This reference covers all deployment modes, configuration options, filtering behavior, and troubleshooting for the Postman Insights Agent.
Just want to get running? See the Connect with the API Catalog using Postman Insights Agent.
The agent supports two approaches for onboarding services:
Both approaches are available across DaemonSet and Sidecar deployment models.
Deploy the agent with --discovery-mode and a cluster name. The agent handles service registration automatically. See Connect with the API Catalog using Postman Insights Agent for step-by-step instructions.
To get started, you need your workspace ID and system environment ID from the Postman app. In Postman, from Home, click API Catalog > Integrated Services. Select the service and copy the IDs from the bottom of the page.
Next, deploy the agent with those IDs:
--workspace-id and --system-env with either the DaemonSet or Sidecar mode below.Both IDs must be valid UUIDs (for example, 550e8400-e29b-41d4-a716-446655440000). You can copy them directly from the Postman app.
The Postman API key must belong to a user with write access to target workspaces (workspace Admin or Super Admin). The agent creates and links applications on behalf of this user.
kube run)Deploys one agent pod per node. The agent watches pod events cluster-wide and captures traffic from all eligible pods on each node. Recommended for cluster-wide coverage.
A single API key covers the entire cluster. The agent watches for pod events and automatically starts capturing traffic for eligible pods.
All flags can also be set using environment variables. CLI flags take precedence.
Example: discover only in specific namespaces
Example: exclude pods by label
In Workspace Mode, each monitored pod is associated with a specific Postman workspace and system environment. The DaemonSet reads POSTMAN_INSIGHTS_WORKSPACE_ID and POSTMAN_INSIGHTS_SYSTEM_ENV from each target pod’s environment and starts capturing traffic for that service.
In DaemonSet Discovery Mode, pods that already have explicit service IDs in their environment are routed to their respective flow instead of auto-discovery. This allows gradual adoption alongside existing per-pod configurations.
The pod’s own POSTMAN_INSIGHTS_API_KEY is used if set. Otherwise, the DaemonSet-level key is the fallback.
Sidecar injects the agent as an additional container into an existing deployment YAML. Use this when you want per-deployment control rather than cluster-wide coverage.
Example:
The injected sidecar includes:
apidump --discovery-mode (plus --service-name if provided)POSTMAN_INSIGHTS_API_KEY, POSTMAN_INSIGHTS_CLUSTER_NAME, POSTMAN_INSIGHTS_WORKLOAD_NAME, POSTMAN_INSIGHTS_WORKLOAD_TYPE, POSTMAN_INSIGHTS_LABELS, and standard Kubernetes downward API fieldsNET_RAW capability for packet captureBy default the API key is embedded as a literal env var. Use --secret to reference it from a Kubernetes Secret named postman-agent-secrets (key: postman-api-key). Generate the Secret automatically with --secret, or create it separately with postman-insights-agent kube secret.
Exactly one of --project (legacy), --workspace-id, or --discovery-mode must be specified.
In DaemonSet Discovery Mode, the agent applies a multi-layer filtering pipeline to decide which pods to capture. A pod must pass every layer.
The agent’s own pod is always excluded to prevent feedback loops.
System and infrastructure namespaces are excluded by default. Customize with --include-namespaces and --exclude-namespaces.
The rules are applied in the following order:
--include-namespaces is set and the namespace isn’t in the list, then skip.--exclude-namespaces adds to the default exclusion list. It doesn’t replace it.
The Insights Agent skips namespaces that belong to infrastructure or platform tooling — anything that isn’t your application traffic. This includes Kubernetes system namespaces (kube-system, kube-public), cloud-provider-managed namespaces (GKE, EKS), service meshes, ingress controllers, networking plugins, certificate and secrets management, monitoring and observability stacks, security and policy engines, GitOps and CI/CD tooling, autoscalers, storage operators, and serverless runtimes. The postman-insights-namespace where the agent itself runs is also excluded.
If one of your application namespaces shares a name with a namespace in the exclusion list, use --include-namespaces to explicitly include it.
Fine-grained control at the individual pod level. It’s evaluated in the following order:
postman.com/insights-disabled: "true", then skip.postman.com/insights-enabled: "false", then skip.--exclude-labels, then skip.--include-labels is set and the pod doesn’t match all pairs, then skip.To opt out of a specific pod or deployment, add the annotation postman.com/insights-disabled: "true" to the pod spec or deployment spec:
Only the pods managed by long-running workload controllers are captured. Ephemeral workloads are excluded.
The DaemonSet automatically skips pods that already have the Postman Insights Agent sidecar container, preventing duplicate traffic capture when running alongside sidecar-injected deployments.
When a pod passes all filters, the agent derives a service name in the format {namespace}/{workload-name}.
The workload name is resolved using this fallback chain (first match wins):
Set POSTMAN_INSIGHTS_SERVICE_NAME in the pod spec to override the auto-derived name:
For sidecar deployments, use the --service-name flag with kube inject:
When a service is discovered, the agent captures traffic for 24 hours to give you time to complete onboarding in the Postman app. This prevents unnecessary traffic from consuming your plan limits for services you haven’t intentionally onboarded. If the service isn’t onboarded within that window, the agent pauses capture for it automatically.
To resume capture, onboard the service in the Postman app. The restriction is lifted and capture resumes indefinitely.
This TTL only applies to auto-discovered services that have not yet been onboarded. Services using Workspace Mode or hybrid per-pod IDs are not affected.
CLI flags always take precedence over environment variables.
kube run (DaemonSet) — Discovery Mode flagskube inject (Sidecar) — Onboarding mode flagsExactly one of --project, --workspace-id, or --discovery-mode must be specified.
If you’re having issues with service discovery, here are some common questions and answers.
Check each filtering layer in order:
--include-namespaces to explicitly include it.--exclude-labels pattern? Does it satisfy all --include-labels requirements?postman.com/insights-disabled: "true" or postman.com/insights-enabled: "false"?Add the opt-out annotation to the pod template in the Deployment:
Use --include-namespaces. Only pods in the listed namespaces are discovered (default exclusions still apply).
Use --exclude-namespaces. These are added to the built-in defaults — they do not replace them.
Set POSTMAN_INSIGHTS_SERVICE_NAME in the pod spec, or use the --service-name flag with kube inject for sidecar deployments.
No. The DaemonSet automatically detects pods that already have the Postman Insights Agent sidecar container and skips them. This is applied consistently across pod watch events, the initial pod scan, and periodic health-check reconciliation.
The backend uses the cluster name together with the namespace and workload name to build a unique service slug (cluster/namespace/workload). Without it, services with the same namespace and workload name across different clusters would collide. The agent exits at startup with a clear error if the cluster name is missing.
The agent gracefully stops capturing traffic for that service and marks it TrafficMonitoringEnded. To resume, onboard the service in the Postman app — the TTL restriction is then lifted.
Yes. The DaemonSet skips pods that already have the agent sidecar, so there is no risk of capturing traffic twice. A Discovery Mode DaemonSet can safely run alongside sidecar-injected deployments using Workspace Mode.
Yes. Pods with POSTMAN_INSIGHTS_WORKSPACE_ID + POSTMAN_INSIGHTS_SYSTEM_ENV, or POSTMAN_INSIGHTS_PROJECT_ID set in their environment are routed to their respective flow instead of auto-discovery. See Hybrid mode for details.
The API Catalog feature is not enabled for your Postman team. Contact your Postman team administrator to enable it, then redeploy the agent.
--workspace-id without --system-env?The agent exits with an error. --system-env is required whenever --workspace-id is specified.