ankra-agent chart installed from oci://ghcr.io/ankraio/ankra-agent/ankra-agent. For installation and architecture, see Cluster Agent.
Connection
| Value | Default | Description |
|---|---|---|
| `config.ankra_url` | https://platform.ankra.app | Platform endpoint the agent connects to |
| `config.token` | "" | Agent token from the import flow (required unless using an existing secret) |
| `config.existing_secret_name` | "" | Read the token from an existing Kubernetes Secret instead |
| `config.secret_key` | "" | Key within that Secret holding the token |
Workers and Performance
| Value | Default | Description |
|---|---|---|
| `read_worker_count` | 5 | Concurrent worker slots for read jobs |
| `write_worker_count` | 5 | Concurrent worker slots for write jobs (create, update, delete) |
| `nats_worker_max_workers` | 15 | Maximum NATS worker threads for processing commands |
| `resources.requests.cpu` | 200m | CPU request |
| `resources.requests.memory` | 256Mi | Memory request |
| `resources.limits.memory` | 1Gi | Memory limit |
| `replica_count` | 1 | Agent replicas |
| `terminationGracePeriodSeconds` | 600 | Grace period so in-flight work can finish — don’t set this low |
Kubernetes Watch
Streaming of live resource state to the platform. Only override when you need to tune event volume.

| Value | Default | Description |
|---|---|---|
| `k8s_watch.enabled` | true | Enable the resource watch stream |
| `k8s_watch.batch_size` | 20 | Events per batch |
| `k8s_watch.batch_timeout_ms` | 500 | Max wait before flushing a partial batch |
| `k8s_watch.reconnect_delay_ms` | 1000 | Initial reconnect delay |
| `k8s_watch.max_reconnect_delay_ms` | 30000 | Reconnect backoff ceiling |
| `k8s_watch.max_events_per_sec` | 500 | Event rate limit |
| `k8s_watch.strip_fields` | true | Strip managed fields to reduce payload size |
| `k8s_watch.timeout_seconds` | 300 | Watch connection timeout |
Public IP Reporting (Fleet World Map)
Places imported clusters on the fleet dashboard map when they run in private networks. Disabled by default; enabling makes the agent perform an outbound HTTP lookup. Leave disabled for air-gapped clusters.

| Value | Default | Description |
|---|---|---|
| `public_ip.reporting_enabled` | false | Report the agent’s public egress IP on check-in |
| `public_ip.lookup_url` | https://api.ipify.org?format=json | Endpoint returning the caller’s public IP |
| `public_ip.refresh_seconds` | 3600 | How often the cached IP is refreshed |
| `public_ip.lookup_timeout_seconds` | 5 | Per-lookup HTTP timeout |
Image
| Value | Default | Description |
|---|---|---|
| `image.repository` | registry.ankra.cloud/ankra/agent | Agent image |
| `image.tag` | "" (follows chart version) | Explicit tag override — empty is the contract the platform auto-upgrade relies on; set only to pin a specific build |
| `image.pull_policy` | Always | Image pull policy |
| `image.pull_secrets` | [] | Pull secrets |
Security
The chart enforces non-root defaults matching the image’s `ankra` user (UID/GID 1000) with a read-only root filesystem. Don’t lower these without a rebuilt image.
| Value | Default | Description |
|---|---|---|
| `pod_security_context` | non-root, UID/GID 1000, RuntimeDefault seccomp | Pod-level security context |
| `security_context` | non-root, no privilege escalation, read-only rootfs, all capabilities dropped | Container-level security context |
| `writable_volumes.enabled` | true | Mount emptyDir volumes for runtime-writable paths (required with read-only rootfs) |
| `writable_volumes.tmp_size_limit` | 1Gi | /tmp size cap |
| `writable_volumes.cache_size_limit` | 4Gi | Cache size cap |
| `writable_volumes.config_size_limit` | 16Mi | Config size cap |
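
An added example, not part of the chart or the Ankra project: a small audit of user-supplied overrides (the JSON printed by `helm get values <release> -o json`) against the cautions in this reference. The sample input is constructed, and two things are assumptions: that `security_context` takes the standard Kubernetes securityContext field names, and that any grace period below the default counts as "low". Flagging an inline `config.token` is a hardening preference added here.

```python
import json

# Constructed sample of user-supplied overrides, in the shape printed by
# `helm get values <release> -o json`. All values are made up.
SAMPLE = json.loads("""{
  "config": {"token": "constructed-example-token"},
  "terminationGracePeriodSeconds": 30,
  "public_ip": {"reporting_enabled": true},
  "image": {"tag": "constructed-tag"},
  "security_context": {"readOnlyRootFilesystem": false}
}""")

def get(values, dotted, default=None):
    """Walk a dotted key such as 'config.token' through nested dicts."""
    for part in dotted.split("."):
        if not isinstance(values, dict) or part not in values:
            return default
        values = values[part]
    return values

def audit(values):
    """Return the value keys whose overrides the reference warns about."""
    flagged = []
    token, secret = get(values, "config.token"), get(values, "config.existing_secret_name")
    if token:
        flagged.append("config.token")                   # token kept in values, not a Secret
    elif not secret:
        flagged.append("config.existing_secret_name")    # no token source at all
    if get(values, "terminationGracePeriodSeconds", 600) < 600:
        flagged.append("terminationGracePeriodSeconds")  # assumption: below default is "low"
    if get(values, "public_ip.reporting_enabled", False):
        flagged.append("public_ip.reporting_enabled")    # adds an outbound HTTP lookup
    if get(values, "image.tag", ""):
        flagged.append("image.tag")                      # pinned tag stops following chart version
    # Assumption: security_context accepts standard Kubernetes securityContext fields.
    sc = get(values, "security_context", {}) or {}
    weakened = (sc.get("readOnlyRootFilesystem") is False
                or sc.get("allowPrivilegeEscalation") is True
                or sc.get("runAsNonRoot") is False)
    if weakened:
        flagged.append("security_context")               # lowered below the chart defaults
    elif get(values, "writable_volumes.enabled", True) is False:
        flagged.append("writable_volumes.enabled")       # required with read-only rootfs
    return flagged

if __name__ == "__main__":
    for key in audit(SAMPLE):
        print("review:", key)
```
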
Scheduling and Service
| Value | Default | Description |
|---|---|---|
| `node_selector` / `tolerations` / `affinity` / `topologySpreadConstraints` | empty | Standard scheduling controls |
| `service_account.name` | ankra-agent-sa | Service account name |
| `service_account.annotations` | {} | Service account annotations (e.g. IRSA) |
| `service.type` / `service.port` | ClusterIP / 8080 | Agent HTTP service |
| `pod_annotations` | {} | Extra pod annotations |
| `log_level` | INFO | DEBUG, INFO, WARNING, ERROR, or CRITICAL |
Metrics
| Value | Default | Description |
|---|---|---|
| `metrics.serviceMonitor.enabled` | false | Install a Prometheus Operator ServiceMonitor scraping /metrics |
| `metrics.serviceMonitor.interval` | 30s | Scrape interval |
| `metrics.serviceMonitor.scrapeTimeout` | 10s | Scrape timeout |
| `metrics.serviceMonitor.labels` | {} | Extra ServiceMonitor labels |
Advanced Environment Tuning
Operator-tunable knobs go in `extra_env`: