This is documentation for the next version of Agent. For the latest stable release, go to the latest version.

Open source


remote.kubernetes.configmap reads a ConfigMap from the Kubernetes API server and exposes its data for other components to consume.

This can be useful anytime Grafana Agent Flow needs data from a ConfigMap that is not directly mounted to the Grafana Agent pod.


remote.kubernetes.configmap "LABEL" {


The following arguments are supported:

namespacestringKubernetes namespace containing the desired ConfigMap.yes
namestringName of the Kubernetes ConfigMapyes
poll_frequencydurationFrequency to poll the Kubernetes API."1m"no
poll_timeoutdurationTimeout when polling the Kubernetes API."15s"no

When this component performs a poll operation, it requests the ConfigMap data from the Kubernetes API. A poll is triggered by the following:

  • When the component first loads.
  • Every time the component’s arguments get re-evaluated.
  • At the frequency specified by the poll_frequency argument.

Any error while polling will mark the component as unhealthy. After a successful poll, all data is exported with the same field names as the source ConfigMap.


The following blocks are supported inside the definition of remote.kubernetes.configmap:

clientclientConfigures Kubernetes client used to find
client > basic_authbasic_authConfigure basic authentication to the Kubernetes
client > authorizationauthorizationConfigure generic authorization to the Kubernetes
client > oauth2oauth2Configure OAuth2 for authenticating to the Kubernetes
client > oauth2 > tls_configtls_configConfigure TLS settings for connecting to the Kubernetes
client > tls_configtls_configConfigure TLS settings for connecting to the Kubernetes

The > symbol indicates deeper levels of nesting. For example, client > basic_auth refers to a basic_auth block defined inside a client block.

client block

The client block configures the Kubernetes client used to discover Probes. If the client block isn’t provided, the default in-cluster configuration with the service account of the running Grafana Agent pod is used.

The following arguments are supported:

api_serverstringURL of the Kubernetes API
kubeconfig_filestringPath of the kubeconfig file to use for connecting to
bearer_token_filestringFile containing a bearer token to authenticate
proxy_urlstringHTTP proxy to proxy requests
follow_redirectsboolWhether redirects returned by the server should be followed.trueno
enable_http2boolWhether HTTP2 is supported for requests.trueno

At most, one of the following can be provided:

basic_auth block

password_filestringFile containing the basic auth
passwordsecretBasic auth
usernamestringBasic auth

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

authorization block

credentials_filestringFile containing the secret
typestringAuthorization type, for example, “Bearer”.no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

oauth2 block

client_idstringOAuth2 client
client_secret_filestringFile containing the OAuth2 client
client_secretsecretOAuth2 client
endpoint_paramsmap(string)Optional parameters to append to the token
proxy_urlstringOptional proxy URL for OAuth2
scopeslist(string)List of scopes to authenticate
token_urlstringURL to fetch the token

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

The oauth2 block may also contain a separate tls_config sub-block.

tls_config block

ca_pemstringCA PEM-encoded text to validate the server
ca_filestringCA certificate to validate the server
cert_pemstringCertificate PEM-encoded text for client
cert_filestringCertificate file for client
insecure_skip_verifyboolDisables validation of the server
key_filestringKey file for client
key_pemsecretKey PEM-encoded text for client
min_versionstringMinimum acceptable TLS
server_namestringServerName extension to indicate the name of the

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

  • ca_pem and ca_file
  • cert_pem and cert_file
  • key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

When min_version is not provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If min_version is provided, it must be set to one of the following strings:

  • "TLS10" (TLS 1.0)
  • "TLS11" (TLS 1.1)
  • "TLS12" (TLS 1.2)
  • "TLS13" (TLS 1.3)

Exported fields

The following fields are exported and can be referenced by other components:

datamap(string)Data from the ConfigMap obtained from Kubernetes.

The data field contains a mapping from field names to values.

Component health

Instances of remote.kubernetes.configmap report as healthy if the most recent attempt to poll the kubernetes API succeeds.

Debug information

remote.kubernetes.configmap does not expose any component-specific debug information.

Debug metrics

remote.kubernetes.configmap does not expose any component-specific debug metrics.


This example reads a Secret and a ConfigMap from Kubernetes and uses them to supply remote-write credentials.

remote.kubernetes.secret "credentials" {
  namespace = "monitoring"
  name = "metrics-secret"

remote.kubernetes.configmap "endpoint" {
  namespace = "monitoring"
  name = "metrics-endpoint"

prometheus.remote_write "default" {
  endpoint {
    url =["url"]
    basic_auth {
      username =["username"]
      password =["password"]

This example assumes that the Secret and ConfigMap have already been created, and that the appropriate field names exist in their data.