an environment variable.
Set a token in an environment variable.
Use a ConfigMap to manage your secrets.

Setting the value without a secret results in the token being readable in the PodSpec.

Dropdown

Run the following command to create a secret token:

echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64

Run this one line command:
```
kubectl create secret generic datadog-auth-token --from-literal=token=<ThirtyX2XcharactersXlongXtoken>
```
Alternatively, you can specify the token in the dca-secret.yaml file located in the manifest/cluster-agent directory.
Refer to this secret with the environment variable DD_CLUSTER_AGENT_AUTH_TOKEN in the manifests of the Cluster Agent. See Step 3 - Create the Cluster Agent and its service) and Step 2 - Enable the Datadog Cluster Agent.

Run the following command to create a secret token:

echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64

Refer to this secret with the environment variable DD_CLUSTER_AGENT_AUTH_TOKEN in the manifests of the Cluster Agent and the node-based Agent.
```
          - name: DD_CLUSTER_AGENT_AUTH_TOKEN
            value: "<ThirtyX2XcharactersXlongXtoken>"
```

Run the following command to create a secret token:

echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64

Create your datadog-cluster.yaml with the variables of your choice within the datadog.yaml file and create the ConfigMap accordingly:
```
kubectl create configmap dca-yaml --from-file datadog-cluster.yaml
```

Note: This needs to be set in the manifest of the Cluster Agent and the node agent.

Step 3 - Create the Cluster Agent and its service

Download the following manifests:
- datadog-cluster-agent_service.yaml: The Cluster Agent Service manifest.
- cluster-agent.yaml: Cluster Agent manifest
In the cluster-agent.yaml manifest, replace <DD_API_KEY> with your Datadog API key:
In the cluster-agent.yaml manifest, set the token from Step 2 - Secure Cluster-Agent-to-Agent Communication. The format depends on how you set up your secret; instructions can be found in the manifest directly.
Run: kubectl apply -f datadog-cluster-agent_service.yaml
Finally, deploy the Datadog Cluster Agent: kubectl apply -f cluster-agent.yaml

Step 4 - Verification

At this point, you should see:

-> kubectl get deploy

NAME                    DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
datadog-cluster-agent   1         1         1            1           1d

-> kubectl get secret

NAME                   TYPE                                  DATA      AGE
datadog-auth-token     Opaque                                1         1d

-> kubectl get pods -l app=datadog-cluster-agent

datadog-cluster-agent-8568545574-x9tc9   1/1       Running   0          2h

-> kubectl get service -l app=datadog-cluster-agent

NAME                    TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)          AGE
datadog-cluster-agent   ClusterIP      10.100.202.234   none               5005/TCP         1d

Configure the Datadog Agent

After having set up the Datadog Cluster Agent, configure your Datadog Agent to communicate with the Datadog Cluster Agent.

Setup

Step 1 - Set Configure RBAC permissions for node-based Agents

Dowload the the rbac-agent.yaml manifest. Note that when using the Cluster Agent, your node Agents are not able to interact with the Kubernetes API server—only the Cluster Agent is able to do so.
Run: kubectl apply -f rbac-agent.yaml

Step 2 - Enable the Datadog Agent

Dowload the agent.yaml manifest.
In the agent.yaml manifest, replace <DD_API_KEY> with your Datadog API key:
In the agent.yaml manifest, set the token from Step 2 - Secure Cluster-Agent-to-Agent Communication. The format depends on how you set up your secret; instructions can be found in the manifest directly.
Create the DaemonSet with this command: kubectl apply -f agent.yaml

Verification

Run:

kubectl get pods | grep agent

You should see:

datadog-agent-4k9cd                      1/1       Running   0          2h
datadog-agent-4v884                      1/1       Running   0          2h
datadog-agent-9d5bl                      1/1       Running   0          2h
datadog-agent-dtlkg                      1/1       Running   0          2h
datadog-agent-jllww                      1/1       Running   0          2h
datadog-agent-rdgwz                      1/1       Running   0          2h
datadog-agent-x5wk5                      1/1       Running   0          2h
[...]
datadog-cluster-agent-8568545574-x9tc9   1/1       Running   0          2h

Kubernetes events are beginning to flow into your Datadog account, and relevant metrics collected by your Agents are tagged with their corresponding cluster level metadata.