Integrating with Kubernetes
FireHydrant's Kubernetes integration allows you to automatically send updates about the workloads deployed in your clusters to FireHydrant. This lets you follow the lifecycle of a change, from GitHub pull request to deployed pod.
Changes appear in your FireHydrant account, enabling you to identify:
- whether an image in a Replica Set changed
- the status of Pods in a Deployment
- whether the labels on a Service were updated
This allows you to easily identify exactly what has changed in your cluster and determine whether changes contributed to an active incident.
Resources Tracked
- DaemonSet
- Deployments
- ReplicaSet
- Services
- StatefulSets
Installation Instructions
You need a bot token for the controller to use for authentication. We recommend generating one specifically for this integration. This token goes in the firehydrant-keys Kubernetes secret. See an example manifest file below.
Note: Be sure to change [[YOUR_BOT_TOKEN]] and [[YOUR_ENVIRONMENT_NAME]] before deploying the manifests.
apiVersion: v1
kind: Namespace
metadata:
  name: firehydrant-system
---
# stringData holds the bot token in plain text: replace the placeholder,
# and keep the filled-in manifest out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: firehydrant-keys
  namespace: firehydrant-system
stringData:
  FIREHYDRANT_API_KEY: [[YOUR_BOT_TOKEN]]
---
# Controller configuration. Replace [[YOUR_ENVIRONMENT_NAME]] before applying.
kind: ConfigMap
apiVersion: v1
metadata:
  name: firehydrant-cm
  namespace: firehydrant-system
data:
  config.yml: |
    apiToken: '$FIREHYDRANT_API_KEY'
    fireHydrantUrl: 'api.firehydrant.io'
    watch:
      - namespace: "*"
        environment: [[YOUR_ENVIRONMENT_NAME]]
        resources:
          - resource: deployments.v1.apps
            updateOn: ["spec", "metadata", "status"]
            includeDiff: true
            skipServiceCreate: false
          - resource: configmaps
            updateOn: ["data"]
            includeDiff: true
            skipServiceCreate: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: firehydrant-k8s-changelog-serviceaccount
  namespace: firehydrant-system
---
# Read-only verbs (list, watch, get) on the listed resource types, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: firehydrant-system-clusterrole
rules:
  - apiGroups:
      - ""
      - "extensions"
      - "apps"
    resources:
      - configmaps
      - services
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - list
      - watch
      - get
---
# Binds the ClusterRole to the controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: firehydrant-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: firehydrant-system-clusterrole
subjects:
  - kind: ServiceAccount
    name: firehydrant-k8s-changelog-serviceaccount
    namespace: firehydrant-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: firehydrant-k8s-changelog
  namespace: firehydrant-system
  labels:
    app: firehydrant-k8s-changelog
    app.kubernetes.io/name: firehydrant-k8s-changelog
    app.kubernetes.io/component: changelog
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: firehydrant-k8s-changelog
  template:
    metadata:
      labels:
        app: firehydrant-k8s-changelog
    spec:
      serviceAccount: firehydrant-k8s-changelog-serviceaccount
      containers:
        - name: changelog
          image: quay.io/firehydrant/k8s-changelog:v0.0.20
          command:
            - firehydrant-k8s-changelog
            - watch
          # The bot token reaches the container as an environment variable.
          envFrom:
            - secretRef:
                name: firehydrant-keys
          volumeMounts:
            - name: config
              mountPath: /etc/k8s-watcher
          resources:
            limits:
              cpu: 10m
              memory: 128Mi
            requests:
              cpu: 10m
              memory: 128Mi
      volumes:
        - name: config
          configMap:
            name: firehydrant-cm
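
To confirm that the ClusterRole above gives the controller read-only access and nothing more, this added example (not part of FireHydrant's documentation) checks the ServiceAccount's effective permissions with `kubectl auth can-i` and impersonation. The function names and the two expectation lists are assumptions derived from the manifest.

```shell
#!/usr/bin/env bash
# Added example: audit what the controller's ServiceAccount can actually do.
# Namespace and ServiceAccount names come from the manifest; the two
# expectation lists are assumptions derived from its ClusterRole.
# Requires a kubectl context that is allowed to impersonate ServiceAccounts.
SA="system:serviceaccount:firehydrant-system:firehydrant-k8s-changelog-serviceaccount"

# verb/resource pairs the ClusterRole should grant (read-only access).
EXPECT_ALLOWED="get/deployments.apps list/deployments.apps watch/deployments.apps
get/configmaps list/services watch/replicasets.apps
list/daemonsets.apps list/statefulsets.apps"

# Pairs that must stay denied: Secrets and any write verb.
EXPECT_DENIED="get/secrets list/secrets create/deployments.apps
patch/deployments.apps delete/configmaps update/services"

# answer VERB RESOURCE -> prints yes, no, or error (kubectl itself failed).
answer() {
  out=$(kubectl auth can-i "$1" "$2" --as="$SA" --all-namespaces 2>/dev/null) || true
  case "$out" in
    yes*) echo yes ;;
    no*)  echo no ;;
    *)    echo error ;;
  esac
}

# audit_rbac -> prints one line per mismatch, returns the mismatch count.
audit_rbac() {
  failures=0
  for pair in $EXPECT_ALLOWED; do
    if [ "$(answer "${pair%%/*}" "${pair#*/}")" != yes ]; then
      echo "MISSING: ${pair%%/*} ${pair#*/} should be allowed"
      failures=$((failures + 1))
    fi
  done
  for pair in $EXPECT_DENIED; do
    if [ "$(answer "${pair%%/*}" "${pair#*/}")" != no ]; then
      echo "EXCESS: ${pair%%/*} ${pair#*/} should be denied"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage after applying the manifests:  audit_rbac && echo "RBAC matches"
```

An `EXCESS` line means some other Role or ClusterRole binding also applies to the ServiceAccount; an `error` answer is counted as a mismatch so a broken kubectl context cannot pass the audit silently.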