
Internal documentation only

This page has been marked as draft.

Netprobe - How to monitor Control Plane components with Kubernetes plugin

Kubernetes, Control Plane, Collection Agent, NetProbe, pods, taints, cluster.

Problem

I am using the Kubernetes Plugin and want to monitor the Control Plane components of my Kubernetes cluster, but they are not visible in my dataview.

Solution

Use the documentation below to verify permissions and access rights.

docs.itrsgroup.com/docs/geneos/collection/kubernetes/current/user-guide/kubernetes/index.html#permissions

In addition, the following commands are useful to verify permissions and access.

Permissions

root@host:/# kubectl -n geneos get pod netprobe-xxxx -o jsonpath='{.spec.serviceAccountName}'
netprobe

root@host:/# kubectl auth can-i list pods -n kube-system --as=system:serviceaccount:geneos:netprobe
yes

root@host:/# kubectl get pods -n kube-system --as=system:serviceaccount:geneos:netprobe

If this fails, it could indicate a restriction beyond standard RBAC.

## Did not fail... Execution ok.

root@host:/# kubectl describe clusterrole netprobe-geneos
Name:         netprobe-geneos
Labels:       app.kubernetes.io/instance=netprobe
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=netprobe
              app.kubernetes.io/version=7.4.2
              helm.sh/chart=netprobe-7.4.2
Annotations:  meta.helm.sh/release-name: netprobe
              meta.helm.sh/release-namespace: geneos
PolicyRule:
  Resources          Non-Resource URLs  Resource Names  Verbs
  ---------          -----------------  --------------  -----
  endpoints          []                 []              [get list watch]
  events             []                 []              [get list watch]
  namespaces         []                 []              [get list watch]
  nodes/proxy        []                 []              [get list watch]
  nodes              []                 []              [get list watch]
  pods               []                 []              [get list watch]
  resourcequotas     []                 []              [get list watch]
  services           []                 []              [get list watch]
  daemonsets.apps    []                 []              [get list watch]
  deployments.apps   []                 []              [get list watch]
  replicasets.apps   []                 []              [get list watch]
  statefulsets.apps  []                 []              [get list watch]
  jobs.batch         []                 []              [get list watch]

Access

Verify RoleBindings and ClusterRoleBindings. Ensure the netprobe ServiceAccount is bound to a ClusterRole that allows listing pods; a RoleBinding in the geneos namespace would not grant access to pods in kube-system, so a ClusterRoleBinding is required:

root@host:/# kubectl get rolebinding -n geneos
No resources found in geneos namespace.

root@host:/# kubectl get clusterrolebinding | grep netprobe
netprobe-geneos                                          ClusterRole/netprobe-geneos                                                        19d

root@host:/# kubectl get clusterrolebinding netprobe-geneos -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    meta.helm.sh/release-name: netprobe
    meta.helm.sh/release-namespace: geneos
  creationTimestamp: "2026-01-07T09:34:44Z"
  labels:
    app.kubernetes.io/instance: netprobe
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: netprobe
    app.kubernetes.io/version: 7.4.2
    helm.sh/chart: netprobe-7.4.2
  name: netprobe-geneos
  resourceVersion: "1564170137"
  uid: 62ca7b72-83d5-47b1-9709-950ca44edabc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: netprobe-geneos
subjects:
- kind: ServiceAccount
  name: netprobe
  namespace: geneos
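The permission and binding checks above, as a simplified `kubectl auth can-i` written in Python. This is an added example, not code from the Geneos documentation or the netprobe Helm chart; the role rules and bindings are constructed to mirror the `kubectl describe clusterrole` and `kubectl get clusterrolebinding -o yaml` output above, and the second, namespaced binding is a hypothetical misconfiguration that only covers the geneos namespace.

```python
"""Simplified `kubectl auth can-i` over RBAC objects (added example; the
role and bindings are constructed from the output shown on this page)."""

SA = "system:serviceaccount:geneos:netprobe"   # the NetProbe's identity

# Same PolicyRules as the netprobe-geneos ClusterRole above (constructed).
ROLES = {"netprobe-geneos": [
    {"apiGroups": [""], "resources": ["endpoints", "events", "namespaces",
     "nodes", "nodes/proxy", "pods", "resourcequotas", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments",
     "replicasets", "statefulsets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list", "watch"]},
]}

# namespace None = ClusterRoleBinding (cluster-wide); a RoleBinding only
# grants the role inside its own namespace (hypothetical misconfiguration).
CLUSTER_BINDING = [{"roleRef": "netprobe-geneos", "namespace": None, "subjects": [SA]}]
NAMESPACED_BINDING = [{"roleRef": "netprobe-geneos", "namespace": "geneos", "subjects": [SA]}]

def rule_allows(rule, group, resource, verb):
    """One PolicyRule: '*' is a wildcard; a subresource such as nodes/proxy
    must be named explicitly or covered by 'nodes/*' (or '*')."""
    parent = resource.split("/")[0]
    return (("*" in rule["apiGroups"] or group in rule["apiGroups"])
            and ("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["resources"] or resource in rule["resources"]
                 or ("/" in resource and f"{parent}/*" in rule["resources"])))

def can_i(subject, verb, group, resource, namespace, bindings, roles=ROLES):
    """True if a binding for `subject` that applies in `namespace` references
    a role containing a rule that allows verb/group/resource."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue
        if any(rule_allows(r, group, resource, verb) for r in roles[b["roleRef"]]):
            return True
    return False

if __name__ == "__main__":
    for name, bindings in (("ClusterRoleBinding", CLUSTER_BINDING),
                           ("RoleBinding in geneos", NAMESPACED_BINDING)):
        ok = can_i(SA, "list", "", "pods", "kube-system", bindings)
        print(f"{name}: list pods in kube-system -> {'yes' if ok else 'no'}")
```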

Network Policy / Policy Engines

Some clusters enforce network restrictions that may block access to the API server (port 443). The commands below list NetworkPolicies, OPA Gatekeeper constraint templates and constraints, and Kyverno cluster policies (cpol) and policies (pol):

root@host:/# kubectl get networkpolicy -A
root@host:/# kubectl get constrainttemplates
root@host:/# kubectl get constraints
root@host:/# kubectl get cpol
root@host:/# kubectl get pol -A

## Not getting anything from these...

Security Standards

root@host:/# kubectl get ns kube-system --show-labels
NAME          STATUS   AGE     LABELS
kube-system   Active   3y78d   admission.policy.azure.com/ignore=true,kubernetes.io/metadata.name=kube-system,openservicemesh.io/ignore=true

API Server Connectivity

The commands below verify whether the pod itself can reach the Kubernetes API. Run them from within the netprobe pod. A 403 for system:anonymous, as in the output below, shows that the API server is reachable; the request is rejected only because curl sent no credentials, whereas the NetProbe authenticates with the service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

root@host:# kubectl -n geneos exec -it netprobe-xxxx sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Defaulted container "netprobe" out of: netprobe, collection-agent, dynatrace-operator (init)
sh-5.1$ curl -k https://kubernetes.default.svc
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}sh-5.1$

API Groups and Resources Availability

root@host:/# kubectl api-resources --namespaced=true | grep pods
pods                             po                       v1                                          true         Pod
actionpodspecbindings                                     config.kio.kasten.io/v1alpha1               true         ActionPodSpecBinding
actionpodspecs                                            config.kio.kasten.io/v1alpha1               true         ActionPodSpec
pods                                                      metrics.k8s.io/v1beta1                      true         PodMetrics
constraintpodstatuses                                     status.gatekeeper.sh/v1beta1                true         ConstraintPodStatus
constrainttemplatepodstatuses                             status.gatekeeper.sh/v1beta1                true         ConstraintTemplatePodStatus

root@host:/#  kubectl api-versions
access.smi-spec.io/v1alpha3
actions.kio.kasten.io/v1alpha1
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
agent.k8s.elastic.co/v1alpha1
apiextensions.k8s.io/v1
apiregistration.k8s.io/v1
apm.k8s.elastic.co/v1
apm.k8s.elastic.co/v1beta1
appprotect.f5.com/v1beta1
appprotectdos.f5.com/v1beta1
apps.kio.kasten.io/v1alpha1
apps/v1
aquasecurity.github.io/v1alpha1
arc.azure.com/v1beta1
auth.kio.kasten.io/v1alpha1
authentication.k8s.io/v1
authentication.k8s.io/v1beta1
authorization.k8s.io/v1
autoscaling.k8s.elastic.co/v1alpha1
autoscaling/v1
autoscaling/v2
azmonitoring.coreos.com/v1
batch/v1
beat.k8s.elastic.co/v1beta1
certificates.k8s.io/v1
certificates.microsoft.com/v1
cis.f5.com/v1
clusterconfig.azure.com/v1alpha1
clusterconfig.azure.com/v1beta1
config.gatekeeper.sh/v1alpha1
config.kio.kasten.io/v1alpha1
config.openservicemesh.io/v1alpha1
config.openservicemesh.io/v1alpha2
coordination.k8s.io/v1
cr.kanister.io/v1alpha1
crd.projectcalico.org/v1
csi.storage.k8s.io/v1alpha1
defender.microsoft.com/v1alpha1
discovery.k8s.io/v1
dist.kio.kasten.io/v1alpha1
dynatrace.com/v1alpha1
dynatrace.com/v1alpha2
dynatrace.com/v1beta3
dynatrace.com/v1beta4
dynatrace.com/v1beta5
elasticsearch.k8s.elastic.co/v1
elasticsearch.k8s.elastic.co/v1beta1
enterprisesearch.k8s.elastic.co/v1
enterprisesearch.k8s.elastic.co/v1beta1
events.k8s.io/v1
externaldns.nginx.org/v1
flowcontrol.apiserver.k8s.io/v1
flowcontrol.apiserver.k8s.io/v1beta3
helm.toolkit.fluxcd.io/v2
helm.toolkit.fluxcd.io/v2beta1
helm.toolkit.fluxcd.io/v2beta2
image.toolkit.fluxcd.io/v1beta1
image.toolkit.fluxcd.io/v1beta2
k8s.nginx.org/v1
k8s.nginx.org/v1alpha1
kibana.k8s.elastic.co/v1
kibana.k8s.elastic.co/v1beta1
kustomize.toolkit.fluxcd.io/v1
kustomize.toolkit.fluxcd.io/v1beta1
kustomize.toolkit.fluxcd.io/v1beta2
logstash.k8s.elastic.co/v1alpha1
maps.k8s.elastic.co/v1alpha1
metrics.k8s.io/v1beta1
networking.k8s.io/v1
node.k8s.io/v1
notification.toolkit.fluxcd.io/v1
notification.toolkit.fluxcd.io/v1beta1
notification.toolkit.fluxcd.io/v1beta2
notification.toolkit.fluxcd.io/v1beta3
policy.openservicemesh.io/v1alpha1
policy/v1
rbac.authorization.k8s.io/v1
reporting.kio.kasten.io/v1alpha1
repositories.kio.kasten.io/v1alpha1
scheduling.k8s.io/v1
source.toolkit.fluxcd.io/v1
source.toolkit.fluxcd.io/v1beta1
source.toolkit.fluxcd.io/v1beta2
specs.smi-spec.io/v1alpha4
split.smi-spec.io/v1alpha2
stackconfigpolicy.k8s.elastic.co/v1alpha1
status.gatekeeper.sh/v1beta1
storage.k8s.io/v1
templates.gatekeeper.sh/v1
templates.gatekeeper.sh/v1alpha1
templates.gatekeeper.sh/v1beta1
v1
vault.kio.kasten.io/v1alpha1

Cluster Size

Possible out-of-memory issues may prevent cluster components from being monitored. The script kube-stats.sh can be run to check the cluster size in case there are too many monitored objects.

Taints and Tolerations

Check whether there is a taint on the node. A taint on a node means that no workload without a matching toleration can be scheduled onto that node, and Control Plane nodes typically have taints. The example command below confirms that DaemonSet pods would only run on the nodes whose TAINTS column shows <none>:

root@host:/# kubectl get nodes -o custom-columns=NAME:.metadata.name,TAINTS:.spec.taints
NAME                                      TAINTS
itrs-test-1b3fg-ef67k                     [map[effect:NoSchedule key:node-role.kubernetes.io/control-plane]]
itrs-test-node-pool-1-bfcjk-rtfmi-khl67   <none>
itrs-test-node-pool-1-bfcjk-rtfmi-m4q2y   <none>
itrs-test-node-pool-1-bfcjk-rtfmi-p6akk   <none>

A matching toleration therefore needs to be defined for the NetProbe DaemonSet. Example Helm chart values:

daemonSet:
  probeName: "[[$env:DEFAULT_PROBE_NAME]]"

  affinity: {}
  nodeSelector: {}
  tolerations:
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Exists"
    effect: "NoSchedule"

Note that the NetProbe must run on the Control Plane node.
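The taint and toleration matching described above, worked through in Python as an added example (not code from the Geneos documentation or the netprobe Helm chart). The node list is constructed from the `kubectl get nodes` output above and the toleration from the daemonSet.tolerations values snippet; the matching rules follow the Kubernetes scheduler semantics, including the Equal operator and empty key/effect wildcards not shown on this page.

```python
"""Which nodes can the NetProbe DaemonSet pod land on, given node taints and
the pod's tolerations? Added example; nodes and tolerations are constructed
from the output and Helm values shown on this page."""

# Constructed from the TAINTS column above: only the control-plane node is tainted.
NODES = {
    "itrs-test-1b3fg-ef67k": [
        {"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}],
    "itrs-test-node-pool-1-bfcjk-rtfmi-khl67": [],
    "itrs-test-node-pool-1-bfcjk-rtfmi-m4q2y": [],
    "itrs-test-node-pool-1-bfcjk-rtfmi-p6akk": [],
}

NO_TOLERATIONS = []
# The daemonSet.tolerations entry from the Helm values above.
CONTROL_PLANE_TOLERATION = [{"key": "node-role.kubernetes.io/control-plane",
                             "operator": "Exists", "effect": "NoSchedule"}]

def tolerates(toleration, taint):
    """Kubernetes matching rules: an empty key with operator Exists matches
    every key; an empty effect matches every effect; Equal (the default
    operator) also compares the value."""
    op = toleration.get("operator", "Equal")
    key = toleration.get("key", "")
    if key and key != taint["key"]:
        return False
    if not key and op != "Exists":
        return False
    if op == "Equal" and toleration.get("value", "") != taint.get("value", ""):
        return False
    eff = toleration.get("effect", "")
    return eff == "" or eff == taint["effect"]

def schedulable_nodes(nodes, tolerations):
    """Nodes on which every NoSchedule/NoExecute taint is tolerated.
    PreferNoSchedule taints only lower preference, so they never exclude."""
    result = []
    for name, taints in nodes.items():
        blocking = [t for t in taints if t["effect"] in ("NoSchedule", "NoExecute")]
        if all(any(tolerates(tol, t) for tol in tolerations) for t in blocking):
            result.append(name)
    return result

if __name__ == "__main__":
    print("without toleration:", schedulable_nodes(NODES, NO_TOLERATIONS))
    print("with toleration:   ", schedulable_nodes(NODES, CONTROL_PLANE_TOLERATION))
```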
