The NSX node agent is a DaemonSet where each pod runs two containers. One container runs the NSX node agent, whose main responsibility is to manage container network interfaces. It interacts with the CNI plugin and the Kubernetes API server. The other container runs NSX kube-proxy, whose only responsibility is to implement Kubernetes service abstraction by translating cluster IPs into pod IPs. It implements the same functionality as the upstream kube-proxy.


  1. Download the NCP Docker image.

    The filename is nsx-ncp-xxxxxxx.tar, where xxxxxxx is the build number.

  2. Download the NSX node agent DaemonSet yaml template.

    The filename is ncp-node-agent-ds.yml. You can edit this file or use it as an example for your own template file.

  3. Load the NCP Docker image to your image registry.
        docker load -i <tar file>
  4. Edit ncp-node-agent-ds.yml.

    Change the image name to the one that was loaded.

    For Ubuntu, the yaml file assumes that AppArmor is enabled. To see whether AppArmor is enabled, check the file /sys/module/apparmor/parameters/enabled. If AppArmor is not enabled, make the following changes:

    • Delete or comment out the following line: localhost/node-agent-apparmor
    • Add the line privileged:true under securityContext for the nsx-node-agent container and the nsx-kube-proxy container. For example:


    There is a known issue where if kubelet is run inside a container that uses the hyperkube image, kubelet always report AppArmor as disabled regardless of the actual state. You must make the same changes mentioned above to the yaml file.


    In the yaml file, you must specify that the ConfigMap generated for ncp.ini must be mounted as a ReadOnly volume. The downloaded yaml file already has this specification, which should not be changed.

  5. Create the NSX node agent DaemonSet with the following command.
        kubectl apply -f ncp-node-agent-ds.yml