Install the Kubernetes integration

The New Relic Kubernetes integration gives you full observability into the health and performance of your environment by leveraging the New Relic infrastructure agent. This agent collects telemetry data from your cluster using several New Relic integrations such as the Kubernetes events integration, the Prometheus Agent, and the New Relic Logs Kubernetes plugin.

Installation options

To install our Kubernetes integration, we recommend that you follow the instructions here for our guided install experience. We recommend this interactive installation tool for servers, VMs, and unprivileged environments.

The guided install experience simplifies the installation process for the New Relic Kubernetes integration, and gives you control over which features are enabled and what data is collected. It also offers a quickstart option that includes some optional, pre-built resources such as dashboards and alerts alongside the Kubernetes integration so that you can gain instant visibility into your Kubernetes clusters.

You can choose from one of the following three options:

New Relic CLI
A Helm command with pre-populated required values
A plain manifest

Once you start the guided install, use the following information to help you make decisions about the configurations.

Tip

The steps that follow skip the preliminary steps for the quickstart. If you chose the guided install with the quickstart, just click through the pages Confirm your Kubernetes quickstart installation and Installation plan to reach the main guided install pages described below.

Step 1 of 5

Prepare to install

Prepare your Kubernetes system for the guided install:

If custom manifests have been used instead of Helm, you will need to first remove the old installation using kubectl delete -f previous-manifest-file.yml, and then proceed through the guided installer again. This will generate an updated set of manifests that can be deployed using kubectl apply -f manifest-file.yml.
Make sure you're using the supported Kubernetes versions and make sure to check out the preliminary notes for your managed services or platforms on our compatibility and requirements page.
Make sure you have your New Relic . You can set up a free account—no credit card required.
Make sure the newrelic dockerhub (https://hub.docker.com/u/newrelic) and Google's registry (registry.k8s.io) domains are added to your allow list. This is where the installation will pull container images from. Note, you may need to follow the commands to identify the additional Google registry domains to be added to your white list, because registry.k8s.io typically redirects to your local registry domain (e.g., asia-northeast1-docker.pkg.dev) based on your region.
If you're installing our integration on a managed cloud, please take a look at these preliminary notes before proceeding:
The Kubernetes integration only monitors worker nodes in GKE as Google abstracts the management of master nodes away from the Kubernetes platform.
Before starting our guided install to deploy the Kubernetes integration on GKE, ensure you have sufficient permissions:
Go to console.cloud.google.com/iam-admin/iam and find your username.
Click edit.
Ensure you have permissions to create Roles and ClusterRoles: If you're not sure, add the Kubernetes Engine Cluster Admin role. If you cannot edit your user role, ask the owner of the GCP project to give you the necessary permissions.
To deploy the Kubernetes integration with OpenShift:
Add the service accounts used by the integration to your privileged Security Context Constraints:
oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<release_name>-newrelic-infrastructure oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<release_name>-nrk8s-controlplane oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<release_name>-kube-state-metrics oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<release_name>-newrelic-logging oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<release_name>-nri-kube-events oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<release_name>-nri-metadata-injection-admission oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<release_name>-nrk8s-controlplane oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:default
Tip
The installer provides newrelic-bundle as default release_name and newrelic as default namespace.
Complete the steps in our guided install.
If you're using signed certificates, make sure they are properly configured by using the following variables in the DaemonSet portion of your manifest. Set the .pem file:
env: - name: NRIA_CA_BUNDLE_DIR value: YOUR_CA_BUNDLE_DIR - name: NRIA_CA_BUNDLE_FILE value: YOUR_CA_BUNDLE_NAME
Set your YAML key path to spec.template.spec.containers.name.env.
Save your changes.

Step 2 of 5

Begin the guided install

Begin your guided install by clicking one of the options below:

Guided install option	Description
Guided install	Use this if your New Relic organization does not use the EU data center, and you don't need the bonus dashboards and alerts from the quickstart.
Guided install (EU)	Use this if your New Relic organization uses the EU data center, and you don't need the bonus dashboards and alerts from the quickstart.
Guided install with quickstart	Use this option if your New Relic organization does not use the EU data center, and you also want to install some bonus dashboards and alerts from the quickstart.

Step 3 of 5

Configure your install

On the page Configure the Kubernetes Integration complete the following fields:

Field	Description
We'll send your data to this account	Choose the New Relic account that you want your Kubernetes data written to.
Cluster name	Cluster name is the name we will use to tag your Kubernetes data with so that you can filter for the data specific to the cluster you're installing this integration in. This is important if you choose to connect multiple clusters to your New Relic account so choose a name that you'll recognize.
Namespace for the integration	Namespace for the integration is the namespace we will use to house the Kubernetes integration in your cluster. We recommend using the default namespace of `newrelic`.

Step 4 of 5

Select additional data

On the page Select the additional data you want to gather, choose the options that are right for you:

Scrape Prometheus endpoints

By selecting this option, we will install Prometheus in agent mode to collect metrics from the Prometheus endpoints exposed in your cluster. Expand the collapsers to see details about each option:

We recommend this configuration because various other components of the Kubernetes integration, such as kube-state-metrics, newrelic-infrastructure, and nri-prometheus will already collect these metrics and configuring Prometheus to exclude those metrics will save your data ingest costs by removing any metric redundancies.

This configuration will filter out any metrics prefixed with kube_, container_, machine_, and cadvisor_.

Here's an example from newrelic-prometheus-configurator/charts/newrelic-prometheus-agent/static/lowdatamodedefaults.yaml:

low_data_mode:
- action: drop
  source_labels: [__name__]
  regex: "kube_.+|container_.+|machine_.+|cadvisor_.+"

New Relic provides quickstarts, which are pre-made dashboards, alerts, and entities for various services. Select this option to have Prometheus only scrape for services which have a pre-made quickstart and are ready to go for instant observability.

