Nsight Streamer#
Nsight Streamer deployment and usage guide.
Overview#
Nsight Streamer provides a self-hosted, web-based GUI for NVIDIA Nsight
Systems. It lets you open .nsys-rep reports captured by
Nsight Operator directly in your browser, without transferring large
report files to your local machine.
Note
Nsight Operator integrates with Nsight Systems only. Other Nsight tools (Nsight Compute, Nsight Graphics, Nsight Deep Learning Designer) are out of scope for the operator.
See also: nsight-streamer-nsys container on NGC for the upstream container image, release notes, and licence information.
Benefits#
Handling Large Data: Profiling reports can be extremely large. Nsight Streamer lets you analyze data in place without transferring files.
Enhanced Performance: Leverage server-side computational resources for faster analysis.
Security Compliance: Data remains within your cluster while still providing full analysis capabilities.
How It Works#
Nsight Streamer runs the Nsight Systems desktop application inside a container and streams its display to your browser over WebRTC. The browser client handles keyboard, mouse, and clipboard input; the server handles rendering, either in software or on a GPU.
The streamer Service exposes a single HTTP port (default 30080) that
serves the web UI, WebRTC signalling, and authentication. WebRTC media
is relayed through the cluster’s shared STUNner TURN gateway when
required; see STUNner TURN Gateway.
Reports are loaded directly from the
NsightCloudStorageConfig referenced
by the NsightStreamer CR. When a storage config exists in the same
namespace, it is auto-discovered and mounted read-only into the streamer
container. No file transfer between your laptop and the cluster is required.
Hardware Acceleration Prerequisites#
Software rendering is always available. For higher FPS and lower latency, enable GPU hardware acceleration (see Hardware Acceleration). GPU acceleration additionally requires:
An NVIDIA GPU with AV1 encode support (Ada Lovelace architecture or newer, e.g. L4, L40, RTX 4000 series).
A node-level NVIDIA driver providing CUDA and NVENC. The NVIDIA GPU Operator is the easiest way to provide this.
runtimeClassName: nvidia on the streamer Pod (set via the CR spec.runtimeClassName).
At least one free nvidia.com/gpu on the scheduled node.
Deploying Nsight Streamer#
Nsight Streamer is deployed by applying a NsightStreamer Custom
Resource (CR) in the namespace where you want to view profiling reports.
The operator reconciles the CR into a Deployment and Service, and
auto-discovers the namespace’s
NsightCloudStorageConfig so the
streamer can read reports directly from cloud storage.
Note
nsight-streamer.enabled in the parent Helm chart is false by
default, so no streamer is created as part of helm install.
Applying a NsightStreamer CR yourself (as shown below) is the
normal way to deploy a streamer.
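If you do want Helm to create a streamer at install time instead, the subchart can be switched on in the parent chart's values. A sketch – only the nsight-streamer.enabled key is confirmed by the note above; any nested streamer values the subchart accepts should be checked against the chart's values.yaml:

```yaml
# Values override for helm install / helm upgrade.
# Only the enabled flag is documented here; other keys are chart-specific.
nsight-streamer:
  enabled: true
```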
Deploy the streamer#
Create a NsightStreamer CR – a minimal manifest needs only a name and namespace:
apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer
  namespace: my-namespace
Apply the manifest:
kubectl apply -f nsight-streamer.yaml
Warning
The NsightStreamer CR ships with demo default credentials
(webUsername / webPassword = nvidia / nvidia). Do
not use these defaults in production and do not disable
authentication on a streamer that is reachable from outside the
cluster. Override the credentials with a strong secret, ideally via
a Kubernetes Secret – see Authentication for the
webUsername / webPassword field shapes and the
NsightStreamer CRD Reference for all
supported options.
When a NsightCloudStorageConfig already exists in the same namespace, the operator auto-discovers it and mounts profiling reports into the streamer read-only.
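Auto-discovery can also be overridden with an explicit reference. A hedged sketch – the cloudStorageConfigRef field name appears in the troubleshooting section of this guide, but its exact shape (including the name subfield used here) should be verified against the NsightStreamer CRD Reference:

```yaml
apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer
  namespace: my-namespace
spec:
  # Pin a specific storage config instead of relying on auto-discovery.
  cloudStorageConfigRef:
    name: my-storage-config
```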
See Accessing Nsight Streamer for how to open the streamer UI in a browser, and the NsightStreamer CRD Reference for all available fields (service type, GPU acceleration, custom credentials, extra volumes, etc.).
Remote access via STUNner#
For local testing (kubectl port-forward), no extra configuration is
needed. If you plan to expose the streamer to browsers outside the
cluster – for example, when launching streamers from the
Nsight Cloud UI – the operator chart also ships a
shared STUNner TURN gateway that relays WebRTC media traffic. See
STUNner TURN Gateway for when STUNner is required and how to configure it.
Additional references#
nsight-streamer-nsys container on NGC – the upstream Nsight Systems streamer image used by the operator, including full release notes, image tags, and licence information.
Accessing Nsight Streamer#
The streamer exposes a single HTTP port (default 30080) that serves
the web UI, the WebRTC signalling channel, and the authentication
endpoint. For most workflows you only need to make this HTTP port
reachable from your browser.
Using Port-Forward (ClusterIP service, default)#
The simplest way to view a streamer locally is to forward its HTTP port:
kubectl port-forward -n my-namespace svc/nsight-viewer-service 30080:30080
Open http://localhost:30080 in your browser (default credentials:
nvidia / nvidia).
Using NodePort#
Expose the streamer’s HTTP port directly on each node:
apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer
  namespace: my-namespace
spec:
  service:
    type: NodePort
    nodeHttpPort: 30080
Access via http://<node-ip>:30080.
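To find a node IP for the URL above, one option is the following (assuming kubectl access and that the nodes' InternalIP addresses are reachable from your browser; use ExternalIP instead if your nodes have one):

```shell
# List each node name with its InternalIP; pick one reachable from your browser.
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}'
```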
Using LoadBalancer#
apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer
  namespace: my-namespace
spec:
  service:
    type: LoadBalancer
export STREAMER_IP=$(kubectl get svc nsight-viewer-service -n my-namespace \
-o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo "Open http://${STREAMER_IP}:30080"
External browser access#
When the streamer is reached from a browser outside the cluster – for example when it is launched by the Nsight Cloud UI – WebRTC media is relayed through the shared STUNner TURN gateway that ships with the operator chart. See STUNner TURN Gateway for when STUNner is required and the network configuration it expects.
Hardware Acceleration#
For improved streaming performance, enable GPU hardware acceleration (requires NVIDIA GPU with AV1 encoding support – Ada Lovelace architecture or newer):
apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer-gpu
  namespace: my-namespace
spec:
  runtimeClassName: nvidia
  resources:
    limits:
      nvidia.com/gpu: 1
Authentication#
By default, Nsight Streamer uses basic authentication:
Username: nvidia
Password: nvidia
Warning
The nvidia / nvidia credentials above are demo-only. Before
exposing Nsight Streamer outside the cluster:
Override webUsername / webPassword with a strong secret, ideally via a Kubernetes Secret (shown below).
Enable TLS on the gateway – see TLS Configuration.
Rotate credentials periodically.
To customize credentials:
apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer
  namespace: my-namespace
spec:
  webUsername:
    value: "myuser"
  webPassword:
    value: "mypassword"
To reference a Kubernetes secret:
apiVersion: nvidia.com/v1alpha1
kind: NsightStreamer
metadata:
  name: nsight-viewer
  namespace: my-namespace
spec:
  webUsername:
    secretName: streamer-auth
    secretKey: username
  webPassword:
    secretName: streamer-auth
    secretKey: password
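The streamer-auth Secret referenced above can be created ahead of time. A sketch – the key names must match the secretKey values in the CR, and the username/password values here are placeholders to substitute with your own:

```shell
# Create the Secret the CR references; replace the placeholder username
# and let the shell generate a random password.
kubectl create secret generic streamer-auth \
  -n my-namespace \
  --from-literal=username=myuser \
  --from-literal=password="$(head -c 18 /dev/urandom | base64)"
```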
STUNner TURN Gateway#
When an Nsight Streamer is reachable over a network path that does not allow direct peer-to-peer WebRTC (typical for cross-VPC, NAT, or strict firewall environments), a TURN server is required to relay media packets. Nsight Operator bundles the open-source STUNner Kubernetes TURN gateway as a subchart so that a single public port serves TURN traffic for all streamers in the cluster.
When to Enable STUNner#
You want to expose Nsight Streamer to users outside the cluster and some of those users sit behind restrictive NATs or corporate firewalls.
You are running on a cloud provider where UDP hole punching across the VPC boundary is unreliable.
If every client can connect directly to the streamer’s HTTP and TURN
NodePort / LoadBalancer, STUNner is not required. Leave it
disabled in that case to avoid the extra load balancer.
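In that case STUNner can be switched off in the parent chart values (key names as in the Enabling STUNner section of this guide):

```yaml
nsight-tenant-operator:
  stunner:
    enabled: false
```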
Enabling STUNner#
STUNner is enabled by default when the Helm chart is installed. The key
values live under nsight-tenant-operator.stunner.* in the parent chart:
nsight-tenant-operator:
  stunner:
    enabled: true
    # Install the Kubernetes Gateway API CRDs needed by STUNner. Set to
    # false if these CRDs are already installed by another controller
    # (Envoy Gateway, Istio, etc.).
    installGatewayApiCRDs: true
  nsight-gateway:
    service:
      turnPort: 3478
Key Settings#
| Setting | Description |
|---|---|
| stunner.enabled | Enable or disable the STUNner subchart. Default: true. |
| stunner.installGatewayApiCRDs | When true (default), the operator installs the Kubernetes Gateway API CRDs required by STUNner if they do not already exist. Set to false if these CRDs are already installed by another controller. |
| nsight-gateway.service.turnPort | Public TURN port. Default: 3478. |
| stunner.disableSessionAffinity | Required on AWS / EKS. The default STUNner Service uses sessionAffinity: ClientIP, which AWS load balancers do not support. |
| stunner.gatewayAnnotations | Extra annotations added to the STUNner Gateway resource and the resulting LoadBalancer Service. Use for cloud-specific configuration (AWS NLB scheme, GCP health checks, etc.). |
Dataplane Pod Configuration#
The STUNner Gateway controls the public TURN listener, but the actual
TURN relay runs in STUNner Dataplane Pods created by the bundled
stunner-gateway-operator subchart. Configure those Pods through the
subchart values under
stunner-gateway-operator.stunnerGatewayOperator.dataplane.spec:
stunner-gateway-operator:
  stunnerGatewayOperator:
    dataplane:
      spec:
        resources:
          requests:
            cpu: 500m
            memory: 256Mi
          limits:
            cpu: "2"
            memory: 512Mi
        tolerations:
          - key: dedicated
            operator: Equal
            value: stunner
            effect: NoSchedule
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: node-role.kubernetes.io/network
                      operator: Exists
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          seccompProfile:
            type: RuntimeDefault
        containerSecurityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 65534
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
The bundled STUNner Dataplane API supports resources,
tolerations, affinity, securityContext, and
containerSecurityContext.
Cloud Provider Examples#
AWS / EKS (NLB):
nsight-tenant-operator:
  stunner:
    enabled: true
    disableSessionAffinity: true
    gatewayAnnotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
GCP / GKE:
nsight-tenant-operator:
  stunner:
    enabled: true
    gatewayAnnotations:
      cloud.google.com/neg: '{"ingress": true}'
Verifying STUNner#
kubectl get gateways.gateway.networking.k8s.io -n stunner-system
kubectl get svc -n stunner-system
The TURN LoadBalancer service should have an assigned external IP and the configured port. Direct TURN connectivity can be tested with any standard STUN/TURN test tool.
See Streamer Troubleshooting for common issues such as media connection failures or clients stuck in the “connecting” state.
Streamer Troubleshooting#
Browser Issues#
Clipboard not working in Chrome:
Enable chrome://flags/#unsafely-treat-insecure-origin-as-secure and add the
Nsight Streamer URL.
Connection failed on Firefox:
Navigate to about:config, search for media.peerconnection.ice.loopback,
and set it to true.
GUI too small on HDPI screen:
Go to File > Exit in the Nsight Tool menu bar. The tool will restart
with proper scaling.
WebRTC / TURN Issues#
Stuck at “Connecting…” screen:
The browser cannot establish a WebRTC connection to the streamer. Check in order:
HTTP reachable: confirm you can load the streamer URL. If not, see Troubleshooting for gateway connectivity issues.
TURN reachable: when using STUNner, verify the TURN LoadBalancer has an external IP and the configured port is open in the cloud provider security group. See STUNner TURN Gateway.
Correct protocol: restrictive networks may block UDP. Switch stunner.protocol to TURN-TCP (or TURN-TLS for TLS-only networks).
Browser WebRTC logs: open chrome://webrtc-internals/ (Chrome) or about:webrtc (Firefox) during the connection attempt to see ICE candidate gathering and failures.
AWS / EKS: TURN LoadBalancer stuck pending:
AWS Classic/Network Load Balancers do not support
sessionAffinity: ClientIP. Set
nsight-tenant-operator.stunner.disableSessionAffinity: true. See
STUNner TURN Gateway.
Report Access Issues#
Reports list is empty or missing files:
Nsight Streamer auto-discovers cloud storage in the same namespace (or uses the explicit
cloudStorageConfigRef reference when set). Check:
kubectl get nsightstreamer -n <namespace>
kubectl describe nsightstreamer <name> -n <namespace> | grep -A5 cloudStorage
Confirm the referenced NsightCloudStorageConfig
exists in the same namespace and that its Secret and MinIO / S3 service are
reachable. For local storage type, Nsight Streamer cannot read reports –
use kubectl cp to move them to a supported backend first.
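For example, a hedged sketch of moving a report off a Pod and into an S3-compatible bucket – the pod name, file paths, MinIO alias, and bucket below are all placeholders:

```shell
# Copy the report from the collector Pod to your machine...
kubectl cp my-namespace/profiler-pod:/reports/app.nsys-rep ./app.nsys-rep
# ...then upload it to the bucket the NsightCloudStorageConfig points at
# (MinIO client shown as one example; any S3-compatible uploader works).
mc cp ./app.nsys-rep myminio/nsight-reports/app.nsys-rep
```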
Authentication dialog rejects credentials:
The default credentials are nvidia / nvidia. If you overrode them via
webUsername / webPassword or secretName / secretKey, verify
the Secret exists and the keys match:
kubectl get secret -n <namespace> <secret-name> -o yaml
GPU Acceleration Issues#
Streamer fails to start with “no GPU available”:
Check that the Pod has:
runtimeClassName: nvidia.
resources.limits.nvidia.com/gpu: 1.
Been scheduled on a node with a free GPU. Use kubectl describe pod to see scheduling events.
For software rendering, remove the GPU resource limit and
runtimeClassName from the NsightStreamer CR.
Black screen / low FPS with GPU enabled:
Confirm the node GPU supports AV1 encode (Ada Lovelace or newer). Older GPUs can still run the streamer in software mode but will not benefit from hardware acceleration.