Container Installation

Deploy the OnePAM agent in Docker and Kubernetes environments.

Container Image

Pull the official OnePAM agent Docker image, which is available for the amd64 and arm64 architectures.


Pull Image
docker pull ghcr.io/onepam/onepam-agent:latest
Available Tags
latest, v1.x.x, v1.x.x-alpine

Overview

Run the OnePAM agent as a Docker container alongside your existing containerised workloads. The agent container monitors the host system and reports to your OnePAM instance.

Quick Start

Run the OnePAM agent container with a single command:

docker run -d \
  --name onepam-agent \
  --restart unless-stopped \
  --pid host \
  --network host \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc:/host/etc:ro \
  -e AGENT_API_URL=https://onepam.com \
  -e AGENT_TENANT_ID=00000000-0000-0000-0000-000000000000 \
  ghcr.io/onepam/onepam-agent:latest

Docker Run

Full Configuration
docker run -d \
  --name onepam-agent \
  --restart unless-stopped \
  --pid host \
  --network host \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc:/host/etc:ro \
  -v onepam-data:/opt/onepam/data \
  -e AGENT_API_URL=https://onepam.example.com \
  -e AGENT_TENANT_ID=00000000-0000-0000-0000-000000000000 \
  -e AGENT_LOG_LEVEL=info \
  ghcr.io/onepam/onepam-agent:latest

Using an Environment File

Store configuration in a file for easier management:

# agent.env
AGENT_API_URL=https://onepam.example.com
AGENT_TENANT_ID=00000000-0000-0000-0000-000000000000
AGENT_LOG_LEVEL=info

docker run -d \
  --name onepam-agent \
  --restart unless-stopped \
  --pid host \
  --network host \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc:/host/etc:ro \
  -v onepam-data:/opt/onepam/data \
  --env-file agent.env \
  ghcr.io/onepam/onepam-agent:latest

Docker Compose

docker-compose.yml
version: "3.8"

services:
  onepam-agent:
    image: ghcr.io/onepam/onepam-agent:latest
    container_name: onepam-agent
    restart: unless-stopped
    pid: host
    network_mode: host
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /etc:/host/etc:ro
      - onepam-data:/opt/onepam/data
    environment:
      AGENT_API_URL: "https://onepam.example.com"
      AGENT_TENANT_ID: "00000000-0000-0000-0000-000000000000"
      AGENT_LOG_LEVEL: "info"

volumes:
  onepam-data:

Alongside Your Application Stack
version: "3.8"

services:
  webapp:
    image: your-app:latest
    ports:
      - "8080:8080"

  database:
    image: postgres:16
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: "${DB_PASSWORD}"

  onepam-agent:
    image: ghcr.io/onepam/onepam-agent:latest
    restart: unless-stopped
    pid: host
    network_mode: host
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /etc:/host/etc:ro
      - onepam-data:/opt/onepam/data
    env_file:
      - .env.onepam

volumes:
  pgdata:
  onepam-data:

Kubernetes

Deploy the OnePAM agent as a DaemonSet to run on every node in your cluster:

Secret (store credentials)
apiVersion: v1
kind: Secret
metadata:
  name: onepam-agent
  namespace: onepam
type: Opaque
stringData:
  AGENT_TENANT_ID: "00000000-0000-0000-0000-000000000000"

DaemonSet
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: onepam-agent
  namespace: onepam
  labels:
    app: onepam-agent
spec:
  selector:
    matchLabels:
      app: onepam-agent
  template:
    metadata:
      labels:
        app: onepam-agent
    spec:
      hostPID: true
      hostNetwork: true
      containers:
        - name: agent
          image: ghcr.io/onepam/onepam-agent:latest
          env:
            - name: AGENT_API_URL
              value: "https://onepam.example.com"
            - name: AGENT_TENANT_ID
              valueFrom:
                secretKeyRef:
                  name: onepam-agent
                  key: AGENT_TENANT_ID
            - name: AGENT_LOG_LEVEL
              value: "info"
          volumeMounts:
            - name: proc
              mountPath: /host/proc
              readOnly: true
            - name: sys
              mountPath: /host/sys
              readOnly: true
            - name: etc
              mountPath: /host/etc
              readOnly: true
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 128Mi
      volumes:
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys
        - name: etc
          hostPath:
            path: /etc

# Apply the manifests
kubectl create namespace onepam
kubectl apply -f secret.yml
kubectl apply -f daemonset.yml

# Verify pods are running on each node
kubectl -n onepam get pods -o wide

Configuration

Environment Variables
| Variable | Default | Description |
|---|---|---|
| AGENT_API_URL | https://onepam.com | OnePAM server URL |
| AGENT_TENANT_ID | - | Organisation UUID (required) |
| AGENT_LOG_LEVEL | info | Logging verbosity (debug, info, warn, error) |
| AGENT_DATA_DIR | /opt/onepam/data | Persistent data directory |

Required Volume Mounts

| Host Path | Container Path | Mode | Purpose |
|---|---|---|---|
| /proc | /host/proc | read-only | Process and system metrics |
| /sys | /host/sys | read-only | Hardware and device information |
| /etc | /host/etc | read-only | Host configuration and OS detection |

Security Note: The --pid host and --network host flags are required for full host visibility. In Kubernetes, use hostPID: true and hostNetwork: true in your pod spec. Store the AGENT_TENANT_ID in Kubernetes Secrets or Docker secrets.