The latest articles on Forem by Tunde Oladipupo (@simplytunde). https://forem.com/simplytunde https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F99364%2F7cd4a4ed-af20-4974-98d7-7362033a3ed7.jpeg https://forem.com/simplytunde en Tunde Oladipupo Sat, 31 Dec 2022 15:28:39 +0000 https://forem.com/simplytunde/terraform-and-aws-4l0n https://forem.com/simplytunde/terraform-and-aws-4l0n <p>This is tunde</p> beginners learning python ai Tunde Oladipupo Sat, 29 Aug 2020 04:08:46 +0000 https://forem.com/simplytunde/randomness-in-go-1ang https://forem.com/simplytunde/randomness-in-go-1ang <p>This is to discuss ways to generate random values in go using the rand package or the crypto rand. They both achieve the same end depending on your need regarding true randomness and performance. Lets start with the common <code>math/rand</code> package<br> </p> <div class="highlight"><pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"math/rand"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="m">5</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">rand</span><span class="o">.</span><span class="n">Intn</span><span class="p">(</span><span class="m">50</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> <div class="highlight"><pre class="highlight go"><code><span class="err">$</span> <span class="k">go</span> <span class="n">run</span> <span class="n">gotest</span><span class="o">.</span><span class="k">go</span> <span class="m">31</span> <span class="m">37</span> <span class="m">47</span> <span class="m">9</span> <span class="m">31</span> <span class="err">$</span> <span class="k">go</span> <span class="n">run</span> <span class="n">gotest</span><span class="o">.</span><span class="k">go</span> <span class="m">31</span> <span class="m">37</span> <span class="m">47</span> <span class="m">9</span> <span class="m">31</span> </code></pre></div> <p>As you can see from above, the run produces the same sequence because the default seeding source.Now, lets try to use a different seeding for our random sequence generation.<br> </p> <div class="highlight"><pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"math/rand"</span> <span class="s">"time"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">rand</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">rand</span><span class="o">.</span><span class="n">NewSource</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UnixNano</span><span class="p">()))</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="m">5</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Intn</span><span class="p">(</span><span class="m">50</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> <blockquote> <pre class="highlight plaintext"><code>// Random numbers are generated by a Source. Top-level functions, such as // Float64 and Int, use a default shared Source that produces a deterministic // sequence of values each time a program is run. Use the Seed function to // initialize the default Source if different behavior is required for each run. // The default Source is safe for concurrent use by multiple goroutines, but // Sources created by NewSource are not. </code></pre> </blockquote> <p>What we simply did was provide new seeding via new source. Please note this source is not safe for concurrent use unlike the shared source used globally.<br> </p> <div class="highlight"><pre class="highlight go"><code><span class="err">$</span> <span class="k">go</span> <span class="n">run</span> <span class="n">gotest</span><span class="o">.</span><span class="k">go</span> <span class="m">44</span> <span class="m">17</span> <span class="m">41</span> <span class="m">23</span> <span class="m">5</span> <span class="err">$</span> <span class="k">go</span> <span class="n">run</span> <span class="n">gotest</span><span class="o">.</span><span class="k">go</span> <span class="m">18</span> <span class="m">7</span> <span class="m">37</span> <span class="m">17</span> <span class="m">13</span> </code></pre></div> <p>Now to be truly random, you can use the better <code>crypto/rand</code> but with less performance.</p> <h2> Crypto Rand </h2> <div class="highlight"><pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="n">crypto_rand</span> <span class="s">"crypto/rand"</span> <span class="s">"encoding/base64"</span> <span class="s">"fmt"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">GenerateRandomBytes</span><span class="p">(</span><span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="n">n</span><span class="p">)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">crypto_rand</span><span class="o">.</span><span class="n">Read</span><span class="p">(</span><span class="n">b</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">b</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">GenerateRandomString</span><span class="p">(</span><span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="p">(</span><span class="kt">string</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">b</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">GenerateRandomBytes</span><span class="p">(</span><span class="n">n</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="s">""</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">base64</span><span class="o">.</span><span class="n">URLEncoding</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">b</span><span class="p">),</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="m">30</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="m">35</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span> <span class="p">{</span> <span class="k">if</span> <span class="n">s</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">GenerateRandomString</span><span class="p">(</span><span class="n">i</span><span class="p">);</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>What we doing here is very simple, we are not using clock to generate our seedling.