terraform-ibm-modules · ocofaigh · Jul 10, 2025 · Jul 9, 2025 · Jul 9, 2025 · Jul 9, 2025
@@ -121,6 +121,7 @@ No modules.
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The ID of the cluster you wish to deploy the agent in | `string` | n/a | yes |
 | <a name="input_cluster_resource_group_id"></a> [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The Resource Group ID of the cluster | `string` | n/a | yes |
 | <a name="input_container_filter"></a> [container\_filter](#input\_container\_filter) | To filter custom containers, specify which containers to include or exclude from metrics collection for the cloud monitoring agent. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data. | <pre>list(object({<br/>    type      = string<br/>    parameter = string<br/>    name      = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_enable_universal_ebpf"></a> [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy sysdig agent with universal eBPF enabled. It requires kernel version 5.8+. | `bool` | `true` | no |
 | <a name="input_existing_access_key_secret_name"></a> [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using the Sysdig Agent `access_key`. Specify the name of a Kubernetes secret containing an access-key entry. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
 | <a name="input_image_registry_base_url"></a> [image\_registry\_base\_url](#input\_image\_registry\_base\_url) | The image registry base URL to pull the Cloud Monitoring agent images from. For example `icr.io`, `quay.io`, etc. | `string` | `"icr.io"` | no |
 | <a name="input_image_registry_namespace"></a> [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull the Cloud Monitoring agent images from. | `string` | `"ext/sysdig"` | no |

@@ -110,4 +110,5 @@ module "monitoring_agents" {
   # # Monitoring agent
   access_key                       = module.cloud_monitoring.access_key
   cloud_monitoring_instance_region = var.region
+  enable_universal_ebpf            = true
 }
@@ -54,7 +54,7 @@ locals {
       subnet_prefix    = "default"
       pool_name        = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
       machine_type     = "bx2.4x16"
-      operating_system = "REDHAT_8_64"
+      operating_system = "RHEL_9_64"
       workers_per_zone = 2 # minimum of 2 is allowed when using single zone
     }
   ]
@@ -107,7 +107,8 @@ module "monitoring_agents" {
   access_key                       = module.cloud_monitoring.access_key
   cloud_monitoring_instance_region = var.region
   # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
-  metrics_filter    = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
-  container_filter  = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
-  blacklisted_ports = [22, 2379, 3306]
+  metrics_filter        = [{ exclude = "metricA.*" }, { include = "metricB.*" }]
+  container_filter      = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+  blacklisted_ports     = [22, 2379, 3306]
+  enable_universal_ebpf = true
 }
@@ -259,6 +259,9 @@
             },
             {
               "key": "wait_till_timeout"
+            },
+            {
+              "key": "enable_universal_ebpf"
             }
           ],
           "install_type": "fullstack"

@@ -131,6 +131,15 @@ resource "helm_release" "cloud_monitoring_agent" {
     type  = "string"
     value = regex("@(.*)", var.kernel_module_image_tag_digest)[0]
   }
+  set {
+    name  = "agent.ebpf.enabled"
+    value = var.enable_universal_ebpf
+  }
+
+  set {
+    name  = "agent.ebpf.kind"
+    value = "universal_ebpf"
+  }
   # Specific to SCC WP, enabled by default
   set {
     name  = "nodeAnalyzer.enabled"

@@ -0,0 +1,18 @@
+## When to Enable `enable_universal_ebpf`
+
+For Clusters using Red Hat CoreOS (RHCOS) or RHEL 9 nodes with restricted outbound internet access, the monitoring agent pods may fail to start due to the inability to retrieve kernel modules which are necessary for the agent to connect with kernel.
+
+Setting the Terraform variable `enable_universal_ebpf` to `true` ensures the agent uses eBPF-based instrumentation, which avoids the need for external downloads and allows successful deployment in restricted environments.
+
+### When Should You Enable It?
+
+Set `enable_universal_ebpf` to true if:
+
+- Your cluster nodes run on RHCOS or RHEL 9 and do not have public or outbound internet access.
+- You want to avoid relying on dynamic downloads for kernel modules.
+
+### Kernel Compatibility
+
+- **RHCOS and RHEL9**: Since kernel version **5.14** is used. Default value for variable has been set to true.
+- **RHEL 8**: Although it uses kernel version **4.18**, the necessary kernel headers are pre-installed, so enabling eBPF is safe and has no impact.
+
@@ -42,4 +42,5 @@ module "monitoring_agent" {
   agent_limits_memory                     = var.agent_limits_memory
   agent_requests_cpu                      = var.agent_requests_cpu
   agent_requests_memory                   = var.agent_requests_memory
+  enable_universal_ebpf                   = var.enable_universal_ebpf
 }
@@ -232,3 +232,9 @@ variable "agent_limits_memory" {
   description = "Specifies the memory limit for the agent."
   default     = "1024Mi"
 }
+
+variable "enable_universal_ebpf" {
+  type        = bool
+  description = "Deploy monitoring agent with universal eBPF enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md)."
+  default     = true
+}
@@ -55,7 +55,7 @@ locals {
       pool_name        = "default" # ibm_container_vpc_cluster automatically names default pool "default" (See https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2849)
       machine_type     = "bx2.4x16"
       workers_per_zone = 2 # minimum of 2 is allowed when using single zone
-      operating_system = "REDHAT_8_64"
+      operating_system = "RHCOS"
     }
   ]
 }

@@ -256,3 +256,9 @@ variable "agent_limits_memory" {
   description = "Specifies the memory limit for the agent."
   default     = "1024Mi"
 }
+
+variable "enable_universal_ebpf" {
+  type        = bool
+  description = "Deploy monitoring agent with universal eBPF enabled. It requires kernel version 5.8+. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/tree/main/solutions/fully-configurable/DA-docs.md)."
+  default     = true
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -259,6 +259,9 @@ @@
                 },
                 {
                   "key": "wait_till_timeout"
+                },
+                {
+                  "key": "enable_universal_ebpf"
                 }
               ],
               "install_type": "fullstack"
@@ Expand Down @@