Kubernetes Integration

Kubernetes integration will allow Annie to connect to your clusters and provide deep insights into your container orchestration, workloads, and resource usage.

Prerequisites

View changelog

Installation

Security Configuration

Secrets Handling

By default, the agent tracks secrets metadata (name, namespace, labels, annotations) but never accesses actual secret contents. The agent only reads the metadata to understand the relationships and the topology. For environments with strict security requirements, you can disable secrets scanning: Option 1: Command line 
helm install anyshift-agent anyshift/anyshift-k8s-agent \
  --namespace anyshift-agent --create-namespace \
  --set token.value="<YOUR_API_TOKEN>" \
  --set clusterName="<YOUR_CLUSTER_NAME>" \
  --set excludeSecrets=true
Option 2: values.yaml 
excludeSecrets: true
When secrets are excluded, the Anyshift agent will not be granted the ClusterRole permissions, preventing access to secrets.

Validate The Installation

Check that the agent is running: 
kubectl get pods -n anyshift-agent
View agent logs: 
kubectl logs -n anyshift-agent -l app.kubernetes.io/name=anyshift-k8s-agent

Upgrade

To upgrade the agent to the latest version: 
# Step 1: Update the Helm repository
helm repo update anyshift

# Step 2: Upgrade the agent
helm upgrade anyshift-agent anyshift/anyshift-k8s-agent \
  --namespace anyshift-agent \
  --reuse-values

Uninstall

helm uninstall anyshift-agent --namespace anyshift-agent

Supported Resources

The Anyshift Kubernetes agent v1 supports a wide range of resources across several API groups to provide a comprehensive view of your cluster. Here is the full list of supported resources:

Core Resources

  • Pods
  • Services
  • Nodes
  • Namespaces
  • ServiceAccounts
  • ConfigMaps
  • Secrets
  • PersistentVolumeClaims (PVCs)
  • PersistentVolumes (PVs)

Apps Resources

  • Deployments
  • ReplicaSets
  • DaemonSets
  • StatefulSets

Networking Resources

  • Ingresses

RBAC Resources

  • Roles
  • ClusterRoles
  • RoleBindings
  • ClusterRoleBindings

Autoscaling & Availability

  • HorizontalPodAutoscalers (HPA)
  • PodDisruptionBudgets (PDB)

Batch Resources

  • Jobs
  • CronJobs

Permissions Overview

The agent requires read-only access to cluster resources. Here are the exact ClusterRole permissions: 
rules:
  - apiGroups: [""]
    resources:
      - pods
      - services
      - nodes
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - configmaps
      {{- if not .Values.excludeSecrets }}
      - secrets
      {{- end }}
    verbs: ["get", "list", "watch"]

  - apiGroups: [""]
    resources:
      - serviceaccounts
    verbs: ["get", "list", "watch"]

  - apiGroups: ["apps"]
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs: ["get", "list", "watch"]

  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
    verbs: ["get", "list", "watch"]

  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - clusterroles
      - clusterrolebindings
      - roles
      - rolebindings
    verbs: ["get", "list", "watch"]

  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["get", "list", "watch"]

  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["get", "list", "watch"]

  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["get", "list", "watch"]