</p> go Tunde Oladipupo Wed, 19 Feb 2020 16:04:57 +0000 https://forem.com/simplytunde/what-on-earth-is-go-mod-2fla https://forem.com/simplytunde/what-on-earth-is-go-mod-2fla <p>Go mod is the recommended way to manage packages and their dependencies in go. Go can look at your imported packages and add them to its <strong>go.mod</strong> for management. For example, in this <a href="https://github.com/knative/client/blob/master/go.mod">project</a>;<br> </p> <div class="highlight"><pre class="highlight go"><code><span class="n">module</span> <span class="n">knative</span><span class="o">.</span><span class="n">dev</span><span class="o">/</span><span class="n">client</span> <span class="n">require</span> <span class="p">(</span> <span class="n">contrib</span><span class="o">.</span><span class="k">go</span><span class="o">.</span><span class="n">opencensus</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">exporter</span><span class="o">/</span><span class="n">ocagent</span> <span class="n">v0</span><span class="m">.6.0</span> <span class="c">// indirect</span> <span class="n">contrib</span><span class="o">.</span><span class="k">go</span><span class="o">.</span><span class="n">opencensus</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">exporter</span><span class="o">/</span><span class="n">prometheus</span> <span class="n">v0</span><span class="m">.1.0</span> <span class="c">// indirect</span> <span class="n">contrib</span><span class="o">.</span><span class="k">go</span><span class="o">.</span><span class="n">opencensus</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">exporter</span><span class="o">/</span><span class="n">stackdriver</span> <span class="n">v0</span><span class="m">.12.9</span> <span class="c">// indirect</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">google</span><span class="o">/</span><span class="k">go</span><span class="o">-</span><span class="n">containerregistry</span> <span class="n">v0</span><span class="m">.0.0</span><span class="o">-</span><span class="m">20200131185320</span><span class="o">-</span><span class="n">aec8da010de2</span> <span class="c">// indirect</span> <span class="o">...</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">openzipkin</span><span class="o">/</span><span class="n">zipkin</span><span class="o">-</span><span class="k">go</span> <span class="n">v0</span><span class="m">.2.2</span> <span class="c">// indirect</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">pkg</span><span class="o">/</span><span class="n">errors</span> <span class="n">v0</span><span class="m">.8.1</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">robfig</span><span class="o">/</span><span class="n">cron</span> <span class="n">v1</span><span class="m">.2.0</span> <span class="c">// indirect</span> <span class="o">...</span> <span class="n">golang</span><span class="o">.</span><span class="n">org</span><span class="o">/</span><span class="n">x</span><span class="o">/</span><span class="n">crypto</span> <span class="n">v0</span><span class="m">.0.0</span><span class="o">-</span><span class="m">20191206172530</span><span class="o">-</span><span class="n">e9b2fee46413</span> <span class="n">gotest</span><span class="o">.</span><span class="n">tools</span> <span class="n">v2</span><span class="m">.2.0</span><span class="o">+</span><span class="n">incompatible</span> <span class="o">...</span> <span class="n">sigs</span><span class="o">.</span><span class="n">k8s</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">yaml</span> <span class="n">v1</span><span class="m">.1.0</span> <span class="p">)</span> <span class="c">// Temporary pinning certain libraries. Please check periodically, whether these are still needed</span> <span class="c">// ----------------------------------------------------------------------------------------------</span> <span class="c">// Fix for `[` in help messages and shell completion code</span> <span class="c">// See https://github.com/spf13/cobra/pull/899</span> <span class="n">replace</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">spf13</span><span class="o">/</span><span class="n">cobra</span> <span class="o">=&gt;</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">chmouel</span><span class="o">/</span><span class="n">cobra</span> <span class="n">v0</span><span class="m">.0.0</span><span class="o">-</span><span class="m">20191021105835</span><span class="o">-</span><span class="n">a78788917390</span> <span class="k">go</span> <span class="m">1.13</span> </code></pre></div> <p>The go.mod has the required modules for this module as well as their specific version. Talking about version, you can see we have different version as well as comment. Lets take a look;</p> <ul> <li> <p><strong>Semvars</strong><br> </p> <pre class="highlight plaintext"><code>github.com/pkg/errors v0.8.1 </code></pre> <p>This package is required but version <code>v0.8.1</code> of it. If this module is updated in its remote git repo with the new version, go will not used it but <code>v0.8.1</code> instead</p> </li> <li> <p><strong>Pseudo-versions</strong><br> </p> <pre class="highlight go"><code> <span class="n">knative</span><span class="o">.</span><span class="n">dev</span><span class="o">/</span><span class="n">eventing</span> <span class="n">v0</span><span class="m">.12.1</span><span class="o">-</span><span class="m">0.20200206203632</span><span class="o">-</span><span class="n">b0a7d8a77cc7</span> </code></pre> <p>This is the same as semvar but with weird version generated by go in form of <code>last_tag-date-commit_hash</code>. This is done when you import a package without specifying the version to use. Go simply update with the last tagged version(v0.12.1 in the case of knative.dev/eventing), then calculate the time of last commit as well as hash of last commit in the git repo to generate its version tag to give us <code>v0.12.1-0.20200206203632-b0a7d8a77cc7</code></p> </li> </ul> <h4> replace </h4> <p>So you have an external dependency in your project that you want to make some local changes to or replace temporarily with another source for testing or specific purpose. How do you do that? You can use <code>replace</code>. This means instead of using the external dependency source, it will use the replacement instead.