charts/netdata/README.md: 55 additions & 8 deletions
@@ -14,11 +14,13 @@ This chart bootstraps a [Netdata](https://github.com/netdata/netdata) deployment
14
14
cluster using the [Helm](https://helm.sh) package manager.
15
15
16
16
By default, the chart installs:
17
+
17
18
- A Netdata child pod on each node of a cluster, using a `Daemonset`
18
19
- A Netdata k8s state monitoring pod on one node, using a `Deployment`. This virtual node is called `netdata-k8s-state`.
19
20
- A Netdata parent pod on one node, using a `Deployment`. This virtual node is called `netdata-parent`.
20
21
21
22
Disabled by default:
23
+
22
24
- A Netdata restarter `CronJob`. Its main purpose is to automatically update Netdata when using nightly releases.
23
25
24
26
The child pods and the state pod function as headless collectors that collect and forward
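Review bot: the unchanged item `- A Netdata child pod on each node of a cluster, using a \`Daemonset\`` uses non-standard casing; the Kubernetes kind is `DaemonSet`, which would match the `Deployment` and `CronJob` casing in the neighbouring items, so it is worth fixing while these list intros are being touched. The blank lines added before both lists are the right fix, since CommonMark needs a blank line between a paragraph and a list for the list to render.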
@@ -35,6 +37,52 @@ Please validate that the settings are suitable for your cluster before using the
35
37
your cluster, on an administrative system.
36
38
- The [Helm package manager](https://helm.sh/) v3.8.0 or newer on the same administrative system.
37
39
40
+
## Required Resources and Permissions
41
+
42
+
Netdata is a comprehensive monitoring solution that requires specific access to host resources to function effectively. By design, monitoring solutions like Netdata need visibility into various system components to collect metrics and provide insights. The following mounts, privileges, and capabilities are essential for Netdata's operation, and applying restrictive security profiles or limiting these accesses may significantly impact functionality or render the monitoring solution ineffective.
43
+
44
+
<details>
45
+
<summary>See required mounts, privileges and RBAC resources</summary>
46
+
47
+
### Required Mounts
48
+
49
+
| Mount | Type | Node | Components & Descriptions |
|`/etc/passwd`, `/etc/group`| hostPath | child | • **apps.plugin**: Monitoring of host system resource usage by each user and user group. |
57
+
|`{{ .Values.child.persistence.hostPath }}/var/lib/netdata`| hostPath (DirectoryOrCreate) | child | • **netdata**: Persistence of Netdata's /var/lib/netdata directory which contains netdata public unique ID and other files that should persist across container recreations. Without persistence, a new netdata unique ID is generated for each child on every container recreation, causing children to appear as new nodes on the Parent instance. |
| Host Network Mode | child | • **proc.plugin**: Host system networking stack monitoring. <br/>• **go.d.plugin**: Monitoring applications running on the host and inside containers. <br/>• **local-listeners**: Discovering local services/applications. Map open (listening) ports to running services/applications. <br/>• **network-viewer.plugin**: Discovering all current network sockets and building a network-map. |
64
+
| Host PID Mode | child | • **cgroups.plugin**: Container network interfaces monitoring. Map virtual interfaces in the system namespace to interfaces inside containers. |
65
+
| SYS_ADMIN | child | • **cgroups.plugin**: Container network interfaces monitoring. Map virtual interfaces in the system namespace to interfaces inside containers. <br/>• **network-viewer.plugin**: Discovering all current network sockets and building a network-map. |
66
+
| SYS_PTRACE | child | • **local-listeners**: Discovering local services/applications. Map open (listening) ports to running services/applications. |
| pods | get, list, watch | • **service discovery**: Used for discovering services. <br/>• **go.d/k8s_state**: Kubernetes state monitoring. <br/>• **netdata**: Used by cgroup-name.sh and get-kubernetes-labels.sh scripts. |
73
+
| services | get, list, watch | • **service discovery**: Used for discovering services. |
74
+
| configmaps | get, list, watch | • **service discovery**: Used for discovering services. |
75
+
| secrets | get, list, watch | • **service discovery**: Used for discovering services. |
| jobs (batch) | get, list, watch | • **go.d/k8s_state**: Kubernetes state monitoring. |
82
+
| namespaces | get | • **go.d/k8s_state**: Kubernetes state monitoring. <br/>• **netdata**: Used by cgroup-name.sh and get-kubernetes-labels.sh scripts. |
83
+
84
+
</details>
85
+
38
86
## Installing the Helm chart
39
87
40
88
You can install the Helm chart via our Helm repository, or by cloning this repository.
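Review bot: the `Host PID Mode` row reuses the `cgroups.plugin` text from the `SYS_ADMIN` row verbatim ("Container network interfaces monitoring. Map virtual interfaces in the system namespace to interfaces inside containers"), which reads like a copy-paste; please confirm which plugins actually need the host PID namespace and describe that instead. Because this section is where a reader decides whether to accept host networking, host PID, `SYS_ADMIN`, `SYS_PTRACE`, the `/etc/passwd` and `/etc/group` mounts and `get, list, watch` on `secrets`, it would help to pair each row with the chart value that disables it and the plugin that stops working, so the trade-off the intro paragraph only states in general ("may significantly impact functionality") becomes concrete per item. Also consider not wrapping the tables in `<details>`: a collapsed block is easy to skip during a security review of the chart.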
@@ -308,11 +356,10 @@ the `parent.configs` or the `child.configs` arrays. Regardless of whether you ad
308
356
under `/etc/netdata` or in a subdirectory such as `/etc/netdata/go.d`, you can use the already provided configurations
309
357
as reference. For reference, the `parent.configs` the array includes an `example` alarm that would get triggered if the
310
358
python.d `example` module was enabled. Whenever you pass the sensitive data to your configuration like the database
311
-
credential you can take an option to put it into the Kubernetes Secret by specifying `storedType: secret` in the
312
-
selected configuration. Default all the configuration will be placed in the Kubernetes configmap.
359
+
credential, you can take an option to put it into the Kubernetes Secret by specifying `storedType: secret` in the
360
+
selected configuration. By default, all the configurations will be placed in the Kubernetes configmap.
313
361
314
-
Note that with the default configuration of this chart, the parent does the health checks and triggers alarms, but does
315
-
not collect much data. As a result, the only other configuration files that might make sense to add to the parent are
362
+
Note that in this chart's default configuration, the parent performs the health checks and triggers alarms but collects little data. As a result, the only other configuration files that might make sense to add to the parent are
316
363
the alarm and alarm template definitions, under `/etc/netdata/health.d`.
317
364
318
365
> **Tip**: Do pay attention to the indentation of the config file contents, as it matters for the parsing of the `yaml` file. Note that the first line under `var: |`
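Review bot: the reworded sentence is still awkward; "Whenever you pass the sensitive data to your configuration like the database credential, you can take an option to put it into the Kubernetes Secret" would read better as "When a configuration contains sensitive data such as database credentials, set `storedType: secret` on that entry to store it in a Kubernetes Secret instead of a ConfigMap", and "Kubernetes configmap" should be `ConfigMap` to match the `Secret` casing. The unchanged context line "the `parent.configs` the array includes" also has a stray "the" that could be fixed in the same pass.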
@@ -335,8 +382,8 @@ data for specific PV is lost in case of pod removal.
335
382
node in `netdata.cloud` (due to `./registry/` and `./cloud.d/` being removed).
336
383
337
384
In case of `child` instance it is a bit simpler. By default, hostPath: `/var/lib/netdata-k8s-child` is mounted on child
338
-
in: `/var/lib/netdata`. You can disable it but this option is pretty much required in a real life scenario, as without
339
-
it each pod deletion will result in new replication node for a parent.
385
+
in: `/var/lib/netdata`. You can disable it, but this option is pretty much required in a real life scenario, as without
386
+
it each pod deletion will result in a new replication node for a parent.
340
387
341
388
### Service discovery and supported services
342
389
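Review bot: the added comma helps, but "In case of `child` instance it is a bit simpler" and "pretty much required in a real life scenario" remain awkward; suggest "For the `child` instance it is simpler: by default the hostPath `/var/lib/netdata-k8s-child` is mounted at `/var/lib/netdata`. You can disable this, but in practice it is required, because without it every pod deletion registers a new replication node on the parent." That wording also matches the persistence rationale given in the new Required Mounts table earlier in this file.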
@@ -440,7 +487,7 @@ $ helm install \
440
487
441
488
## Contributing
442
489
443
-
If you want to contribute, we are humbled!
490
+
If you want to contribute, we’re humbled!
444
491
445
492
- Take a look at our [Contributing Guidelines](https://github.com/netdata/.github/blob/main/CONTRIBUTING.md).
446
493
- This repository is under the [Netdata Code Of Conduct](https://github.com/netdata/.github/blob/main/CODE_OF_CONDUCT.md).
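Review bot: the rewrite swaps the ASCII apostrophe for a typographic one (`we’re`), while the rest of this file uses plain ASCII apostrophes (for example `Netdata's` in the new Required Resources section); use `we're` with an ASCII apostrophe for consistency, or keep the original "we are".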