The agent requires cluster-admin permissions to manage all Kubernetes resources and deploy add-ons.
What the Agent Does
Real-time Resource Streaming
Browse Deployments, Pods, Services, and 20+ resource types with live updates.
Pod Log Streaming
View container logs in real time directly from the Ankra dashboard.
Helm Management
Deploy, upgrade, and manage Helm releases across your cluster.
Add-on Deployment
Install stacks and add-ons with ArgoCD integration for GitOps.
Installation
When you import a cluster, Ankra generates a Helm install command with a unique token:
Verify Installation
Check the agent is running:
Configuration Reference
Required Settings
| Parameter | Description |
|---|---|
| config.token | Authentication token (provided during cluster import) |
| config.ankra_url | Platform URL (default: https://platform.ankra.app) |
Using an Existing Secret
For production environments, store the token in a Kubernetes secret:
Performance Tuning
For large clusters (1000+ resources), adjust these settings:
| Parameter | Default | Description |
|---|---|---|
| nats_worker_max_workers | 15 | Worker threads for command processing |
| resources.limits.memory | 200Mi | Memory limit |
| resources.requests.memory | 100Mi | Memory request |
| replica_count | 1 | Number of agent replicas |
All Helm Values
| Parameter | Default | Description |
|---|---|---|
| config.ankra_url | https://platform.ankra.app | Platform API URL |
| config.token | "" | Agent authentication token |
| config.existing_secret_name | "" | Name of existing K8s secret |
| config.secret_key | "" | Key in existing secret containing token |
| log_level | INFO | Log level (DEBUG, INFO, WARNING, ERROR) |
| nats_worker_max_workers | 15 | NATS worker threads |
| replica_count | 1 | Number of agent pods |
| terminationGracePeriodSeconds | 600 | Graceful shutdown timeout |
| resources.limits.memory | 200Mi | Memory limit |
| resources.requests.memory | 100Mi | Memory request |
Architecture
The agent uses a NATS-based architecture for real-time communication:
- Outbound connections only - The agent initiates all connections, no inbound ports required
- Real-time streaming - Resource data streams efficiently using pagination
- Automatic reconnection - Handles network interruptions gracefully
- Health monitoring - Exposes /health and /ready endpoints on port 8080
Network Requirements
The agent requires outbound connectivity to:
| Endpoint | Port | Purpose |
|---|---|---|
| platform.ankra.app | 443 | API communication |
| connect.ngs.global | 4222 | NATS real-time streaming |
Upgrading the Agent
From the Platform
Click Upgrade Agent in the cluster settings. The agent will self-upgrade using Helm.
Manually
Troubleshooting
Agent Not Connecting
- Check agent pods are running:
- View agent logs:
- Verify network connectivity:
- Check the token is set:
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| Cluster shows Offline | Agent not running or network blocked | Check pods and firewall rules |
| Token invalid | Token expired or revoked | Go to Clusters → Your Cluster → Settings → Generate Command to get a new install command |
| Connection refused | Outbound network blocked | Allow connections to platform.ankra.app:443 |
| Resources not loading | Agent memory limits too low | Increase resources.limits.memory |
Health Checks
The agent exposes health endpoints:
Uninstalling
To remove the agent from your cluster:
Security
RBAC Requirements
The agent requires cluster-admin permissions to:
- Browse all Kubernetes resources
- Deploy Helm charts and manifests
- Manage ArgoCD applications
- Stream pod logs
ClusterRoleBinding with the necessary permissions.
Token Security
- Tokens are unique per cluster
- Tokens can be revoked by deleting the cluster from Ankra
- Store tokens in Kubernetes secrets (not in Helm values) for production
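A pre-deploy check for the token guidance above, as an added example that is not Ankra's own code: it audits the agent's Helm values (given as JSON) using the parameter names from the All Helm Values table. The function name, the finding messages, the sample inputs, and the rule that config.existing_secret_name and config.secret_key must be set together are assumptions of this example.

```python
import json


def audit_agent_values(values_json: str) -> list[str]:
    """Return findings about where the agent token comes from.

    Key names are taken from the page's "All Helm Values" table; the rules
    are this example's reading of the "Token Security" list.
    """
    values = json.loads(values_json) or {}  # Helm prints "null" when no values are set
    config = values.get("config") or {}
    token = str(config.get("token") or "").strip()
    secret_name = str(config.get("existing_secret_name") or "").strip()
    secret_key = str(config.get("secret_key") or "").strip()

    findings = []
    if token:
        # Inline values are stored with the Helm release and shown by `helm get values`.
        findings.append("config.token is set inline; reference a Kubernetes secret instead")
    if bool(secret_name) != bool(secret_key):
        # Assumption: the chart needs both the secret name and the key inside it.
        findings.append("config.existing_secret_name and config.secret_key must be set together")
    if token and secret_name:
        findings.append("inline token and existing secret are both configured; keep only the secret")
    if not token and not secret_name:
        findings.append("no token source configured")
    return findings


# Constructed sample values (not real tokens or real secret names).
GOOD = '{"config": {"existing_secret_name": "ankra-agent-token", "secret_key": "token"}}'
INLINE = '{"config": {"token": "CONSTRUCTED-EXAMPLE-TOKEN"}, "log_level": "INFO"}'
HALF = '{"config": {"existing_secret_name": "ankra-agent-token"}}'

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("inline", INLINE), ("half", HALF)):
        print(name, audit_agent_values(sample) or "ok")
```

The input has the shape produced by `helm get values <release> -n <namespace> -o json`, where the release and namespace are whatever was used at install time.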