Skip to main content

Kubetrace Operator

Overview

The Kubetrace Operator is a critical component that manages cluster tracing and automates secure token refresh operations. This operator is dynamically generated based on your cluster configuration and integrates with Vultr Container Registry for secure credential management. Important: The operator YAML manifest is not static. It is generated after your kubeconfig file is created and includes:
  • Cluster-specific configuration
  • Dynamically fetched registry credentials from Vultr
  • Automated token refresh mechanism that periodically updates Kubernetes authentication tokens
This ensures your cluster maintains secure, up-to-date credentials without manual intervention.

Steps

1. Generate and Install Kubetrace Operator

Description:
Deploy the Kubetrace operator to manage cluster tracing and automate token refresh for secure operations. 
# Copy the operator yaml from STEP 6 of 'Add cluster' or copy it from Operator config from Clusters page.
---
apiVersion: v1
data:
  .dockerconfigjson: "BASE64_DOCKER_CONFIG" # hidden
  operator_token: "BASE64_OPERATOR_TOKEN" # hidden
kind: Secret
metadata:
  name: kubetrace-dataclap-secrets
  namespace: kubetrace-readonly
type: kubernetes.io/dockerconfigjson
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubetrace-operator
  namespace: kubetrace-readonly
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubetrace-operator
  template:
    metadata:
      labels:
        app: kubetrace-operator
    spec:
      serviceAccountName: kubetrace-readonly-user
      imagePullSecrets:
        - name: kubetrace-dataclap-secrets
      containers:
        - name: operator
          image: "YOUR_OPERATOR_IMAGE" # hidden for security
          imagePullPolicy: Always
          env:
            - name: API_URL
              value: "YOUR_API_URL" # hidden
            - name: CLUSTER_ID
              value: "YOUR_CLUSTER_ID" # hidden
          resources:
            requests:
              cpu: "50m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
  1. Review the Manifest (Optional): The generated manifest will include:
    • A Secret containing base64-encoded Docker registry credentials and operator tokens
    • A Deployment configured with your cluster-specific environment variables
    • Appropriate service account bindings
  2. Apply the Operator Manifest:
Run the following command to deploy the operator: 
kubectl apply -f kubetrace-operator.yaml
  1. Verify the Operator is Running: 
    kubectl get pods -n kubetrace-readonly
    Expected output: 
    NAME                                  READY   STATUS    RESTARTS   AGE
kubetrace-operator-xxxxxxxxxx-xxxxx   1/1     Running   0          30s
  2. Check Operator Logs: 
    kubectl logs -f deployment/kubetrace-operator -n kubetrace-readonly
    You should see logs indicating successful token refresh and API connectivity.

Operator Configuration

The operator manifest includes the following key components: Secret Configuration:
  • Contains encrypted Docker registry credentials for pulling operator images from Vultr Container Registry
  • Includes the operator token used for authenticating with the Kubetrace API
  • All sensitive data is base64-encoded and should never be committed to version control
Deployment Configuration:
  • Uses a dedicated service account (kubetrace-readonly-user) with minimal required permissions
  • Configured with environment variables including:
    • API_URL: Kubetrace API endpoint for token refresh operations
    • CLUSTER_ID: Your unique cluster identifier
  • Resource requests and limits ensure stable operation without excessive resource consumption
Token Refresh Mechanism:
  • The operator automatically communicates with the Kubetrace API at regular intervals
  • Fetches fresh authentication tokens and updates the kubeconfig secret
  • Ensures uninterrupted monitoring without manual token management

Security Considerations

  • Never share your operator manifest: It contains sensitive credentials specific to your cluster
  • Regenerate tokens if compromised: Use the Kubetrace dashboard to revoke and regenerate operator credentials
  • Monitor operator logs: Regularly check logs for any authentication failures or connectivity issues
  • Keep operator updated: Apply updates when new versions are released to maintain security patches

Troubleshooting

Operator Pod Not Starting

Issue: Operator pod is in ImagePullBackOff or ErrImagePull state Solution:
  • Verify the image pull secret exists: 
    kubectl get secret kubetrace-dataclap-secrets -n kubetrace-readonly
  • Check if the secret is correctly referenced in the deployment
  • Ensure network connectivity to Vultr Container Registry (blr.vultrcr.com), and verify that port 443 is open.

Token Refresh Failures

Issue: Logs show authentication errors when refreshing tokens Solution:
  • Check if the operator_token in the secret is valid
  • Verify the API_URL environment variable is correct
  • Ensure the operator has network access to gateway.kubetrace.net
  • Regenerate operator credentials from the Kubetrace dashboard if needed

Service Account Permissions

Issue: Operator logs show permission denied errors Solution:
  • Verify the service account exists: 
    kubectl get sa kubetrace-readonly-user -n kubetrace-readonly
  • Check role bindings: 
    kubectl get rolebinding,clusterrolebinding -n kubetrace-readonly | grep kubetrace
  • Reapply the service account and RBAC configuration

Checking Operator Health

Commands to verify operator status: 
# Check pod status
kubectl get pods -n kubetrace-readonly

# View recent logs
kubectl logs deployment/kubetrace-operator -n kubetrace-readonly --tail=50

# Describe deployment for detailed information
kubectl describe deployment kubetrace-operator -n kubetrace-readonly

# Check secret configuration
kubectl get secret kubetrace-dataclap-secrets -n kubetrace-readonly -o yaml

Best Practices

  1. Regular Monitoring: Set up alerts for operator pod restarts or failures
  2. Backup Configuration: Keep a secure backup of your operator credentials (encrypted)
  3. Update Strategy: Follow a rolling update strategy when upgrading the operator
  4. Resource Allocation: Monitor and adjust resource requests/limits based on cluster size
  5. Network Policies: Ensure network policies allow operator communication with Kubetrace APIs

Kubetrace Support