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="s">replace github.com/spf13/cobra =&gt; github.com/chmouel/cobra v0.0.0-20191021105835-a78788917390</span> </code></pre></div> <p>This will make go mod use <code>github.com/chmouel/cobra</code> anywhere <code>github.com/spf13/cobra</code> is used. You can do the same locally by pointing the replacement to local path.</p> <h4> incompatible </h4> <p>Let's talk incompatible. If a repo does not have <code>go.mod</code> and it has semver that is <code>&gt;= 2</code>,it will tagged with the semver as well as incompatible to indicate this is not a go mod repo. For our case,<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="s">gotest.tools v2.2.0+incompatible</span> </code></pre></div> <p>If you look at the tagged <a href="https://github.com/gotestyourself/gotest.tools/tree/v2.2.0">repo</a>, you can see the repo is missing go.mod and its on <code>&gt;=2</code> tag.</p> <h4> go version directive </h4> <p>This simply answers the question of which golang version and features should I use? I will quote one of the <a href="https://github.com/golang/go/issues/30791#issuecomment-472217112">authority</a> on this for better explanation.</p> <blockquote> <p>The basic guideline is fairly simple: a "go" directive 1.N means that the code in that module is permitted to use language features that existed in 1.N even if those features were removed in later releases of the language. </p> <p>In other words, if the code compiles successfully at version 1.N, then it will continue to compile for all later versions of the language, even if it happens to use language features that were later removed. </p> <p>To a first approximation, nobody should ever have to worry about the "go" directive. The only likely time you might need to set it manually is if you are copying some existing code to a new module, that code uses some obsolete language feature, and you don't have time to rewrite it. In that case you might want to set the "go" directive (using <code>go mod edit -go</code>) to the version used by the original module, thus permitting your new module to use the obsolete features. When writing new code you will presumably simply avoid the obsolete language features.</p> </blockquote> <h4> go sum </h4> <p>This <code>go.sum</code> is way for go to keep cryptographic hash of the modules version in <code>go.mod</code>. It keeps a cache copy of this hashes and verifies them during run. Make sure to check in the <code>go.sum</code> file.<br> </p> <div class="highlight"><pre class="highlight go"><code><span class="n">golang</span><span class="o">.</span><span class="n">org</span><span class="o">/</span><span class="n">x</span><span class="o">/</span><span class="n">text</span> <span class="n">v0</span><span class="m">.0.0</span><span class="o">-</span><span class="m">20170915032832</span><span class="o">-</span><span class="m">14</span><span class="n">c0d48ead0c</span> <span class="n">h1</span><span class="o">:</span><span class="n">qgOY6WgZOaTkIIMiVjBQcw93ERBE4m30iBm00nkL0i8</span><span class="o">=</span> <span class="n">golang</span><span class="o">.</span><span class="n">org</span><span class="o">/</span><span class="n">x</span><span class="o">/</span><span class="n">text</span> <span class="n">v0</span><span class="m">.0.0</span><span class="o">-</span><span class="m">20170915032832</span><span class="o">-</span><span class="m">14</span><span class="n">c0d48ead0c</span><span class="o">/</span><span class="k">go</span><span class="o">.</span><span class="n">mod</span> <span class="n">h1</span><span class="o">:</span><span class="n">NqM8EUOU14njkJ3fqMW</span><span class="o">+</span><span class="n">pc6Ldnwhi</span><span class="o">/</span><span class="n">IjpwHt7yyuwOQ</span><span class="o">=</span> <span class="n">rsc</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">quote</span> <span class="n">v1</span><span class="m">.5.2</span> <span class="n">h1</span><span class="o">:</span><span class="n">w5fcysjrx7yqtD</span><span class="o">/</span><span class="n">aO</span><span class="o">+</span><span class="n">QwRjYZOKnaM9Uh2b40tElTs3Y</span><span class="o">=</span> <span class="n">rsc</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">quote</span> <span class="n">v1</span><span class="m">.5.2</span><span class="o">/</span><span class="k">go</span><span class="o">.</span><span class="n">mod</span> <span class="n">h1</span><span class="o">:</span><span class="n">LzX7hefJvL54yjefDEDHNONDjII0t9xZLPXsUe</span><span class="o">+</span><span class="n">TKr0</span><span class="o">=</span> <span class="n">rsc</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">sampler</span> <span class="n">v1</span><span class="m">.3.0</span> <span class="n">h1</span><span class="o">:</span><span class="m">7</span><span class="n">uVkIFmeBqHfdjD</span><span class="o">+</span><span class="n">gZwtXXI</span><span class="o">+</span><span class="n">RODJ2Wc4O7MPEh</span><span class="o">/</span><span class="n">QiW4</span><span class="o">=</span> <span class="n">rsc</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">sampler</span> <span class="n">v1</span><span class="m">.3.0</span><span class="o">/</span><span class="k">go</span><span class="o">.