Here's an example from newrelic-prometheus-configurator/charts/newrelic-prometheus-agent/values.yaml showing in the app_values field which services will be scraped for the Prometheus quickstart option:

kubernetes:
    # NewRelic provides a list of Dashboards, alerts and entities for several Services. The integrations_filter configuration
    # allows to scrape only the targets having this experience out of the box.
    # If integrations_filter is enabled, then the jobs scrape merely the targets having one of the specified labels matching
    # one of the values of app_values.
    # Under the hood, a relabel_configs with 'action=keep' are generated, consider it in case any custom extra_relabel_config is needed.
    integrations_filter:
      # -- enabling the integration filters, merely the targets having one of the specified labels matching
      #    one of the values of app_values are scraped. Each job configuration can override this default.
      enabled: true
      # -- source_labels used to fetch label values in the relabel config added by the integration filters configuration
      source_labels: ["app.kubernetes.io/name", "app.newrelic.io/name", "k8s-app"]
      # -- app_values used to create the regex used in the relabel config added by the integration filters configuration.
      # Note that a single regex will be created from this list, example: '.*(?i)(app1|app2|app3).*'
      app_values: ["redis", "traefik", "calico", "nginx", "coredns", "kube-dns", "etcd", "cockroachdb", "velero", "harbor", "argocd"]

You'll find this option useful if you're an advanced user who has a good idea of what services you want to see Prometheus metrics from. Enter a comma-separated list of services you want Prometheus to scrape, and Prometheus will perform a wildcard match on the service name in order to find you metrics from your desired endpoint.

This option will only provide metrics from the services that match the submitted list, so be careful to validate the entry for correctness. To learn more about custom app labels, see Advanced configuration for the Prometheus agent.

The services you add to the submitted list will overwrite the data in app_values below, and Prometheus will only scrape metrics from those services.

Here is an example from newrelic-prometheus-configurator/charts/newrelic-prometheus-agent/values.yaml:

kubernetes:
    # NewRelic provides a list of Dashboards, alerts and entities for several Services. The integrations_filter configuration
    # allows to scrape only the targets having this experience out of the box.
    # If integrations_filter is enabled, then the jobs scrape merely the targets having one of the specified labels matching
    # one of the values of app_values.
    # Under the hood, a relabel_configs with 'action=keep' are generated, consider it in case any custom extra_relabel_config is needed.
    integrations_filter:
      # -- enabling the integration filters, merely the targets having one of the specified labels matching
      #    one of the values of app_values are scraped. Each job configuration can override this default.
      enabled: true
      # -- source_labels used to fetch label values in the relabel config added by the integration filters configuration
      source_labels: ["app.kubernetes.io/name", "app.newrelic.io/name", "k8s-app"]
      # -- app_values used to create the regex used in the relabel config added by the integration filters configuration.
      # Note that a single regex will be created from this list, example: '.*(?i)(app1|app2|app3).*'
      app_values: ["redis", "traefik", "calico", "nginx", "coredns", "kube-dns", "etcd", "cockroachdb", "velero", "harbor", "argocd"]

Gather log data

If you prefer more robust data, select this option to fully enrich your logs by adding label and annotation data.

Here's an example of a log with full data enrichment:

[
  {
    "cluster_name": "api-test",
    "kubernetes": {
      "annotations": {
        "kubernetes.io/psp": "eks.privileged"
      },
      "container_hash": "fryckbos/test@sha256:5b098eaf3c7d5b3585eb10cebee63665b6208bea31ef31a3f0856c5ffdda644b",
      "container_image": "fryckbos/test:latest",
      "container_name": "newrelic-logging",
      "docker_id": "134e1daf63761baa15e035b08b7aea04518a0f0e50af4215131a50c6a379a072",
      "host": "ip-192-168-17-123.ec2.internal",
      "labels": {
        "app": "newrelic-logging",
        "app.kubernetes.io/name": "newrelic-logging",
        "controller-revision-hash": "84db95db86",
        "pod-template-generation": "1",
        "release": "nri-bundle"
      },
      "namespace_name": "nrlogs",
      "pod_id": "54556e3e-719c-46b5-af69-020b75d69bf1",
      "pod_name": "nri-bundle-newrelic-logging-jxnbj"
    },
    "message": "[2021/09/14 12:30:49] [ info] [engine] started (pid=1)\n",
    "plugin": {
      "source": "kubernetes",
      "type": "fluent-bit",
      "version": "1.8.1"
    },
    "stream": "stderr",
    "time": "2021-09-14T12:30:49.138824971Z",
    "timestamp": 1631622649138
  }
]

If you want to prioritize data ingest costs, you can choose to gather log data with minimal enrichment, also known as low data mode. This option drops labels and annotations from your logs and only shares standard Kubernetes log data such as the name of the cluster, container, namespace, and pod, along with the message and timestamp.

When selecting the minimal enrichment mode, only the following log attributes are retained: cluster_name, container_name, namespace_name, pod_name, stream, message and log.

Here's an example of a log with minimal data enrichment:

[
  {
    "cluster_name": "api-test",
    "container_name": "newrelic-logging",
    "namespace_name": "nrlogs",
    "pod_name": "nri-bundle-newrelic-logging-jxnbj",
    "message": "[2021/09/14 12:30:49] [ info] [engine] started (pid=1)\n",
    "stream": "stderr",
    "timestamp": 1631622649138
  }
]

Enable service-level insights, full-body requests, and application profiles through Pixie

Pixie is an open source observability tool for Kubernetes applications that uses eBPF to automatically collect telemetry data. If you don't have Pixie installed on your cluster, but want to leverage Pixie's powerful telemetry data collection and visualization on the New Relic platform, check Enable service-level insights, full-body requests, and application profiles through Pixie.

If you're already using Community Cloud, select Community Cloud hosted Pixie is already running on this cluster. Keep the following in mind about the different ways Pixie can be hosted. New Relic provides a different level of integration support for each Pixie hosting option.

