To set up the Datadog Cluster Agent on your Kubernetes cluster, follow these steps:
The Datadog Cluster Agent needs a proper RBAC to be up and running:
Review the manifests in the Datadog Cluster Agent RBAC folder. Note that when using the Cluster Agent, your node Agents are not able to interact with the Kubernetes API server—only the Cluster Agent is able to do so.
To configure Cluster Agent RBAC permissions, apply the following manifests. (You may have done this already when setting up the node Agent daemonset.)
kubectl apply -f "https://raw.githubusercontent.com/DataDog/datadog-agent/master/Dockerfiles/manifests/cluster-agent/rbac/rbac-agent.yaml"
kubectl apply -f "https://raw.githubusercontent.com/DataDog/datadog-agent/master/Dockerfiles/manifests/cluster-agent/rbac/rbac-cluster-agent.yaml"This creates the appropriate ServiceAccount, ClusterRole, and ClusterRoleBinding for the Cluster Agent.
If you are using Azure Kubernetes Service (AKS), you may require extra permissions. See the RBAC for DCA on AKS FAQ.
Use one of the following options to secure communication between the Datadog Agent and the Datadog Cluster Agent.
Setting the value without a secret results in the token being readable in the PodSpec.
Run the following command to create a secret token:
echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64Run this one line command:
kubectl create secret generic datadog-auth-token --from-literal=token=<ThirtyX2XcharactersXlongXtoken>Alternatively, modify the value of the secret in the dca-secret.yaml file located in the manifest/cluster-agent directory or create it with:
kubectl create -f Dockerfiles/manifests/cluster-agent/dca-secret.yaml
Refer to this secret with the environment variable DD_CLUSTER_AGENT_AUTH_TOKEN in the manifests of the Cluster Agent. See Step 3 - Create the Cluster Agent and its service) and Step 2 - Enable the Datadog Cluster Agent.
Run the following command to create a secret token:
echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64Refer to this secret with the environment variable DD_CLUSTER_AGENT_AUTH_TOKEN in the manifests of the Cluster Agent and the node-based Agent.
- name: DD_CLUSTER_AGENT_AUTH_TOKEN
value: "<ThirtyX2XcharactersXlongXtoken>"Run the following command to create a secret token:
echo -n '<ThirtyX2XcharactersXlongXtoken>' | base64Create your datadog-cluster.yaml with the variables of your choice within the datadog.yaml file and create the ConfigMap accordingly:
kubectl create configmap dca-yaml --from-file datadog-cluster.yamlNote: This needs to be set in the manifest of the Cluster Agent and the node agent.
Download the following manifests:
In the cluster-agent.yaml manifest, replace <YOUR_API_KEY> with your Datadog API key:
In the cluster-agent.yaml manifest, set the token from Step 2 - Secure Cluster-Agent-to-Agent Communication. The format depends on how you set up your secret; instructions can be found in the manifest directly.
Run: kubectl apply -f datadog-cluster-agent_service.yaml
Finally, deploy the Datadog Cluster Agent: kubectl apply -f cluster-agent.yaml
At this point, you should see:
-> kubectl get deploy
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
datadog-cluster-agent 1 1 1 1 1d
-> kubectl get secret
NAME TYPE DATA AGE
datadog-auth-token Opaque 1 1d
-> kubectl get pods -l app=datadog-cluster-agent
datadog-cluster-agent-8568545574-x9tc9 1/1 Running 0 2h
-> kubectl get service -l app=datadog-cluster-agent
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
datadog-cluster-agent ClusterIP 10.100.202.234 none 5005/TCP 1dNote: If you already have the Datadog Agent running, you may need to apply the rbac-agent.yaml manifest before the Cluster Agent can start running.
After having set up the Datadog Cluster Agent, configure your Datadog Agent to communicate with the Datadog Cluster Agent.
Download the the rbac-agent.yaml manifest. Note: When using the Cluster Agent, your node Agents are not able to interact with the Kubernetes API server—only the Cluster Agent is able to do so.
Run: kubectl apply -f rbac-agent.yaml
Download the agent.yaml manifest.
In the agent.yaml manifest, replace <YOUR_API_KEY> with your Datadog API key:
In the agent.yaml manifest, replace <DD_SITE> with the Datadog site you are using, i.e. datadoghq.com or datadoghq.eu. This value defaults to datadoghq.com.
In the agent.yaml manifest, set the token from Step 2 - Secure Cluster-Agent-to-Agent Communication. The format depends on how you set up your secret; instructions can be found in the manifest directly.
In the agent.yaml manifest, add the environment variable DD_CLUSTER_AGENT_ENABLED and set it to true.
Create the DaemonSet with this command: kubectl apply -f agent.yaml
Run:
kubectl get pods | grep agentYou should see:
datadog-agent-4k9cd 1/1 Running 0 2h
datadog-agent-4v884 1/1 Running 0 2h
datadog-agent-9d5bl 1/1 Running 0 2h
datadog-agent-dtlkg 1/1 Running 0 2h
datadog-agent-jllww 1/1 Running 0 2h
datadog-agent-rdgwz 1/1 Running 0 2h
datadog-agent-x5wk5 1/1 Running 0 2h
[...]
datadog-cluster-agent-8568545574-x9tc9 1/1 Running 0 2hKubernetes events are beginning to flow into your Datadog account, and relevant metrics collected by your Agents are tagged with their corresponding cluster level metadata.
On this Page