</span><span class="n">mod</span> <span class="n">h1</span><span class="o">:</span><span class="n">T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA</span><span class="o">=</span> </code></pre></div> go Tunde Oladipupo Thu, 13 Feb 2020 20:25:38 +0000 https://forem.com/simplytunde/go-dependency-management-and-dep-46g0 https://forem.com/simplytunde/go-dependency-management-and-dep-46g0 <p>You may be aware of the "official experiment" for go dependency management tool called <strong>dep</strong> but this has since be replaced by <strong>go mod</strong>. Let's explore the tool via this opensource <a href="https://github.com/knative/serving/blob/master/Gopkg.toml">project</a> usage. <code>Gopkg.toml</code> is where you define your package dependencies while <code>Gopkg.lock</code> contains snapshot of your project dependencies after evaluating <code>Gopkg.toml</code> as well as some metadata. Here is;<br> </p> <div class="highlight"><pre class="highlight go"><code><span class="err">#</span> <span class="n">Refer</span> <span class="n">to</span> <span class="n">https</span><span class="o">:</span><span class="c">//github.com/golang/dep/blob/master/docs/Gopkg.toml.md</span> <span class="err">#</span> <span class="k">for</span> <span class="n">detailed</span> <span class="n">Gopkg</span><span class="o">.</span><span class="n">toml</span> <span class="n">documentation</span><span class="o">.</span> <span class="n">required</span> <span class="o">=</span> <span class="p">[</span> <span class="o">...</span> <span class="s">"knative.dev/pkg/codegen/cmd/injection-gen"</span><span class="p">,</span> <span class="err">#</span> <span class="n">TODO</span><span class="p">(</span><span class="err">#</span><span class="m">4549</span><span class="p">)</span><span class="o">:</span> <span class="n">Drop</span> <span class="n">this</span> <span class="n">when</span> <span class="n">we</span> <span class="n">drop</span> <span class="n">our</span> <span class="n">patches</span><span class="o">.</span> <span class="s">"k8s.io/kubernetes/pkg/version"</span><span class="p">,</span> <span class="s">"knative.dev/caching/pkg/apis/caching"</span><span class="p">,</span> <span class="err">#</span> <span class="n">For</span> <span class="n">cluster</span> <span class="n">management</span> <span class="n">in</span> <span class="n">performance</span> <span class="n">testing</span><span class="o">.</span> <span class="s">"knative.dev/pkg/testutils/clustermanager/perf-tests"</span><span class="p">,</span> <span class="s">"knative.dev/test-infra/scripts"</span><span class="p">,</span> <span class="s">"knative.dev/test-infra/tools/dep-collector"</span><span class="p">,</span> <span class="err">#</span> <span class="n">For</span> <span class="n">load</span> <span class="n">testing</span><span class="o">.</span> <span class="s">"github.com/tsenart/vegeta"</span> <span class="p">]</span> <span class="p">[[</span><span class="n">constraint</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"github.com/tsenart/vegeta"</span> <span class="n">branch</span> <span class="o">=</span> <span class="s">"master"</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"gopkg.in/yaml.v2"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"v2.2.4"</span> <span class="o">...</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"github.com/google/mako"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"v0.1.0"</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"go.uber.org/zap"</span> <span class="n">revision</span> <span class="o">=</span> <span class="s">"67bc79d13d155c02fd008f721863ff8cc5f30659"</span> <span class="o">...</span> <span class="p">[[</span><span class="n">constraint</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"github.com/jetstack/cert-manager"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"v0.12.0"</span> <span class="o">...</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"k8s.io/api"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"kubernetes-1.16.4"</span> <span class="o">...</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"k8s.io/kube-openapi"</span> <span class="err">#</span> <span class="n">This</span> <span class="n">is</span> <span class="n">the</span> <span class="n">version</span> <span class="n">at</span> <span class="n">which</span> <span class="n">k8s</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">apiserver</span> <span class="n">depends</span> <span class="n">on</span> <span class="n">this</span> <span class="n">at</span> <span class="n">its</span> <span class="m">1.16.4</span> <span class="n">tag</span><span class="o">.</span> <span class="n">revision</span> <span class="o">=</span> <span class="s">"743ec37842bffe49dd4221d9026f30fb1d5adbc4"</span> <span class="o">...</span> <span class="err">#</span> <span class="n">Added</span> <span class="k">for</span> <span class="n">the</span> <span class="n">custom</span><span class="o">-</span><span class="n">metrics</span><span class="o">-</span><span class="n">apiserver</span> <span class="n">specifically</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"github.com/kubernetes-incubator/custom-metrics-apiserver"</span> <span class="n">revision</span> <span class="o">=</span> <span class="s">"3d9be26a50eb64531fc40eb31a5f3e6720956dc6"</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"bitbucket.org/ww/goautoneg"</span> <span class="n">source</span> <span class="o">=</span> <span class="s">"github.com/munnerz/goautoneg"</span> <span class="p">[</span><span class="n">prune</span><span class="p">]</span> <span class="k">go</span><span class="o">-</span><span class="n">tests</span> <span class="o">=</span> <span class="no">true</span> <span class="n">unused</span><span class="o">-</span><span class="n">packages</span> <span class="o">=</span> <span class="no">true</span> <span class="n">non</span><span class="o">-</span><span class="k">go</span> <span class="o">=</span> <span class="no">true</span> <span class="p">[[</span><span class="n">prune</span><span class="o">.