If you're using Pixie with a self-hosted Pixie Cloud, you can also connect Pixie to New Relic. This approach will enable the export of Pixie telemetry data into New Relic via the OpenTelemetry endpoint for long-term data retention and visibility. Unfortunately, if you're self-hosting your Pixie Cloud, New Relic does not support embedding Pixie's Live UI.

If you're self-hosting Pixie Cloud and would like to enable the export of Pixie telemetry data into New Relic, simply enable Pixie in the Kubernetes Integration without checking the Community Cloud hosted Pixie option. The Kubernetes Integration will detect that Pixie is running in your cluster and enable the data export for instant data visibility and insight.

Step 5 of 5

Finish your install

Finalize the Kubernetes installation setup by choosing one of the following installation methods in the last step of the guided install:

Guided Install (recommended): This option will automatically download and use the newrelic-cli CLI to install and configure the Kubernetes integration.
Helm 3: Use this option if you prefer using Helm to install and configure the Kubernetes integration. This option installs the nri-bundle Helm chart, which you can further configure with the options described here. This is also where you can enable the New Relic operator.
Manifest: Select this option if you prefer generating a Kubernetes manifest in YAML format and manually installing it with kubectl.
Tip
Not seeing data? If you completed the steps above and are still not seeing data, check out this troubleshooting page.

Use this option when you have a Windows-based Kubernetes system. Note that there are various limitations to the Windows integration.

preview

This feature is currently in preview.

Compatibility and requirements

Before you install the Kubernetes integration, review the compatibility and requirements.

Important

When using containers in Windows, the container host version and the container image version must be the same. Our Kubernetes integration can run on Windows versions LTSC 2019 (1809), 20H2, and LTSC 2022.

To check your Windows version:

Open a command window.
Run the following command:

bash

$Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v
$ReleaseIdcmd.exe

Example: Get Kubernetes for Windows from a BusyBox container

Run this command:

bash

$kubectl exec -it busybox1-766bb4d6cc-rmsnj -- Reg Query
$"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ReleaseId

You should see something like this:

bash

$HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
$ReleaseId   REG_SZ  1809

For a useful mapping between release IDs and OS versions, see here.

Install

You can install the Kubernetes integration for Windows using Helm. See an example on how to install the integration in a cluster with nodes having different build versions of Windows (1809 and 2004):

Add the New Relic Helm charts repo:

bash

$helm repo add newrelic https://helm-charts.newrelic.com

Create a namespace for newrelic:

bash

$kubectl create namespace newrelic

Install kube-state-metrics.

bash

$helm repo add ksm https://kubernetes.github.io/kube-state-metrics
$helm install ksm ksm/kube-state-metrics --version 2.13.2

Important

This command is for installing kube-state-metrics, a mandatory dependency of the integration, on a Linux node. We don't support installing this for non-Linux nodes, and if you install it on a non-Linux node, deployment might fail. We recommend using nodeSelector to choose a Linux node. This can be done by editing kube-state-metrics deployment.

Create a values-newrelic.yaml file with the follow data to be used by Helm:

global:
  licenseKey: _YOUR_NEW_RELIC_LICENSE_KEY_
  cluster: _K8S_CLUSTER_NAME_

enableLinux: true        # Set to true if your cluster also has linux nodes
enableWindows: true
windowsOsList:
  - version: 2019            # Human-readable version identifier
    imageTag: 2-windows-1809-alpha  # Tag to be used for nodes running the windows version above
    buildNumber: 10.0.17763         # Build number for your nodes running the version above. Used as a selector.
  - version: 20h2
    imageTag: 2-windows-20H2-alpha
    buildNumber: 10.0.19042
  - version: 2022
    imageTag: 2-windows-ltsc2022-alpha
    buildNumber: 10.0.20348
nodeSelector:
  kubernetes.io/os: linux         # Selector for Linux installation.
windowsNodeSelector:
  kubernetes.io/os: windows       # Selector for Windows installation.

Install the integration with:

bash

$helm upgrade --install newrelic newrelic/newrelic-infrastructure \
>--namespace newrelic --create-namespace \
>--version 2.7.2 \
>-f values-newrelic.yaml

Check that pods are being deployed and reach a stable state:

bash

$kubectl -n newrelic get pods -w

The Helm chart will create one DaemonSet per each version of Windows that is in the list and use NodeSelector to deploy the corresponding Pod per Node.

Limitations

The following limitations apply to the Kubernetes integration for Windows:

The Windows agent only sends the Kubernetes samples (K8sNodeSample, K8sPodSample, etc.)
SystemSample, StorageSample, NetworkSample, and ProcessSample are not generated.
Some Kubernetes metrics are missing because the Windows kubelet doesn’t have them:
Node:
fsInodes: not sent
fsInodesFree: not sent
fsInodesUsed: not sent
memoryMajorPageFaultsPerSecond: always returns zero as a value
memoryPageFaults: always returns zero as a value
memoryRssBytes: always returns zero as a value
runtimeInodes: not sent
runtimeInodesFree: not sent
runtimeInodesUsed: not sent
Pod:
net.errorsPerSecond: not sent
net.rxBytesPerSecond: not sent
net.txBytesPerSecond: not sent
Container:
containerID: not sent
containerImageID: not sent
memoryUsedBytes: in the UI, this is displayed in the pod card that appears when you click on a pod, and will show no data. We will soon fix this by updating our charts to use memoryWorkingSetBytes instead.
Volume:
fsUsedBytes: zero, so fsUsedPercent is zero

Known issues with the Windows Kubelet

There are a couple of issues with the Windows version of Kubelet that can prevent the integration from fetching data:

Issue 90554: This issue makes the Kubelet return 500 errors when the integration makes a request to the /stats/summary endpoint. It will be included in the Kubernetes 1.19 release and has been backported to the releases 1.16.11, 1.17.7, and 1.18.4. There is no solution on the integration side for this problem, we advise you to update to one of the patch versions as soon as possible. You can see if you're being affected by this problem by enabling verbose logs and looking for messages of the type:

bash

$error querying Kubelet. Get "https://<KUBELET_IP>/stats/summary": error calling kubelet endpoint. Got status code: 500

Issue 87730: This issue makes the Kubelet metrics very slow when running minimal load. It makes the integration fail with a timeout error. A patch for this issue has been added for Kubernetes 1.18 and backported to 1.15.12, 1.16.9, and 1.17.5. We advise you to update to one of the patch versions as soon as possible. To mitigate this issue you can increase the integration timeout with the TIMEOUT config option. You can see if you're being affected by this problem by enabling verbose logs and looking for messages of the type:

bash

$error querying Kubelet. Get "https://<KUBELET_IP>/stats/summary": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Use this option when monitoring Kubernetes workloads on EKS Fargate. This integration automatically injects a sidecar containing the infrastructure agent and the nri-kubernetes integration in each pod that needs to be monitored.

