Installing Infrastructure Visibility Using the Helm Chart

This page describes how to deploy Infrastructure Visibility (InfraViz) using the Cluster Agent Helm chart.

Helm is the package manager for Kubernetes. A Helm chart is a collection of files that describes a set of Kubernetes resources. The Cluster Agent Helm chart is a convenient way to deploy the Splunk AppDynamics Operator and InfraViz.

Note: Windows containers are not supported with this deployment.

Requirements

  • Machine Agent version 21.9.0 or later

  • NetViz version 21.3.0 or later

  • Controller version 20.6.0 or later

  • The Cluster Agent Helm chart is compatible with Helm 3.0

Warning: To install InfraViz using the Cluster Agent Helm chart, the Cluster Agent Helm chart version must be 1.1.0 or later. Older versions of the Cluster Agent Helm chart (v0.1.19 and earlier) do not work.

Note: In environments running Kubernetes 1.25 or later, PodSecurityPolicy has been removed (https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes). Pod security restrictions are now applied at the namespace level using Pod Security Standards levels (https://kubernetes.io/docs/concepts/security/pod-security-admission/). Therefore, the namespace in which the Infrastructure Visibility pods run must be set to the Privileged level.

In environments running a Kubernetes version earlier than 1.25 where PodSecurityPolicies block certain pod security context settings, such as privileged pods, you must deploy infraviz-pod-security-policy.yaml before editing the infraviz.yaml file. The PodSecurityPolicy must be explicitly attached to the appdynamics-infraviz service account.

In environments where OpenShift SecurityContextConstraints block certain pod security context settings, such as privileged pods, you must deploy infraviz-security-context-constraint-openshift.yaml before editing the infraviz.yaml file.

Installing Infrastructure Visibility on the Cluster

  1. Delete all previously installed CRDs related to Splunk AppDynamics agents using the following commands:
    CODE
    $ kubectl get crds
    $ kubectl delete crds <crd-names>
  2. Add the chart repository to Helm:
    CODE
    $ helm repo add appdynamics-cloud-helmcharts https://appdynamics.jfrog.io/artifactory/appdynamics-cloud-helmcharts/
  3. Create the appdynamics namespace in the cluster:
    CODE
    $ kubectl create namespace appdynamics
  4. Create a Helm values file based on this values-ca1.yaml example. Update controllerInfo, infraViz, netViz, enableMasters, enableContainerHostId, and enableServerViz. For the properties available in values.yaml, see "InfraViz Configuration Settings".
    CODE
    # To install InfraViz
    installInfraViz: true
    # Splunk AppDynamics controller info
    controllerInfo:
      url: https://<controller-url>:443
      account: <appdynamics-controller-account>
      username: <appdynamics-controller-username>
      password: <appdynamics-controller-password>
      accessKey: <appdynamics-controller-access-key>
      globalAccount: <appdynamics-controller-global-account>
    # InfraViz config
    infraViz:
      nodeOS: "linux"
      enableMasters: false
      stdoutLogging: false
      enableContainerHostId: true
      enableServerViz: true
      enableDockerViz: false
      runAsUser: <UID of runAsUser>
      runAsGroup: 1001
    # Netviz config
    netViz:
      enabled: true
      netVizPort: 3892
    To list all available configuration options of the chart:
    CODE
    helm show values appdynamics-cloud-helmcharts/cluster-agent
  5. Deploy InfraViz to the appdynamics namespace:
    CODE
    $ helm install -f ./values-ca1.yaml "<my-cluster-agent-helm-release>" appdynamics-cloud-helmcharts/cluster-agent --namespace=appdynamics

Configuration Options

Each configuration option is listed with its description and whether it is required.

installInfraViz
    Used for installing InfraViz. This must be set to true.
    Required (defaults to false)

Image configuration options (options under the imageInfo key in values.yaml)

imageInfo.operatorImage
    Operator image address in the format <registryUrl>/<registryAccount>/cluster-agent-operator
    Optional (defaults to the Docker Hub image)

imageInfo.operatorTag
    Operator image tag/version
    Optional (defaults to 22.1.0)

imageInfo.imagePullPolicy
    Image pull policy for the Operator pod
    Optional

imageInfo.machineAgentImage
    Machine Agent image address in the format <registryUrl>/<registryAccount>/machine-agent
    Optional (defaults to the Docker Hub image)

imageInfo.machineAgentTag
    Machine Agent image tag/version
    Optional (defaults to latest)

imageInfo.netVizImage
    NetViz Agent image address in the format <registryUrl>/<registryAccount>/machine-agent-netviz
    Optional (defaults to the Docker Hub image)

imageInfo.netvizTag
    NetViz Agent image tag/version
    Optional (defaults to latest)

Controller configuration options (options under the controllerInfo key in values.yaml)

controllerInfo.accessKey
    Controller accessKey
    Required

controllerInfo.globalAccount
    Controller globalAccount
    Required

controllerInfo.account
    Controller account
    Required

controllerInfo.authenticateProxy
    true/false, whether the proxy requires authentication
    Optional

controllerInfo.customSSLCert
    Base64 encoding of the PEM-formatted SSL certificate
    Optional

controllerInfo.password
    Controller password
    Required only when auto-instrumentation is enabled

controllerInfo.proxyPassword
    Password for proxy authentication
    Optional

controllerInfo.proxyUrl
    Proxy URL if the Controller is behind a proxy
    Optional

controllerInfo.proxyUser
    Username for proxy authentication
    Optional

controllerInfo.url
    Controller URL
    Required

controllerInfo.keyStoreFileSecret
    Name of the secret containing the keystore file used to apply the custom SSL configuration for Infrastructure Visibility
    Optional

controllerInfo.keyStorePasswordSecret
    Name of the secret containing the keystore password used to apply the custom SSL configuration for Infrastructure Visibility
    Optional

controllerInfo.username
    Controller username
    Required only when auto-instrumentation is enabled

RBAC configuration

infravizServiceAccount
    Service account to be used by InfraViz
    Optional

createServiceAccount
    Set to true if the service accounts mentioned above are to be created by Helm
    Optional

operatorServiceAccount
    Service account to be used by the Splunk AppDynamics Operator
    Optional

NetViz configuration

netViz.resourcesNetViz
    Sets resources for the Network Visibility (NetViz) container
    Optional

netViz.netVizPort
    When > 0, the Network Agent is deployed as a sidecar alongside the Machine Agent. By default, the Network Visibility Agent uses port 3892.
    Optional

netViz.securityContext.runAsGroup
    If you configured the application container as a non-root user, provide the group ID. This sets the appropriate file permissions on the agent artifacts. This value is applied to all the instrumented resources. Add this parameter if you need to override the default value of runAsGroup.
    Optional

netViz.securityContext.runAsUser
    If you configured the application container as a non-root user, provide the user ID. This sets the appropriate file permissions on the agent artifacts. This value is applied to all the instrumented resources. Add this parameter if you need to override the default value of runAsUser.
    Optional

netViz.securityContext.allowPrivilegeEscalation
    Controls whether a process can gain more privileges than its parent process. The value is true when the container runs as:
      • a privileged container
      • CAP_SYS_ADMIN
    Note: NetViz does not run if this parameter is set to false. This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

netViz.securityContext.capabilities
    Adds or removes POSIX capabilities from the running containers. This uses the default set of capabilities during container runtime. These values are included by default, regardless of whether you specify them:
      • NET_ADMIN
      • NET_RAW
    If you specify any value for capabilities, Helm considers that value along with the default values.
    Note: NetViz does not run if this parameter is set to false. This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

netViz.securityContext.privileged
    Runs the container in privileged mode, which is equivalent to root on the host.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

netViz.securityContext.procMount
    The type of proc mount to use for the containers.
    Note: This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

netViz.securityContext.readOnlyRootFilesystem
    Specifies whether this container has a read-only root filesystem.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

netViz.securityContext.runAsNonRoot
    Specifies whether the container must run as a non-root user. If the value is true, the kubelet validates the image at runtime to ensure that the container fails to start when run as root. If this parameter is not specified or the value is false, there is no validation.
    Note: This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

netViz.securityContext.seLinuxOptions
    Applies the SELinux context to the container. If this parameter is not specified, the container runtime allocates a random SELinux context for each container.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

netViz.securityContext.seccompProfile
    Specifies the seccomp options used by the container. If seccomp options are specified at both the pod and container level, the container options override the pod options.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

netViz.securityContext.windowsOptions
    Specifies Windows-specific options for every container.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

InfraViz configuration

infraViz.appName
    Name of the cluster displayed on the Controller UI as your cluster name. This configuration groups the nodes of the cluster based on their role (master, worker, infra, worker-infra).
    Optional

infraViz.enableContainerd
    Enables containerd visibility on the Machine Agent. Specify either true or false. The default value is false.
    Optional

infraViz.enableContainerHostId
    Flag that determines how container names are derived; specify either true or false.
    Required

infraViz.enableMasters
    By default, only worker nodes are monitored. When set to true, Server Visibility is provided for master nodes. For managed Kubernetes providers, the flag has no effect because the master plane is not accessible.
    Optional

infraViz.enableServerViz
    Enables Server Visibility
    Required

infraViz.enableDockerViz
    Enables Docker Visibility
    Required

infraViz.eventServiceUrl
    The Event Service endpoint
    Optional

infraViz.runAsUser
    The UID (user ID) to run the entry point of the container process. If you do not specify the UID, this defaults to the user ID specified in the image:
      • docker.io/appdynamics/machine-agent
      • docker.io/appdynamics/machine-agent-analytics:latest
    If you need to run as any other UID, change the UID for runAsUser without changing the group ID. If you specify runAsUser in both infraviz.securityContext and infraViz.runAsUser, see the note below.
    Note: This parameter is deprecated. We recommend using infraviz.securityContext.runAsUser.
    Optional

infraViz.logProperties.logLevel
    Level of logging verbosity. Valid options are: info, debug
    Optional

infraViz.metricProperties.metricsLimit
    Maximum number of metrics that the Machine Agent sends to the Controller
    Optional

infraViz.propertyBag
    String containing additional Machine Agent JVM system properties.
    Note: The keyStoreFileSecret and keyStorePasswordSecret parameters do not apply to the Analytics Agent. To configure SSL/TLS for the Analytics Agent or to provide a TrustStore, you must use the infraViz.propertyBag parameter to pass JVM system properties.
    Optional

infraViz.runAsGroup
    The GID (group ID) to run the entry point of the container process. If you do not specify the ID, this uses the UID specified in the image:
      • docker.io/appdynamics/machine-agent
      • docker.io/appdynamics/machine-agent-analytics:latest
    If you also specify runAsGroup in both infraviz.securityContext and infraViz.runAsGroup, see the note below.
    Note: This parameter is deprecated. We recommend using infraviz.securityContext.runAsGroup.
    Optional

infraViz.stdoutLogging
    Determines whether logs are saved to a file or redirected to the console
    Optional

infraViz.uniqueHostId
    Unique host ID in Splunk AppDynamics. Valid options are: spec.nodeName, status.hostIP
    Optional

infraViz.securityContext.runAsGroup
    If you configured the application container as a non-root user, provide the group ID. This sets the appropriate file permissions on the agent artifacts. This value is applied to all the instrumented resources. Add this parameter if you need to override the default value of runAsGroup.
    Optional

infraViz.securityContext.runAsUser
    If you configured the application container as a non-root user, provide the user ID. This sets the appropriate file permissions on the agent artifacts. This value is applied to all the instrumented resources. Add this parameter if you need to override the default value of runAsUser.
    Optional

infraViz.securityContext.allowPrivilegeEscalation
    Controls whether a process can gain more privileges than its parent process. The value is true when the container runs as:
      • a privileged container
      • CAP_SYS_ADMIN
    If you do not set this parameter, Helm uses the default value of true.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

infraViz.securityContext.capabilities
    Adds or removes POSIX capabilities from the running containers. This uses the default set of capabilities during container runtime.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

infraViz.securityContext.privileged
    Runs the container in privileged mode, which is equivalent to root on the host. If you do not set this parameter, Helm uses the default value of true.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

infraViz.securityContext.procMount
    The type of proc mount to use for the containers.
    Note: This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

infraViz.securityContext.readOnlyRootFilesystem
    Specifies whether this container has a read-only root filesystem.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

infraViz.securityContext.runAsNonRoot
    Specifies whether the container must run as a non-root user. If the value is true, the kubelet validates the image at runtime to ensure that the container fails to start when run as root. If this parameter is not specified or the value is false, there is no validation.
    Note: This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

infraViz.securityContext.seLinuxOptions
    Applies the SELinux context to the container. If this parameter is not specified, the container runtime allocates a random SELinux context for each container.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

infraViz.securityContext.seccompProfile
    Specifies the seccomp options used by the container. If seccomp options are specified at both the pod and container level, the container options override the pod options.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

infraViz.securityContext.windowsOptions
    Specifies Windows-specific options for every container.
    Note: This parameter is unavailable when spec.os.name is Windows. This parameter is currently available for Deployment and DeploymentConfig mode.
    Optional

InfraViz pod configuration

infravizPod.nodeSelector
    Kubernetes node selector field in the InfraViz pod spec
    Optional

infravizPod.resources
    Kubernetes CPU and memory resources in the InfraViz pod spec
    Optional

infravizPod.imagePullPolicy
    The image pull policy for the InfraViz pod
    Optional

infravizPod.imagePullSecret
    The credential file used to authenticate when pulling images from your private Docker registry or repository
    Optional

infravizPod.priorityClassName
    The name of the pod priority class, which is used in the pod specification to set the priority
    Optional

infravizPod.env
    List of environment variables
    Optional

infravizPod.overrideVolumeMounts
    The list of volumeMounts
    Optional

infravizPod.tolerations
    List of tolerations based on the taints that are associated with nodes
    Optional

Operator pod configuration

operatorPod.nodeSelector
    Kubernetes node selector field in the Splunk AppDynamics Operator pod spec
    Optional

operatorPod.tolerations
    Kubernetes tolerations field in the Splunk AppDynamics Operator pod spec
    Optional

operatorPod.resources
    Kubernetes CPU and memory resources in the Splunk AppDynamics Operator pod spec
    Optional

Best Practices for Sensitive Data

We recommend using multiple values.yaml files so that sensitive data is kept in a separate values.yaml file. Examples of such values:

  • controllerInfo.password
  • controllerInfo.accessKey
  • controllerInfo.customSSLCert
  • controllerInfo.proxyPassword

An example of each file:

user-values.yaml
CODE
# To install InfraViz
installInfraViz: true
imageInfo:
  operatorImage: docker.io/appdynamics/cluster-agent-operator
  operatorTag: 22.1.0
  imagePullPolicy: Always            # Will be used for operator pod
  machineAgentImage: docker.io/appdynamics/machine-agent
  machineAgentTag: latest
  netVizImage: docker.io/appdynamics/machine-agent-netviz
  netvizTag: latest
controllerInfo:
  url: https://<controller-url>:443
  account: <appdynamics-controller-account>
  username: <appdynamics-controller-username>
  password: <appdynamics-controller-password>
  accessKey: <appdynamics-controller-access-key>
infravizServiceAccount: appdynamics-infraviz-ssl # Can be any valid name
operatorServiceAccount: appdynamics-operator-ssl # Can be any valid name

user-values-sensitive.yaml
CODE
controllerInfo:
  password: welcome
  accessKey: abc-def-ghi-1516

When installing the Helm chart, pass multiple -f options:

CODE
helm install -f ./user-values.yaml -f ./user-values-sensitive.yaml "<my-cluster-agent-helm-release>" appdynamics-cloud-helmcharts/cluster-agent --namespace ca-appdynamics
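As an added example (not part of this page or of the Cluster Agent chart), the following Python reproduces how Helm merges the values files passed with multiple -f options (later files override earlier ones, maps merge recursively) and then audits the result against the table above: required controllerInfo keys present, secrets kept out of the non-sensitive file, Windows nodeOS rejected, and the InfraViz securityContext settings that default to true flagged when left unset. The two values files are embedded as already-loaded dicts; the hostname and the placeholder accessKey in the first file are constructed.

```python
from functools import reduce
import copy

# Constructed sample inputs: the page's user-values.yaml and user-values-sensitive.yaml as
# already-loaded dicts (what yaml.safe_load returns); the hostname is a placeholder.
USER_VALUES = {
    "installInfraViz": True,
    "controllerInfo": {"url": "https://controller.example.com:443", "account": "customer1",
                       "username": "admin", "accessKey": "oops-belongs-in-sensitive-file"},
    "infraViz": {"nodeOS": "linux", "enableServerViz": True, "enableDockerViz": False,
                 "enableContainerHostId": True, "securityContext": {"runAsUser": 1001}},
    "netViz": {"enabled": True, "netVizPort": 3892},
}
SENSITIVE_VALUES = {"controllerInfo": {"password": "welcome", "accessKey": "abc-def-ghi-1516"}}
SENSITIVE_KEYS = {"controllerInfo.password", "controllerInfo.accessKey",
                  "controllerInfo.customSSLCert", "controllerInfo.proxyPassword"}
REQUIRED_KEYS = {"controllerInfo.url", "controllerInfo.account", "controllerInfo.accessKey",
                 "controllerInfo.globalAccount", "infraViz.enableServerViz",
                 "infraViz.enableDockerViz", "infraViz.enableContainerHostId"}
PRIVILEGED_DEFAULTS = ("allowPrivilegeEscalation", "privileged")  # chart default: true

def deep_merge(base, override):
    """Helm-style merge of two values trees: maps merge key by key, later scalars win."""
    out = copy.deepcopy(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = copy.deepcopy(val)
    return out

def flatten(values, prefix=""):
    """Nested values -> {'controllerInfo.url': ..., ...} keyed by dotted path."""
    flat = {}
    for key, val in values.items():
        if isinstance(val, dict):
            flat.update(flatten(val, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = val
    return flat

def audit(values_files, sensitive_indexes=()):
    """values_files: dicts in -f order; sensitive_indexes: which of them may hold secrets."""
    findings = []
    for idx, vals in enumerate(values_files):
        if idx not in sensitive_indexes:
            for key in sorted(SENSITIVE_KEYS & set(flatten(vals))):
                findings.append(f"file {idx}: {key} belongs in the sensitive values file")
    merged = flatten(reduce(deep_merge, values_files, {}))  # same precedence as helm -f
    if merged.get("installInfraViz") is not True:
        findings.append("installInfraViz must be true to deploy InfraViz")
    findings += [f"missing required value {k}" for k in sorted(REQUIRED_KEYS - set(merged))]
    if str(merged.get("infraViz.nodeOS", "linux")).lower() == "windows":
        findings.append("infraViz.nodeOS: Windows containers are not supported")
    for opt in PRIVILEGED_DEFAULTS:  # unset means the InfraViz pod runs privileged
        if f"infraViz.securityContext.{opt}" not in merged:
            findings.append(f"infraViz.securityContext.{opt} unset: chart default is true")
    if merged.get("netViz.securityContext.allowPrivilegeEscalation") is False:
        findings.append("netViz.securityContext.allowPrivilegeEscalation=false: NetViz does not run")
    return findings
```

Run audit on the files in the same order you pass them to helm install; an empty list means the merged values satisfy the checks above.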

Installing the Cluster Agent and Infrastructure Visibility on the Cluster

To install the Cluster Agent and Infrastructure Visibility at the same time, follow the same steps described in "Installing Infrastructure Visibility on the Cluster" with the following updates:

  1. Specify the following in the yaml file (for example, values-ca1.yaml):
    CODE
    installClusterAgent: true
    installInfraViz: true
  2. Update the controllerInfo properties with your Controller login information. Update the clusterAgent properties to configure the namespaces and pods to monitor. For the available properties, such as nsToMonitorRegex and nsToExcludeRegex, see "Cluster Agent Configuration". Update the InfraViz and NetViz properties. For the properties available in values.yaml, such as enableMasters, enableContainerHostId, and enableServerViz, see "InfraViz Configuration Settings".
    CODE
    installClusterAgent: true
    installInfraViz: true
  2. コントローラのログイン情報を使用して controllerInfo プロパティを更新します。clusterAgent プロパティを更新して、モニターする名前空間とポッドを設定します。nsToMonitorRegexnsToExcludeRegex などの使用可能なプロパティについては、「クラスターエージェントの設定」を参照してください。InfraViz および N etViz プロパティを更新します。values.yamlenableMastersenableContainerHostIdenableServerViz などの使用可能なプロパティについては、「InfraViz 構成設定」を参照してください。