Kubernetes Deployment
Deploy Radar Agent in Kubernetes using Deployments, ConfigMaps, and Secrets for scalable monitoring.
Prerequisites
- Kubernetes cluster (1.19+)
kubectlconfigured to access your cluster- Container image of Radar Agent
Quick Start
1. Create Namespace
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: radar-agent
labels:
name: radar-agent
kubectl apply -f namespace.yaml
2. Create Secrets
Store sensitive configuration in Kubernetes Secrets:
# secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: radar-agent-secrets
namespace: radar-agent
type: Opaque
stringData:
api-key: "your-radar-api-key"
redis-password: "your-redis-password"
kubectl apply -f secrets.yaml
3. Create ConfigMap
Store the agent configuration:
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: radar-agent-config
namespace: radar-agent
data:
config.yml: |
agent:
id: "radar-agent-k8s-${HOSTNAME}"
hostname: "${HOSTNAME}"
collection_interval: "30s"
server:
grpc_url: "https://api.radar.com:443"
api_key: "${RADAR_API_KEY}"
deployments:
- id: "redis-production"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://radar-agent:${REDIS_PASSWORD}@redis.production.svc.cluster.local:6379"
collection:
interval: "30s"
retry_on_failure: true
max_retries: 3
kubectl apply -f configmap.yaml
4. Create Deployment
Deploy the Radar Agent:
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: radar-agent
namespace: radar-agent
labels:
app: radar-agent
spec:
replicas: 1
selector:
matchLabels:
app: radar-agent
template:
metadata:
labels:
app: radar-agent
spec:
serviceAccountName: radar-agent
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: radar-agent
image: radar-agent:latest # Replace with your image
imagePullPolicy: Always
# Command and arguments
command: ["/app/radar-agent"]
args: ["--config", "/etc/radar-agent/config.yml"]
# Environment variables
env:
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: RADAR_API_KEY
valueFrom:
secretKeyRef:
name: radar-agent-secrets
key: api-key
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: radar-agent-secrets
key: redis-password
- name: RUST_LOG
value: "info"
# Volume mounts
volumeMounts:
- name: config
mountPath: /etc/radar-agent
readOnly: true
# Resource limits
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "500m"
# Health checks
livenessProbe:
exec:
command:
- /app/radar-agent
- validate
- --config
- /etc/radar-agent/config.yml
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 10
readinessProbe:
exec:
command:
- /app/radar-agent
- validate
- --config
- /etc/radar-agent/config.yml
- --test-connections
initialDelaySeconds: 10
periodSeconds: 30
timeoutSeconds: 15
volumes:
- name: config
configMap:
name: radar-agent-config
# Restart policy
restartPolicy: Always
# Node selection (optional)
nodeSelector:
kubernetes.io/os: linux
5. Create ServiceAccount and RBAC
Create service account with minimal permissions:
# rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: radar-agent
namespace: radar-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: radar-agent
namespace: radar-agent
rules:
- apiGroups: [""]
resources: ["configmaps", "secrets"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: radar-agent
namespace: radar-agent
subjects:
- kind: ServiceAccount
name: radar-agent
namespace: radar-agent
roleRef:
kind: Role
name: radar-agent
apiGroup: rbac.authorization.k8s.io
kubectl apply -f rbac.yaml
kubectl apply -f deployment.yaml
Advanced Configuration
Multi-Environment Setup
Deploy different agents for different environments:
# production-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: radar-agent-production
namespace: radar-agent
spec:
replicas: 1
selector:
matchLabels:
app: radar-agent
environment: production
template:
metadata:
labels:
app: radar-agent
environment: production
spec:
containers:
- name: radar-agent
image: radar-agent:latest
env:
- name: ENVIRONMENT
value: "production"
volumeMounts:
- name: config
mountPath: /etc/radar-agent
volumes:
- name: config
configMap:
name: radar-agent-config-production
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radar-agent-staging
namespace: radar-agent
spec:
replicas: 1
selector:
matchLabels:
app: radar-agent
environment: staging
template:
metadata:
labels:
app: radar-agent
environment: staging
spec:
containers:
- name: radar-agent
image: radar-agent:latest
env:
- name: ENVIRONMENT
value: "staging"
volumeMounts:
- name: config
mountPath: /etc/radar-agent
volumes:
- name: config
configMap:
name: radar-agent-config-staging
Horizontal Pod Autoscaler
Auto-scale based on CPU usage:
# hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: radar-agent-hpa
namespace: radar-agent
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: radar-agent
minReplicas: 1
maxReplicas: 3
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
Network Policies
Restrict network access:
# network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: radar-agent-netpol
namespace: radar-agent
spec:
podSelector:
matchLabels:
app: radar-agent
policyTypes:
- Egress
egress:
# Allow DNS resolution
- to: []
ports:
- protocol: UDP
port: 53
# Allow HTTPS to Radar server
- to: []
ports:
- protocol: TCP
port: 443
# Allow Redis connections
- to: []
ports:
- protocol: TCP
port: 6379
- protocol: TCP
port: 6380
Container Image
Dockerfile
Create a secure container image:
# Dockerfile
FROM rust:1.88-slim as builder
WORKDIR /app
COPY . .
