• EnglishEspañol日本語한국어Português
  • Log inStart now

Enable FedRAMP-compliant Endpoints

If you're installing New Relic's Kubernetes integration and need to ensure that your data is sent to FedRAMP-compliant endpoints, this page explains how to accomplish this using both the Helm and Manifest install options.

For information about FedRAMP compliance at New Relic, visit our FedRAMP documentation page.

Helm

You can enable FedRAMP support globally by setting the global.fedramp.enabled parameter to true when performing a Helm install. This global setting will cascade down to all sub-charts contained within the nri-bundle parent chart, resulting in configuring all agents to send their data to New Relic's FedRAMP-compliant endpoints.

bash
$
helm upgrade --install newrelic-bundle newrelic/nri-bundle \
>
 --set global.licenseKey=<YOUR LICENSE KEY> \
>
 --set global.cluster=<YOUR CLUSTER NAME> \
>
 --namespace=newrelic \
>
 --set newrelic-infrastructure.privileged=true \
>
 --set global.lowDataMode=true \
>
 --set kube-state-metrics.image.tag=<KSM VERSION> \
>
 --set kube-state-metrics.enabled=true \
>
 --set kubeEvents.enabled=true \
>
 --set global.fedramp.enabled=true

If using a values.yaml file for your installation, you would enable the same parameter.

...
global:
fedramp:
enabled: true
...

The full nri-bundle values.yaml file example can be found here.

Manifest

If installing using the Manifest install method from the Guided Install, you'll need to append "global.fedramp.enabled":"true" to the JSON parameters that get passed to the k8s-config-generator service.

Example

bash
$
function ver { printf "%03d%03d" $(echo "$1" | tr '.' ' '); } && \
>
K8S_VERSION=$(kubectl version --short 2>&1 | grep 'Server Version' | awk -F' v' '{ print $2; }' | awk -F. '{ print $1"."$2; }') && \
>
if [[ $(ver $K8S_VERSION) -lt $(ver "1.25") ]]; then KSM_IMAGE_VERSION="v2.6.0"; else KSM_IMAGE_VERSION="v2.7.0"; fi && \
>
curl -X POST https://k8s-config-generator.service.newrelic.com/generate -H 'Content-Type: application/json' -d '{"global.cluster":"<YOUR CLUSTER NAME>>","global.namespace":"newrelic","newrelic-infrastructure.privileged":"true","global.lowDataMode":"true","kube-state-metrics.image.tag":"'${KSM_IMAGE_VERSION}'","kube-state-metrics.enabled":"true","kubeEvents.enabled":"true","global.licenseKey":"<YOUR LICENSE KEY>", "global.fedramp.enabled":"true"}' > newrelic.yaml && (kubectl create namespace newrelic ; kubectl apply -f newrelic.yaml)

Validate FedRAMP setting

There are a couple of ways to validate that the FedRAMP endpoints have been configured successfully. First, validate the ConfigMaps to contain fedramp: true, where appropriate. The output from your cluster may vary depending on which components were installed.

ConfigMap validation

$ kubectl get cm -n newrelic -o yaml | grep fedramp -A 1
fedramp:
enabled: true
--
cluster_name: minkube-fedramp-test
scrape_interval: 30s
--
fedramp: true
kind: ConfigMap
--
clusterName: minkube-fedramp-test
agentHTTPTimeout: 30s
--
clusterName: minkube-fedramp-test
fedramp: true
http_server_enabled: true
--
clusterName: minkube-fedramp-test
fedramp: true
http_server_enabled: true
--
clusterName: minkube-fedramp-test
features:
--
fedramp: true
http_server_enabled: true

Pod log validation

Additionally, you can check the collectorURL value in the pod logs. Our Infrastructure agent connects to this collector for data transmission.

VERBOSE LOGS REQUIRED

You'll need to enable verbose logs to view the collectorURL. Do this using the --set newrelic-infrastructure.verboseLog=true setting for the nri-bundle helm chart. When your validation is complete, you should disable verbose logs.

To validate that you enabled FedRAMP endpoints successfully, run the kubectl command as listed below and look for collectorURL in the log output. Be sure to replace the newrelic-bundle-nrk8s-kubelet-f74g2 pod name with a pod from your cluster.

$ kubectl logs newrelic-bundle-nrk8s-kubelet-f74g2 -n newrelic -c agent | grep collectorURL
time="2023-07-26T20:09:33Z" level=debug msg="Collector URL" action=NormalizeConfig collectorURL="https://gov-infra-api.newrelic.com" component=Configuration
Copyright © 2024 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.