Integrating with Kubernetes

FireHydrant's Kubernetes integration allows you to automatically send updates about the workloads deployed in your clusters to FireHydrant. This lets you follow the lifecycle of a change, from GitHub pull request to deployed pod.

Changes appear in your FireHydrant account, enabling you to identify:

  • whether an image in a Replica Set changed
  • the status of Pods in a Deployment
  • whether the labels on a Service were updated

This allows you to easily identify exactly what has changed in your cluster and determine whether changes contributed to an active incident. changelog.labels.png

  • Resources Tracked:
    • DaemonSet
    • Deployments
    • ReplicaSet
    • Services
    • StatefulSets

Installation Instructions

You need an API key for the controller to use for authentication. We recommend generating one specifically for this integration. This token goes in the firehydrant-keys Kubernetes secret. See an example manifest file below.

Note: Be sure to change 'YOUR_BOT_TOKEN' and 'YOUR_ENVIRONMENT_NAME' before deploying the manifests.

apiVersion: v1
kind: Namespace
metadata:
name: firehydrant-system
---
apiVersion: v1
kind: Secret
metadata:
name: firehydrant-keys
namespace: firehydrant-system
stringData:
FIREHYDRANT_API_KEY: 'YOUR_BOT_TOKEN'
---
kind: ConfigMap
apiVersion: v1
metadata:
name: firehydrant-cm
namespace: firehydrant-system
data:
config.yml: |
apiToken: '$FIREHYDRANT_API_KEY'
fireHydrantUrl: 'api.firehydrant.io'
watch:
- namespace: "*"
environment: 'YOUR_ENVIRONMENT_NAME'
resources:
- resource: deployments.v1.apps
updateOn: ["spec", "metadata"]
includeDiff: true
skipServiceCreate: false
- resource: configmaps
updateOn: ["data"]
includeDiff: true
skipServiceCreate: true

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: firehydrant-k8s-changelog-serviceaccount
namespace: firehydrant-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: firehydrant-system-clusterrole
rules:
- apiGroups:
- ""
- "extensions"
- "apps"
resources:
- configmaps
- services
- deployments
- replicasets
- daemonsets
- statefulsets
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: firehydrant-clusterrole-nisa-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: firehydrant-system-clusterrole
subjects:
- kind: ServiceAccount
name: firehydrant-k8s-changelog-serviceaccount
namespace: firehydrant-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: firehydrant-k8s-changelog
namespace: firehydrant-system
labels:
app: firehydrant-k8s-changelog
app.kubernetes.io/name: firehydrant-k8s-changelog
app.kubernetes.io/component: changelog
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app: firehydrant-k8s-changelog
template:
metadata:
labels:
app: firehydrant-k8s-changelog
spec:
serviceAccount: firehydrant-k8s-changelog-serviceaccount
containers:
- name: changelog
image: quay.io/firehydrant/k8s-changelog:v0.0.20
command:
- firehydrant-k8s-changelog
- watch
envFrom:
- secretRef:
name: firehydrant-keys
volumeMounts:
- name: config
mountPath: /etc/k8s-watcher
resources:
limits:
cpu: 10m
memory: 128Mi
requests:
cpu: 10m
memory: 128Mi
volumes:
- name: config
configMap:
name: firehydrant-cm

Change Events

Once you've got the Kubernetes integration configured and connected, FireHydrant will automatically log change events including any changes to your configuration or one of the tracked resources list above.

Read more about change events.

Kubernetes change events 1

Kubernetes change events 2

Last updated on 2/9/2024