Sentinel — Host Agent
Sentinel runs as a DaemonSet on every node in your cluster. It collects host-level telemetry: CPU, memory, disk, network metrics, process samples, journald logs, and optionally deep eBPF network flows and HTTP traces.
What it collects
| Collector | Description | Enabled by default |
|---|---|---|
| Baseline metrics | CPU, memory, disk I/O, network via procfs | ✅ |
| Process sampling | Top N processes by CPU and memory | ✅ |
| Journald logs | systemd journal with priority filtering | ✅ |
| Systemd services | Service health and state | ✅ |
| Crash detection | OOM kills, segfaults, kernel warnings | ✅ |
| Container logs | Pod log files from /var/log/pods | ✅ |
| eBPF process events | Real-time process exec/exit via eBPF | Requires sentinel.ebpf.enabled=true |
| eBPF network flows | Per-connection network flows | Requires sentinel.ebpf.enabled=true |
| eBPF HTTP tracing | L7 HTTP request tracing | Requires sentinel.ebpf.enabled=true |
Architecture
Sentinel uses hostPID: true to observe all processes on the node. In eBPF mode it requires privileged: true to load kernel programs. In baseline mode it runs with minimal capabilities (SYS_PTRACE only).
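An added example (not part of Sentinel or its documentation) that checks a DaemonSet object against the posture described above: hostPID in both modes, privileged only in eBPF mode, and no added capability other than SYS_PTRACE in baseline mode. The function name, the sample objects and the names "sentinel-example" and "agent" are assumptions made for illustration.

```python
import json
import sys

BASELINE_CAPS = {"SYS_PTRACE"}  # baseline mode per the page: SYS_PTRACE only


def audit_daemonset(ds, ebpf_enabled):
    """Return deviations of a parsed DaemonSet object from the documented posture."""
    findings = []
    pod = ds["spec"]["template"]["spec"]
    if pod.get("hostPID") is not True:
        findings.append("pod: hostPID is not true, host processes are not visible")
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        privileged = sc.get("privileged") is True
        extra = set((sc.get("capabilities") or {}).get("add") or []) - BASELINE_CAPS
        if ebpf_enabled and not privileged:
            findings.append(f"{c['name']}: eBPF mode needs privileged: true")
        if not ebpf_enabled and privileged:
            findings.append(f"{c['name']}: privileged: true in baseline mode")
        if not ebpf_enabled and extra:
            findings.append(f"{c['name']}: unexpected capabilities {sorted(extra)}")
    return findings


def sample(host_pid, security_context):
    # Constructed object shaped like `kubectl get daemonset -o json` output;
    # the DaemonSet and container names are placeholders, not Sentinel's own.
    return {"kind": "DaemonSet", "metadata": {"name": "sentinel-example"},
            "spec": {"template": {"spec": {"hostPID": host_pid, "containers": [
                {"name": "agent", "securityContext": security_context}]}}}}


BASELINE_OK = sample(True, {"capabilities": {"add": ["SYS_PTRACE"]}})
BASELINE_DRIFT = sample(True, {"privileged": True,
                               "capabilities": {"add": ["SYS_PTRACE", "SYS_ADMIN"]}})
EBPF_OK = sample(True, {"privileged": True})

if __name__ == "__main__":
    files = [a for a in sys.argv[1:] if a != "--ebpf"]
    if files:  # audit a saved `kubectl get daemonset <name> -o json` file
        with open(files[0]) as fh:
            print(audit_daemonset(json.load(fh), "--ebpf" in sys.argv) or "OK")
    else:
        for label, ds, ebpf in [("baseline ok", BASELINE_OK, False),
                                ("baseline drift", BASELINE_DRIFT, False),
                                ("ebpf ok", EBPF_OK, True)]:
            print(label, audit_daemonset(ds, ebpf) or "OK")
```

Run it with a saved JSON file as the first argument, adding `--ebpf` when sentinel.ebpf.enabled=true is set, to audit a deployed DaemonSet instead of the constructed samples.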