Setup collection using Kubernetes

Prerequisites:

  • Kubernetes Cluster.
  • Kubernetes Nodes are running Linux 5.4 or newer.

Get a Service Account Token and Project ID

To send data to Polar Signals Cloud, you'll need:

  1. A service account token for authentication
  2. Your project ID to specify where the data should be sent

Please refer to the Generating Tokens documentation for detailed instructions on creating a service account and generating a token.

To find your project ID:

  1. Navigate to your project settings in the Polar Signals Cloud UI
  2. The project ID is displayed in the project details section
  3. Copy the project ID (it will be in UUID format, e.g., 6fbb6403-203d-4ab1-b48c-6dfbfc67a679)

Instructions

The Kubernetes manifest below will deploy the Polar Signals Agent as a DaemonSet to a Kubernetes cluster. Here's what it does in summary:

  1. Creates a namespace called polarsignals to deploy the agent into.
  2. Creates a secret containing your service account token for authentication.
  3. Defines a ClusterRole and ClusterRoleBinding to grant the agent permissions to list pods and get node info across the cluster.
  4. Deploys the agent as a DaemonSet. This will deploy a pod to each node in the cluster. The agent container runs with privileged settings to enable profiling via eBPF.

The agent will then profile all applications running on the nodes and send the profiling data to the Polar Signals Cloud for queries and analysis.

Before applying the manifest:

  1. Replace <your-service-account-token> with your actual service account token
  2. Replace <your-project-id> with your actual project ID

Then copy the manifest below into a file called polarsignals-agent.yaml and apply it to your Kubernetes cluster using the command below.

kubectl apply -f polarsignals-agent.yaml

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
  name: polarsignals
---
apiVersion: v1
kind: Secret
metadata:
  name: polarsignals-agent
  namespace: polarsignals
  labels:
    app.kubernetes.io/component: continuous-profiler
    app.kubernetes.io/instance: polarsignals-agent
    app.kubernetes.io/name: polarsignals-agent
stringData:
  token: <your-service-account-token>
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: continuous-profiler
    app.kubernetes.io/instance: polarsignals-agent
    app.kubernetes.io/name: polarsignals-agent
  name: polarsignals-agent
  namespace: polarsignals
data:
  polarsignals-agent.yaml: |
    relabel_configs:
    - source_labels:
      - __meta_process_executable_compiler
      target_label: compiler
    - source_labels:
      - __meta_system_kernel_machine
      target_label: arch
    - source_labels:
      - __meta_system_kernel_release
      target_label: kernel_version
    - source_labels:
      - __meta_process_pid
      target_label: pid
    - source_labels:
      - __meta_kubernetes_namespace
      target_label: namespace
    - source_labels:
      - __meta_kubernetes_pod_name
      target_label: pod
    - source_labels:
      - __meta_kubernetes_pod_container_name
      target_label: container
    - source_labels:
      - __meta_kubernetes_pod_container_image
      target_label: container_image
    - source_labels:
      - __meta_kubernetes_node_label_topology_kubernetes_io_region
      target_label: region
    - source_labels:
      - __meta_kubernetes_node_label_topology_kubernetes_io_zone
      target_label: zone
    - source_labels:
      - __meta_agent_revision
      target_label: parca_agent_revision
    # ${1} is the regex capture group, so each pod label keeps its own name.
    - action: labelmap
      regex: __meta_kubernetes_pod_label_(.+)
      replacement: ${1}
    - action: labeldrop
      regex: apps_kubernetes_io_pod_index|controller_revision_hash|statefulset_kubernetes_io_pod_name|pod_template_hash
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: continuous-profiler
    app.kubernetes.io/instance: polarsignals-agent
    app.kubernetes.io/name: polarsignals-agent
  name: polarsignals-agent
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: continuous-profiler
    app.kubernetes.io/instance: polarsignals-agent
    app.kubernetes.io/name: polarsignals-agent
  name: polarsignals-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: polarsignals-agent
subjects:
- kind: ServiceAccount
  name: polarsignals-agent
  namespace: polarsignals
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/component: continuous-profiler
    app.kubernetes.io/instance: polarsignals-agent
    app.kubernetes.io/name: polarsignals-agent
  name: polarsignals-agent
  namespace: polarsignals
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: continuous-profiler
      app.kubernetes.io/instance: polarsignals-agent
      app.kubernetes.io/name: polarsignals-agent
  template:
    metadata:
      labels:
        app.kubernetes.io/component: continuous-profiler
        app.kubernetes.io/instance: polarsignals-agent
        app.kubernetes.io/name: polarsignals-agent
        app.kubernetes.io/version: v0.46.0
    spec:
      containers:
      - args:
        - --log-level=info
        - --node=$(NODE_NAME)
        - --http-address=:7071
        - --remote-store-address=grpc.polarsignals.com:443
        - --remote-store-bearer-token-file=/var/polarsignals-agent/token
        - --remote-store-grpc-headers=projectID=<your-project-id>
        - --debuginfo-strip
        - --debuginfo-temp-dir=/tmp
        - --debuginfo-upload-cache-duration=5m
        - --config-path=/etc/polarsignals-agent-config/polarsignals-agent.yaml
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        image: ghcr.io/parca-dev/parca-agent:v0.46.0
        name: polarsignals-agent
        ports:
        - containerPort: 7071
          name: http
        resources:
          limits:
            cpu: 200m
            memory: 500Mi
          requests:
            cpu: 10m
            memory: 200Mi
        securityContext:
          privileged: true
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp
          name: tmp
        - mountPath: /run
          name: run
        - mountPath: /boot
          name: boot
          readOnly: true
        - mountPath: /lib/modules
          name: modules
        - mountPath: /sys/kernel/debug
          name: debugfs
        - mountPath: /sys/fs/cgroup
          name: cgroup
        - mountPath: /sys/fs/bpf
          name: bpffs
        - mountPath: /var/run/dbus/system_bus_socket
          name: dbus-system
        - mountPath: /var/polarsignals-agent
          name: token
        - mountPath: /etc/polarsignals-agent-config
          name: config
          readOnly: true
      hostPID: true
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: polarsignals-agent
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists
      volumes:
      - emptyDir: {}
        name: tmp
      - hostPath:
          path: /run
        name: run
      - hostPath:
          path: /boot
        name: boot
      - hostPath:
          path: /sys/fs/cgroup
        name: cgroup
      - hostPath:
          path: /lib/modules
        name: modules
      - hostPath:
          path: /sys/fs/bpf
        name: bpffs
      - hostPath:
          path: /sys/kernel/debug
        name: debugfs
      - hostPath:
          path: /var/run/dbus/system_bus_socket
        name: dbus-system
      - secret:
          secretName: polarsignals-agent
        name: token
      - configMap:
          name: polarsignals-agent
        name: config
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: continuous-profiler
    app.kubernetes.io/instance: polarsignals-agent
    app.kubernetes.io/name: polarsignals-agent
  name: polarsignals-agent
  namespace: polarsignals
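
A preflight check for the two replacements required before applying the manifest, given here as an added example that is not part of the Polar Signals documentation or tooling. The names preflight and sample_manifest and the messages they print are assumptions of this example; the sample input is constructed.

```shell
#!/bin/sh
# Added example: preflight for polarsignals-agent.yaml before `kubectl apply`.
# preflight() and its messages are this example's own names, not agent tooling.

UUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

# preflight FILE: print one line per problem; return 1 if any was found.
preflight() {
  file=$1; rc=0
  # 1. No <your-...> placeholder may remain anywhere in the manifest.
  left=$(grep -nE '<your-[a-z-]+>' "$file" | cut -d: -f1 | tr '\n' ' ')
  if [ -n "$left" ]; then
    echo "unreplaced placeholder on line(s): $left"; rc=1
  fi
  # 2. The Secret's token value must be present.
  token=$(sed -nE 's/^[[:space:]]*token:[[:space:]]*(.*)$/\1/p' "$file")
  case $token in
    ''|'<'*) echo "stringData.token is empty or still a placeholder"; rc=1 ;;
  esac
  # 3. The projectID gRPC header must be a UUID, as shown in project settings.
  pid=$(sed -nE 's/^[[:space:]]*- --remote-store-grpc-headers=projectID=(.*)$/\1/p' "$file")
  if ! printf '%s\n' "$pid" | grep -qxE "$UUID_RE"; then
    echo "projectID header is not a UUID: '$pid'"; rc=1
  fi
  return "$rc"
}

# Constructed sample: only the two manifest lines that take user input.
sample_manifest() {
  printf '%s\n' 'stringData:' "  token: $1" \
    '        - --remote-store-grpc-headers=projectID='"$2"
}

# With a file argument: check it, then restrict its mode, because the file
# now holds the live token. Apply only after a clean result.
if [ "$#" -eq 1 ]; then
  preflight "$1" && chmod 600 "$1" && echo "ok: kubectl apply -f $1"
fi
```

Save it under any name and run it with polarsignals-agent.yaml as the only argument; a non-zero exit status means the manifest should not be applied yet.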

You can also use the command below to apply the manifest directly from the Polar Signals API.

kubectl apply -f "https://api.polarsignals.com/api/manifests.yaml?token=<your-service-account-token>&projectID=<your-project-id>"

Replace <your-service-account-token> and <your-project-id> with your actual values.

info

The service account token is passed in the Authorization: Bearer header, while the project ID is sent as gRPC metadata in the projectID header. This separation allows tokens to be reused across multiple projects.