DirectorySecurity AdvisoriesPricing
Sign in
Directory
newrelic-infrastructure logoHELM

newrelic-infrastructure

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:
1
# -- Override the name of the chart
2
nameOverride: ""
3
# -- Override the full name of the release
4
fullnameOverride: ""
5
# -- Name of the Kubernetes cluster monitored. Can be configured also with `global.cluster`
6
cluster: ""
7
# -- This set this license key to use. Can be configured also with `global.licenseKey`
8
licenseKey: ""
9
# -- In case you don't want to have the license key in you values, this allows you to point to a user created secret to get the key from there. Can be configured also with `global.customSecretName`
10
customSecretName: ""
11
# -- In case you don't want to have the license key in you values, this allows you to point to which secret key is the license key located. Can be configured also with `global.customSecretLicenseKey`
12
customSecretLicenseKey: ""
13
# -- This chart has support for GKE_AUTOPILOT, if booting in an autopilot cluster, set this to "GKE_AUTOPILOT"
14
provider:
15
# -- (bool) Enable EKS Fargate support. When enabled:
16
# - The kubelet DaemonSet will be excluded from Fargate nodes via node affinity (eks.amazonaws.com/compute-type != fargate)
17
# - The control plane DaemonSet will be completely disabled (control plane metrics are not available on Fargate)
18
# - The newrelic-infra-operator should be used to inject the integration as a sidecar into pods running on Fargate nodes
19
# Can be configured also with `global.fargate`
20
# @default -- `false`
21
fargate:
22
# -- Images used by the chart for the integration and agents.
23
# @default -- See `values.yaml`
24
images:
25
# -- The secrets that are needed to pull images from a custom registry.
26
pullSecrets: []
27
# - name: regsecret
28
# -- Image for the New Relic Infrastructure Agent sidecar.
29
# @default -- See `values.yaml`
30
forwarder:
31
registry: chainreg.biz
32
repository: chainguard-private/newrelic-k8s-events-forwarder
33
tag: latest@sha256:a7d05a2b84925c2d6ff2b43a701a81bf8978936f4559cc96cf42d765ca7cff61
34
pullPolicy: IfNotPresent
35
# -- Image for the New Relic Infrastructure Agent plus integrations.
36
# @default -- See `values.yaml`
37
agent:
38
registry: chainreg.biz
39
repository: chainguard-private/newrelic-infrastructure-bundle
40
tag: latest@sha256:8120ca0e8eafb5d4ece8ea447cbbb6cb1c06e47304fd29d170dd5a98f249c01e
41
pullPolicy: IfNotPresent
42
# -- Image for the New Relic Kubernetes integration.
43
# @default -- See `values.yaml`
44
integration:
45
registry: chainreg.biz
46
repository: chainguard-private/newrelic-kubernetes
47
tag: latest@sha256:704c1e5362d86366e9077506d857f32611d7de12cff169c3dd363a41a711d633
48
pullPolicy: IfNotPresent
49
# -- Image for the New Relic Kubernetes integration - Windows.
50
# @default -- See `values.yaml`
51
windowsIntegration:
52
registry: ""
53
repository: newrelic/nri-kubernetes
54
tag:
55
pullPolicy: IfNotPresent
56
# -- Image for the New Relic Infrastructure Agent - Windows.
57
# @default -- See `values.yaml`
58
windowsAgent:
59
registry: ""
