Kubernetes Integration

Kubernetes integration will allow Annie to connect to your clusters and provide deep insights into your container orchestration, workloads, and resource usage.

Prerequisites

Installation

Security Configuration

Secrets Handling

By default, the agent tracks secrets metadata (name, namespace, labels, annotations) but never accesses actual secret contents. The agent only reads the metadata to understand the relationships and the topology. For environments with strict security requirements, you can disable secrets scanning: Option 1: Command line 
helm install anyshift-agent anyshift/anyshift-k8s-agent \
  --namespace anyshift-agent --create-namespace \
  --set token.value="<YOUR_API_TOKEN>" \
  --set excludeSecrets=true
Option 2: values.yaml 
excludeSecrets: true
When secrets are excluded, the Anyshift agent will not be granted the ClusterRole permissions, preventing access to secrets.

Permissions Overview

The agent requires read-only access to cluster resources. Here are the exact ClusterRole permissions: 
rules:
  - apiGroups: [""]
    resources:
      - pods
      - services
      - nodes
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - configmaps
      {{- if not .Values.excludeSecrets }}
      - secrets
      {{- end }}
    verbs: ["get", "list", "watch"]

  - apiGroups: [""]
    resources:
      - serviceaccounts
    verbs: ["get", "list", "watch"]

  - apiGroups: ["apps"]
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs: ["get", "list", "watch"]

  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
    verbs: ["get", "list", "watch"]

  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - clusterroles
      - clusterrolebindings
      - roles
      - rolebindings
    verbs: ["get", "list", "watch"]

  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["get", "list", "watch"]

  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["get", "list", "watch"]

Validate The Installation

Check that the agent is running: 
kubectl get pods -n anyshift-agent
View agent logs: 
kubectl logs -n anyshift-agent -l app.kubernetes.io/name=anyshift-k8s-agent

Upgrade

helm upgrade anyshift-agent anyshift/anyshift-k8s-agent \
  --reuse-values

Uninstall

helm uninstall anyshift-agent --namespace anyshift-agent