</span><span class="n">project</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"k8s.io/code-generator"</span> <span class="n">unused</span><span class="o">-</span><span class="n">packages</span> <span class="o">=</span> <span class="no">false</span> <span class="n">non</span><span class="o">-</span><span class="k">go</span> <span class="o">=</span> <span class="no">false</span> <span class="p">[[</span><span class="n">prune</span><span class="o">.</span><span class="n">project</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"knative.dev/test-infra"</span> <span class="n">non</span><span class="o">-</span><span class="k">go</span> <span class="o">=</span> <span class="no">false</span> <span class="o">...</span> <span class="err">#</span> <span class="n">The</span> <span class="n">dependencies</span> <span class="n">below</span> <span class="n">are</span> <span class="n">required</span> <span class="k">for</span> <span class="n">opencensus</span><span class="o">.</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"google.golang.org/genproto"</span> <span class="n">revision</span> <span class="o">=</span> <span class="s">"357c62f0e4bbba7e6cc403ae09edcf3e2b9028fe"</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"contrib.go.opencensus.io/exporter/prometheus"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"0.1.0"</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"contrib.go.opencensus.io/exporter/zipkin"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"0.1.1"</span> <span class="p">[[</span><span class="n">constraint</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"go.opencensus.io"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"0.22.0"</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"github.com/census-instrumentation/opencensus-proto"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"0.2.0"</span> <span class="p">[[</span><span class="n">override</span><span class="p">]]</span> <span class="n">name</span><span class="o">=</span><span class="s">"github.com/golang/protobuf"</span> <span class="n">version</span> <span class="o">=</span> <span class="s">"1.3.2"</span> </code></pre></div> <h4> required </h4> <p>Lets talk about this required section; this is where you define what dependencies are required and must be included in the vendor folder;<br> </p> <div class="highlight"><pre class="highlight shell"><code>required <span class="o">=</span> <span class="o">[</span> ... <span class="s2">"knative.dev/pkg/codegen/cmd/injection-gen"</span>, <span class="c"># TODO(#4549): Drop this when we drop our patches.</span> <span class="s2">"k8s.io/kubernetes/pkg/version"</span>, <span class="s2">"knative.dev/caching/pkg/apis/caching"</span>, <span class="c"># For cluster management in performance testing.</span> <span class="s2">"knative.dev/pkg/testutils/clustermanager/perf-tests"</span>, <span class="s2">"knative.dev/test-infra/scripts"</span>, <span class="s2">"knative.dev/test-infra/tools/dep-collector"</span>, <span class="c"># For load testing.</span> <span class="s2">"github.com/tsenart/vegeta"</span> <span class="o">]</span> </code></pre></div> <p>If you look at the folder, you will see these dependencies in the <a href="https://github.com/knative/serving/tree/master/vendor">folder</a> as these are required. </p> <h4> direct and transitive dependency </h4> <p><code>A -&gt; B -&gt; C -&gt; D</code></p> <p>These are packages that your project imports or includes the required sections. For example above, A directly import B while B imports C and D. In this case, B is the direct dependent of A while C and D are transitive dependency.</p> <h4> constraint </h4> <p>This is how you specify the version of your dependency to use for this project. In our case, we want our project to use version<code>v2.2.4</code> of the <code>gopkg.in/yaml.v2</code>. To do this,<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>[[override]] name = "gopkg.in/yaml.v2" version = "v2.2.4" </code></pre></div> <p>You can also use <code>branch</code> or <code>revision</code> to pin your dependency.</p> <h4> override </h4> <p>These are like global constraint but supersedes constraints and should be used as last resort. They apply to direct dependencies and transitive dependencies unlike constraint and advisably should be used sparingly.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>[[override]] name="github.com/golang/protobuf" version = "1.3.2" </code></pre></div> <h4> prune </h4> <p>When your project has a dependency, it extracts the package along with other files like README.md, LEGAL etc. If you dont want any or all of these files, you can use prune to inform dep.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>[prune] go-tests = true unused-packages = true non-go = true [[prune.project]] name = "k8s.io/code-generator" unused-packages = false non-go = false [[prune.project]] name = "knative.dev/test-infra" non-go = false </code></pre></div> <p>The setting above simply tells dep to remove test files, unused-packages as well as non-go files like LEGAL from all dependencies. This is the overriden with a different setting for <code>k8s.io/code-generator</code> that unused-packages and no-go should not be pruned.</p> <h4> dep ensure </h4> <p>Once you have configured your Gopkg.toml with your settings, you need to apply these changes, update vendor folder as well as Gopkg.lock. <code>dep ensure</code> will do that for you and you have option to tell dep not to update vendor, just Gopkg.lock.</p> go dep Tunde Oladipupo Tue, 11 Feb 2020 22:18:38 +0000 https://forem.com/simplytunde/reliability-etcd-cluster-4hlp https://forem.com/simplytunde/reliability-etcd-cluster-4hlp <h1> ETCD </h1> <ul> <li>Always benchmark your external etcd cluster using this <a href="https://github.com/etcd-io/etcd/tree/master/tools/benchmark">tool</a> </li> <li>Give etcd a higher disk <a href="https://github.com/etcd-io/etcd/blob/master/Documentation/tuning.md#disk">priority</a> if running along other processes.