60
repository: newrelic/infrastructure-bundle
61
tag: 3.3.29
62
pullPolicy: IfNotPresent
63
# -- Enable Windows node monitoring.
64
# @default -- `false`
65
enableWindows: false
66
# For every entry in this Windows OS list, we will create an independent DaemonSet which will get deployed
67
# on Windows nodes running each specific Windows version and build number. Note that
68
# Windows containers can only be executed on hosts running the exact same Windows version and build number,
69
# because Kubernetes only supports process isolation and not Hyper-V isolation (as of March 2025).
70
# -- Additional configuration for Windows node DaemonSets.
71
windowsOsList:
72
# Support for only LTSC2019/LTSC2022
73
# @default -- See `values.yaml`
74
# https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#windows-os-version-support
75
- version: ltsc2019
76
imageTagSuffix: ltsc2019
77
buildNumber: 10.0.17763
78
# @ignored
79
agentImage: ""
80
# @ignored
81
integrationImage: ""
82
- version: ltsc2022
83
imageTagSuffix: ltsc2022
84
buildNumber: 10.0.20348
85
# @ignored
86
agentImage: ""
87
# @ignored
88
integrationImage: ""
89
# Windows-specific configuration
90
windows:
91
# -- (bool) Override privileged mode for Windows nodes.
92
# When null, inherits from global 'privileged' setting.
93
# Set to false to disable HostProcess mode on Windows while keeping Linux privileged.
94
# HostProcess containers run directly on the Windows host (not in a container) and require hostNetwork: true.
95
# @default -- `true`
96
privileged: true
97
# -- Config that applies to all instances of the solution: kubelet, ksm, control plane and sidecars.
98
# @default -- See `values.yaml`
99
common:
100
# Configuration entries that apply to all instances of the integration: kubelet, ksm and control plane.
101
config:
102
# common.config.interval -- (duration) Intervals larger than 40s are not supported and will cause the NR UI to not
103
# behave properly. Any non-nil value will override the `lowDataMode` default.
104
# @default -- `15s` (See [Low data mode](README.md#low-data-mode))
105
interval:
106
# -- Config for filtering ksm and kubelet metrics by namespace.
107
namespaceSelector: {}
108
# If you want to include only namespaces with a given label you could do so by adding:
109
# matchLabels:
110
# newrelic.com/scrape: true
111
# Otherwise you can build more complex filters and include or exclude certain namespaces by adding one or multiple
112
# expressions that are added, for instance:
113
# matchExpressions:
114
# - {key: newrelic.com/scrape, operator: NotIn, values: ["false"]}
115
# -- Config for the Infrastructure agent.
116
# Will be used by the forwarder sidecars and the agent running integrations.
117
# See: https://docs.newrelic.com/docs/infrastructure/install-infrastructure-agent/configuration/infrastructure-agent-configuration-settings/
118
agentConfig: {}
119
# lowDataMode -- (bool) Send less data by incrementing the interval from `15s` (the default when `lowDataMode` is `false` or `nil`) to `30s`.
120
# Non-nil values of `common.config.interval` will override this value.
121
# @default -- `false` (See [Low data mode](README.md#low-data-mode))
122
lowDataMode:
123
# sink - Configuration for the scraper sink.
124
sink:
125
http:
126
# -- The amount of time the scraper container to probe infra agent sidecar container before giving up and restarting during pod starts.
127
probeTimeout: 90s
128
# -- The amount of time the scraper container to backoff when it fails to probe infra agent sidecar.
129
probeBackoff: 5s
130
# kubelet -- Configuration for the DaemonSet that collects metrics from the Kubelet.
131
# @default -- See `values.yaml`
132
kubelet:
133
# -- Enable kubelet monitoring.
134
# Advanced users only. Setting this to `false` is not supported and will break the New Relic experience.
135
enabled: true
136
# Setting this to true will force the kubelet to reach out to the /pods endpoint from the kube service rather than the local node.
137
fetchPodsFromKubeService: false
138
# Overrides the endpoint on the local kubelet that is used to check the pod can connect to the local node's service.
139
testConnectionEndpoint: "/healthz"
140
annotations: {}
141
# -- Tolerations for the kubelet DaemonSet.
142
# @default -- Schedules in all tainted nodes
143
# tolerations:
144
# - operator: "Exists"
145
# effect: "NoSchedule"
146
# - operator: "Exists"
147
# effect: "NoExecute"
148
tolerations: []
149
nodeSelector: {}
150
# Note that the Windows DaemonSet already contains a node selector label based on their OS (kubernetes.io/os: windows).
151
# and build number (node.kubernetes.io/windows-build: {{ .buildNumber }}, to ensure that each version of the DaemonSet
152
# gets deployed only on those Windows nodes running the exact same Windows version and build number. Note that
153
# Windows containers can only be executed on hosts running the exact same Windows version and build number.
154
# -- Node selector for the Windows kubelet DaemonSet.
155
windowsNodeSelector: {}
156
# -- (bool) Sets pod's hostNetwork. When set bypasses global/common variable. Note - does not apply to Windows nodes
157
# @default -- Not set
158
hostNetwork:
159
affinity: {}
160
# -- Config for the Infrastructure agent that will forward the metrics to the backend and will run the integrations in this cluster.
