Integrating with Kubernetes

FireHydrant's Kubernetes integration allows you to automatically send updates about the workloads deployed in your clusters to FireHydrant. This lets you follow the lifecycle of a change, from GitHub pull request to deployed pod.

Changes appear in your FireHydrant account, enabling you to identify:

  • whether an image in a Replica Set changed
  • the status of Pods in a Deployment
  • whether the labels on a Service were updated

This allows you to easily identify exactly what has changed in your cluster and determine whether changes contributed to an active incident.

Resources tracked:

  • DaemonSets
  • Deployments
  • ReplicaSets
  • Services
  • StatefulSets

Installation Instructions

You need an API key for the controller to use for authentication. We recommend generating one specifically for this integration. This token goes in the firehydrant-keys Kubernetes secret. See an example manifest file below.

Note: Be sure to change 'YOUR_BOT_TOKEN' and 'YOUR_ENVIRONMENT_NAME' before deploying the manifests.

apiVersion: v1
kind: Namespace
metadata:
  name: firehydrant-system
---
# API key read by the controller (injected through envFrom in the Deployment below)
apiVersion: v1
kind: Secret
metadata:
  name: firehydrant-keys
  namespace: firehydrant-system
stringData:
  FIREHYDRANT_API_KEY: 'YOUR_BOT_TOKEN'
---
# Controller configuration, mounted at /etc/k8s-watcher
kind: ConfigMap
apiVersion: v1
metadata:
  name: firehydrant-cm
  namespace: firehydrant-system
data:
  config.yml: |
    apiToken: '$FIREHYDRANT_API_KEY'
    fireHydrantUrl: 'api.firehydrant.io'
    watch:
      - namespace: "*"
        environment: 'YOUR_ENVIRONMENT_NAME'
        resources:
          - resource: deployments.v1.apps
            updateOn: ["spec", "metadata"]
            includeDiff: true
            skipServiceCreate: false
          - resource: configmaps
            updateOn: ["data"]
            includeDiff: true
            skipServiceCreate: true

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: firehydrant-k8s-changelog-serviceaccount
  namespace: firehydrant-system
---
# Read-only access (list, watch, get) to the tracked resource types, cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: firehydrant-system-clusterrole
rules:
  - apiGroups:
      - ""
      - "extensions"
      - "apps"
    resources:
      - configmaps
      - services
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - list
      - watch
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: firehydrant-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: firehydrant-system-clusterrole
subjects:
  - kind: ServiceAccount
    name: firehydrant-k8s-changelog-serviceaccount
    namespace: firehydrant-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: firehydrant-k8s-changelog
  namespace: firehydrant-system
  labels:
    app: firehydrant-k8s-changelog
    app.kubernetes.io/name: firehydrant-k8s-changelog
    app.kubernetes.io/component: changelog
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: firehydrant-k8s-changelog
  template:
    metadata:
      labels:
        app: firehydrant-k8s-changelog
    spec:
      serviceAccount: firehydrant-k8s-changelog-serviceaccount
      containers:
        - name: changelog
          image: quay.io/firehydrant/k8s-changelog:v0.0.20
          command:
            - firehydrant-k8s-changelog
            - watch
          envFrom:
            - secretRef:
                name: firehydrant-keys
          volumeMounts:
            - name: config
              mountPath: /etc/k8s-watcher
          resources:
            limits:
              cpu: 10m
              memory: 128Mi
            requests:
              cpu: 10m
              memory: 128Mi
      volumes:
        - name: config
          configMap:
            name: firehydrant-cm
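
The note above asks you to replace the placeholders, and the ClusterRole in the manifest grants only list, watch and get. As an added example (not FireHydrant's own code), this shell script checks both conditions on a manifest file before it is applied. The function names and the trimmed sample manifest are constructed for illustration, and the scan assumes block-style YAML lists like those in the manifest.

```shell
# Added example: pre-deploy checks; assumes block-style YAML lists.
# Fail if the documented placeholder values were never replaced.
check_placeholders() {
    if grep -nE 'YOUR_BOT_TOKEN|YOUR_ENVIRONMENT_NAME' "$1"; then
        echo "placeholders still present in $1" >&2
        return 1
    fi
}

# Fail if a Role/ClusterRole grants a verb other than get/list/watch,
# or names secrets (or a wildcard) as a resource.
check_readonly_rbac() {
    awk '
        /^---/             { kind = ""; key = "" }
        /^kind:/           { kind = $2 }
        /^[ -]*[A-Za-z]+:/ { key = $0; sub(/^[ -]*/, "", key); sub(/:.*/, "", key) }
        kind ~ /Role$/ && /^ *- *[^ :]+$/ {
            item = $0; sub(/^ *- */, "", item); gsub(/"/, "", item)
            if (key == "verbs" && item !~ /^(get|list|watch)$/) { print "write-capable verb: " item; bad = 1 }
            if (key == "resources" && item ~ /^(secrets|\*)$/) { print "sensitive resource: " item; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: a trimmed fragment of the Secret and ClusterRole above.
write_sample() {
    cat > "$1" <<'EOF'
kind: Secret
stringData:
  FIREHYDRANT_API_KEY: 'YOUR_BOT_TOKEN'
---
kind: ClusterRole
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - list
      - watch
      - get
EOF
}

f=$(mktemp) && write_sample "$f"
check_placeholders "$f" || echo "FAIL: replace placeholders before deploying"
check_readonly_rbac "$f" && echo "OK: ClusterRole is read-only"
rm -f "$f"
```

Manifests that write RBAC lists in flow style (`verbs: ["get", "list"]`) are not covered by this line-based scan.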

Change Events

Once the Kubernetes integration is configured and connected, FireHydrant automatically logs change events, including any changes to your configuration or to one of the tracked resources listed above.

Read more about change events.


Last updated on 9/29/2023