Preview

This feature is currently in preview.

New Relic supports monitoring Kubernetes workloads on EKS Fargate by automatically injecting a sidecar containing the infrastructure agent and the nri-kubernetes integration in each pod that needs to be monitored.

If the same Kubernetes cluster also contains EC2 nodes, our solution will also be deployed as a DaemonSet in all of them. No sidecar will be injected into pods scheduled in EC2 nodes, and no DaemonSet will be deployed to Fargate nodes. Here's an example of a hybrid instance with both Fargate and EC2 nodes:

In a mixed environment, the integration only uses a sidecar for Fargate nodes.

New Relic collects all the supported metrics for all Kubernetes objects regardless of where they are scheduled, whether it's Fargate or EC2 nodes. Please note that, due to the limitations imposed by Fargate, the New Relic integration is limited to running in unprivileged mode on Fargate nodes. This means that metrics that are usually fetched from the host directly, like running processes, will not be available for Fargate nodes.

The agent in both scenarios will scrape data from Kube State Metrics (KSM), Kubelet, and cAdvisor and send data in the same format.

Important

Just like for any other Kubernetes cluster, our solution still requires you to deploy and monitor a Kube State Metrics (KSM) instance. Our Helm Chart and/or installer will do so automatically by default, although this behavior can be disabled if your cluster already has a working instance of KSM. This KSM instance will be monitored as any other workload: By injecting a sidecar if it gets scheduled in a Fargate node or with the local instance of the DaemonSet if it gets scheduled on an EC2 node.

Other components of the New Relic solution for Kubernetes, such as nri-prometheus, nri-metadata-injection, and nri-kube-events, do not have any particularities and will be deployed by our Helm Chart normally as they would in non-Fargate environments.

Installation

You can choose between two alternatives for installing New Relic full observability in your EKS Fargate cluster:

Automatic injection (recommended)
Manual injection

Regardless of the approach you choose, the experience is exactly the same after it's installed. The only difference is how the container is injected. We do recommend setting up automatic injection with the New Relic infrastructure monitoring operator because it will eliminate the need to manually edit each deployment you want to monitor.

Automatic injection (recommended)

By default, when Fargate support is enabled, New Relic will deploy an operator to the cluster (newrelic-infra-operator). Once deployed, this operator will automatically inject the monitoring sidecar to pods that are scheduled into Fargate nodes, while also managing the creation and the update of Secrets, ClusterRoleBindings, and any other related resources.

This operator accepts a variety of advanced configuration options that can be used to narrow or widen the scope of the injection, through the use of label selectors for both pods and namespaces.

What the operator does

Behind the scenes, the operator sets up a MutatingWebhookConfiguration, which allows it to modify the pod objects that are about to be created in the cluster. On this event, and when the pod being created matches the user’s configuration, the operator will:

Add a sidecar container to the pod containing the New Relic Kubernetes integration.
If a secret doesn't exist, create one in the same namespace as the pod containing the New Relic , which is needed for the sidecar to report data.
Add the pod's service account to a ClusterRoleBinding previously created by the operator chart, which will grant this sidecar the required permissions to hit the Kubernetes metrics endpoints.

The ClusterRoleBinding grants the following permissions to the pod being injected:

rules:
- apiGroups: [""]
  resources:
  - "nodes"
  - "nodes/metrics"
  - "nodes/stats"
  - "nodes/proxy"
  - "pods"
  - "services"
  - "namespaces"
  verbs: ["get", "list"]
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]

Tip

In order for the sidecar to be injected, and therefore to get metrics from pods deployed before the operator has been installed, you need to manually perform a rollout (restart) of the affected deployments. This way, when the pods are created, the operator will be able to inject the monitoring sidecar. New Relic has chosen not to do this automatically in order to prevent unexpected service disruptions and resource usage spikes.

Important

Remember to create a Fargate profile with a selector that declares the newrelic namespace (or the namespace you choose for the installation).

Here's the injection workflow:

Automatic injection installation

Tip

The following steps are for a default setup. Before completing these, we suggest you take a look at the Configuration section below to see if you want to modify any aspects of the automatic injection.

First, add the New Relic Helm repository if you have not done so before:

bash

$helm repo add newrelic https://helm-charts.newrelic.com

Then, in order to install the operator in charge of injecting the infrastructure sidecar, please create a file named values.yaml, which will be used to define your configuration:

## Global values
global:
  # -- The cluster name for the Kubernetes cluster.
  cluster: "_YOUR_K8S_CLUSTER_NAME_"

  # -- The license key for your New Relic Account. This will be preferred configuration option if both `licenseKey` and `customSecret` are specified.
  licenseKey: "_YOUR_NEW_RELIC_LICENSE_KEY_"

  # -- (bool) In each integration it has different behavior. Enables operating system metric collection on each EC2 K8s node. Not applicable to Fargate nodes.
  # @default -- false
  privileged: true

