Back to Details

verify-ssi

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Verify APM SSI on Kubernetes

在Kubernetes上验证APM SSI

Before doing anything else: Fully resolve all variables in 
## Context to resolve before acting
. Do not begin Step 1 until every variable has a concrete value.
操作前注意事项: 先完全解析
## 操作前需确定的上下文
中的所有变量。所有变量都有具体值后再开始步骤1。

Triggers

触发条件

Invoke this skill when the user expresses intent to:
  • Confirm SSI is working after enabling APM
  • Check whether pods are being instrumented
  • Verify the tracer is running and reporting telemetry
  • Confirm tracer config is applied correctly
Do NOT invoke this skill if:
  • SSI has not been enabled yet — run 
    enable-ssi
    first
  • Pods are not being instrumented at all — use 
    troubleshoot-ssi
当用户表达以下意图时调用此技能:
  • 确认启用APM后SSI是否正常工作
  • 检查Pod是否已被插桩
  • 验证追踪器是否正在运行并上报遥测数据
  • 确认追踪器配置已正确应用
以下情况请勿调用此技能:
  • SSI尚未启用——请先执行
    enable-ssi
  • Pod完全未被插桩——请使用
    troubleshoot-ssi

Prerequisites

前置条件

  • enable-ssi
    is complete
  • Application pods have been restarted since SSI was enabled
  • enable-ssi
    已执行完成
  • 启用SSI后已重启应用Pod

pup-cli: check, install, and authenticate

pup-cli:检查、安装与认证

Claude runs

Claude执行

bash
pup --version
If not found:
bash
pup --version
若未找到:

Claude runs

Claude执行

bash
brew tap datadog-labs/pack
brew install pup
Check auth:
bash
pup auth status --site <DD_SITE>
If not authenticated:
bash
brew tap datadog-labs/pack
brew install pup
检查认证状态:
bash
pup auth status --site <DD_SITE>
若未认证:

Claude runs

Claude执行

bash
pup auth login --site <DD_SITE>
This opens a browser tab for OAuth. Complete the login there — Claude will continue once the command exits.
If valid token — proceed. ERROR: No browser available — use API key fallback: 
export DD_APP_KEY=<your-app-key>
bash
pup auth login --site <DD_SITE>
此命令会打开浏览器标签页进行OAuth认证。完成登录后,Claude将继续执行后续操作。
若存在有效令牌——继续执行。 错误:无可用浏览器——使用API密钥备选方案:
export DD_APP_KEY=<your-app-key>

Context to resolve before acting

操作前需确定的上下文

VariableHow to resolve
CLUSTER_NAME
Check 
spec.global.clusterName
in 
datadog-agent.yaml
, or 
kubectl config current-context
ENV
Check 
tags.datadoghq.com/env
label on the application Deployment
SERVICE_NAME
Check 
tags.datadoghq.com/service
label on the application Deployment
变量确定方式
CLUSTER_NAME
查看
datadog-agent.yaml
中的
spec.global.clusterName
,或执行
kubectl config current-context
ENV
查看应用Deployment上的
tags.datadoghq.com/env
标签
SERVICE_NAME
查看应用Deployment上的
tags.datadoghq.com/service
标签

Step 1: Confirm Pods are Instrumented

步骤1:确认Pod已被插桩

Claude runs

Claude执行

bash
kubectl get pod -l app=<APP_LABEL> -n <APP_NAMESPACE> \
  -o jsonpath='{.items[0].spec.initContainers[*].name}'
If the output includes 
datadog-lib-<language>-init
and 
datadog-init-apm-inject
— SSI init containers are injected.
ERROR: Init containers missing — pod was not restarted after SSI was enabled, or namespace targeting is not matching. Restart the pod and recheck.
bash
kubectl get pod -l app=<APP_LABEL> -n <APP_NAMESPACE> \
  -o jsonpath='{.items[0].spec.initContainers[*].name}'
若输出包含
datadog-lib-<language>-init
datadog-init-apm-inject
——说明SSI初始化容器已注入。
错误:缺少初始化容器——启用SSI后未重启Pod,或命名空间匹配规则不正确。请重启Pod后重新检查。

