To set up the Datadog Cluster Agent on your Kubernetes cluster, follow these steps:
The Datadog Cluster Agent needs the proper RBAC permissions to be up and running:
Review the manifests in the Datadog Cluster Agent RBAC folder. Note that when using the Cluster Agent, your node Agents are not able to interact with the Kubernetes API server—only the Cluster Agent is able to do so.
To configure Cluster Agent RBAC permissions, apply the following manifests. (You may have done this already when setting up the node Agent daemonset.)
kubectl apply -f "https://raw.githubusercontent.com/DataDog/datadog-agent/master/Dockerfiles/manifests/rbac/clusterrole.yaml"
kubectl apply -f "https://raw.githubusercontent.com/DataDog/datadog-agent/master/Dockerfiles/manifests/rbac/serviceaccount.yaml"
kubectl apply -f "https://raw.githubusercontent.com/DataDog/datadog-agent/master/Dockerfiles/manifests/rbac/clusterrolebinding.yaml"
This creates the appropriate ServiceAccount, ClusterRole, and ClusterRoleBinding for the Cluster Agent.
Use one of the following options to secure communication between the Datadog Agent and the Datadog Cluster Agent.
Setting the value without a secret results in the token being readable in the PodSpec.
Run the following command to create a secret token:
echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64
Run this one-line command:
kubectl create secret generic datadog-auth-token --from-literal=token=<ThirtyX2XcharactersXlongXtoken>
Alternatively, you can specify the token in the dca-secret.yaml file located in the manifest/cluster-agent directory.
Refer to this secret with the environment variable DD_CLUSTER_AGENT_AUTH_TOKEN in the manifests of the Cluster Agent. See Step 3 - Create the Cluster Agent and its service and Step 2 - Enable the Datadog Cluster Agent.
Run the following command to create a secret token:
echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64
Refer to this secret with the environment variable DD_CLUSTER_AGENT_AUTH_TOKEN in the manifests of the Cluster Agent and the node-based Agent.
- name: DD_CLUSTER_AGENT_AUTH_TOKEN
  value: "<ThirtyX2XcharactersXlongXtoken>"
Run the following command to create a secret token:
echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64
Create your datadog-cluster.yaml with the variables of your choice within the datadog.yaml file and create the ConfigMap accordingly:
kubectl create configmap dca-yaml --from-file datadog-cluster.yaml
Note: This needs to be set in the manifests of both the Cluster Agent and the node Agent.
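The warning above, that a token set without a secret is readable in the PodSpec, can be checked in manifests before they are applied. This is an added example, not part of Datadog's manifests or tooling: the function names and the two sample env fragments are constructed, and the 32-hex-character token format is an assumption based on the placeholder's stated length.

```shell
#!/bin/sh
# Added example; function names and sample manifests are constructed.

# gen_token: 32 hex characters (128 random bits) from the kernel CSPRNG.
gen_token() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# inline_token_lines FILE: print the line number of every literal "value:"
# that follows "name: DD_CLUSTER_AGENT_AUTH_TOKEN". A "valueFrom:" entry
# (Secret reference) or the next list item ends the search without a hit.
inline_token_lines() {
  awk '
    /name:[ \t]*DD_CLUSTER_AGENT_AUTH_TOKEN/ { armed = 1; next }
    armed && /^[ \t]*valueFrom:/             { armed = 0; next }
    armed && /^[ \t]*value:/                 { print NR; armed = 0; next }
    armed && /^[ \t]*-[ \t]/                 { armed = 0 }
  ' "$1"
}

# write_samples DIR: constructed env fragments, one per style.
write_samples() {
  cat > "$1/inline.yaml" <<'EOF'
env:
  - name: DD_CLUSTER_AGENT_AUTH_TOKEN
    value: "<ThirtyX2XcharactersXlongXtoken>"
EOF
  # References the datadog-auth-token Secret and its "token" key.
  cat > "$1/secretref.yaml" <<'EOF'
env:
  - name: DD_CLUSTER_AGENT_AUTH_TOKEN
    valueFrom:
      secretKeyRef:
        name: datadog-auth-token
        key: token
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.yaml; do
  hits=$(inline_token_lines "$f")
  if [ -n "$hits" ]; then
    echo "$(basename "$f"): token literal in PodSpec at line $hits"
  else
    echo "$(basename "$f"): no inline token"
  fi
done
```

The output of gen_token can be supplied as the token value in the kubectl create secret command shown earlier.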
Download the following manifests:
In the cluster-agent.yaml manifest, replace <YOUR_API_KEY> with your Datadog API key:
In the cluster-agent.yaml manifest, set the token from Step 2 - Secure Cluster-Agent-to-Agent Communication. The format depends on how you set up your secret; instructions can be found in the manifest directly.
Run: kubectl apply -f datadog-cluster-agent_service.yaml
Finally, deploy the Datadog Cluster Agent: kubectl apply -f cluster-agent.yaml
At this point, you should see:
-> kubectl get deploy
NAME                    DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
datadog-cluster-agent   1         1         1            1           1d
-> kubectl get secret
NAME                 TYPE     DATA   AGE
datadog-auth-token   Opaque   1      1d
-> kubectl get pods -l app=datadog-cluster-agent
datadog-cluster-agent-8568545574-x9tc9   1/1   Running   0   2h
-> kubectl get service -l app=datadog-cluster-agent
NAME                    TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
datadog-cluster-agent   ClusterIP   10.100.202.234   none          5005/TCP   1d
Note: If you already have the Datadog Agent running, you may need to apply the rbac-agent.yaml manifest before the Cluster Agent can start running.
After having set up the Datadog Cluster Agent, configure your Datadog Agent to communicate with the Datadog Cluster Agent.
Download the rbac-agent.yaml manifest. Note: When using the Cluster Agent, your node Agents are not able to interact with the Kubernetes API server—only the Cluster Agent is able to do so.
Run: kubectl apply -f rbac-agent.yaml
Download the agent.yaml manifest.
In the agent.yaml manifest, replace <YOUR_API_KEY> with your Datadog API key:
In the agent.yaml manifest, replace <DD_SITE> with the Datadog site you are using, i.e. datadoghq.com or datadoghq.eu. This value defaults to datadoghq.com.
In the agent.yaml manifest, set the token from Step 2 - Secure Cluster-Agent-to-Agent Communication. The format depends on how you set up your secret; instructions can be found in the manifest directly.
Create the DaemonSet with this command: kubectl apply -f agent.yaml
Run:
kubectl get pods | grep agent
You should see:
datadog-agent-4k9cd 1/1 Running 0 2h
datadog-agent-4v884 1/1 Running 0 2h
datadog-agent-9d5bl 1/1 Running 0 2h
datadog-agent-dtlkg 1/1 Running 0 2h
datadog-agent-jllww 1/1 Running 0 2h
datadog-agent-rdgwz 1/1 Running 0 2h
datadog-agent-x5wk5 1/1 Running 0 2h
[...]
datadog-cluster-agent-8568545574-x9tc9 1/1 Running 0 2h
Kubernetes events are beginning to flow into your Datadog account, and relevant metrics collected by your Agents are tagged with their corresponding cluster level metadata.