Kubernetes access lets Foggy check pod status, inspect deployments and ReplicaSets, read cluster events, and correlate infrastructure state with application behaviour during an investigation.Documentation Index
Fetch the complete documentation index at: https://docs.foggyhq.com/llms.txt
Use this file to discover all available pages before exploring further.
Kubernetes access requires Foggy to run inside — or talk through — your cluster. Cloud Foggy alone cannot reach a private Kubernetes API server. Use one of the two paths below.
Two supported paths
| Deployment | How it connects | What you do |
|---|---|---|
| Self-hosted Foggy (in the same cluster) | Uses the pod’s in-cluster ServiceAccount. Helm installs a read-only ClusterRole (foggy-readonly) and binds it. | Nothing. It works the moment the install completes. |
| Satellite in the target cluster (cloud Foggy or self-hosted Foggy to a different cluster) | The Satellite agent runs in the cluster you want Foggy to see. It queries the local API server using its own ServiceAccount and streams results back over an outbound TLS connection. | Deploy the Satellite with the Helm command generated from Integrations → Satellite → Show Setup Command. |
What Foggy can do
| Tool | Description |
|---|---|
| Pods | Status, restart counts, OOMKills, resource usage |
| Deployments | Rollout status, replica counts, recent changes |
| Events | Warnings and errors emitted by the control plane |
| Namespaces | List and discover workloads by namespace |
foggy-readonly ClusterRole grants exactly get, list, and watch on the relevant resource kinds. See Kubernetes RBAC for the exhaustive list and any namespace-scoped installation options.
Security properties
- Read-only. Foggy never creates, updates, or deletes resources. Write verbs are not granted, regardless of which path you use.
- Credentials stay local. With self-hosted, the ServiceAccount token never leaves the cluster. With Satellite, the agent holds the credentials inside your network and only streams query results out.
- Outbound-only (Satellite path). No inbound port has to be opened on your cluster. Satellite initiates all connections.
Troubleshooting
- “No Kubernetes data” in an investigation — on self-hosted, confirm the Helm release installed the
foggy-readonlyClusterRole and that the Foggy pods mounted the ServiceAccount. On Satellite, confirm the card on Integrations → Satellite shows Connected. - Self-hosted Foggy can’t see a namespace — the install may be namespace-scoped. Check
values.yamlforrbac.namespaceand widen if needed. See Kubernetes RBAC. - Satellite is connected but Kubernetes queries time out — the Satellite pod can reach Foggy but not the API server. Check network policies and the Satellite’s own ServiceAccount permissions inside the target cluster.
Next steps
Install Foggy self-hosted
In-cluster install. Kubernetes is auto-connected on first boot.
Satellite
Outbound-only agent for any cluster you cannot expose to Foggy directly.
Kubernetes RBAC
The exact verbs and resource kinds Foggy requests.
Grafana
Pair with Grafana to correlate cluster state with metrics and logs.