This article explains how to deploy your Telemetry Collector in a Kubernetes environment. It assumes you have already configured your Telemetry Collector, met the required system requirements, have a Kubernetes cluster available that can be configured via helm, and have already deployed a Gateway Sensor Collector to work with your Telemetry Collector.
Step 1. Retrieve Telemetry Collector Helm Charts
Download the Telemetry Collector helm charts to a local file and transfer it to the working directory on the machine where you configure your Kubernetes cluster via helm.
Step 2. Retrieve The Telemetry Collector Docker Image (Required only for Air gapped deployments)
Download the docker image for the Telemetry Collector to a local file and transfer it to the working directory on the machine where you configure your Kubernetes cluster via helm.
Command for pulling the image:
docker pull gcr.io/sky-agents/agent-telemetry-amd64:ca
Example for saving image to a file:
docker save -o agent-telemetry-amd64-ca.tar gcr.io/sky-agents/agent-telemetry-amd64:ca
Load the saved docker image into the helm machine's local docker registry.
Example:
docker load -i agent-telemetry-amd64-ca.tar
Step 3. Import The Telemetry Collector Image Into The Kubernetes Cluster (Required only for Air gapped deployments)
The Telemetry Collector docker image must be uploaded to the Kubernetes cluster's OCI registry. If you're using the Provider Connectivity Assurance Kubernetes cluster, you can follow the example below. If you're using your own registry, you must upload the image to it.
Example:
kubectl get secret kotsadm-replicated-registry -n pca -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d
{"auths":{"10.244.128.11:5000":{"auth":"ZW1iZWRkZWQtY2x1c3RlcjpsRFVkTWRqZjg5dWlGcHV6ODBvQQ=="}}}
In this case 10.244.128.11:5000 is the address of our internal registry. We will use that below.
Decode the Base64 from the previous response to get our authentication credentials:
Example:
echo 'ZW1iZWRkZWQtY2x1c3RlcjpsRFVkTWRqZjg5dWlGcHV6ODBvQQ==' | base64 -d
embedded-cluster:lDUdMdjf89uiFpuz80oA
Use the extracted address and credentials to log into the docker registry.
Example:
docker login 10.244.128.11:5000 -u embedded-cluster -p password
Re-tag the Telemetry Collector image for the PCA cluster's internal registry.
Example:
docker tag gcr.io/sky-agents/agent-telemetry-amd64:ca 10.244.128.11:5000/pca-dev/agent-telemetry-amd64:ca
Push the re-tagged image to the PCA cluster's internal registry:
Example:
docker push 10.244.128.11:5000/pca-dev/agent-telemetry-amd64:ca
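The Step 3 procedure as one script, added here as an example (it is not part of the original article or the product's tooling): it reads the registry address and credentials from the pull secret and logs in with --password-stdin, so the password does not end up in shell history or the process list. The function names are hypothetical, and the sed parsing assumes the secret holds a single registry entry, as in the sample output above.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of the product.
# Assumes the pull secret contains exactly one registry entry, as in the
# sample output shown in this step.

SRC_IMAGE='gcr.io/sky-agents/agent-telemetry-amd64:ca'

# Print the registry address (the first key under "auths").
registry_from_config() {
  printf '%s' "$1" |
    sed -n 's/.*"auths"[[:space:]]*:[[:space:]]*{[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print the decoded "user:password" pair from the "auth" field.
creds_from_config() {
  printf '%s' "$1" |
    sed -n 's/.*"auth"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
    base64 -d
}

# Log in, re-tag and push. Defined only; call it explicitly when ready.
push_to_cluster_registry() {
  cfg=$(kubectl get secret kotsadm-replicated-registry -n pca \
        -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d) || return 1
  reg=$(registry_from_config "$cfg")
  creds=$(creds_from_config "$cfg")
  if [ -z "$reg" ] || [ -z "$creds" ]; then
    echo "could not parse registry credentials from secret" >&2
    return 1
  fi
  # The password travels over stdin, never on the command line.
  printf '%s' "${creds#*:}" |
    docker login "$reg" -u "${creds%%:*}" --password-stdin || return 1
  docker tag "$SRC_IMAGE" "$reg/pca-dev/agent-telemetry-amd64:ca" &&
    docker push "$reg/pca-dev/agent-telemetry-amd64:ca"
}

# Offline check against the sample secret output shown in this article.
SAMPLE='{"auths":{"10.244.128.11:5000":{"auth":"ZW1iZWRkZWQtY2x1c3RlcjpsRFVkTWRqZjg5dWlGcHV6ODBvQQ=="}}}'
echo "registry: $(registry_from_config "$SAMPLE")"
echo "user:     $(creds_from_config "$SAMPLE" | cut -d: -f1)"
```

Source the file and run push_to_cluster_registry on the helm machine once kubectl and docker are pointed at the right cluster and daemon.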
Step 4. Create Agent CA Secret (For Connecting To Sensor Collector)
Create a Kubernetes secret for the trusted certificate authority that will be added to the Telemetry Collector's trust store to ensure that the TLS connection to the sensor collector can be established.
If you used the Configure Sensor Collector steps to create your certificates, you will need the myNewCa.pem file produced in step 6. If your certificate was created another way, you will have to obtain the PEM file of the certificate authority. Run the following command with your {CA_FILE} substituted in on your Kubernetes cluster. Note that you can specify your own namespace or re-use the namespace you used when setting up a Sensor Collector.
Example:
kubectl create secret generic ca-certificate-secret --from-file=ca.pem=${CA_FILE} --namespace cisco-sensor-collectors
Step 5. Create Values File
Create a values.yaml file that will be used by helm during the install. It must contain the following information:
agentAgentId: {agent id retrieved from PCA UI}
agentAuthenticationToken: {agent token retrieved from PCA UI}
agentManagement: {IP address of your sensor collector instance}
agentManagementPort: {management port from the sensor collector provisioning}
custom_ca_certificates:
  ca:
    enabled: true
    secretName: ca-certificate-secret
    secretKey: ca.pem
image:
  repository: {In air gapped environments, image location updated to the local registry. For online installs gcr.io/sky-agents/agent-telemetry-amd64}
imagePullSecrets:
  - name: {registry secret for registry setup in step 3. imagePullSecrets not required if using gcr.io/sky-agents}
NOTE: This assumes that you have already run through the deployment steps for the sensor collector. If using PCA's registry, the pca-dev-registry pull secret is created automatically as part of the Sensor Collector installation process, so you must create your telemetry collector in the same namespace. This secret provides helm the credentials to pull the Telemetry Collector image from the PCA cluster's internal registry.
If you are deploying into a different namespace, you will need to create a pull secret in that namespace with the same credentials as pca-dev-registry and update the values.yaml accordingly.
Step 6. Install The Telemetry Collector
Helm install the Telemetry Collector, referencing the locally pulled chart and the values.yaml file that you just created. Note that you can specify your own namespace or re-use the namespace you used when setting up a Sensor Collector, but you must use the same namespace as selected in Step 4.
Example:
helm install telemetry-collector ./telemetry-collector-ca.tgz -f ./values.yaml -n cisco-sensor-collectors
© 2026 Cisco and/or its affiliates. All rights reserved.