</li> </ul> <h2> Do </h2> <ul> <li>Take advantage of learners for re-assignement and during upgrade. Checkout upcoming features in <a href="https://github.com/etcd-io/etcd/blob/master/Documentation/learning/design-learner.md#features-in-v35">3.5</a> </li> <li>Election timeout should be 10x heart beat interval to makeup for network latency issues.</li> <li>You can only do minor upgrade for now.</li> <li>Use SSD for disk as this is the most critical resource in etcd cluster.</li> <li>You can change the default storage limit from 2GB to max of 8GB if using large cluster. <a href="https://github.com/etcd-io/etcd/blob/master/Documentation/dev-guide/limit.md">checkout</a> </li> </ul> <h2> Dont Do </h2> <ul> <li>Be careful when adding new node to etcd cluster that cannot tolerate any node failure. This is because if the new node fails, quorum is not achieved and etcd goes into read-mode. You can remove failing node before adding the new one.</li> <li>Do not route request to <a href="https://github.com/etcd-io/etcd/blob/master/Documentation/learning/design-learner.md">learner</a> especially when using load balancer.</li> <li>You risk cluster stability if you set different heartbeat and election timeout for the members.</li> </ul> <h2> Backup and Recovery </h2> <h4> Backup </h4> <div class="highlight"><pre class="highlight shell"><code>etcdctl snapshot save backup.db <span class="nt">--cacert</span><span class="o">=</span><span class="s2">"/var/lib/minikube/certs/etcd/ca.crt"</span> <span class="nt">--cert</span><span class="o">=</span><span class="s2">"/var/lib/minikube/certs/etcd/server.crt"</span> <span class="nt">--key</span><span class="o">=</span><span class="s2">"/var/lib/minikube/certs/etcd/server.key"</span> <span class="o">{</span><span class="s2">"level"</span>:<span class="s2">"warn"</span>,<span class="s2">"ts"</span>:<span class="s2">"2020-02-10T19:00:17.325Z"</span>,<span class="s2">"caller"</span>:<span class="s2">"clientv3/retry_interceptor.go:116"</span>,<span class="s2">"msg"</span>:<span class="s2">"retry stream intercept"</span><span class="o">}</span> Snapshot saved at backup.db </code></pre></div> <p>Make sure you do this periodically probably using an automated method thats saves the backup in remote storage like s3.</p> <h4> Restore </h4> <p>Remember that a snapshot restore creates a new logical member, making the node forgets its former identity. Hence you need to restore on other nodes and <a href="https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/recovery.md#restoring-a-cluster">restart the cluster</a></p> <h2> Upgrade and Downgrade </h2> <p>Before you do upgrade or downgrade, master the act of etcd backup and automated recovery unless though wishes to see what Dante was talking about.</p> <h4> Upgrade </h4> <p>Replace the cluster members one by one to avoid potential issues with upgrade. If you have any member that is unhealthy, you can remove(provided you are not violating quorum) and add the member back to the cluster.</p> <h4> Downgrade </h4> <p>You should probably read this <a href="https://gravitational.com/blog/kubernetes-and-offline-etcd-upgrades/">post</a> and <a href="https://medium.com/@mrawesomenix/tale-of-etcd-upgrade-48c580e26d60">this</a> before doing a downgrade.</p> <h2> Monitoring </h2> <p>Etcd exports metrics at <em>/metrics</em> endpoint, so you can configure prometheus to ingest data from that endpoint for display in grafana.</p> <h2> GitOps </h2> reliability etcd Tunde Oladipupo Tue, 11 Feb 2020 22:15:19 +0000 https://forem.com/simplytunde/etcd-cluster-and-non-voting-learners-4l0b https://forem.com/simplytunde/etcd-cluster-and-non-voting-learners-4l0b <p>In 3.4, etcd introduced raft learner for those looking to add new members to the cluster without giving them voting right. These are particularly useful because we can add members to the cluster without causing disruption then promote them to voting members once everything is good to go. Check this <a href="https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/runtime-configuration.md#add-a-new-member-as-learner">out</a></p> <p>Steps to add a learner to the cluster;</p> <ul> <li>Add the learner to existing cluster as below; </li> </ul> <div class="highlight"><pre class="highlight shell"><code>etcdctl member add etcd-node-3 <span class="nt">--peer-urls</span><span class="o">=</span><span class="s2">"http://192.168.13.10:2380"</span> <span class="nt">--learner</span> Member 14d2e95e16c995c7 added to cluster 7ef1685daf3d8f18 <span class="nv">ETCD_NAME</span><span class="o">=</span><span class="s2">"etcd-node-3"</span> <span class="nv">ETCD_INITIAL_CLUSTER</span><span class="o">=</span><span class="s2">"etcd-node-3=http://192.168.13.10:2380,etcd-node-1=http://192.168.11.10:2380,etcd-node-0=http://192.168.10.10:2380,etcd-node-2=http://192.168.12.10:2380"</span> <span class="nv">ETCD_INITIAL_ADVERTISE_PEER_URLS</span><span class="o">=</span><span class="s2">"http://192.168.13.10:2380"</span> <span class="nv">ETCD_INITIAL_CLUSTER_STATE</span><span class="o">=</span><span class="s2">"existing"</span> </code></pre></div> <p>Once add, you can check this status;<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="c"># etcdctl member list -w table </span> +------------------+---------+-------------+---------------------------+---------------------------+------------+ | ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER | +------------------+---------+-------------+---------------------------+---------------------------+------------+ | 14d2e95e16c995c7 | started | etcd-node-3 | http://192.168.13.10:2380 | http://192.168.13.10:2379 | <span class="nb">true</span> | | 4c3c38d6652b5d75 | started | etcd-node-1 | http://192.168.11.10:2380 | http://192.168.11.10:2379 | <span class="nb">false</span> | | a00eaaf5194c573d | started | etcd-node-0 | http://192.168.10.10:2380 | http://192.168.10.10:2379 | <span class="nb">false</span> | | fdd13ca43538c5a2 | started | etcd-node-2 | http://192.168.12.10:2380 | http://192.168.12.10:2379 | <span class="nb">false</span> | +------------------+---------+-------------+---------------------------+---------------------------+------------+ </code></pre></div> <p>You can see our new member is a learner, meaning it syncs with the cluster but does not have voting right or accept read or write request but it is not started yet.