
Kubernetes Deployment#

Unryo is deployable on Kubernetes using Helm charts. This method can be used to deploy the complete Unryo Platform (All-In-One) or the Unryo Collector.

Requirements#

The Unryo Platform (All-In-One) and the Unryo Collector are packaged as Helm Charts. They can be obtained online (URLs in installation steps) or you can use the Wizard for a one-liner install.

Before beginning the installation, you will need:

  • an Unryo account
  • your kubectl tool configured for the cluster where you would like to deploy the stack.
  • helm installed
  • a storageClass to persist data
  • Internet access to https://*.unryo.com from every worker node that will run Unryo.

Restrictions#

To date, Unryo has been tested on vanilla Kubernetes releases v1.19 through v1.22 (https://kubernetes.io/releases/).

Current Helm charts and Unryo services do not support securityContext or Pod Security Admission.

To monitor Kubernetes nodes and containers, the Unryo Collector needs hostPath access.

All containers run with the root user. This is required to enable several performance enhancements, and also some special ICMP packet types required for optimal network monitoring.

Install the Unryo Platform (All-In-One)#

The Unryo Platform contains everything to run a standalone Unryo solution. It has the collectors for events & metrics, the databases, analytics engine and frontend.

Installing the Chart#

To install the chart with the release name my-release you will need to use the platform helm chart and get your Unryo Token values.

The Unryo Token and Vault Token can be reused from an existing deployment or obtained from the portal.


helm install --create-namespace --namespace unryo my-release --set "config.secret.unryoToken=REPLACE_ME_BY_YOUR_UNRYO_TOKEN,config.secret.unryoVaultToken=REPLACE_ME_BY_YOUR_UNRYO_VAULT_TOKEN" https://downloads.unryo.com/helms-unryo-fullstack-latest.tgz

The command deploys Unryo Fullstack on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

If you wish to change multiple parameters, it may be easier to download the chart, tune the values.yaml contained inside it, and deploy:

curl -LO https://downloads.unryo.com/helms-unryo-fullstack-latest.tgz
tar xvzf helms-unryo-fullstack-latest.tgz
helm install --create-namespace --namespace unryo my-release -f values.yaml ./unryo-fullstack

Parameters#

| NAME | DESCRIPTION | DEFAULT VALUE |
|---|---|---|
| config.broker | Unryo broker URL used for the orchestration | https://broker.unryo.com |
| config.secret.unryoToken | Unryo token for the namespace | REPLACE_ME_BY_YOUR_UNRYO_TOKEN |
| config.secret.unryoVaultToken | Unryo Vault token used to encrypt the configuration | REPLACE_ME_BY_YOUR_UNRYO_VAULT_TOKEN |
| config.secret.defaultAdminPassword | Default password to access the main portal | changeme |
| config.secret.grafanaAdminPassword | Default password for the Grafana administrator | changeme |
| config.storageClass | storageClass to use; if not set, the default storageClass is used | {} |
| monitoring.dockerMonitoringFromK8s | Whether to monitor Docker directly from Kubernetes | false |
| datacollection.enabled | Set this to false to remove the embedded metric/event collectors | true |
| datacollection.nodeSelector | Defines which nodes are selected for the pods; leave blank to use all nodes, or give a label (e.g. node-role.kubernetes.io/master: "") | |
| datacollection.tolerations | Defines the tolerations applied to the deployments | |
| databases.events.persistentVolume.size | PV size to give to the event database | 60Gi |
| databases.metrics.persistentVolume.size | PV size to give to the metrics database | 60Gi |
| databases.nodeSelector | Defines which nodes are selected for the pods; leave blank to use all nodes, or give a label (e.g. node-role.kubernetes.io/master: "") | |
| databases.tolerations | Defines the tolerations applied to the deployments | |
| portal.nodeSelector | Defines which nodes are selected for the pods; leave blank to use all nodes, or give a label (e.g. node-role.kubernetes.io/master: "") | |
| portal.tolerations | Defines the tolerations applied to the deployments | |
| vault.nodeSelector | Defines which nodes are selected for the pods; leave blank to use all nodes, or give a label (e.g. node-role.kubernetes.io/master: "") | |
| vault.tolerations | Defines the tolerations applied to the deployments | |
| analytics.nodeSelector | Defines which nodes are selected for the pods; leave blank to use all nodes, or give a label (e.g. node-role.kubernetes.io/master: "") | |
| analytics.tolerations | Defines the tolerations applied to the deployments | |
| images.imagePullPolicy | Default pull policy for all the images | Always |
| images.imagePullSecrets | If you use a private repository secured with credentials, set the imagePullSecret here | {} |
| images.busybox | This value, like the other image values available in the values.yaml file, lets you specify a registry other than docker.io (e.g. a private one) | docker.io/busybox:1.28 |
| services.type | How all services are exposed outside the Kubernetes cluster | LoadBalancer |
| podSecurityPolicy.enabled | Enable PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later. | false |
| podSecurityPolicy.name | Name of the PodSecurityPolicy to use. This Helm chart does not create one; it has to use a predefined one. | psp:priviledged |

Network ports exposed#

  • Reporting
      • Port 443/TCP - always required
  • Timeseries collector (tscollect)
      • Port 8186/TCP - used to receive timeseries metrics from our Linux/Windows Unryo agent, or external custom sources
      • Port 162/UDP - required for SNMP trap reception
  • Event collector (evcollect)
      • Port 2055/UDP - required for Netflow reception
      • Port 5514 - required for Syslog reception (might be TCP and/or UDP)
      • Port 24224/TCP - available when you enable one of our TCP receivers, like for CDR reception
  • Timeseries reception from external Unryo components
      • Port 8086/TCP - could be used if you install external collectors in the future
  • Event reception from external Unryo components
      • Port 9200/TCP - could be used if you install external collectors in the future
  • Retrieval of encrypted configuration by external Unryo components
      • Port 4224/TCP - could be used if you install external collectors in the future

Install the Unryo Collector#

The Unryo Collector contains collectors for events & metrics, typically used to forward data to an Unryo Platform.

Installing the Chart#

To install the chart with the release name my-release you will need to use the collector helm chart and get your Unryo Token value.

The Unryo Token can be reused from an existing deployment or obtained from the portal.

helm install --create-namespace --namespace unryo my-release --set "config.secret.unryoToken=REPLACE_ME_BY_YOUR_UNRYO_TOKEN" https://downloads.unryo.com/helms-unryo-collector-latest.tgz

The command deploys the Unryo collectors on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

If you wish to change multiple parameters, it may be easier to download the chart, tune the values.yaml contained inside it, and deploy:

curl -LO https://downloads.unryo.com/helms-unryo-collector-latest.tgz
tar xvzf helms-unryo-collector-latest.tgz
helm install --create-namespace --namespace unryo my-release -f values.yaml ./unryo-collector

Parameters#

| NAME | DESCRIPTION | DEFAULT VALUE |
|---|---|---|
| config.broker | Unryo broker URL used for the orchestration | https://broker.unryo.com |
| config.secret.unryoToken | Unryo token for the namespace | REPLACE_ME_BY_YOUR_UNRYO_TOKEN |
| config.storageClass | storageClass to use; if not set, the default storageClass is used | {} |
| monitoring.dockerMonitoringFromK8s | Whether to monitor Docker directly from Kubernetes | false |
| datacollection.enabled | Whether to enable metrics and events collection | true |
| datacollection.nodeSelector | Defines which nodes are selected for the pods; leave blank to use all nodes, or give a label (e.g. node-role.kubernetes.io/master: "") | |
| datacollection.tolerations | Defines the tolerations applied to the deployments | |
| images.imagePullPolicy | Default pull policy for all the images | Always |
| images.imagePullSecrets | If you use a private repository secured with credentials, set the imagePullSecret here | {} |
| images.busybox | This value, like the other image values available in the values.yaml file, lets you specify a registry other than docker.io (e.g. a private one) | docker.io/busybox:1.28 |
| services.type | How the listening ports for events & logs are exposed to the external world | LoadBalancer |
| podSecurityPolicy.enabled | Enable PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later. | false |
| podSecurityPolicy.name | Name of the PodSecurityPolicy to use. This Helm chart does not create one; it has to use a predefined one. | psp:priviledged |
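
Both install commands above pass the tokens with --set, which leaves them in shell history and in the process list while helm runs, and the platform chart ships changeme as the default for both passwords. The check below is an added example, not part of the Unryo charts or documentation: the helper name check_unryo_secrets, the sample values and the file name unryo-secrets.yaml are assumptions, and only the config.secret keys and their defaults come from the parameter tables.

```bash
#!/usr/bin/env bash
# Added example (not Unryo tooling): pre-install check on a values file.

# check_unryo_secrets FILE [KEY...]   (hypothetical helper)
# Prints every config.secret key that is unset, still a REPLACE_ME_*
# placeholder, or the documented default "changeme"; returns 1 if any.
# Assumes each key sits on its own "key: value" line, as in values.yaml.
# With no KEY arguments it checks the four platform keys; for the
# collector chart pass only: unryoToken
check_unryo_secrets() {
  local file=$1 key value bad=0
  shift
  [ "$#" -gt 0 ] || set -- unryoToken unryoVaultToken \
    defaultAdminPassword grafanaAdminPassword
  for key in "$@"; do
    # First match only; drop a trailing comment, whitespace and quotes.
    value=$(sed -n "s/^[[:space:]]*${key}://p" "$file" | head -n 1 |
      sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/^[[:space:]]*//' \
          -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//")
    case $value in
      '' | changeme | REPLACE_ME_*) echo "config.secret.${key}"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample: the token was filled in, two secrets were not.
demo_values=$(mktemp)
cat > "$demo_values" <<'EOF'
config:
  secret:
    unryoToken: "constructed-sample-token"
    unryoVaultToken: REPLACE_ME_BY_YOUR_UNRYO_VAULT_TOKEN
    defaultAdminPassword: changeme   # chart default
    grafanaAdminPassword: "constructed-Sample-Pw-1"
EOF
demo_report=$(check_unryo_secrets "$demo_values") || true
printf 'still at defaults:\n%s\n' "$demo_report"
rm -f "$demo_values"

# Once the report is empty, install from the file (mode 0600), not --set:
#   helm install --create-namespace --namespace unryo my-release \
#     -f unryo-secrets.yaml https://downloads.unryo.com/helms-unryo-fullstack-latest.tgz
```
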

Network ports exposed#

  • Timeseries collector (tscollect)
      • Port 8186/TCP - required if this collector needs to receive metrics from Unryo Linux/Windows agents, or custom sources
      • Port 162/UDP - required for SNMP trap reception
  • Event collector (evcollect)
      • Port 2055/UDP - required for Netflow reception
      • Port 5514 - required for Syslog reception (might be TCP and/or UDP)
      • Port 24224/TCP - available when you enable one of our TCP receivers, like CDR reception

Uninstalling a Chart#

To uninstall/delete the my-release deployment:

helm uninstall --namespace unryo my-release

Upgrade a Chart#

To upgrade the my-release deployment:

helm upgrade my-release --namespace unryo https://downloads.unryo.com/helms-unryo-[chart]-latest.tgz

Note that if you want to change the parameters, it is probably better to download the chart, apply your parameters and then run helm upgrade.

Then to make sure you pull all the latest images, you can run:

kubectl -n unryo rollout restart deployment deployment-name