
Install Mission Control Agent on an AWS EKS cluster

Prerequisites

To install and run Mission Control you need:

  • GKE 1.28+ with an Ingress Controller
  • 500-1000m of CPU and 4GB of Memory
  • Persistent Volumes with 20GB+ of storage or an external PostgreSQL database like CloudSQL

Create an IAM Role

Depending on how you want to use Mission Control, you need to create an IAM role for Mission Control to use:

Use Case | Role
Read Only Scraping | roles/viewer
Playbooks to create and update GCP Resources | roles/editor

Configure IAM Roles for Mission Control

You can also refer to the official docs for Workload Identity.

  1. Enable workload identity

    # The name of the GKE cluster mission control is being deployed to
    export CLUSTER=<CLUSTER_NAME>
    # the default namespace the mission-control helm chart uses
    export NAMESPACE=mission-control
    # GCP Project ID
    export PROJECT_ID=gcp-project-id
    # GCP Project Number
    export PROJECT_NUMBER=gcp-project-number
    # Location of GKE Cluster
    export LOCATION=us-east1

    gcloud container clusters update $CLUSTER \
    --location=$LOCATION \
    --workload-pool=$PROJECT_ID.svc.id.goog

  2. Bind IAM Policy

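    $KSA_NAME refers to the Kubernetes service account name, which is the final path segment of the --member principal. In our case, we need to bind to 3 service accounts: mission-control-sa, canary-checker-sa and config-db-sa. Set $ROLE to the role chosen in the table above.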

    gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
    --role=$ROLE \
    --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/mission-control-sa \
    --condition=None

    gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
    --role=$ROLE \
    --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/canary-checker-sa \
    --condition=None

    gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
    --role=$ROLE \
    --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/config-db-sa \
    --condition=None

  3. Choose a routable DOMAIN for Mission Control

    See Ingress for more options on configuring the ingress, including generating certs with cert-manager.

    See Local Testing for testing with kind or minikube without a routable domain.

  4. Install Mission Control

    apiVersion: v1
    kind: Namespace
    metadata:
      name: mission-control
    ---
    apiVersion: source.toolkit.fluxcd.io/v1
    kind: HelmRepository
    metadata:
      name: flanksource
      namespace: mission-control
    spec:
      interval: 5m0s
      url: https://flanksource.github.io/charts
    ---
    apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    metadata:
      name: mission-control-agent
      namespace: mission-control
    spec:
      chart:
        spec:
          chart: mission-control-agent
          sourceRef:
            kind: HelmRepository
            name: flanksource
            namespace: mission-control
      interval: 5m
      values:
        # Nested form of upstream.agent, upstream.username, upstream.password and upstream.host
        upstream:
          agent: YOUR_LOCAL_NAME
          username: token
          # An inline password is stored in the HelmRelease object;
          # spec.valuesFrom can read it from a Secret instead
          password:
          host:
    See values.yaml
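
To check the result of step 2, the following added example (not part of the Mission Control documentation) audits a project IAM policy, in the JSON shape returned by `gcloud projects get-iam-policy $PROJECT_ID --format=json`, for the three Workload Identity bindings. The sample policy, project number 123456789012 and project ID example-project are constructed, and treating `principalSet://` members as findings is an assumption of this example.

```python
import json
import re
import sys

# Member format used by the add-iam-policy-binding commands in step 2.
MEMBER_RE = re.compile(
    r"^principal://iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/subject/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")
EXPECTED_SAS = {"mission-control-sa", "canary-checker-sa", "config-db-sa"}

# Constructed sample data (assumed project number and project ID).
POOL = ("//iam.googleapis.com/projects/123456789012/locations/global/"
        "workloadIdentityPools/example-project.svc.id.goog/")
PREFIX = "principal:" + POOL + "subject/ns/mission-control/sa/"
POOL_SET = "principalSet:" + POOL + "namespace/mission-control"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": [
        PREFIX + "mission-control-sa", PREFIX + "canary-checker-sa",
        "user:alice@example.com", POOL_SET]},
    {"role": "roles/editor", "members": [PREFIX + "config-db-sa"]},
]}


def audit(policy, namespace, role):
    """Return (missing, unexpected): expected service accounts lacking `role`,
    and (role, member) grants to pool identities that step 2 does not create."""
    holders, unexpected = set(), []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("principalSet://") and ".svc.id.goog/" in member:
                # Matches many identities at once, not a single service account.
                unexpected.append((binding["role"], member))
                continue
            m = MEMBER_RE.match(member)
            if not m or m["ns"] != namespace:
                continue  # not a Workload Identity principal in this namespace
            if binding["role"] == role and m["sa"] in EXPECTED_SAS:
                holders.add(m["sa"])
            else:
                unexpected.append((binding["role"], member))
    return sorted(EXPECTED_SAS - holders), unexpected


if __name__ == "__main__":
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    missing, unexpected = audit(policy, "mission-control", "roles/viewer")
    print("missing bindings:", missing)
    for found_role, member in unexpected:
        print("review:", found_role, member)
```

Pass a saved policy file as the first argument and change the role argument to roles/editor if that is the role chosen for playbooks.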

Next Steps