161
# It will be merged with the configuration in `.common.agentConfig`. You can see all the agent configurations in
162
# [New Relic docs](https://docs.newrelic.com/docs/infrastructure/install-infrastructure-agent/configuration/infrastructure-agent-configuration-settings/)
163
# e.g. you can set `passthrough_environment` int the [config file](https://docs.newrelic.com/docs/infrastructure/install-infrastructure-agent/configuration/configure-infrastructure-agent/#config-file)
164
# so the agent let use that environment variables to the integrations.
165
agentConfig: {}
166
# passthrough_environment:
167
# - A_ENVIRONMENT_VARIABLE_SET_IN_extraEnv
168
# - A_ENVIRONMENT_VARIABLE_SET_IN_A_CONFIG_MAP_SET_IN_entraEnvForm
169
170
# -- Add user environment variables to the agent
171
extraEnv: []
172
# -- Add user environment from configMaps or secrets as variables to the agent
173
extraEnvFrom: []
174
# -- Volumes to mount in the containers
175
extraVolumes: []
176
# -- Defines where to mount volumes specified with `extraVolumes`
177
extraVolumeMounts: []
178
initContainers: []
179
kubelet:
180
# -- Resources for the kubelet scraper container.
181
# @default -- 100m/150M -/300M
182
resources:
183
limits:
184
memory: 300M
185
requests:
186
cpu: 100m
187
memory: 150M
188
agent:
189
# -- Resources for the infrastructure-bundle agent sidecar container.
190
# @default -- 100m/150M -/300M
191
resources:
192
limits:
193
memory: 300M
194
requests:
195
cpu: 100m
196
memory: 150M
197
# Windows containers have different resource characteristics than Linux; set these
198
# independently of the Linux kubelet.kubelet/agent resource values above.
199
windows:
200
kubelet:
201
# -- Resources for the Windows kubelet scraper container.
202
# @default -- 100m/150M -/300M
203
resources:
204
limits:
205
memory: 300M
206
requests:
207
cpu: 100m
208
memory: 150M
209
agent:
210
# -- Resources for the Windows agent sidecar container.
211
# @default -- 100m/150M -/300M
212
resources:
213
limits:
214
memory: 300M
215
requests:
216
cpu: 100m
217
memory: 150M
218
config:
219
# -- Timeout for the kubelet APIs contacted by the integration
220
timeout: 10s
221
# -- Number of retries after timeout expired
222
retries: 3
223
# -- Max number of scraper rerun when scraper runtime error happens
224
scraperMaxReruns: 4
225
# -- Total timeout for kubelet connection retries during pod initialization. Useful for environments like EKS/GKE where kubelet certificates may take 1-2 minutes to provision after node startup. Set to 0s to disable retries and use legacy behavior (fail immediately).
226
initTimeout: 180s
227
# -- Delay between retry attempts during kubelet client initialization. Only used if initTimeout > 0.
228
initBackoff: 5s
229
# -- When empty (default), kubelet TLS verification is skipped (back-compat).
230
# -- For clusters with kubelet TLS bootstrap enabled, set to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.
231
# -- Path to a PEM-encoded CA bundle used to verify the kubelet's serving certificate.
232
caBundlePath: ""
233
# port:
234
# scheme:
235
# ksm -- Configuration for the Deployment that collects state metrics from KSM (kube-state-metrics).
236
# @default -- See `values.yaml`
237
ksm:
238
# -- Enable cluster state monitoring.
239
# Advanced users only. Setting this to `false` is not supported and will break the New Relic experience.
240
enabled: true
241
annotations: {}
242
# -- Tolerations for the KSM Deployment.
243
# @default -- Tolerates common node pressure taints but not unschedulable nodes
244
# tolerations:
245
# - key: "node.kubernetes.io/disk-pressure"
246
# operator: "Exists"
247
# effect: "NoSchedule"
248
# - key: "node.kubernetes.io/memory-pressure"
249
# operator: "Exists"
250
# effect: "NoSchedule"
251
# - key: "node.kubernetes.io/pid-pressure"
252
# operator: "Exists"
253
# effect: "NoSchedule"
254
# - key: "node.kubernetes.io/network-unavailable"
255
# operator: "Exists"
256
# effect: "NoSchedule"
257
# - operator: "Exists"
258
# effect: "NoExecute"
259
tolerations: []
260
nodeSelector: {}
261
# -- (bool) Sets pod's hostNetwork. When set bypasses global/common variable
262
# @default -- Not set
263
hostNetwork:
264
# -- Affinity for the KSM Deployment.
265
# @default -- Deployed in the same node as KSM
266
affinity:
267
podAffinity:
268
preferredDuringSchedulingIgnoredDuringExecution:
269
- podAffinityTerm:
270
topologyKey: kubernetes.io/hostname
271
labelSelector:
272
matchLabels:
273
app.kubernetes.io/name: kube-state-metrics
274
weight: 100
275
# -- Config for the Infrastructure agent that will forward the metrics to the backend. It will be merged with the configuration in `.common.agentConfig`
276
# See: https://docs.newrelic.com/docs/infrastructure/install-infrastructure-agent/configuration/infrastructure-agent-configuration-settings/
277
agentConfig: {}
278
extraEnv: []
279
extraEnvFrom: []
280
extraVolumes: []
281
extraVolumeMounts: []
282
initContainers: []
283
# -- Enable to collect metrics for resource quota.
284
enableResourceQuotaSamples: true
285
ksm:
286
# -- Resources for the KSM scraper container.
287
# Keep in mind that sharding is not supported at the moment, so memory usage for this component ramps up quickly on
288
# large clusters.
289
# @default -- 100m/150M -/850M
290
resources:
291
limits:
292
memory: 850M # Bump me up if KSM pod shows restarts.
293
requests:
294
cpu: 100m
295
memory: 150M
296
forwarder:
297
# -- Resources for the Forwarder sidecar container.
298
# @default -- 100m/150M -/850M
299
resources:
300
limits:
301
memory: 850M # Bump me up if KSM pod shows restarts.
302
requests:
303
cpu: 100m
304
memory: 150M
305
config:
306
# -- Timeout for the ksm API contacted by the integration
307
timeout: 10s
308
# -- Number of retries after timeout expired
309
retries: 3
310
# -- if specified autodiscovery is not performed and the specified URL is used
311
# staticUrl: "http://test.io:8080/metrics"
312
# -- Label selector that will be used to automatically discover an instance of kube-state-metrics running in the cluster.
313
selector: "app.kubernetes.io/name=kube-state-metrics"
314
# -- Scheme to use to connect to kube-state-metrics. Supported values are `http` and `https`.
315
scheme: "http"
316
# -- Restrict autodiscovery of the kube-state-metrics endpoint to those using a specific port. If empty or `0`, all endpoints are considered regardless of their port (recommended).
317
# port: 8080
318
# -- Restrict autodiscovery of the kube-state-metrics service to a particular namespace.
319
# @default -- All namespaces are searched (recommended).
320
# namespace: "ksm-namespace"
321
# controlPlane -- Configuration for the control plane scraper.
322
# @default -- See `values.yaml`
323
controlPlane:
324
# -- Deploy control plane monitoring component.
325
enabled: true
326
annotations: {}
327
# -- Tolerations for the control plane DaemonSet.
328
# @default -- Schedules in all tainted nodes
329
# tolerations:
330
# - operator: "Exists"
331
# effect: "NoSchedule"
332
# - operator: "Exists"
333
# effect: "NoExecute"
334
tolerations: []
