---
title: "discovery.kubernetes | Grafana Alloy documentation"
description: "Learn about discovery.kubernetes"
---

# `discovery.kubernetes`

`discovery.kubernetes` allows you to find scrape targets from Kubernetes resources. It watches cluster state and ensures targets are continually synced with what’s running in your cluster.

If you supply no connection information, this component defaults to an in-cluster configuration. You can use a `kubeconfig` file or manual connection settings to override the defaults.

## Performance considerations

By default, `discovery.kubernetes` discovers resources across all namespaces in your cluster.

> Caution
> 
> In DaemonSet deployments, each Alloy Pod discovers and watches all resources across the cluster by default. This can significantly increase API server load and memory usage, and may cause API throttling on managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), or Google Kubernetes Engine (GKE).

For better performance and reduced API load:

- Use the [`namespaces`](#namespaces) block to limit discovery to specific namespaces.
- Use [`selectors`](#selectors) to filter resources by labels or fields.
- Consider the node-local example in [Limit to only Pods on the same node](#limit-to-only-pods-on-the-same-node).
- Use [`discovery.kubelet`](../discovery.kubelet/) for DaemonSet deployments to discover only Pods on the local node.
- Use clustering mode for larger deployments to distribute the discovery load.
- Monitor API server metrics like request rate, throttling, and memory usage, especially on managed clusters.

## Usage

```alloy
discovery.kubernetes "<LABEL>" {
  role = "<DISCOVERY_ROLE>"
}
```

## Arguments

You can use the following arguments with `discovery.kubernetes`:

| Name                     | Type                | Description                                                                                      | Default | Required |
|--------------------------|---------------------|--------------------------------------------------------------------------------------------------|---------|----------|
| `role`                   | `string`            | Type of Kubernetes resource to query.                                                            |         | yes      |
| `api_server`             | `string`            | URL of Kubernetes API server.                                                                    |         | no       |
| `bearer_token_file`      | `string`            | File containing a bearer token to authenticate with.                                             |         | no       |
| `bearer_token`           | `secret`            | Bearer token to authenticate with.                                                               |         | no       |
| `enable_http2`           | `bool`              | Support HTTP2 for requests.                                                                      | `true`  | no       |
| `follow_redirects`       | `bool`              | Follow redirects returned by the server.                                                         | `true`  | no       |
| `http_headers`           | `map(list(secret))` | Custom HTTP headers to send with each request. The map key is the header name.                   |         | no       |
| `kubeconfig_file`        | `string`            | Path of `kubeconfig` file to use for connecting to Kubernetes.                                   |         | no       |
| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |         | no       |
| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |         | no       |
| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false` | no       |
| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |         | no       |

You can provide at most one of the following:

- [`authorization`](#authorization) block
- [`basic_auth`](#basic_auth) block
- [`bearer_token_file`](#arguments) argument
- [`bearer_token`](#arguments) argument
- [`oauth2`](#oauth2) block

`no_proxy` can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. `proxy_url` must be configured if `no_proxy` is configured.

`proxy_from_environment` uses the environment variables HTTP\_PROXY, HTTPS\_PROXY, and NO\_PROXY (or the lowercase versions thereof). Requests use the proxy from the environment variable matching their scheme, unless excluded by NO\_PROXY. `proxy_url` and `no_proxy` must not be configured if `proxy_from_environment` is configured.

`proxy_connect_header` should only be configured if `proxy_url` or `proxy_from_environment` are configured.

The `role` argument specifies the type of targets to discover. `role` must be one of `node`, `pod`, `service`, `endpoints`, `endpointslice`, or `ingress`.

### `node` role

The `node` role discovers one target per cluster node with the address defaulting to the HTTP port of the `kubelet` daemon. The target address defaults to the first address of the Kubernetes node object in the address type order of `NodeInternalIP`, `NodeExternalIP`, `NodeLegacyHostIP`, and `NodeHostName`.

Discovered nodes include the following labels:

- `__meta_kubernetes_node_address_<address_type>`: The first address for each node address type, if it exists.
- `__meta_kubernetes_node_annotation_<annotationname>`: Each annotation from the node object.
- `__meta_kubernetes_node_annotationpresent_<annotationname>`: Set to `true` for each annotation from the node object.
- `__meta_kubernetes_node_label_<labelname>`: Each label from the node object.
- `__meta_kubernetes_node_labelpresent_<labelname>`: Set to `true` for each label from the node object.
- `__meta_kubernetes_node_name`: The name of the node object.
- `__meta_kubernetes_node_provider_id`: The cloud provider’s name for the node object.

In addition, the component sets the `instance` label for the node to the node name retrieved from the API server.

### `service` role

The `service` role discovers a target for each port of each service. This is generally useful for externally monitoring a service. The component sets the address to the Kubernetes DNS name of the service and respective service port.

Discovered services include the following labels:

- `__meta_kubernetes_namespace`: The namespace of the service object.
- `__meta_kubernetes_service_annotation_<annotationname>`: Each annotation from the service object.
- `__meta_kubernetes_service_annotationpresent_<annotationname>`: `true` for each annotation of the service object.
- `__meta_kubernetes_service_cluster_ip`: The cluster IP address of the service. This doesn’t apply to services of type `ExternalName`.
- `__meta_kubernetes_service_external_name`: The DNS name of the service. This only applies to services of type `ExternalName`.
- `__meta_kubernetes_service_label_<labelname>`: Each label from the service object.
- `__meta_kubernetes_service_labelpresent_<labelname>`: `true` for each label of the service object.
- `__meta_kubernetes_service_name`: The name of the service object.
- `__meta_kubernetes_service_port_name`: Name of the service port for the target.
- `__meta_kubernetes_service_port_number`: Number of the service port for the target.
- `__meta_kubernetes_service_port_protocol`: Protocol of the service port for the target.
- `__meta_kubernetes_service_type`: The type of the service.

### `pod` role

The `pod` role discovers all Pods and exposes their containers as targets. The component generates a single target for each declared port of a container.

If a container has no specified ports, the component creates a port-free target per container. You must manually inject a port using a [`discovery.relabel` component](../discovery.relabel/) before you can collect metrics from these targets.

Discovered Pods include the following labels:

- `__meta_kubernetes_namespace`: The namespace of the Pod object.
- `__meta_kubernetes_pod_annotation_<annotationname>`: Each annotation from the Pod object.
- `__meta_kubernetes_pod_annotationpresent_<annotationname>`: `true` for each annotation from the Pod object.
- `__meta_kubernetes_pod_container_id`: ID of the container the target address points to. The ID is in the form `<type>://<container_id>`.
- `__meta_kubernetes_pod_container_image`: The container image.
- `__meta_kubernetes_pod_container_init`: `true` if the container is an `InitContainer`.
- `__meta_kubernetes_pod_container_name`: Name of the container the target address points to.
- `__meta_kubernetes_pod_container_port_name`: Name of the container port.
- `__meta_kubernetes_pod_container_port_number`: Number of the container port.
- `__meta_kubernetes_pod_container_port_protocol`: Protocol of the container port.
- `__meta_kubernetes_pod_controller_kind`: Object kind of the Pod controller.
- `__meta_kubernetes_pod_controller_name`: Name of the Pod controller.
- `__meta_kubernetes_pod_host_ip`: The current host IP of the Pod object.
- `__meta_kubernetes_pod_ip`: The Pod IP of the Pod object.
- `__meta_kubernetes_pod_label_<labelname>`: Each label from the Pod object.
- `__meta_kubernetes_pod_labelpresent_<labelname>`: `true` for each label from the Pod object.
- `__meta_kubernetes_pod_name`: The name of the Pod object.
- `__meta_kubernetes_pod_node_name`: The name of the node where the Pod runs.
- `__meta_kubernetes_pod_phase`: Set to `Pending`, `Running`, `Succeeded`, `Failed`, or `Unknown` in the lifecycle.
- `__meta_kubernetes_pod_ready`: Set to `true` or `false` for the Pod’s ready state.
- `__meta_kubernetes_pod_uid`: The UID of the Pod object.
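
The port injection described above for port-free targets can be done with two relabel rules. This is an added example, not taken from the Alloy documentation; the component labels and port `9102` are assumptions.

```alloy
// Added example. Port 9102 and the component labels are placeholders.
discovery.kubernetes "pods" {
  role = "pod"
}

discovery.relabel "inject_port" {
  targets = discovery.kubernetes.pods.targets

  // A port-free target has no container port number, so the joined source
  // value is ";<pod-ip>". The regex is anchored, so targets that already
  // declare a port ("<port>;<pod-ip>") are left untouched.

  // IPv4 Pod IP (no colon in the address).
  rule {
    source_labels = ["__meta_kubernetes_pod_container_port_number", "__meta_kubernetes_pod_ip"]
    separator     = ";"
    regex         = ";([^:]+)"
    target_label  = "__address__"
    replacement   = "$1:9102"
    action        = "replace"
  }

  // IPv6 Pod IP (contains a colon): the address must be bracketed.
  rule {
    source_labels = ["__meta_kubernetes_pod_container_port_number", "__meta_kubernetes_pod_ip"]
    separator     = ";"
    regex         = ";(.*:.*)"
    target_label  = "__address__"
    replacement   = "[$1]:9102"
    action        = "replace"
  }
}

// Scrape discovery.relabel.inject_port.output instead of the raw targets.
```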

### `endpoints` role

The `endpoints` role discovers targets from listed endpoints of a service. The component discovers one target per port for each endpoint address. If a Pod backs the endpoint, the component discovers all container ports of the Pod as targets even if they aren’t bound to an endpoint port.

> Warning
> 
> The Endpoints API is deprecated in Kubernetes v1.33+. Use the EndpointSlice API instead, and switch to the `endpointslice` role below.

Discovered endpoints include the following labels:

- `__meta_kubernetes_endpoints_label_<labelname>`: Each label from the endpoints object.
- `__meta_kubernetes_endpoints_labelpresent_<labelname>`: `true` for each label from the endpoints object.
- `__meta_kubernetes_endpoints_name`: The name of the endpoints object.
- `__meta_kubernetes_namespace`: The namespace of the endpoints object.
- The component attaches the following labels to all targets discovered directly from the endpoints list:
  
  - `__meta_kubernetes_endpoint_address_target_kind`: Kind of the endpoint address target.
  - `__meta_kubernetes_endpoint_address_target_name`: Name of the endpoint address target.
  - `__meta_kubernetes_endpoint_hostname`: Hostname of the endpoint.
  - `__meta_kubernetes_endpoint_node_name`: Name of the node hosting the endpoint.
  - `__meta_kubernetes_endpoint_port_name`: Name of the endpoint port.
  - `__meta_kubernetes_endpoint_port_protocol`: Protocol of the endpoint port.
  - `__meta_kubernetes_endpoint_ready`: Set to `true` or `false` for the endpoint’s ready state.
- If the endpoints belong to a service, all labels of the `service` role discovery are also included.
- If a Pod backs the target, all labels of the `pod` role discovery are also included.

### `endpointslice` role

The `endpointslice` role discovers targets from Kubernetes endpoint slices. The component discovers one target for each endpoint address referenced in the `EndpointSlice` object. If a Pod backs the endpoint, the component discovers all container ports of the Pod as targets even if they’re not bound to an endpoint port.

Discovered endpoint slices include the following labels:

- `__meta_kubernetes_endpointslice_name`: The name of the endpoint slice object.
- `__meta_kubernetes_namespace`: The namespace of the endpoints object.
- The component attaches the following labels to all targets discovered directly from the endpoint slice list:
  
  - `__meta_kubernetes_endpointslice_address_target_kind`: Kind of the referenced object.
  - `__meta_kubernetes_endpointslice_address_target_name`: Name of the referenced object.
  - `__meta_kubernetes_endpointslice_address_type`: The IP protocol family of the target address.
  - `__meta_kubernetes_endpointslice_endpoint_conditions_ready`: Set to `true` or `false` for the referenced endpoint’s ready state.
  - `__meta_kubernetes_endpointslice_endpoint_topology_kubernetes_io_hostname`: Name of the node hosting the referenced endpoint.
  - `__meta_kubernetes_endpointslice_endpoint_topology_present_kubernetes_io_hostname`: `true` if the referenced object has a `kubernetes.io/hostname` annotation.
  - `__meta_kubernetes_endpointslice_endpoint_hostname`: Hostname of the referenced endpoint.
  - `__meta_kubernetes_endpointslice_endpoint_node_name`: Name of the node hosting the referenced endpoint.
  - `__meta_kubernetes_endpointslice_endpoint_zone`: The zone where the referenced endpoint exists. Only available when using the `discovery.k8s.io/v1` API group.
  - `__meta_kubernetes_endpointslice_port_name`: Name of the port for the referenced endpoint.
  - `__meta_kubernetes_endpointslice_port_protocol`: Protocol of the referenced endpoint.
  - `__meta_kubernetes_endpointslice_port`: Port of the referenced endpoint.
- If the endpoints belong to a service, all labels of the `service` role discovery are also included.
- If a Pod backs the target, all labels of the `pod` role discovery are also included.

### `ingress` role

The `ingress` role discovers a target for each path of each ingress. This is generally useful for externally monitoring an ingress. The component sets the address to the host specified in the Kubernetes `Ingress`’s `spec` block.

Discovered ingress objects include the following labels:

- `__meta_kubernetes_ingress_annotation_<annotationname>`: Each annotation from the ingress object.
- `__meta_kubernetes_ingress_annotationpresent_<annotationname>`: `true` for each annotation from the ingress object.
- `__meta_kubernetes_ingress_class_name`: Class name from ingress spec, if present.
- `__meta_kubernetes_ingress_label_<labelname>`: Each label from the ingress object.
- `__meta_kubernetes_ingress_labelpresent_<labelname>`: `true` for each label from the ingress object.
- `__meta_kubernetes_ingress_name`: The name of the ingress object.
- `__meta_kubernetes_ingress_path`: Path from ingress spec. Defaults to `/`.
- `__meta_kubernetes_ingress_scheme`: Protocol scheme of ingress, `https` when using TLS. Defaults to `http`.
- `__meta_kubernetes_namespace`: The namespace of the ingress object.

## Blocks

You can use the following blocks with `discovery.kubernetes`:

### `attach_metadata`

The `attach_metadata` block allows you to attach node and namespace metadata to discovered targets.

| Name        | Type   | Description                                                                                                                                                  | Default | Required |
|-------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
| `node`      | `bool` | Attach node metadata. Valid for the `pod`, `endpoints`, and `endpointslice` roles. Requires permissions to list/watch Nodes.                                 |         | no       |
| `namespace` | `bool` | Attach namespace metadata. Valid for the `pod`, `endpoints`, `endpointslice`, `service`, and `ingress` roles. Requires permissions to list/watch Namespaces. |         | no       |

### `authorization`

The `authorization` block configures generic authorization to the endpoint.

| Name               | Type     | Description                                | Default | Required |
|--------------------|----------|--------------------------------------------|---------|----------|
| `credentials_file` | `string` | File containing the secret value.          |         | no       |
| `credentials`      | `secret` | Secret value.                              |         | no       |
| `type`             | `string` | Authorization type, for example, “Bearer”. |         | no       |

`credentials` and `credentials_file` are mutually exclusive, and only one can be provided inside an `authorization` block.

> Warning
> 
> Using `credentials_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `credentials` attribute instead to avoid unnecessary reads.

### `basic_auth`

The `basic_auth` block configures basic authentication to the endpoint.

| Name            | Type     | Description                              | Default | Required |
|-----------------|----------|------------------------------------------|---------|----------|
| `password_file` | `string` | File containing the basic auth password. |         | no       |
| `password`      | `secret` | Basic auth password.                     |         | no       |
| `username`      | `string` | Basic auth username.                     |         | no       |

`password` and `password_file` are mutually exclusive, and only one can be provided inside a `basic_auth` block.

> Warning
> 
> Using `password_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `password` attribute instead to avoid unnecessary reads.

### `namespaces`

The `namespaces` block limits the namespaces to discover resources in. If you omit this block, the component searches all namespaces.

| Name            | Type           | Description                                | Default | Required |
|-----------------|----------------|--------------------------------------------|---------|----------|
| `names`         | `list(string)` | List of namespaces to search.              |         | no       |
| `own_namespace` | `bool`         | Include the namespace Alloy is running in. |         | no       |

### `oauth2`

The `oauth2` block configures OAuth 2.0 authentication to the endpoint.

| Name                     | Type                | Description                                                                                      | Default | Required |
|--------------------------|---------------------|--------------------------------------------------------------------------------------------------|---------|----------|
| `client_id`              | `string`            | OAuth2 client ID.                                                                                |         | no       |
| `client_secret_file`     | `string`            | File containing the OAuth2 client secret.                                                        |         | no       |
| `client_secret`          | `secret`            | OAuth2 client secret.                                                                            |         | no       |
| `endpoint_params`        | `map(string)`       | Optional parameters to append to the token URL.                                                  |         | no       |
| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |         | no       |
| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |         | no       |
| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false` | no       |
| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |         | no       |
| `scopes`                 | `list(string)`      | List of scopes to authenticate with.                                                             |         | no       |
| `token_url`              | `string`            | URL to fetch the token from.                                                                     |         | no       |

`client_secret` and `client_secret_file` are mutually exclusive, and only one can be provided inside an `oauth2` block.

> Warning
> 
> Using `client_secret_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `client_secret` attribute instead to avoid unnecessary reads.

The `oauth2` block may also contain a separate `tls_config` sub-block.

`no_proxy` can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. `proxy_url` must be configured if `no_proxy` is configured.

`proxy_from_environment` uses the environment variables HTTP\_PROXY, HTTPS\_PROXY, and NO\_PROXY (or the lowercase versions thereof). Requests use the proxy from the environment variable matching their scheme, unless excluded by NO\_PROXY. `proxy_url` and `no_proxy` must not be configured if `proxy_from_environment` is configured.

`proxy_connect_header` should only be configured if `proxy_url` or `proxy_from_environment` are configured.

### `selectors`

The `selectors` block contains optional label and field selectors to limit the discovery process to a subset of resources.

| Name    | Type     | Description            | Default | Required |
|---------|----------|------------------------|---------|----------|
| `role`  | `string` | Role of the selector.  |         | yes      |
| `field` | `string` | Field selector string. |         | no       |
| `label` | `string` | Label selector string. |         | no       |

Refer to Kubernetes’ documentation for [Field selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/) and [Labels and selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to learn more about the filters you can use.

The `endpoints` role supports Pod, service, and endpoints selectors. The `pod` role supports node selectors when the `attach_metadata` block sets `node = true`. Other roles only support selectors matching the role itself. For example, the `node` role can only contain node selectors.

> Note
> 
> Using multiple `discovery.kubernetes` components with different selectors may increase load on the Kubernetes API.
> 
> Use selectors to retrieve a small set of resources in a very large cluster. For smaller clusters, use a [`discovery.relabel` component](../discovery.relabel/) to filter targets instead.

### `tls_config`

The `tls_config` block configures TLS settings for connecting to the endpoint.

| Name                   | Type     | Description                                              | Default | Required |
|------------------------|----------|----------------------------------------------------------|---------|----------|
| `ca_pem`               | `string` | CA PEM-encoded text to validate the server with.         |         | no       |
| `ca_file`              | `string` | CA certificate to validate the server with.              |         | no       |
| `cert_pem`             | `string` | Certificate PEM-encoded text for client authentication.  |         | no       |
| `cert_file`            | `string` | Certificate file for client authentication.              |         | no       |
| `insecure_skip_verify` | `bool`   | Disables validation of the server certificate.           |         | no       |
| `key_file`             | `string` | Key file for client authentication.                      |         | no       |
| `key_pem`              | `secret` | Key PEM-encoded text for client authentication.          |         | no       |
| `min_version`          | `string` | Minimum acceptable TLS version.                          |         | no       |
| `server_name`          | `string` | ServerName extension to indicate the name of the server. |         | no       |

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided.

When `min_version` isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If `min_version` is provided, it must be set to one of the following strings:

- `"TLS10"` (TLS 1.0)
- `"TLS11"` (TLS 1.1)
- `"TLS12"` (TLS 1.2)
- `"TLS13"` (TLS 1.3)
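
The following added example (not part of the original documentation) combines the settings above for a connection to an API server outside the cluster: the token is loaded once through `local.file` rather than `credentials_file`, the server certificate is validated against a pinned CA, and discovery is scoped to named namespaces. The URL, file paths, and namespace names are placeholders.

```alloy
// Added example. The URL, file paths, and namespace names are placeholders.

// Load the token through local.file so it isn't re-read on every request.
// is_secret marks the exported content as a secret value.
local.file "k8s_token" {
  filename  = "/var/run/secrets/alloy/k8s-token"
  is_secret = true
}

discovery.kubernetes "remote_pods" {
  role       = "pod"
  api_server = "https://k8s-api.example.internal:6443"

  // Only one authentication method may be set: authorization is used here,
  // so bearer_token, bearer_token_file, basic_auth, and oauth2 are omitted.
  authorization {
    type        = "Bearer"
    credentials = local.file.k8s_token.content
  }

  // insecure_skip_verify is not set, so the server certificate is
  // validated against ca_file. ca_pem must not be set alongside ca_file.
  tls_config {
    ca_file     = "/etc/alloy/k8s-ca.crt"
    server_name = "k8s-api.example.internal"
    min_version = "TLS13"
  }

  // Watch only the namespaces that need scraping instead of the whole
  // cluster. The token's RBAC role then needs list/watch on Pods in these
  // namespaces only.
  namespaces {
    names = ["monitoring", "payments"]
  }
}
```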

## Exported fields

`discovery.kubernetes` exports the following fields that other components can reference:

| Name      | Type                | Description                                            |
|-----------|---------------------|--------------------------------------------------------|
| `targets` | `list(map(string))` | The set of targets discovered from the Kubernetes API. |

## Component health

`discovery.kubernetes` reports as unhealthy when you provide an invalid configuration. In those cases, exported fields retain their last healthy values.

## Debug information

`discovery.kubernetes` doesn’t expose any component-specific debug information.

## Debug metrics

`discovery.kubernetes` doesn’t expose any component-specific debug metrics.

## Examples

### In-cluster discovery

This example uses in-cluster authentication to discover all Pods:

```alloy
discovery.kubernetes "k8s_pods" {
  role = "pod"
}

prometheus.scrape "demo" {
  targets    = discovery.kubernetes.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}
```

Replace the following:

- *`<PROMETHEUS_REMOTE_WRITE_URL>`* : The URL of the Prometheus remote\_write-compatible server to send metrics to.
- *`<USERNAME>`* : The username to use for authentication to the `remote_write` API.
- *`<PASSWORD>`* : The password to use for authentication to the `remote_write` API.

### `kubeconfig` file authentication

This example uses a `kubeconfig` file to authenticate to the Kubernetes API:

```alloy
discovery.kubernetes "k8s_pods" {
  role = "pod"
  kubeconfig_file = "/etc/k8s/kubeconfig.yaml"
}

prometheus.scrape "demo" {
  targets    = discovery.kubernetes.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}
```

Replace the following:

- *`<PROMETHEUS_REMOTE_WRITE_URL>`* : The URL of the Prometheus remote\_write-compatible server to send metrics to.
- *`<USERNAME>`* : The username to use for authentication to the `remote_write` API.
- *`<PASSWORD>`* : The password to use for authentication to the `remote_write` API.

### Limit searched namespaces and filter by label

This example limits the searched namespaces and selects only Pods with a specific label:

```alloy
discovery.kubernetes "k8s_pods" {
  role = "pod"

  selectors {
    role = "pod"
    label = "app.kubernetes.io/name=prometheus-node-exporter"
  }

  namespaces {
    names = ["myapp"]
  }
}

prometheus.scrape "demo" {
  targets    = discovery.kubernetes.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}
```

Replace the following:

- *`<PROMETHEUS_REMOTE_WRITE_URL>`* : The URL of the Prometheus remote\_write-compatible server to send metrics to.
- *`<USERNAME>`* : The username to use for authentication to the `remote_write` API.
- *`<PASSWORD>`* : The password to use for authentication to the `remote_write` API.

### Limit to only Pods on the same node

This example limits the search to Pods on the same node as this Alloy. Use this configuration when running Alloy as a DaemonSet to significantly reduce API server load and memory usage by only watching local Pods instead of all Pods cluster-wide.

> Note
> 
> This example assumes you used the Helm chart to deploy Alloy in Kubernetes, which sets `HOSTNAME` to the Kubernetes host name. If you have a custom Kubernetes Deployment, you must adapt this example to your configuration.
> 
> As an alternative, you can use [`discovery.kubelet`](../discovery.kubelet/) which queries the local `kubelet` API directly and only returns Pods running on the same node.

```alloy
discovery.kubernetes "k8s_pods" {
  role = "pod"
  selectors {
    role = "pod"
    field = "spec.nodeName=" + coalesce(sys.env("HOSTNAME"), constants.hostname)
  }
}

prometheus.scrape "demo" {
  targets    = discovery.kubernetes.k8s_pods.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}
```

Replace the following:

- *`<PROMETHEUS_REMOTE_WRITE_URL>`* : The URL of the Prometheus remote\_write-compatible server to send metrics to.
- *`<USERNAME>`* : The username to use for authentication to the `remote_write` API.
- *`<PASSWORD>`* : The password to use for authentication to the `remote_write` API.

## Compatible components

`discovery.kubernetes` has exports that can be consumed by the following components:

- Components that consume [Targets](../../../compatibility/#targets-consumers)

> Note
> 
> Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