<br> </p> <div class="highlight"><pre class="highlight shell"><code>etcdctl member list 16f23207f1b6cfc0, unstarted, , http://192.168.13.10:2379, , <span class="nb">true </span>4c3c38d6652b5d75, started, etcd-node-1, http://192.168.11.10:2380, http://192.168.11.10:2379, <span class="nb">false </span>a00eaaf5194c573d, started, etcd-node-0, http://192.168.10.10:2380, http://192.168.10.10:2379, <span class="nb">false </span>fdd13ca43538c5a2, started, etcd-node-2, http://192.168.12.10:2380, http://192.168.12.10:2379, <span class="nb">false</span> </code></pre></div> <p>You can now start the learner with the outputted configuration.<br> </p> <div class="highlight"><pre class="highlight shell"><code> /usr/local/bin/etcd <span class="se">\</span> <span class="nt">--data-dir</span><span class="o">=</span>/etcd-data <span class="nt">--name</span> etcd-node-3 <span class="se">\</span> <span class="nt">--initial-advertise-peer-urls</span> http://192.168.13.10<span class="o">}</span>:2380 <span class="nt">--listen-peer-urls</span> http://0.0.0.0:2380 <span class="se">\</span> <span class="nt">--advertise-client-urls</span> http://192.168.13.10:2379 <span class="nt">--listen-client-urls</span> http://0.0.0.0:2379 <span class="se">\</span> <span class="nt">--initial-cluster</span> <span class="s2">"etcd-node-3=http://192.168.13.10:2380,etcd-node-1=http://192.168.11.10:2380,etcd-node-0=http://192.168.10.10:2380,etcd-node-2=http://192.168.12.10:2380"</span> <span class="se">\</span> <span class="nt">--initial-cluster-state</span> existing <span class="se">\</span> <span class="nt">--initial-cluster-token</span> my-etcd-token </code></pre></div> <p>Now, it should show the learner as started;<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="c"># etcdctl member list -w table</span> +------------------+---------+-------------+---------------------------+---------------------------+------------+ | ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER | +------------------+---------+-------------+---------------------------+---------------------------+------------+ | 14d2e95e16c995c7 | started | etcd-node-3 | http://192.168.13.10:2380 | http://192.168.13.10:2379 | <span class="nb">true</span> | | 4c3c38d6652b5d75 | started | etcd-node-1 | http://192.168.11.10:2380 | http://192.168.11.10:2379 | <span class="nb">false</span> | | a00eaaf5194c573d | started | etcd-node-0 | http://192.168.10.10:2380 | http://192.168.10.10:2379 | <span class="nb">false</span> | | fdd13ca43538c5a2 | started | etcd-node-2 | http://192.168.12.10:2380 | http://192.168.12.10:2379 | <span class="nb">false</span> | +------------------+---------+-------------+---------------------------+---------------------------+------------+ </code></pre></div> <p>This is where learner is of importance; if any of our voting members goes down and our cluster is in inconsistent quorum state. You can promote the learner to replace the unstable voting member.<br> </p> <div class="highlight"><pre class="highlight shell"><code>etcdctl member promote 14d2e95e16c995c7 Member 14d2e95e16c995c7 promoted <span class="k">in </span>cluster 7ef1685daf3d8f18 </code></pre></div> etcd docker reliability Tunde Oladipupo Tue, 11 Feb 2020 08:56:11 +0000 https://forem.com/simplytunde/downgrading-etcd-cluster-4875 https://forem.com/simplytunde/downgrading-etcd-cluster-4875 <p>This process describes how you can downgrade etcd cluster. If you follow my <a href="https://dev.to/simplytunde/etcd-multinode-cluster-using-docker-d36">post</a> earlier, I was able to setup a 3-node cluster using script. In this post, I will be using script to initiate the snapshot, downgrade and restart. If you try to downgrade the cluster without doing restore, you will get something along<br> </p> <div class="highlight"><pre class="highlight shell"><code>... 2020-02-11 08:40:47.532292 I | rafthttp: added peer a00eaaf5194c573d 2020-02-11 08:40:47.532577 I | etcdserver/membership: added member fdd13ca43538c5a2 <span class="o">[</span>http://192.168.12.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:40:47.533041 N | etcdserver/membership: <span class="nb">set </span>the initial cluster version to 3.0 2020-02-11 08:40:47.533121 I | etcdserver/api: enabled capabilities <span class="k">for </span>version 3.0 2020-02-11 08:40:47.533524 N | etcdserver/membership: updated the cluster version from 3.0 to 3.2 2020-02-11 08:40:47.533747 I | etcdserver/api: enabled capabilities <span class="k">for </span>version 3.2 2020-02-11 08:40:47.534324 N | etcdserver/membership: updated the cluster version from 3.2 to 3.3 2020-02-11 08:40:47.534417 C | etcdserver/membership: cluster cannot be downgraded <span class="o">(</span>current version: 3.2.28 is lower than determined cluster version: 3.3<span class="o">)</span><span class="nb">.