  # -- (bool) Must be set to `true` when deploying in an EKS Fargate environment
  # @default -- false
  fargate: true

## Enable nri-bundle sub-charts

newrelic-infra-operator:
  # Deploys the infrastructure operator, which injects the monitoring sidecar into Fargate pods
  enabled: true
  tolerations: 
  - key: "eks.amazonaws.com/compute-type"
    operator: "Equal"
    value: "fargate"
    effect: "NoSchedule"
  config:
    ignoreMutationErrors: true
    infraAgentInjection:
      # Injection policies can be defined here.  See [values file](https://github.com/newrelic/newrelic-infra-operator/blob/main/charts/newrelic-infra-operator/values.yaml#L114-L125) for more detail.
      policies:
      - namespaceName: namespace-a
      - namespaceName: namespace-b

newrelic-infrastructure:
  # Deploys the Infrastructure Daemonset to EC2 nodes.  Disable for Fargate-only clusters.
  enabled: true

nri-metadata-injection:
  # Deploy our mutating admission webhook to link APM and Kubernetes entities
  enabled: true

kube-state-metrics:
  # Deploys Kube State Metrics.  Disable if you are already running KSM in your cluster.
  enabled: true

nri-kube-events:
  # Deploy the Kubernetes events integration.
  enabled: true

newrelic-logging:
  # Deploys the New Relic's Fluent Bit daemonset to EC2 nodes.  Disable for Fargate-only clusters.
  enabled: true

newrelic-prometheus-agent:
  # Deploys the Prometheus agent for scraping Prometheus endpoints.
  enabled: true
  config:
    kubernetes:
      integrations_filter:
        enabled: true
        source_labels: ["app.kubernetes.io/name", "app.newrelic.io/name", "k8s-app"]
        app_values: ["redis", "traefik", "calico", "nginx", "coredns", "kube-dns", "etcd", "cockroachdb", "velero", "harbor", "argocd", "istio"]

Finally, after creating and tweaking the file, you can deploy the solution using the following Helm command:

bash

$helm upgrade --install newrelic-bundle newrelic/nri-bundle -n newrelic --create-namespace -f values.yaml

Important

When deploying the solution on a hybrid cluster (with both EC2 and Fargate nodes), please make sure that the solution is not selected by any Fargate profiles; otherwise, the DaemonSet instances will be stuck in a pending state. For fargate-only environments this is not a concern because no DaemonSet instances are created.

Configuration

You can configure different aspects of the automatic injection. By default, the operator will inject the monitoring sidecar to all pods deployed in Fargate nodes which are not part of a Job or a BatchJob.

This behavior can be changed through configuration options. For example, you can define selectors to narrow or widen the selection of pods that are injected, assign resources to the operator, and tune the sidecar. Also, you can add other attributes, labels, and environment variables. Please refer to the chart README.md and values.yaml.

Important

Specifying your own custom injection rules will discard the default ruleset that prevents sidecar injection on pods that are not scheduled in Fargate. Please ensure that your custom rules have the same effect; otherwise, on hybrid clusters which also have the DaemonSet deployed, pods scheduled in EC2 will be monitored twice, leading to incorrect or duplicate data.

Update to the latest version or to a new configuration

To update to the latest version of the EKS Fargate integration, upgrade the Helm repository using helm repo update newrelic and reinstall the bundle by simply running again the command above.

To update the configuration of the infrastructure agent injected or the operator itself, modify the values-newrelic.yaml and upgrade the Helm release with the new configuration. The operator is updated immediately, and your workloads will be instrumented with the new version on their next restart. If you wish to upgrade them immediately, you can force a restart of your workloads by running:

bash

$kubectl rollout restart deployment YOUR_APP

Uninstall the Fargate integration

In order to uninstall the sidecar performing the automatic injection but keep the rest of the New Relic solution, using Helm, disable the infra-operator by setting infra-operator.enabled to false, either in the values.yaml file or in the command line (--set), and re-run the installation command above.

We strongly recommend keeping the --set global.fargate=true flag, since it does not enable automatic injection but makes other components of the installation Fargate-aware, preventing unwanted behavior.

To uninstall the whole solution:

Completely uninstall the Helm release.
Rollout the pods in order to remove the sidecar:

bash

$kubectl rollout restart deployment YOUR_APP

Garbage collect the secrets:

bash

$kubectl delete secrets -n YOUR_NAMESPACE -l newrelic/infra-operator-created=true

Known limitations: automatic injection

Here are some issues to be aware of when using automatic injection:

Currently there is no controller that watches the whole cluster to make sure that secrets that are no longer needed are garbage collected. However, all objects share the same label that you can use to remove all resources, if needed. We inject the label newrelic/infra-operator-created: true, which you can use to delete resources with a single command.
At the moment, it's not possible to use the injected sidecar to monitor services running in the pod. The sidecar will only monitor Kubernetes itself. However, advanced users might want to exclude these pods from automatic injection and manually inject a customized version of the sidecar with on-host integrations enabled by configuring them and mounting their configurations in the proper place. For help, see this tutorial.

Manual injection

If you have any concerns about the automatic injection, you can inject the sidecar manually directly by modifying the manifests of the workloads scheduled that are going to be scheduled on Fargate nodes. Please note that adding the sidecar into deployments scheduled into EC2 nodes may lead into incorrect or duplicate data, especially if those nodes are already being monitored with the DaemonSet.

The following objects are required for the sidecar to successfully report data:

The ClusterRole providing the permission needed by the nri-kubernetes integration
A ClusterRoleBinding linking the ClusterRole and the service account of the pod
The secret storing the New Relic licenseKey in each Fargate namespace
The sidecar container in the spec template of the monitored workload

Manual injection installation

Tip

These manual setup steps are for a generic installation. Before completing these, take a look at the Configuration section below to see if you want to modify any aspects of the automatic injection.

Complete the following for manual injection:

If ClusterRole doesn't exist, create it and grant the permissions required to hit the metrics endpoints. This only needs to be done once, even for monitoring multiple applications in the same cluster.