335
nodeSelector: {}
336
# -- Affinity for the control plane DaemonSet.
337
# @default -- Deployed only in control plane nodes.
338
affinity:
339
nodeAffinity:
340
requiredDuringSchedulingIgnoredDuringExecution:
341
nodeSelectorTerms:
342
- matchExpressions:
343
- key: node-role.kubernetes.io/control-plane
344
operator: Exists
345
- matchExpressions:
346
- key: node-role.kubernetes.io/controlplane
347
operator: Exists
348
- matchExpressions:
349
- key: node-role.kubernetes.io/etcd
350
operator: Exists
351
# -- How to deploy the control plane scraper. If autodiscovery is in use, it should be `DaemonSet`.
352
# Advanced users using static endpoints set this to `Deployment` to avoid reporting metrics twice.
353
kind: DaemonSet
354
# -- Run Control Plane scraper with `hostNetwork`.
355
# `hostNetwork` is required for most control plane configurations, as they only accept connections from localhost.
356
hostNetwork: true
357
# -- Config for the Infrastructure agent that will forward the metrics to the backend. It will be merged with the configuration in `.common.agentConfig`
358
# See: https://docs.newrelic.com/docs/infrastructure/install-infrastructure-agent/configuration/infrastructure-agent-configuration-settings/
359
agentConfig: {}
360
extraEnv: []
361
extraEnvFrom: []
362
extraVolumes: []
363
extraVolumeMounts: []
364
initContainers: []
365
controlplane:
366
# -- Resources for the controlplane scraper container.
367
# @default -- 100m/150M -/300M
368
resources:
369
limits:
370
memory: 300M
371
requests:
372
cpu: 100m
373
memory: 150M
374
forwarder:
375
# -- Resources for the k8s-events-forwarder sidecar container.
376
# @default -- 100m/150M -/300M
377
resources:
378
limits:
379
memory: 300M
380
requests:
381
cpu: 100m
382
memory: 150M
383
config:
384
# -- Timeout for the Kubernetes APIs contacted by the integration
385
timeout: 10s
386
# -- Number of retries after timeout expired
387
retries: 3
388
# -- etcd monitoring configuration
389
# @default -- Common settings for most K8s distributions.
390
etcd:
391
# -- Enable etcd monitoring. Might require manual configuration in some environments.
392
enabled: true
393
# Discover etcd pods using the following namespaces and selectors.
394
# If a pod matches the selectors, the scraper will attempt to reach it through the `endpoints` defined below.
395
autodiscover:
396
- selector: "tier=control-plane,component=etcd"
397
namespace: kube-system
398
# Set to true to consider only pods sharing the node with the scraper pod.
399
# This should be set to `true` if Kind is Daemonset, `false` otherwise.
400
matchNode: true
401
# Try to reach etcd using the following endpoints.
402
endpoints:
403
- url: https://localhost:4001
404
insecureSkipVerify: true
405
auth:
406
type: bearer
407
- url: http://localhost:2381
408
- selector: "k8s-app=etcd-manager-main"
409
namespace: kube-system
410
matchNode: true
411
endpoints:
412
- url: https://localhost:4001
413
insecureSkipVerify: true
414
auth:
415
type: bearer
416
- selector: "k8s-app=etcd"
417
namespace: kube-system
418
matchNode: true
419
endpoints:
420
- url: https://localhost:4001
421
insecureSkipVerify: true
422
auth:
423
type: bearer
424
# Openshift users might want to remove previous autodiscover entries and add this one instead.
425
# Manual steps are required to create a secret containing the required TLS certificates to connect to etcd.
426
# - selector: "app=etcd,etcd=true,k8s-app=etcd"
427
# namespace: openshift-etcd
428
# matchNode: true
429
# endpoints:
430
# - url: https://localhost:9979
431
# insecureSkipVerify: true
432
# auth:
433
# type: mTLS
434
# mtls:
435
# secretName: secret-name
436
# secretNamespace: secret-namespace
437
# -- staticEndpoint configuration.
438
# It is possible to specify static endpoint to scrape. If specified 'autodiscover' section is ignored.
439
# If set the static endpoint should be reachable, otherwise an error will be returned and the integration stops.
440
# Notice that if deployed as a daemonSet and not as a Deployment setting static URLs could lead to duplicate data
441
# staticEndpoint:
442
# url: https://url:port
443
# insecureSkipVerify: true
444
# auth: {}
445
446
# -- Scheduler monitoring configuration
447
# @default -- Common settings for most K8s distributions.
448
scheduler:
449
# -- Enable scheduler monitoring.
450
enabled: true
451
autodiscover:
452
- selector: "tier=control-plane,component=kube-scheduler"
453
namespace: kube-system
454
matchNode: true
455
endpoints:
456
- url: https://localhost:10259
457
insecureSkipVerify: true
458
auth:
459
type: bearer
460
- selector: "k8s-app=kube-scheduler"
461
namespace: kube-system
462
matchNode: true
463
endpoints:
464
- url: https://localhost:10259
465
insecureSkipVerify: true
466
auth:
467
type: bearer
468
- selector: "app=openshift-kube-scheduler,scheduler=true"
469
namespace: openshift-kube-scheduler
470
matchNode: true
471
endpoints:
472
- url: https://localhost:10259
473
insecureSkipVerify: true
474
auth:
475
type: bearer
476
- selector: "app=openshift-kube-scheduler,scheduler=true"
477
namespace: kube-system
478
matchNode: true
479
endpoints:
480
- url: https://localhost:10259
481
insecureSkipVerify: true
482
auth:
483
type: bearer
484
# -- staticEndpoint configuration.
485
# It is possible to specify static endpoint to scrape. If specified 'autodiscover' section is ignored.
486
# If set the static endpoint should be reachable, otherwise an error will be returned and the integration stops.
487
# Notice that if deployed as a daemonSet and not as a Deployment setting static URLs could lead to duplicate data
488
# staticEndpoint:
489
# url: https://url:port
490
# insecureSkipVerify: true
491
# auth: {}
492
# -- Controller manager monitoring configuration
493
# @default -- Common settings for most K8s distributions.
494
controllerManager:
495
# -- Enable controller manager monitoring.
496
enabled: true
497
autodiscover:
498
- selector: "tier=control-plane,component=kube-controller-manager"
499
namespace: kube-system
500
matchNode: true
501
endpoints:
502
- url: https://localhost:10257
503
insecureSkipVerify: true
504
auth:
505
type: bearer
506
- selector: "k8s-app=kube-controller-manager"
507
namespace: kube-system
508
matchNode: true
509
endpoints:
510
- url: https://localhost:10257
511
insecureSkipVerify: true
512
auth:
513
type: bearer
514
- selector: "app=kube-controller-manager,kube-controller-manager=true"
515
namespace: openshift-kube-controller-manager
516
matchNode: true
517
endpoints:
518
- url: https://localhost:10257
519
insecureSkipVerify: true
520
auth:
521
type: bearer
522
- selector: "app=kube-controller-manager,kube-controller-manager=true"
523
namespace: kube-system
524
matchNode: true
525
endpoints:
526
- url: https://localhost:10257
527
insecureSkipVerify: true
528
auth:
529
type: bearer
530
- selector: "app=controller-manager,controller-manager=true"
531
namespace: kube-system
532
matchNode: true
533
endpoints:
534
- url: https://localhost:10257
535
insecureSkipVerify: true
536
auth:
537
type: bearer
538
# mtls:
539
# secretName: secret-name
540
# secretNamespace: secret-namespace
541
# -- staticEndpoint configuration.
542
# It is possible to specify static endpoint to scrape. If specified 'autodiscover' section is ignored.
543
# If set the static endpoint should be reachable, otherwise an error will be returned and the integration stops.
544
# Notice that if deployed as a daemonSet and not as a Deployment setting static URLs could lead to duplicate data
545
# staticEndpoint:
546
# url: https://url:port
547
# insecureSkipVerify: true
548
# auth: {}
549
# -- API Server monitoring configuration
550
# @default -- Common settings for most K8s distributions.
551
apiServer:
552
# -- Enable API Server monitoring
553
enabled: true
554
autodiscover:
555
- selector: "tier=control-plane,component=kube-apiserver"
556
namespace: kube-system
557
matchNode: true
558
endpoints:
559
- url: https://localhost:8443
560
insecureSkipVerify: true
561
auth:
562
type: bearer
563
# Endpoint distributions target: Kind(v1.22.1)
564
- url: https://localhost:6443
565
insecureSkipVerify: true
566
auth:
567
type: bearer
568
- url: http://localhost:8080
569
- selector: "k8s-app=kube-apiserver"
570
namespace: kube-system
571
matchNode: true
572
endpoints:
573
- url: https://localhost:8443
574
insecureSkipVerify: true
575
auth:
576
type: bearer
577
- url: http://localhost:8080
578
- selector: "app=openshift-kube-apiserver,apiserver=true"
579
namespace: openshift-kube-apiserver
580
matchNode: true
581
endpoints:
582
- url: https://localhost:8443
583
insecureSkipVerify: true
584
auth:
585
type: bearer
586
- url: https://localhost:6443
587
insecureSkipVerify: true
588
auth:
589
type: bearer
590
- selector: "app=openshift-kube-apiserver,apiserver=true"
591
namespace: kube-system
592
matchNode: true
593
endpoints:
594
- url: https://localhost:8443
595
insecureSkipVerify: true
596
auth:
597
type: bearer
598
# -- staticEndpoint configuration.
599
# It is possible to specify static endpoint to scrape. If specified 'autodiscover' section is ignored.
600
# If set the static endpoint should be reachable, otherwise an error will be returned and the integration stops.
601
# Notice that if deployed as a daemonSet and not as a Deployment setting static URLs could lead to duplicate data
602
# staticEndpoint:
603
# url: https://url:port
604
# insecureSkipVerify: true
605
# auth: {}
606
# -- Update strategy for the deployed DaemonSets.
607
# @default -- See `values.yaml`
608
updateStrategy:
609
type: RollingUpdate
610
rollingUpdate:
611
maxUnavailable: 1
612
# -- Update strategy for the deployed Deployments.
613
# @default -- `type: Recreate`
614
strategy:
615
type: Recreate
616
# -- Adds extra attributes to the cluster and all the metrics emitted to the backend. Can be configured also with `global.customAttributes`
617
customAttributes: {}
618
# -- Settings controlling ServiceAccount creation.
619
# @default -- See `values.yaml`
620
serviceAccount:
621
# -- (bool) Whether the chart should automatically create the ServiceAccount objects required to run.
622
# @default -- `true`
623
create:
624
annotations: {}
625
# If not set and create is true, a name is generated using the fullname template
626
name: ""
627
# -- Additional labels for chart objects. Can be configured also with `global.labels`
628
labels: {}
629
# -- Annotations to be added to all pods created by the integration.
630
podAnnotations: {}
631
# -- Additional labels for chart pods. Can be configured also with `global.podLabels`
632
podLabels: {}
633
# -- Run the integration with full access to the host filesystem and network.
634
# Running in this mode allows reporting fine-grained cpu, memory, process and network metrics for your nodes.
635
privileged: true
636
# -- Sets pod's priorityClassName. Can be configured also with `global.priorityClassName`
637
priorityClassName: ""
638
# -- (bool) Sets pod's hostNetwork. Can be configured also with `global.hostNetwork`
639
# @default -- `false`
640
hostNetwork:
641
# -- Sets security context (at pod level). Can be configured also with `global.podSecurityContext`
642
podSecurityContext: {}
643
# -- Sets security context (at container level). Can be configured also with `global.containerSecurityContext`
644
containerSecurityContext: {}
645
# -- Sets pod's dnsConfig. Can be configured also with `global.dnsConfig`
646
dnsConfig: {}
647
# Settings controlling RBAC objects creation.
648
rbac:
649
# rbac.create -- Whether the chart should automatically create the RBAC objects required to run.
650
create: true
651
# rbac.pspEnabled -- Whether the chart should create Pod Security Policy objects.
652
pspEnabled: false
653
# rbac.kubeletFineGrainedAuth -- Whether to use fine-grained kubelet authorization (KEP-2862).
654
# When true, uses nodes/metrics, nodes/stats, nodes/pods, nodes/healthz (requires K8s 1.33+ or feature gate on 1.32).
655
# Fine-grained mode limits RBAC to read-only kubelet endpoints, eliminating privilege escalation risks.
656
# When false (default), uses nodes/proxy which could be exploited to access kubelet write endpoints.
657
# See: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#fine-grained-authorization
658
kubeletFineGrainedAuth: false
659
# -- Sets pod/node affinities set almost globally. (See [Affinities and tolerations](README.md#affinities-and-tolerations))
660
affinity: {}
661
# -- Sets pod's node selector almost globally. (See [Affinities and tolerations](README.md#affinities-and-tolerations))
662
nodeSelector: {}
663
# -- Sets pod's tolerations to node taints almost globally. (See [Affinities and tolerations](README.md#affinities-and-tolerations))
664
tolerations: []
665
# -- Config files for other New Relic integrations that should run in this cluster.
666
integrations: {}
667
# If you wish to monitor services running on Kubernetes you can provide integrations
668
# configuration under `integrations`. You just need to create a new entry where
669
# the key is the filename of the configuration file and the value is the content of
670
# the integration configuration.
671
# The data is the actual integration configuration as described in the spec here:
672
# https://docs.newrelic.com/docs/integrations/integrations-sdk/file-specifications/integration-configuration-file-specifications-agent-v180
673
# For example, if you wanted to monitor a Redis instance that has a label "app=sampleapp"
674
# you could do so by adding following entry:
675
# nri-redis-sampleapp:
676
# discovery:
677
# command:
678
# # Run NRI Discovery for Kubernetes
679
# # https://github.com/newrelic/nri-discovery-kubernetes
680
# exec: /var/db/newrelic-infra/nri-discovery-kubernetes
681
# match:
682
# label.app: sampleapp
683
# integrations:
684
# - name: nri-redis
685
# env:
686
# # using the discovered IP as the hostname address
687
# HOSTNAME: ${discovery.ip}
688
# PORT: 6379
689
# labels:
690
# env: test
691
692
# -- (bool) Collect detailed metrics from processes running in the host.
693
# This defaults to true for accounts created before July 20, 2020.
694
# ref: https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes/new-relic-infrastructure-agent-1120
695
# @default -- `false`
696
enableProcessMetrics:
697
# Prefix nodes display name with cluster to reduce chances of collisions
698
# prefixDisplayNameWithCluster: false
699
700
# 'true' will use the node name as the name for the "host",
701
# note that it may cause data collision if the node name is the same in different clusters
702
# and prefixDisplayNameWithCluster is not set to true.
703
# 'false' will use the host name as the name for the "host".
704
# useNodeNameAsDisplayName: true
705
selfMonitoring:
706
pixie:
707
# selfMonitoring.pixie.enabled -- Enables the Pixie Health Check nri-flex config.
708
# This Flex config performs periodic checks of the Pixie /healthz and /statusz endpoints exposed by the Pixie
709
# Cloud Connector. A status for each endpoint is sent to New Relic in a pixieHealthCheck event.
710
enabled: false
711
# -- Configures the integration to send all HTTP/HTTPS request through the proxy in that URL. The URL should have a standard format like `https://user:password@hostname:port`. Can be configured also with `global.proxy`
712
proxy: ""
713
# -- (bool) Send the metrics to the staging backend. Requires a valid staging license key. Can be configured also with `global.nrStaging`
714
# @default -- `false`
715
nrStaging:
716
fedramp:
717
# -- (bool) Enables FedRAMP. Can be configured also with `global.fedramp.enabled`
718
# @default -- `false`
719
enabled:
720
# -- (bool) Sets the debug logs to this integration or all integrations if it is set globally. Can be configured also with `global.verboseLog`
721
# @default -- `false`
722
verboseLog:
723

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0SOC 2Golden ImagesCVE RemediationPublic SectorStartups

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogOpen Source LeadershipPartnersNewsroomCareersLegal
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.