With Deepfactor’s mutating admission webhook controller you can instrument pods in your Kubernetes cluster without modifying your podspec. If you would like to know how to install and configure the Deepfactor mutating admission webhook in your K8s cluster refer to the following article
Run your Kubernetes workload with Deepfactor
Once the webhook is successfully installed in your K8s cluster, you can configure the instrumentation configuration from the UI. The following article will describe the fine grained options provided by the webhook that allow you to select which pods you would like to instrument with Deepfactor.
The options of importance for this purpose are:
- Include pods -> selector
This option will let you filter the list of pods based on labels. - Exclude options
These are a set of options you can use to exclude certain pods or container images from being instrumented with Deepfactor.
As with other options, Deepfactor allows you to set these options at the cluster level and also override them per namespace if you would like to customize the behavior for a particular namespace.
Selector #
This option follows the standard Kubernetes set based label selector syntax. You can read more about it in the following kubernetes documentation article
Example: You want to instrument only the pods that match following criteria
- Pods have the label env=qa
- Pods have the label ‘release’
- The label ‘status’ is set to either ready_for_qa or ready_for_staging
The following include selectors will meet the above mentioned criteria
- {key: env, operator: In, values: [qa]}
- {key: release, operator: exists } # A label with name release exists
- {key: status, operator: In, values: [ready_for_qa, ready_for_staging]}
Exclude Options #
Deepfactor provides the following exclude options
Regular expressions for pod names: Pods with name that match any of the following regexes will not be observed by Deepfactor
Regular expressions for container image paths: Containers with image path that match any of the following regexes will not be observed by Deepfactor
These options can be used to exclude certain pods and container images from instrumentation.
Example: You want to exclude all containers that have ‘istio’ in the image path
Regular expressions for container image paths: ["/istio.*/']
By combining the selector and the exclude options, you can setup fine grained criteria and target only the pods that you wish to instrument with Deepfactor.
Exclude using pod annotation #
If you would like to exclude individual pods, you can add the following annotation to the pod spec. All containers within the particular pod will not be observed by Deepfactor.
df.k8-app.registration/inject: "disabled"