Resolve Satellite
The Resolve Satellite is a lightweight, read-only infrastructure agent that runs in your Kubernetes environment and:

- collects data from the Kubernetes API
- maps service dependencies using DNS tap
- integrates with on-prem observability (../observability.md)
- supports sensitive data redaction (/sensitive-data-redaction.md)

This context powers Resolve’s knowledge graph. It enables complex investigations of incidents, and connects telemetry, deployments, and dependencies across services and environments.

Install the Resolve Satellite

Below you will install and configure the Satellite from the Helm chart.

1. Create ingest token

The Satellite communicates with the Resolve backend over an authenticated, encrypted channel. Authentication is handled via the ingest token you generate below.

- As an admin in Resolve AI, open the Ingest Tokens page (https://app0.resolve.ai/admin/tokens).
- Click Create Ingest Token.
- Name it and click Create Ingest Token.
- Copy the token to use in the next step.

2. Create values file

Create a resolve-values.yaml file to set up the Satellite configuration.

Required values:

- ingest-token: the token created in step 1
- clustername: global identifier for the Satellite (ex. prod-main)
- environment: ex. production, staging, qa. Match this environment name exactly with each integration you set up (ex. Datadog).

Here's an example resolve-values.yaml file with the required values, plus DNS tap (/resolve-satellite/dns-tap.md):

resolve-values.yaml

```yaml
ingest-token: <your resolve satellite token>
clustername: <your cluster name>
environment: <your environment>
```

3. Install Helm chart

Use this command to install the Helm chart from Docker Hub:

```bash
helm install resolve-satellite \
  oci://registry-1.docker.io/resolveaihq/satellite-chart \
  --values resolve-values.yaml
```

4. Check permissions

The Resolve Satellite reads from the Kubernetes API with a ClusterRole.

Describe permissions:

```bash
kubectl describe clusterrole resolve-satellite
```

- Core resources: configmaps, events, namespaces, nodes, pods, services
- Workload controllers: daemonsets, deployments, replicasets, statefulsets
- CRDs: ArgoRollout, IstioVirtualService, IstioGateway

5. Verify connection

In the Resolve UI, check Kubernetes Integrations to verify that the Satellite is connected.

Next: Enable DNS tap

Now that the Resolve Satellite is installed, enable cross-application investigations with Resolve using DNS tap (/resolve-satellite/dns-tap.md).

Frequently asked questions

What are the resource requirements?

- CPU: 1 core
- Memory: 8 GB
- Storage: 1 GB

The Satellite is stateless and keeps all working data in memory. Storage is used primarily for container images and temporary file sources.

Where can I find the Satellite Helm chart and image?

- Helm chart: https://hub.docker.com/r/resolveaihq/satellite-chart/tags
- Image: https://hub.docker.com/r/resolveaihq/satellite/tags

What data sources does the Resolve Satellite use?

The Satellite relies on two primary sources, the Kubernetes API server and DNS tap.

Kubernetes API server:

- Collects from pods, services, deployments, jobs, configmaps, events, nodes, PVCs, CRDs
- Uses watch API with caching and concurrency
  - Default interval: every 10 minutes (configurable)
  - Namespace concurrency: 10 threads (contact us to configure)
- Scrapes CustomResourceDefinitions from Kubernetes
  - Ingest popular CRDs like ArgoRollout, IstioVirtualService, IstioGateway
  - Ingest custom CRDs (contact us to configure)

DNS tap:

- Open source DNS log monitoring
- Captures service-to-service DNS traffic (e.g., from CoreDNS)
- Enables automatic runtime dependency discovery
- Non-intrusive push model (no polling)

Does the Satellite write to the Kubernetes API server?

No. It is read-only and leverages the Kubernetes watch cache, minimizing impact on cluster performance.

How often does the Satellite collect data?

Kubernetes API reads occur every 5 minutes by default. This interval is configurable (e.g., every 10 or 15 minutes depending on your needs).

Note: You will need to get in touch with your Resolve AI contact to make this configuration change.

Namespace-level concurrency is also tunable (default: 10 concurrent read threads).

Does it work with our internal proxy?

If your proxy supports long-lived HTTP2.0 connections.

The Satellite communicates with the Resolve server using a bidirectional gRPC/HTTP2.0 streaming connection. These are long-lived connections spanning over 30 minutes. If the proxy supports long-lived HTTP2.0 streaming connections, then yes, Satellites should be able to support it. Otherwise, allowlist the static IP for the Resolve server so the Satellite can communicate with it.

What IP addresses should I allowlist?

We have a CIDR block of IP addresses for the Satellite to securely connect to the Resolve AI backend. Add this set of addresses to your allowlist, a /29 block of 8 IPs:

18.97.138.16/29

How does the Satellite communicate with the Resolve server?

The Resolve Satellite is a lightweight proxy that establishes a bidirectional gRPC streaming connection with the Resolve server and executes HTTP requests to local on-prem integrations, both observability data sources and Kubernetes.

What is the performance impact?

The Satellite periodically fetches data from Kubernetes and other on-prem integrations to update its knowledge graph, but this frequency is configurable and we ensure that they do not overload the server.

Assuming that your typical cluster sizes are:

- Namespaces: 1000
- Nodes: 400
- Pods: 10,000

Here are some numbers that illustrate the load placed on your Kubernetes API server:

- Polling interval is 10 minutes (configurable).
- Each poll is sharded and fetches about 1 2MiB of data.
- We further limit the concurrency of these shards to 10 (configurable) and it roughly approximates to 25 requests per second.

There should not be any observable load or latency on your system.

How do I handle PII data?

Resolve supports sensitive data redaction (/sensitive-data-redaction.md) to handle PII.
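
The read-only claim in step 4 (Check permissions) and in the FAQ can be checked mechanically. The following is an added example, not part of Resolve's documentation or code: it audits a ClusterRole exported as JSON and reports any verb other than get/list/watch and any resource not named on this page. The CRD resource names and both sample roles are assumptions constructed for illustration.

```python
import json
import sys

READ_VERBS = {"get", "list", "watch"}
# Resources named on this page (step 4 and the FAQ). The CRD plural names
# (rollouts, virtualservices, gateways) are assumptions, not from the page.
DOCUMENTED = {
    "configmaps", "events", "namespaces", "nodes", "pods", "services",
    "daemonsets", "deployments", "replicasets", "statefulsets",
    "jobs", "persistentvolumeclaims", "customresourcedefinitions",
    "rollouts", "virtualservices", "gateways",
}

def audit_cluster_role(role):
    """Return (rule index, issue, details) for every rule beyond read-only."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if verbs - READ_VERBS:  # also catches the "*" wildcard verb
            findings.append((i, "non-read verbs", sorted(verbs - READ_VERBS)))
        if "*" in resources:
            findings.append((i, "wildcard resource", ["*"]))
        extra = resources - DOCUMENTED - {"*"}  # e.g. secrets, pods/log
        if extra:
            findings.append((i, "undocumented resources", sorted(extra)))
    return findings

# Constructed samples, not output from a real cluster.
SAMPLE_OK = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["configmaps", "events", "namespaces", "nodes", "pods", "services"]},
    {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
     "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"]},
]}
SAMPLE_DRIFT = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "verbs": ["get", "list", "delete"],
     "resources": ["pods", "secrets"]},
]}

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the drift sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            role = json.load(fh)
    else:
        role = SAMPLE_DRIFT
    for idx, issue, details in audit_cluster_role(role):
        print(f"rule {idx}: {issue}: {', '.join(details)}")
```

To audit a live role, export it with `kubectl get clusterrole resolve-satellite -o json > role.json` and pass the file path as the first argument.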