# Agent Helm Values

> Every configurable value of the ankra-agent Helm chart — workers, watch tuning, security contexts, metrics, and public IP reporting.

Reference for the `ankra-agent` chart installed from `oci://ghcr.io/ankraio/ankra-agent/ankra-agent`. For installation and architecture, see [Cluster Agent](/concepts/cluster-agent).

```bash
helm upgrade --install ankra-agent oci://ghcr.io/ankraio/ankra-agent/ankra-agent \
  --namespace ankra \
  --create-namespace \
  --set config.token="YOUR_UNIQUE_TOKEN"
```

## Connection

| Value                         | Default                      | Description                                                                 |
| ----------------------------- | ---------------------------- | --------------------------------------------------------------------------- |
| `config.ankra_url`            | `https://platform.ankra.app` | Platform endpoint the agent connects to                                     |
| `config.token`                | `""`                         | Agent token from the import flow (required unless using an existing secret) |
| `config.existing_secret_name` | `""`                         | Read the token from an existing Kubernetes Secret instead                   |
| `config.secret_key`           | `""`                         | Key within that Secret holding the token                                    |

## Workers and Performance

| Value                           | Default | Description                                                     |
| ------------------------------- | ------- | --------------------------------------------------------------- |
| `read_worker_count`             | `5`     | Concurrent worker slots for read jobs                           |
| `write_worker_count`            | `5`     | Concurrent worker slots for write jobs (create, update, delete) |
| `nats_worker_max_workers`       | `15`    | Maximum NATS worker threads for processing commands             |
| `resources.requests.cpu`        | `200m`  | CPU request                                                     |
| `resources.requests.memory`     | `256Mi` | Memory request                                                  |
| `resources.limits.memory`       | `1Gi`   | Memory limit                                                    |
| `replica_count`                 | `1`     | Agent replicas                                                  |
| `terminationGracePeriodSeconds` | `600`   | Grace period so in-flight work can finish — don't set this low  |

## Kubernetes Watch

Streaming of live resource state to the platform. Only override when you need to tune event volume.

| Value                              | Default | Description                                 |
| ---------------------------------- | ------- | ------------------------------------------- |
| `k8s_watch.enabled`                | `true`  | Enable the resource watch stream            |
| `k8s_watch.batch_size`             | `20`    | Events per batch                            |
| `k8s_watch.batch_timeout_ms`       | `500`   | Max wait before flushing a partial batch    |
| `k8s_watch.reconnect_delay_ms`     | `1000`  | Initial reconnect delay                     |
| `k8s_watch.max_reconnect_delay_ms` | `30000` | Reconnect backoff ceiling                   |
| `k8s_watch.max_events_per_sec`     | `500`   | Event rate limit                            |
| `k8s_watch.strip_fields`           | `true`  | Strip managed fields to reduce payload size |
| `k8s_watch.timeout_seconds`        | `300`   | Watch connection timeout                    |

## Public IP Reporting (Fleet World Map)

Places imported clusters on the [fleet dashboard map](/platform/dashboard) when they run in private networks. Disabled by default; enabling makes the agent perform an outbound HTTP lookup. Leave disabled for air-gapped clusters.

| Value                              | Default                             | Description                                     |
| ---------------------------------- | ----------------------------------- | ----------------------------------------------- |
| `public_ip.reporting_enabled`      | `false`                             | Report the agent's public egress IP on check-in |
| `public_ip.lookup_url`             | `https://api.ipify.org?format=json` | Endpoint returning the caller's public IP       |
| `public_ip.refresh_seconds`        | `3600`                              | How often the cached IP is refreshed            |
| `public_ip.lookup_timeout_seconds` | `5`                                 | Per-lookup HTTP timeout                         |

## Image

| Value                | Default                            | Description                                                                                                         |
| -------------------- | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| `image.repository`   | `registry.ankra.cloud/ankra/agent` | Agent image                                                                                                         |
| `image.tag`          | `""` (follows chart version)       | Explicit tag override — empty is the contract the platform auto-upgrade relies on; set only to pin a specific build |
| `image.pull_policy`  | `Always`                           | Image pull policy                                                                                                   |
| `image.pull_secrets` | `[]`                               | Pull secrets                                                                                                        |

## Security

The chart enforces non-root defaults matching the image's `ankra` user (UID/GID 1000) with a read-only root filesystem. Don't lower these without a rebuilt image.

| Value                                | Default                                                                       | Description                                                                        |
| ------------------------------------ | ----------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| `pod_security_context`               | non-root, UID/GID 1000, `RuntimeDefault` seccomp                              | Pod-level security context                                                         |
| `security_context`                   | non-root, no privilege escalation, read-only rootfs, all capabilities dropped | Container-level security context                                                   |
| `writable_volumes.enabled`           | `true`                                                                        | Mount emptyDir volumes for runtime-writable paths (required with read-only rootfs) |
| `writable_volumes.tmp_size_limit`    | `1Gi`                                                                         | `/tmp` size cap                                                                    |
| `writable_volumes.cache_size_limit`  | `4Gi`                                                                         | Cache size cap                                                                     |
| `writable_volumes.config_size_limit` | `16Mi`                                                                        | Config size cap                                                                    |
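
To confirm that an override has not weakened these defaults, the following added example (not part of the chart or the Ankra documentation) audits a workload's JSON, as returned by `kubectl get deployment -o json`, against the settings listed above. The sample input and the container name `agent` are constructed, and the check assumes the chart passes its values through to the standard Kubernetes `securityContext` fields.

```python
import json

# Constructed sample: the security-relevant slice of `kubectl get deployment -o json`.
# It is not output captured from a real ankra-agent release.
SAMPLE_DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "runAsGroup": 1000,
                      "seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "agent", "securityContext": {
      "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
      "capabilities": {"drop": ["ALL"]}}}]
}}}}
""")


def audit_security_context(deployment):
    """Return findings; an empty list means the documented defaults are in effect."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for ctr in pod.get("containers", []):
        sc = ctr.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        name = ctr.get("name", "?")

        def eff(key):
            # A container-level setting overrides the pod-level one when both are set.
            return sc[key] if key in sc else pod_sc.get(key)

        checks = [
            (eff("runAsNonRoot") is True, "runAsNonRoot is not true"),
            (eff("runAsUser") == 1000 and eff("runAsGroup") == 1000, "not UID/GID 1000"),
            ((eff("seccompProfile") or {}).get("type") == "RuntimeDefault",
             "seccomp profile is not RuntimeDefault"),
            (sc.get("allowPrivilegeEscalation") is False, "privilege escalation allowed"),
            (sc.get("readOnlyRootFilesystem") is True, "root filesystem is writable"),
            (not sc.get("privileged"), "container is privileged"),
            ("ALL" in (caps.get("drop") or []), "capabilities are not all dropped"),
            (not caps.get("add"), "capabilities added back"),
        ]
        findings += [f"{name}: {msg}" for ok, msg in checks if not ok]
    return findings


if __name__ == "__main__":
    for line in audit_security_context(SAMPLE_DEPLOYMENT) or ["OK: documented defaults hold"]:
        print(line)
```

An unset `allowPrivilegeEscalation` or `readOnlyRootFilesystem` is reported as a finding, because Kubernetes treats a missing value as the permissive setting.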

## Scheduling and Service

| Value                                                                      | Default              | Description                                        |
| -------------------------------------------------------------------------- | -------------------- | -------------------------------------------------- |
| `node_selector` / `tolerations` / `affinity` / `topologySpreadConstraints` | empty                | Standard scheduling controls                       |
| `service_account.name`                                                     | `ankra-agent-sa`     | Service account name                               |
| `service_account.annotations`                                              | `{}`                 | Service account annotations (e.g. IRSA)            |
| `service.type` / `service.port`                                            | `ClusterIP` / `8080` | Agent HTTP service                                 |
| `pod_annotations`                                                          | `{}`                 | Extra pod annotations                              |
| `log_level`                                                                | `INFO`               | `DEBUG`, `INFO`, `WARNING`, `ERROR`, or `CRITICAL` |

## Metrics

| Value                                  | Default | Description                                                      |
| -------------------------------------- | ------- | ---------------------------------------------------------------- |
| `metrics.serviceMonitor.enabled`       | `false` | Install a Prometheus Operator ServiceMonitor scraping `/metrics` |
| `metrics.serviceMonitor.interval`      | `30s`   | Scrape interval                                                  |
| `metrics.serviceMonitor.scrapeTimeout` | `10s`   | Scrape timeout                                                   |
| `metrics.serviceMonitor.labels`        | `{}`    | Extra ServiceMonitor labels                                      |

## Advanced Environment Tuning

Operator-tunable knobs go in `extra_env`:

```yaml
extra_env:
  - name: KUBERNETES_HTTP2_ENABLED          # default "false"
    value: "false"
  - name: KUBERNETES_REQUEST_MAX_ATTEMPTS   # default "3"
    value: "3"
  - name: FORWARD_SERVICE_REQUEST_MAX_TIMEOUT_SECONDS  # default "120"
    value: "120"
```

See [Cluster Agent — Advanced tuning](/concepts/cluster-agent#advanced-tuning-via-extra_env) for when to change these.