You can use this snippet as it appears below, without any changes:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: newrelic-infrastructure
  name: newrelic-newrelic-infrastructure-infra-agent
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/metrics
  - nodes/stats
  - nodes/proxy
  - pods
  - services
  verbs:
  - get
  - list
- nonResourceURLs:
  - /metrics
  verbs:
  - get

For each workload you want to monitor, add an additional sidecar container for the newrelic/infrastructure-k8s image. Here is an example of an injected sidecar.

Take the container of the following snippet and inject it in the workload you want to monitor, specifying the name of your FargateProfile in the customAttributes variable. Note that the volumes can be defined as emptyDir: {}.

Tip

In the special case of a KSM deployment, you also need to remove the DISABLE_KUBE_STATE_METRICS environment variable and increase the resources requests and limits.

apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
containers:
- name: newrelic-infrastructure
  env:
  - name: NRIA_LICENSE_KEY
    valueFrom:
      secretKeyRef:
        key: license
        name: newrelic-newrelic-infrastructure-config
  - name: NRIA_VERBOSE
    value: "1"
  - name: DISABLE_KUBE_STATE_METRICS
    value: "true"
  - name: CLUSTER_NAME
    value: testing-injection
  - name: COMPUTE_TYPE
    value: serverless
  - name: NRK8S_NODE_NAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: spec.nodeName
  - name: NRIA_DISPLAY_NAME
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: spec.nodeName
  - name: NRIA_CUSTOM_ATTRIBUTES
    value: '{"clusterName":"$(CLUSTER_NAME)", "computeType":"$(COMPUTE_TYPE)", "fargateProfile":"[YOUR FARGATE PROFILE]"}'
  - name: NRIA_PASSTHROUGH_ENVIRONMENT
    value: KUBERNETES_SERVICE_HOST,KUBERNETES_SERVICE_PORT,CLUSTER_NAME,CADVISOR_PORT,NRK8S_NODE_NAME,KUBE_STATE_METRICS_URL,KUBE_STATE_METRICS_POD_LABEL,TIMEOUT,ETCD_TLS_SECRET_NAME,ETCD_TLS_SECRET_NAMESPACE,API_SERVER_SECURE_PORT,KUBE_STATE_METRICS_SCHEME,KUBE_STATE_METRICS_PORT,SCHEDULER_ENDPOINT_URL,ETCD_ENDPOINT_URL,CONTROLLER_MANAGER_ENDPOINT_URL,API_SERVER_ENDPOINT_URL,DISABLE_KUBE_STATE_METRICS,DISCOVERY_CACHE_TTL
  image: newrelic/infrastructure-k8s:2.4.0-unprivileged
  imagePullPolicy: IfNotPresent
  resources:
    limits:
      memory: 100M
      cpu: 200m
    requests:
      cpu: 100m
      memory: 50M
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    runAsUser: 1000
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /var/db/newrelic-infra/data
    name: tmpfs-data
  - mountPath: /var/db/newrelic-infra/user_data
    name: tmpfs-user-data
  - mountPath: /tmp
    name: tmpfs-tmp
  - mountPath: /var/cache/nr-kubernetes
    name: tmpfs-cache
[...]

Create a ClusterRoleBinding, or add to a previously created one the ServiceAccount of the application that is going to be monitored. All the workloads may share the same ClusterRoleBinding, but the ServiceAccount of each one must be added to it.

Create the following ClusterRoleBinding that has as subjects the service account of the pods you want to monitor.

Tip

You don't need to repeat the same service account twice. Each time you want to monitor a pod with a service account that isn't included yet, just add it to the list.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: newrelic-newrelic-infrastructure-infra-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: newrelic-newrelic-infrastructure-infra-agent
subjects:
- kind: ServiceAccount
  name: [INSERT_SERVICE_ACCOUNT_NAME_OF_WORKLOAD]
  namespace: [INSERT_SERVICE_ACCOUNT_NAMESPACE_OF_WORKLOAD]

Create a secret containing the New Relic . Each namespace needs its own secret.

Create the following Secret that has a license with the Base64 encoded value of your . One secret is needed in each namespace where a pod you want to monitor is running.

apiVersion: v1
data:
  license: INSERT_YOUR_NEW_RELIC_LICENSE_ENCODED_IN_BASE64
  kind: Secret
metadata:
  name: newrelic-newrelic-infrastructure-config
  namespace: [INSERT_NAMESPACE_OF_WORKLOAD]
  type: Opaque

Configuration

When adding the manifest of the sidecar agent manually, you can use any agent configuration option to configure the agent behavior. For help, see Infrastructure agent configuration settings.

Update to the latest version

To update any of the components, you just need to modify the deployed yaml.

Updating any of the fields of the injected container will cause the pod to be re-created.

Important

The agent cannot hot load the New Relic . After updating the secret, you need to rollout the deployments again.

Uninstall the Fargate integration

To remove the injected container and the related resources, you just have to remove the following:

The sidecar from the workloads that should be no longer monitored.
All the secrets containing the newrelic license.
ClusterRole and ClusterRoleBinding objects.

Notice that removing the sidecar container will cause the pod to be re-created.

Logging

New Relic logging isn't available on Fargate nodes because of security constraints imposed by AWS, but here are some logging options:

If you're using Fluentbit for logging, see Kubernetes plugin for log forwarding.
If your log data is already being monitored by AWS FireLens, see AWS FireLens plugin for log forwarding.
If your log data is already being monitored by Amazon CloudWatch Logs, see Stream logs using Kinesis Data Firehose.
See AWS Lambda for sending CloudWatch logs.
See Three ways to forward logs from Amazon ECS to New Relic.

Troubleshooting

DaemonSet replicas are being deployed into Fargate nodes

If you notice that any Infra DaemonSet replicas are being scheduled on Fargate nodes, it might be because the nodeAffinity rules are not configured properly.

Double-check that the solution was installed with the global.fargate option to true, either through the command line (--set global.fargate=true) or in the values.yaml file. If the installation method was not Helm, you’ll need to manually add nodeAffinity rules to exclude Fargate nodes.

Event `FailedScheduling` due to untolerated taint

Remember to add in the values.yaml file the tolerations described in Automatic injection installation if you get the following event while trying to create a pod:

LAST SEEN | TYPE | REASON | OBJECT | MESSAGE
:--|:--|:--|:--|:--
3m9s (x2 over 8m10s) | Warning | FailedScheduling | Pod/no-fargate-deploy-cbddd6ccf-8f9x4 | 0/2 nodes are available: 2 node(s) had untolerated taint {eks.amazonaws.com/compute-type: fargate}. preemption: 0/2 nodes are available: 2 Preemption is not helpful for scheduling..

Event `FailedScheduling` due to too many pods

Check if there's a Fargate profile with a selector that names the namespace where installation is occurring if you get the following event while trying to create a pod:

LAST SEEN | TYPE | REASON | OBJECT | MESSAGE
:--|:--|:--|:--|:--
61s | Warning | FailedScheduling | Pod/newrelic-bundle-newrelic-infra-operator-admission-create-d8ggt | 0/2 nodes are available: 2 Too many pods. preemption: 0/2 nodes are available: 2 No preemption victims found for incoming pod..

View your EKS data

Here's an example of what a Fargate node looks like in the New Relic UI:

To view your AWS data:

Go to one.newrelic.com > All capabilities > Infrastructure > Kubernetes and do one of the following:

Select an integration name to view data.
Select the Explore data icon to view AWS data.

Filter your data using two Fargate tags:

computeType=serverless
fargateProfile=[name of the Fargate profile to which the workload belongs]

If you want to use Helm to install the integration, you have two options:

Our guided install experience, which will provide a Helm command with the required fields pre-populated. This option also allows for installing our integration as plain manifests rather than a Helm release.
Manual configuration via the values.yaml file. This tab will guide you through how to do that.

Helm is a package manager on top of Kubernetes. It facilitates installation, upgrades, or revision tracking, and it manages dependencies for the services that you install in Kubernetes. If you haven't already, create your free New Relic account below to start monitoring your data today.

Start the installer

Compatibility and requirements

Make sure Helm is installed on your machine. Version 3 of the Kubernetes Integration requires Helm version 3.

To install the Kubernetes integration using Helm, you will need your New Relic and your Kubernetes cluster's name:

Find and copy your .
Choose a display name for your cluster. For example, you could use the output of:

bash

$kubectl config current-context

Important

Keep these values somewhere safe, as you will need them later during the installation process.

Install the Kubernetes integration with Helm

New Relic has several Helm charts for the different components which offer different features for the platform:

newrelic-infrastructure: Contains the main Kubernetes integration and the infrastructure agent. This is the core component for the New Relic Kubernetes experience, responsible for reporting most of the data that is surfaced in the Kubernetes Dashboard and the Kubernetes Cluster Explorer.
newrelic-logging: Provides a DaemonSet with New Relic's Fluent Bit output plugin to easily forward your logs to New Relic.
nri-kube-events: Collects and reports cluster events (such as kubectl get events) to New Relic.
newrelic-prometheus-agent: New Relic's Prometheus Configurator configures a Prometheus in agent mode and use our remote write endpoint to reports metrics to New Relic.
nri-metadata-injection: Sets up a minimal MutatingAdmissionWebhook that injects a couple of environment variables in the containers. These contain metadata about the cluster and New Relic installation and will be later picked up by applications instrumented using APM, allowing to correlate APM and infrastructure data.
nri-statsd: New Relic StatsD integration.

Although you can install these components separately, we strongly recommend you use the nri-bundle chart. New Relic provides this chart, which acts as a wrapper or a meta-package for the individual charts mentioned above. The use of this chart enables you these advantages:

It provides full control over which components are installed. Each component is installed as a separate Helm dependency. You can configure them individually using the parameters mentioned here.
It ensures that their installed versions are compatible with each other.
It ensures that their configuration values are consistent across the installed charts.

The nri-bundle chart is the one that is installed and configured by our Kubernetes guided install.

Installing and configuring `nri-bundle` with Helm

Ensure you're using the appropriate context in the machine where you will run Helm and kubectl:

You can check the available contexts with:

bash

$kubectl config get-contexts

And switch to the desired context using:

bash

$kubectl config use-context _CONTEXT_NAME_

Add the New Relic Helm charts repo:

bash

$helm repo add newrelic https://helm-charts.newrelic.com

Create a file named values-newrelic.yaml, which will be used to define your configuration:

global:
  licenseKey: _YOUR_NEW_RELIC_LICENSE_KEY_
  cluster: _K8S_CLUSTER_NAME_

newrelic-prometheus-agent:
  # Automatically scrape prometheus metrics for annotated services in the cluster
  # Collecting prometheus metrics for large clusters might impact data usage significantly
  enabled: true
nri-metadata-injection:
  # Deploy our webhook to link APM and Kubernetes entities
  enabled: true
nri-kube-events:
  # Report Kubernetes events
  enabled: true
newrelic-logging:
  # Report logs for containers running in the cluster
  enabled: true
kube-state-metrics:
  # Deploy kube-state-metrics in the cluster.
  # Set this to true unless it is already deployed.
  enabled: true

Make sure everything is configured properly in the chart by running the following command. Notice that we're specifying --dry-run and --debug, so nothing will be installed in this step:

bash

$helm upgrade --install newrelic-bundle newrelic/nri-bundle \
>--namespace newrelic --create-namespace \
>-f values-newrelic.yaml \
>--dry-run \
>--debug

Please notice and adjust the following flags:

global.licenseKey=YOUR_NEW_RELIC_LICENSE_KEY: Must be set to a valid for your account.
global.cluster=K8S_CLUSTER_NAME: It's used to identify the cluster in the New Relic UI, so should be a descriptive value not used by any other Kubernetes cluster configured in your New Relic account.
kube-state-metrics.enabled=true: Setting this to true will automatically install Kube State Metrics (KSM) for you, which is required for our integration to run. You can set this to false if KSM is already present in your cluster, even if it's on a different namespace.
newrelic-prometheus-agent.enabled=true: Will deploy our Prometheus Agent, which automatically collects data from Prometheus endpoints present in the cluster.
nri-metadata-injection.enabled=true: Will install our minimal webhook, which adds environment variables that, in turn, allows linking applications instrumented with New Relic APM to Kubernetes.

