diff --git a/README.md b/README.md
index bb53a0a..4c8079e 100644
--- a/README.md
+++ b/README.md
@@ -121,6 +121,7 @@ No modules.
 | [cluster\_id](#input\_cluster\_id) | The ID of the cluster you wish to deploy the agent in | `string` | n/a | yes |
 | [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The Resource Group ID of the cluster | `string` | n/a | yes |
 | [container\_filter](#input\_container\_filter) | To filter custom containers, specify which containers to include or exclude from metrics collection for the cloud monitoring agent. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data. |
list(object({
type = string
parameter = string
name = string
}))
| `[]` | no |
+| [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal eBPF enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md). | `bool` | `true` | no |
 | [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using the Sysdig Agent `access_key`. Specify the name of a Kubernetes secret containing an access-key entry. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
 | [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull the Cloud Monitoring agent images from. For example `icr.io`, `quay.io`, etc. | `string` | `"icr.io"` | no |
 | [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull the Cloud Monitoring agent images from. | `string` | `"ext/sysdig"` | no |
diff --git a/examples/obs-agent-iks/main.tf b/examples/obs-agent-iks/main.tf
index fcc1c0f..9992d85 100644
--- a/examples/obs-agent-iks/main.tf
+++ b/examples/obs-agent-iks/main.tf
@@ -110,4 +110,5 @@ module "monitoring_agents" {
 # # Monitoring agent
 access_key = module.cloud_monitoring.access_key
 cloud_monitoring_instance_region = var.region
+ enable_universal_ebpf = true
 }
diff --git a/examples/obs-agent-ocp/main.tf b/examples/obs-agent-ocp/main.tf
index be816b1..7a8e058 100644
--- a/examples/obs-agent-ocp/main.tf
+++ b/examples/obs-agent-ocp/main.tf
@@ -54,7 +54,7 @@ locals {
 subnet_prefix = "default"
 pool_name = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
 machine_type = "bx2.4x16"
- operating_system = "REDHAT_8_64"
+ operating_system = "RHEL_9_64"
 workers_per_zone = 2 # minimum of 2 is allowed when using single zone
 }
 ]
@@ -107,7 +107,8 @@ module "monitoring_agents" {
 access_key = module.cloud_monitoring.access_key
 cloud_monitoring_instance_region = var.region
 # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
- metrics_filter = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
- container_filter = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
- blacklisted_ports = [22, 2379, 3306]
+ metrics_filter = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
+ container_filter = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+ blacklisted_ports = [22, 2379, 3306]
+ enable_universal_ebpf = true
 }
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 2635530..e5d8f85 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -259,6 +259,9 @@
 },
 {
 "key": "wait_till_timeout"
+ },
+ {
+ "key": "enable_universal_ebpf"
 }
 ],
 "install_type": "fullstack"
diff --git a/main.tf b/main.tf
index 221d5cd..5e29207 100644
--- a/main.tf
+++ b/main.tf
@@ -131,6 +131,15 @@ resource "helm_release" "cloud_monitoring_agent" {
 type = "string"
 value = regex("@(.*)", var.kernel_module_image_tag_digest)[0]
 }
+ set {
+ name = "agent.ebpf.enabled"
+ value = var.enable_universal_ebpf
+ }
+
+ set {
+ name = "agent.ebpf.kind"
+ value = "universal_ebpf"
+ }
 # Specific to SCC WP, enabled by default
 set {
 name = "nodeAnalyzer.enabled"
diff --git a/solutions/fully-configurable/DA-docs.md b/solutions/fully-configurable/DA-docs.md
new file mode 100644
index 0000000..5e6fff2
--- /dev/null
+++ b/solutions/fully-configurable/DA-docs.md
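Review bot: In the `main.tf` hunk, `agent.ebpf.kind` is set to `"universal_ebpf"` unconditionally in the second new `set` block while `agent.ebpf.enabled` follows `var.enable_universal_ebpf`, so the chart receives a probe kind even when eBPF is switched off; if the chart ignores the kind whenever enabled is false this is harmless, but gating the kind on the same variable keeps the two values from disagreeing and makes the intent visible in the plan. The new blocks also carry no comment, unlike the neighbouring `# Specific to SCC WP, enabled by default` line, so a reader cannot see how they relate to the digest-pinned kernel-module image set just above; I would add `# Universal eBPF instrumentation, kernel 5.8+ required (see var.enable_universal_ebpf); the kernel-module image pinned above is presumably the non-eBPF path — confirm against the chart`. The `helm_release` resource starts and ends outside the hunk.
```hcl
  set {
    name  = "agent.ebpf.enabled"
    value = var.enable_universal_ebpf
  }

  # Only pass the probe kind when eBPF is actually enabled, so the two values cannot disagree
  dynamic "set" {
    for_each = var.enable_universal_ebpf ? [1] : []
    content {
      name  = "agent.ebpf.kind"
      value = "universal_ebpf"
    }
  }
  # … unchanged: nodeAnalyzer set block …
```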
@@ -0,0 +1,17 @@
+## When to Enable `enable_universal_ebpf`
+
+For Clusters using Red Hat CoreOS (RHCOS) or RHEL 9 nodes with restricted outbound internet access, the monitoring agent pods may fail to start due to the inability to retrieve kernel modules which are necessary for the agent to connect with kernel.
+
+Setting the input variable `enable_universal_ebpf` to `true` ensures the agent uses eBPF-based instrumentation, which avoids the need for external downloads and allows successful deployment in restricted environments.
+
+### When Should You Enable It?
+
+Set `enable_universal_ebpf` to true if:
+
+- Your cluster nodes run on RHCOS or RHEL 9 and do not have public or outbound internet access.
+- You want to avoid relying on dynamic downloads for kernel modules.
+
+### Kernel Compatibility
+
+- **RHCOS and RHEL9**: Since kernel version **5.14 or later** is used. Default value for variable has been set to true.
+- **RHEL 8**: Although it uses kernel version **4.18**, the necessary kernel headers are pre-installed, so enabling eBPF is safe and has no impact.
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 20554b6..bf545aa 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -42,4 +42,5 @@ module "monitoring_agent" {
 agent_limits_memory = var.agent_limits_memory
 agent_requests_cpu = var.agent_requests_cpu
 agent_requests_memory = var.agent_requests_memory
+ enable_universal_ebpf = var.enable_universal_ebpf
 }
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index ad6be59..5113642 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -232,3 +232,9 @@ variable "agent_limits_memory" {
 description = "Specifies the memory limit for the agent."
 default = "1024Mi"
 }
+
+variable "enable_universal_ebpf" {
+ type = bool
+ description = "Deploy monitoring agent with universal eBPF enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md)."
+ default = true
+}
diff --git a/tests/resources/main.tf b/tests/resources/main.tf
index 1ad6f54..eb27725 100644
--- a/tests/resources/main.tf
+++ b/tests/resources/main.tf
@@ -55,7 +55,7 @@ locals {
 pool_name = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
 machine_type = "bx2.4x16"
 workers_per_zone = 2 # minimum of 2 is allowed when using single zone
- operating_system = "REDHAT_8_64"
+ operating_system = "RHCOS"
 }
 ]
 }
diff --git a/variables.tf b/variables.tf
index b7d8742..6343415 100644
--- a/variables.tf
+++ b/variables.tf
@@ -256,3 +256,9 @@ variable "agent_limits_memory" {
 description = "Specifies the memory limit for the agent."
 default = "1024Mi"
 }
+
+variable "enable_universal_ebpf" {
+ type = bool
+ description = "Deploy monitoring agent with universal eBPF enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md)."
+ default = true
+}
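Review bot: The description in the new `variable "enable_universal_ebpf"` block in `variables.tf` says the feature requires kernel 5.8+, yet the default is `true` and the DA-docs.md page that the same description links to (added in this commit) states that RHEL 8 on kernel 4.18 is safe with eBPF enabled; the two statements contradict each other, and since the module has no way to validate the worker kernel version, a reader cannot tell from either text what happens on a node that does not meet the requirement. The identical description is duplicated in the `solutions/fully-configurable/variables.tf` hunk at the top of this section, so both need the same correction. I would have the description state the consequence of the requirement explicitly, e.g. `description = "Deploy the monitoring agent with universal eBPF instrumentation. Requires kernel version 5.8+ on the worker nodes; leave it false on clusters whose nodes run an older kernel. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md)."`, and reconcile the RHEL 8 bullet in DA-docs.md with whichever statement is authoritative.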