Reference for the ankra-agent chart installed from oci://ghcr.io/ankraio/ankra-agent/ankra-agent. For installation and architecture, see Cluster Agent.
helm upgrade --install ankra-agent oci://ghcr.io/ankraio/ankra-agent/ankra-agent \
  --namespace ankra \
  --create-namespace \
  --set config.token="YOUR_UNIQUE_TOKEN"

Connection

| Value | Default | Description |
| --- | --- | --- |
| config.ankra_url | https://platform.ankra.app | Platform endpoint the agent connects to |
| config.token | "" | Agent token from the import flow (required unless using an existing secret) |
| config.existing_secret_name | "" | Read the token from an existing Kubernetes Secret instead |
| config.secret_key | "" | Key within that Secret holding the token |

Workers and Performance

| Value | Default | Description |
| --- | --- | --- |
| read_worker_count | 5 | Concurrent worker slots for read jobs |
| write_worker_count | 5 | Concurrent worker slots for write jobs (create, update, delete) |
| nats_worker_max_workers | 15 | Maximum NATS worker threads for processing commands |
| resources.requests.cpu | 200m | CPU request |
| resources.requests.memory | 256Mi | Memory request |
| resources.limits.memory | 1Gi | Memory limit |
| replica_count | 1 | Agent replicas |
| terminationGracePeriodSeconds | 600 | Grace period so in-flight work can finish; don’t set this low |

Kubernetes Watch

Streaming of live resource state to the platform. Only override when you need to tune event volume.

| Value | Default | Description |
| --- | --- | --- |
| k8s_watch.enabled | true | Enable the resource watch stream |
| k8s_watch.batch_size | 20 | Events per batch |
| k8s_watch.batch_timeout_ms | 500 | Max wait before flushing a partial batch |
| k8s_watch.reconnect_delay_ms | 1000 | Initial reconnect delay |
| k8s_watch.max_reconnect_delay_ms | 30000 | Reconnect backoff ceiling |
| k8s_watch.max_events_per_sec | 500 | Event rate limit |
| k8s_watch.strip_fields | true | Strip managed fields to reduce payload size |
| k8s_watch.timeout_seconds | 300 | Watch connection timeout |

Public IP Reporting (Fleet World Map)

Places imported clusters on the fleet dashboard map when they run in private networks. Disabled by default; enabling makes the agent perform an outbound HTTP lookup. Leave disabled for air-gapped clusters.

| Value | Default | Description |
| --- | --- | --- |
| public_ip.reporting_enabled | false | Report the agent’s public egress IP on check-in |
| public_ip.lookup_url | https://api.ipify.org?format=json | Endpoint returning the caller’s public IP |
| public_ip.refresh_seconds | 3600 | How often the cached IP is refreshed |
| public_ip.lookup_timeout_seconds | 5 | Per-lookup HTTP timeout |

Image

| Value | Default | Description |
| --- | --- | --- |
| image.repository | registry.ankra.cloud/ankra/agent | Agent image |
| image.tag | "" (follows chart version) | Explicit tag override. Empty is the contract the platform auto-upgrade relies on; set only to pin a specific build |
| image.pull_policy | Always | Image pull policy |
| image.pull_secrets | [] | Pull secrets |

Security

The chart enforces non-root defaults matching the image’s ankra user (UID/GID 1000) with a read-only root filesystem. Don’t lower these without a rebuilt image.

| Value | Default | Description |
| --- | --- | --- |
| pod_security_context | non-root, UID/GID 1000, RuntimeDefault seccomp | Pod-level security context |
| security_context | non-root, no privilege escalation, read-only rootfs, all capabilities dropped | Container-level security context |
| writable_volumes.enabled | true | Mount emptyDir volumes for runtime-writable paths (required with read-only rootfs) |
| writable_volumes.tmp_size_limit | 1Gi | /tmp size cap |
| writable_volumes.cache_size_limit | 4Gi | Cache size cap |
| writable_volumes.config_size_limit | 16Mi | Config size cap |
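
To confirm that value overrides have not weakened these defaults on a running agent, the added example below (not part of the chart or its documentation) audits a Deployment exported as JSON, for instance with `kubectl -n ankra get deployment <name> -o json`. It assumes the UID/GID are expressed through the standard Kubernetes `runAsUser` and `runAsGroup` fields; the function name `audit` and the embedded sample are constructed for illustration.

```python
import json

# Constructed sample: trimmed Deployment JSON shaped like
# `kubectl -n ankra get deployment <name> -o json` output. Not real chart output.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "runAsGroup": 1000,
                      "seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "agent", "securityContext": {
      "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
      "capabilities": {"drop": ["ALL"]}}}]
}}}}
""")


def audit(deployment):
    """Return findings where the pod spec is weaker than the documented defaults."""
    spec = deployment["spec"]["template"]["spec"]
    pod = spec.get("securityContext") or {}
    findings = []
    if (pod.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        findings.append("pod: seccompProfile is not RuntimeDefault")
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        def eff(key):
            # Container-level value overrides the pod-level one when both exist.
            return sc[key] if key in sc else pod.get(key)
        if eff("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        for key in ("runAsUser", "runAsGroup"):
            if eff(key) != 1000:
                findings.append(f"{name}: {key} is {eff(key)}, expected 1000")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        drops = {d.upper() for d in (sc.get("capabilities") or {}).get("drop") or []}
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities do not drop ALL")
        if (sc.get("capabilities") or {}).get("add"):
            findings.append(f"{name}: capabilities are added back")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["matches the documented defaults"]:
        print(line)
```

An empty result means the pod spec is at least as strict as the defaults listed in the table; each finding names the container and the field that differs.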

Scheduling and Service

| Value | Default | Description |
| --- | --- | --- |
| node_selector / tolerations / affinity / topologySpreadConstraints | empty | Standard scheduling controls |
| service_account.name | ankra-agent-sa | Service account name |
| service_account.annotations | {} | Service account annotations (e.g. IRSA) |
| service.type / service.port | ClusterIP / 8080 | Agent HTTP service |
| pod_annotations | {} | Extra pod annotations |
| log_level | INFO | DEBUG, INFO, WARNING, ERROR, or CRITICAL |

Metrics

| Value | Default | Description |
| --- | --- | --- |
| metrics.serviceMonitor.enabled | false | Install a Prometheus Operator ServiceMonitor scraping /metrics |
| metrics.serviceMonitor.interval | 30s | Scrape interval |
| metrics.serviceMonitor.scrapeTimeout | 10s | Scrape timeout |
| metrics.serviceMonitor.labels | {} | Extra ServiceMonitor labels |

Advanced Environment Tuning

Operator-tunable knobs go in extra_env:
extra_env:
  - name: KUBERNETES_HTTP2_ENABLED          # default "false"
    value: "false"
  - name: KUBERNETES_REQUEST_MAX_ATTEMPTS   # default "3"
    value: "3"
  - name: FORWARD_SERVICE_REQUEST_MAX_TIMEOUT_SECONDS  # default "120"
    value: "120"
See Cluster Agent — Advanced tuning for when to change these.