Step 2: Confirm the Tracer is Reporting Telemetry

步骤2:确认追踪器正在上报遥测数据

Claude runs

Claude执行

bash
DD_SITE=<DD_SITE> pup apm services list --env <ENV> --from 1h
If 
<SERVICE_NAME>
appears in the services list with 
isTraced: true
— continue to Step 3.
ERROR: Service missing — send some traffic to the app first, then retry:
bash
DD_SITE=<DD_SITE> pup apm services list --env <ENV> --from 1h
若服务列表中出现
<SERVICE_NAME>
isTraced: true
——继续步骤3。
错误:服务未出现——先向应用发送一些流量,然后重试:

Claude runs

Claude执行

bash
undefined
bash
undefined

Port-forward and send test traffic

端口转发并发送测试流量

kubectl port-forward deployment/<DEPLOYMENT_NAME> 8099:8000 -n <APP_NAMESPACE> & sleep 2 && for i in $(seq 1 10); do curl -s -o /dev/null http://localhost:8099/; done sleep 30 && kill %1 2>/dev/null DD_SITE=<DD_SITE> pup apm services list --env <ENV> --from 10m

ERROR: Still missing after traffic — check the agent's trace receiver: `kubectl exec -n <AGENT_NAMESPACE> <AGENT_POD> -c agent -- agent status | grep -A 10 "Receiver (previous minute)"`. If receiver shows 0 traces, go to `troubleshoot-ssi`.

---
kubectl port-forward deployment/<DEPLOYMENT_NAME> 8099:8000 -n <APP_NAMESPACE> & sleep 2 && for i in $(seq 1 10); do curl -s -o /dev/null http://localhost:8099/; done sleep 30 && kill %1 2>/dev/null DD_SITE=<DD_SITE> pup apm services list --env <ENV> --from 10m

错误:发送流量后仍未出现——检查Agent的追踪接收器:`kubectl exec -n <AGENT_NAMESPACE> <AGENT_POD> -c agent -- agent status | grep -A 10 "Receiver (previous minute)"`。若接收器显示0条追踪数据,请执行`troubleshoot-ssi`。

---

Step 3: Confirm Tracer Configuration

步骤3:确认追踪器配置

Only run this step if 
ddTraceConfigs
was explicitly configured in 
enable-ssi
 (e.g. profiling, AppSec, Data Streams). If basic SSI was set up without 
ddTraceConfigs
, skip this step — an empty response here is expected and not a failure.
仅当在
enable-ssi
中明确配置了
ddTraceConfigs
时才执行此步骤(例如性能分析、AppSec、数据流)。如果基础SSI设置未配置
ddTraceConfigs
,请跳过此步骤——此处返回空响应是预期情况,不属于失败。

Claude runs

Claude执行

bash
pup apm service-library-config get \
  --service-name <SERVICE_NAME> \
  --env <ENV>
If the output shows expected environment variables matching what was configured in 
ddTraceConfigs
— done.
If the output is empty and 
ddTraceConfigs
was not configured — expected, not a failure.
ERROR: Config missing but 
ddTraceConfigs
was configured — check it is present in the 
DatadogAgent
manifest under the correct target, and that pods were restarted after the config change.
bash
pup apm service-library-config get \
  --service-name <SERVICE_NAME> \
  --env <ENV>
若输出显示与
ddTraceConfigs
中配置一致的预期环境变量——验证完成。
若输出为空且未配置
ddTraceConfigs
——属于预期情况,不属于失败。
错误:已配置
ddTraceConfigs
但配置缺失——检查
DatadogAgent
清单中对应目标下是否存在该配置,以及配置变更后是否重启了Pod。

Done

完成标志

Exit when ALL of the following are true:
  • Step 1: target pods appear in 
    instrumented-pods list
  • Step 2: service appears in 
    tracers list
    with active status
  • Step 3: tracer config matches what was set in 
    DatadogAgent
If any check fails, go to 
troubleshoot-ssi
.
When all steps pass, automatically proceed to 
onboarding-summary
now — do not ask the user for permission.
满足以下所有条件时退出:
  • 步骤1:目标Pod出现在
    instrumented-pods list
  • 步骤2:服务出现在
    tracers list
    中且状态为活跃
  • 步骤3:追踪器配置与
    DatadogAgent
    中的设置一致
若任意检查失败,请执行
troubleshoot-ssi
当所有步骤通过后,自动进入
onboarding-summary
——无需询问用户许可。

Security constraints

安全约束

  • Never write a raw API key into any file or chat message
  • Never run 
    kubectl delete
    without user confirmation
  • 切勿将原始API密钥写入任何文件或聊天消息
  • 未经用户确认,切勿执行
    kubectl delete
    命令