Our Kubernetes charts have a comprehensive set of flags and tunables that can be edited to better fit your particular needs. Please, check the Configure the integration section below to see what can be changed.

Install the Kubernetes integration by running the command without --debug and --dry-run:

bash

$helm upgrade --install newrelic-bundle newrelic/nri-bundle \
>--namespace newrelic --create-namespace \
>-f values-newrelic.yaml

Important

Make sure you're using Kubernetes version 1.27.x or a lower version that we support.

Check that pods are being deployed and reach a stable state:

bash

$kubectl -n newrelic get pods -w

You should see:

newrelic-nrk8s-ksm pod.
newrelic-nrk8s-kubelet pod for each node in your cluster.
newrelic-nrk8s-control-plane pod for each master node in your cluster, if any.
newrelic-kube-state-metrics pod, if you included KSM with our installation.
newrelic-nri-kube-events pod, if you enabled Kubernetes events reporting.
prometheus-agent pod, if you enabled the Prometheus agent integration.
newrelic-newrelic-logging pod for each node in your cluster, if you enabled the logging integration.

Did this doc help with your installation?

Configure the integration

Our nri-bundle chart. whose installation instructions can be found above, acts as a wrapper or a meta-package for a couple of other charts, which are the ones containing the components for our solution. By offering such a wrapper we can provide a controlled set of our components with versions that we know are compatible with each other, while keeping the component's charts relatively simple.

The nri-bundle chart wraps multiple individual charts to gather different telemetry data and send it to New Relic. The bundle allows to selectively enable the desired child charts depending on your needs. To configure each individual component, you must use Helm's dependency system, which in short means that the configuration for each child chart must be placed under a separate section (named after each child chart) in the values-newrelic.yml file. For example, to configure the newrelic-infrastructure chart, you would add the following to the values-newrelic.yaml:

# General settings that apply to all the child charts
global:
  licenseKey: _YOUR_NEW_RELIC_LICENSE_KEY_
  cluster: _K8S_CLUSTER_NAME_

# ... Other settings as shown above

# Specific configuration for the newrelic-infrastructure child chart
newrelic-infrastructure:
  verboseLog: true  # Enable debug logs
  privileged: false  # Install with minimal privileges
  # Other options from https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-infrastructure-v3

# Specific configuration for the newrelic-logging child chart
newrelic-logging:
  fluentBit:
  retryLimit: 10

You can also pass child chart options through the command line by prefixing them with the child chart name and replace the nesting by dots:

helm upgrade --install newrelic-bundle newrelic/nri-bundle \
--namespace=newrelic \
--set global.licenseKey=_YOUR_NEW_RELIC_LICENSE_KEY_ \
--set global.cluster=_K8S_CLUSTER_NAME_ \
--set newrelic-infrastructure.privileged=false \
--set newrelic-infrastructure.verboseLog=true \
--set newrelic-logging.fluentBit.retryLimit=10

The full list of flags you can tweak (such as scrape-interval) for each child chart can be found in their respective repositories:

newrelic-infrastructure
Configure debug logs, privilege mode, control plane monitoring, etc.
nri-kube-events
nri-metadata-injection
Configure how the webhook for APM linkage is deployed.
Configure which Prometheus endpoints are scraped.
newrelic-logging
Configure which logs or log attributes are sent to New Relic.

Tip

When specifying configuration options for the child charts, you must place them under a section named after the chart name in your values-newrelic.yaml.

Tip

To pass child chart options through the command line, you need to prefix them with the child chart name and replace the nesting by dots.

Use your Kubernetes data

Learn more about:

Unprivileged and privileged modes
Exploring your Kubernetes data in the UI
Using your Kubernetes data with queries, in charts, for alerts, etc.

Installation options

Navigating the Kubernetes integration guided install

Tip

Prepare to install

Google Kubernetes Engine (GKE)

OpenShift container platform

Azure Kubernetes Service (AKS)

Begin the guided install

Configure your install

Select additional data

Scrape Prometheus endpoints

Scrape all Prometheus endpoints except core Kubernetes system metrics (recommended)

Scrape all Prometheus endpoints

Scrape only Prometheus endpoints with quickstarts

Scrape only the certain labels

Gather log data

Forward all logs with full enrichment

Forward all logs with minimal enrichment (low data mode)

Enable service-level insights, full-body requests, and application profiles through Pixie

Community Cloud Pixie

Self-hosted Pixie

Finish your install

Tip

preview

Compatibility and requirements

Important

Example: Get Kubernetes for Windows from a BusyBox container

Install

Important

Limitations

Known issues with the Windows Kubelet

Preview

Important

Installation

Automatic injection (recommended)

What the operator does

Tip

Important

Automatic injection installation

Tip

Important

Configuration

Important

Update to the latest version or to a new configuration

Uninstall the Fargate integration

Known limitations: automatic injection

Manual injection

Manual injection installation

Tip

ClusterRole

ContainerToInject

ClusterRoleBinding

Secret

Configuration

Update to the latest version

Important

Uninstall the Fargate integration

Logging

Troubleshooting

DaemonSet replicas are being deployed into Fargate nodes

Event FailedScheduling due to untolerated taint

Event FailedScheduling due to too many pods

View your EKS data

Compatibility and requirements

Important

Install the Kubernetes integration with Helm

Installing and configuring nri-bundle with Helm

Important

Did this doc help with your installation?

Configure the integration

Tip

Tip

Use your Kubernetes data

Did this doc help with your installation?

Event `FailedScheduling` due to untolerated taint

Event `FailedScheduling` due to too many pods

Installing and configuring `nri-bundle` with Helm