RUN cargo build --release
FROM debian:bookworm-slim
# Install CA certificates and create user
RUN apt-get update && \
apt-get install -y ca-certificates && \
rm -rf /var/lib/apt/lists/* && \
groupadd -r radar-agent && \
useradd -r -g radar-agent radar-agent
# Copy binary
COPY --from=builder /app/target/release/radar-agent /app/radar-agent
# Set ownership and permissions
RUN chown radar-agent:radar-agent /app/radar-agent
# Switch to non-root user
USER radar-agent
# Expose metrics port (if implemented)
EXPOSE 8080
ENTRYPOINT ["/app/radar-agent"]
Build and Push
# Build image
docker build -t radar-agent:latest .
# Tag for registry
docker tag radar-agent:latest your-registry.com/radar-agent:latest
# Push to registry
docker push your-registry.com/radar-agent:latest
Management and Operations
View Logs
# View logs from all radar-agent pods
kubectl logs -n radar-agent -l app=radar-agent -f
# View logs from specific pod
kubectl logs -n radar-agent <pod-name> -f
# View previous container logs (after restart)
kubectl logs -n radar-agent <pod-name> --previous
Update Configuration
# Update ConfigMap
kubectl apply -f configmap.yaml
# Restart deployment to pick up changes
kubectl rollout restart deployment/radar-agent -n radar-agent
# Check rollout status
kubectl rollout status deployment/radar-agent -n radar-agent
Scale Deployment
# Scale to 3 replicas
kubectl scale deployment/radar-agent --replicas=3 -n radar-agent
# Auto-scale based on CPU
kubectl autoscale deployment/radar-agent --cpu-percent=70 --min=1 --max=5 -n radar-agent
Monitoring and Alerting
Pod Monitoring
# servicemonitor.yaml (for Prometheus Operator)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: radar-agent
namespace: radar-agent
spec:
selector:
matchLabels:
app: radar-agent
endpoints:
- port: metrics
interval: 30s
path: /metrics
Alerting Rules
# alerts.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: radar-agent-alerts
namespace: radar-agent
spec:
groups:
- name: radar-agent
rules:
- alert: RadarAgentDown
expr: up{job="radar-agent"} == 0
for: 5m
labels:
severity: critical
annotations:
summary: "Radar Agent is down"
description: "Radar Agent has been down for more than 5 minutes"
Troubleshooting
Common Issues
Pod won't start:
# Check pod status
kubectl get pods -n radar-agent
# Describe pod for events
kubectl describe pod <pod-name> -n radar-agent
# Check logs
kubectl logs <pod-name> -n radar-agent
Configuration issues:
# Validate ConfigMap
kubectl get configmap radar-agent-config -n radar-agent -o yaml
# Test configuration in pod
kubectl exec -it <pod-name> -n radar-agent -- /app/radar-agent validate --config /etc/radar-agent/config.yml
Network connectivity:
# Test from within pod
kubectl exec -it <pod-name> -n radar-agent -- /bin/sh
# Inside pod:
curl -v https://api.radar.com
redis-cli -u redis://user:pass@redis.example.com:6379 ping
Health Checks
Monitor deployment health:
# Check deployment status
kubectl get deployment radar-agent -n radar-agent
# Check pod health
kubectl get pods -n radar-agent -l app=radar-agent
# Check recent events
kubectl get events -n radar-agent --sort-by='.lastTimestamp'