If you're installing New Relic's Kubernetes integration and need to ensure that your data is sent to FedRAMP-compliant endpoints, this page explains how to accomplish this using both the Helm and Manifest install options.
For information about FedRAMP compliance at New Relic, visit our FedRAMP documentation page.
Helm
You can enable FedRAMP support globally by setting the global.fedramp.enabled
parameter to true
when performing a Helm install. This global setting will cascade down to all sub-charts contained within the nri-bundle
parent chart, resulting in configuring all agents to send their data to New Relic's FedRAMP-compliant endpoints.
$helm upgrade --install newrelic-bundle newrelic/nri-bundle \> --set global.licenseKey=<YOUR LICENSE KEY> \> --set global.cluster=<YOUR CLUSTER NAME> \> --namespace=newrelic \> --set newrelic-infrastructure.privileged=true \> --set global.lowDataMode=true \> --set kube-state-metrics.image.tag=<KSM VERSION> \> --set kube-state-metrics.enabled=true \> --set kubeEvents.enabled=true \> --set global.fedramp.enabled=true
If using a values.yaml file for your installation, you would enable the same parameter.
...global: fedramp: enabled: true...
The full nri-bundle
values.yaml file example can be found here.
Manifest
If installing using the Manifest install method from the Guided Install, you'll need to append "global.fedramp.enabled":"true"
to the JSON parameters that get passed to the k8s-config-generator
service.
Example
$function ver { printf "%03d%03d" $(echo "$1" | tr '.' ' '); } && \>K8S_VERSION=$(kubectl version --short 2>&1 | grep 'Server Version' | awk -F' v' '{ print $2; }' | awk -F. '{ print $1"."$2; }') && \>if [[ $(ver $K8S_VERSION) -lt $(ver "1.25") ]]; then KSM_IMAGE_VERSION="v2.6.0"; else KSM_IMAGE_VERSION="v2.7.0"; fi && \>curl -X POST https://k8s-config-generator.service.newrelic.com/generate -H 'Content-Type: application/json' -d '{"global.cluster":"<YOUR CLUSTER NAME>>","global.namespace":"newrelic","newrelic-infrastructure.privileged":"true","global.lowDataMode":"true","kube-state-metrics.image.tag":"'${KSM_IMAGE_VERSION}'","kube-state-metrics.enabled":"true","kubeEvents.enabled":"true","global.licenseKey":"<YOUR LICENSE KEY>", "global.fedramp.enabled":"true"}' > newrelic.yaml && (kubectl create namespace newrelic ; kubectl apply -f newrelic.yaml)
Validate FedRAMP setting
There are a couple of ways to validate that the FedRAMP endpoints have been configured successfully. First, validate the ConfigMaps
to contain fedramp: true
, where appropriate. The output from your cluster may vary depending on which components were installed.
ConfigMap validation
$ kubectl get cm -n newrelic -o yaml | grep fedramp -A 1 fedramp: enabled: true-- cluster_name: minkube-fedramp-test scrape_interval: 30s-- fedramp: true kind: ConfigMap-- clusterName: minkube-fedramp-test agentHTTPTimeout: 30s-- clusterName: minkube-fedramp-test fedramp: true http_server_enabled: true-- clusterName: minkube-fedramp-test fedramp: true http_server_enabled: true-- clusterName: minkube-fedramp-test features:-- fedramp: true http_server_enabled: true
Pod log validation
Additionally, you can check the collectorURL
value in the pod logs. Our Infrastructure agent connects to this collector for data transmission.
VERBOSE LOGS REQUIRED
You'll need to enable verbose logs to view the collectorURL
. Do this using the --set newrelic-infrastructure.verboseLog=true
setting for the nri-bundle
helm chart. When your validation is complete, you should disable verbose logs.
To validate that you enabled FedRAMP endpoints successfully, run the kubectl
command as listed below and look for collectorURL
in the log output. Be sure to replace the newrelic-bundle-nrk8s-kubelet-f74g2
pod name with a pod from your cluster.
$ kubectl logs newrelic-bundle-nrk8s-kubelet-f74g2 -n newrelic -c agent | grep collectorURLtime="2023-07-26T20:09:33Z" level=debug msg="Collector URL" action=NormalizeConfig collectorURL="https://gov-infra-api.newrelic.com" component=Configuration