Skip to main content

Kubernetes Integration

Connect Annie to your clusters for deep insights into container orchestration, workloads, and resource usage.

Prerequisites

View changelog

Setup

1

Add the Anyshift Helm repository

2

Store your API token in a Kubernetes secret

Recommended for production. Create a secret to hold your API token:
3

Install the agent

Install using the secret:
Replace <YOUR_API_TOKEN> with your token from the integrations page and <YOUR_CLUSTER_NAME> with a meaningful name (e.g. “production-us-east”, “staging-eu”).
For testing, you can pass the token directly with --set token.value="<YOUR_API_TOKEN>" instead of using a secret.
4

Validate the installation

Check that the agent is running:
View agent logs:

Live Cluster Queries

Beyond the periodic snapshot, the agent supports live queries from Annie on demand: describing resources, reading pod logs, inspecting events, listing CRDs, and reading Helm release values. No inbound ports are opened on your cluster; the agent only makes outbound connections. Even over live queries, secret values are stripped from responses; only Secret metadata (name, namespace, labels, annotations, type) is ever returned.

Reference

Agent resource usage depends on cluster size:
On warmup, or when many events occur at once, the agent collects cluster state data which temporarily increases memory usage. For large clusters, you may need to set memory limits up to 2GB.
To configure higher memory limits:
Use a values.yaml file for full control over the install. If you use the secret method, create the secret first:
Create values.yaml:
Install with custom values:
Cluster name templating. Use Go template syntax for dynamic cluster names:
Custom labels. Add custom labels to all resources:
Dynamic cluster naming with custom labels (values.yaml).
The agent tracks Secret metadata only (name, namespace, labels, annotations, type). Secret values are stripped before anything leaves your cluster, in both the periodic snapshot and the live query paths. Metadata is what’s needed to understand topology and relationships.For environments with strict security requirements, you can drop secrets access entirely at the RBAC layer.Option 1: Command line
Option 2: values.yaml
When excludeSecrets=true, the agent’s ClusterRole drops get/list/watch on v1/secrets entirely.
The agent requires read-only access (get, list, watch). The ClusterRole covers:
  • All standard Kubernetes resources (core + apps, batch, networking, rbac, policy, autoscaling, storage, discovery, coordination, apiextensions, metrics, gateway, …).
  • Common add-on ecosystems (Argo CD/Flux, Istio/Linkerd, KEDA, Cert-Manager, Prometheus Operator, Kyverno/Gatekeeper, Crossplane, Tekton, Knative, Velero, Cilium/Calico, Kafka, Elastic, …).
  • Per-cloud controllers (EKS, GKE, AKS).
The full list is in the chart at templates/clusterRole.yaml.Adding custom CRDs. If you run in-house CRDs or an ecosystem not covered by the default list, extend the RBAC via extraApiGroups:
These are added to the agent’s ClusterRole with the same read-only verbs, so Annie can describe and list them during live queries.
To upgrade the agent to the latest version:
--reset-then-reuse-values keeps the overrides you set at install time while picking up any new defaults shipped by the chart (new fields, updated values). It’s the recommended flag for upgrades that introduce new configuration options.