</span> </code></pre></div> <p>First, take a snapshot of the cluster;<br> </p> <div class="highlight"><pre class="highlight shell"><code> <span class="c"># etcdctl snapshot save /etcd-data/snapshot.db</span> Snapshot saved at /etcd-data/snapshot.db </code></pre></div> <p>Copy this snapshot to similar location on other nodes. Once this is done, let us tell etcd to do a restore from this snapshot into a different directory(in case of failure). I changed my data-dir to /etcd-data/new for demo purpose. Use the script below<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">REGISTRY</span><span class="o">=</span>quay.io/coreos/etcd <span class="c"># available from v3.2.5</span> <span class="c"># REGISTRY=gcr.io/etcd-development/etcd</span> <span class="c"># For each machine</span> <span class="nv">ETCD_VERSION</span><span class="o">=</span>v3.2.28 <span class="nv">TOKEN</span><span class="o">=</span>my-etcd-token <span class="nv">CLUSTER_STATE</span><span class="o">=</span>new <span class="nv">NAME_1</span><span class="o">=</span>etcd-node-0 <span class="nv">NAME_2</span><span class="o">=</span>etcd-node-1 <span class="nv">NAME_3</span><span class="o">=</span>etcd-node-2 <span class="nv">HOST_1</span><span class="o">=</span>192.168.10.10 <span class="nv">HOST_2</span><span class="o">=</span>192.168.11.10 <span class="nv">HOST_3</span><span class="o">=</span>192.168.12.10 <span class="nv">CLUSTER</span><span class="o">=</span><span class="k">${</span><span class="nv">NAME_1</span><span class="k">}</span><span class="o">=</span>http://<span class="k">${</span><span class="nv">HOST_1</span><span class="k">}</span>:2380,<span class="k">${</span><span class="nv">NAME_2</span><span class="k">}</span><span class="o">=</span>http://<span class="k">${</span><span class="nv">HOST_2</span><span class="k">}</span>:2380,<span class="k">${</span><span class="nv">NAME_3</span><span class="k">}</span><span class="o">=</span>http://<span class="k">${</span><span class="nv">HOST_3</span><span class="k">}</span>:2380 <span class="nv">DATA_DIR</span><span class="o">=</span>/mydatadir/etcd <span class="c">#make sure to change this</span> <span class="c"># For node 1</span> <span class="nv">THIS_NAME</span><span class="o">=</span><span class="k">${</span><span class="nv">NAME_1</span><span class="k">}</span> <span class="nv">THIS_IP</span><span class="o">=</span><span class="k">${</span><span class="nv">HOST_1</span><span class="k">}</span> docker run <span class="se">\</span> <span class="nt">-e</span> <span class="nv">ETCDCTL_API</span><span class="o">=</span>3 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379:2379 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380:2380 <span class="se">\</span> <span class="nt">--volume</span><span class="o">=</span><span class="k">${</span><span class="nv">DATA_DIR</span><span class="k">}</span>/<span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span>:/etcd-data <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span>:<span class="k">${</span><span class="nv">ETCD_VERSION</span><span class="k">}</span> <span class="se">\</span> /usr/local/bin/etcdctl snapshot restore /etcd-data/snapshot.db <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster-token</span> <span class="k">${</span><span class="nv">TOKEN</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-advertise-peer-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380 <span class="se">\</span> <span class="nt">--data-dir</span> /etcd-data/new <span class="c"># For node 2</span> <span class="nv">THIS_NAME</span><span class="o">=</span><span class="k">${</span><span class="nv">NAME_2</span><span class="k">}</span> <span class="nv">THIS_IP</span><span class="o">=</span><span class="k">${</span><span class="nv">HOST_2</span><span class="k">}</span> docker run <span class="se">\</span> <span class="nt">-e</span> <span class="nv">ETCDCTL_API</span><span class="o">=</span>3 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379:2379 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380:2380 <span class="se">\</span> <span class="nt">--volume</span><span class="o">=</span><span class="k">${</span><span class="nv">DATA_DIR</span><span class="k">}</span>/<span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span>:/etcd-data <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span>:<span class="k">${</span><span class="nv">ETCD_VERSION</span><span class="k">}</span> <span class="se">\</span> /usr/local/bin/etcdctl snapshot restore /etcd-data/snapshot.db <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster-token</span> <span class="k">${</span><span class="nv">TOKEN</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-advertise-peer-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380 <span class="se">\</span> <span class="nt">--data-dir</span> /etcd-data/new <span class="c"># # For node 3</span> <span class="nv">THIS_NAME</span><span class="o">=</span><span class="k">${</span><span class="nv">NAME_3</span><span class="k">}</span> <span class="nv">THIS_IP</span><span class="o">=</span><span class="k">${</span><span class="nv">HOST_3</span><span class="k">}</span> docker run <span class="se">\</span> <span class="nt">-e</span> <span class="nv">ETCDCTL_API</span><span class="o">=</span>3 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379:2379 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380:2380 <span class="se">\</span> <span class="nt">--volume</span><span class="o">=</span><span class="k">${</span><span class="nv">DATA_DIR</span><span class="k">}</span>/<span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span>:/etcd-data <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span>:<span class="k">${</span><span class="nv">ETCD_VERSION</span><span class="k">}</span> <span class="se">\</span> /usr/local/bin/etcdctl snapshot restore /etcd-data/snapshot.db <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster-token</span> <span class="k">${</span><span class="nv">TOKEN</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-advertise-peer-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380 <span class="se">\</span> <span class="nt">--data-dir</span> /etcd-data/new </code></pre></div> <p>Once your run the script, you should get something like this<br> </p> <div class="highlight"><pre class="highlight shell"><code>./etcd-restore.sh 2020-02-11 08:39:28.391951 I | etcdserver/membership: added member 4c3c38d6652b5d75 <span class="o">[</span>http://192.168.11.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:39:28.392657 I | etcdserver/membership: added member a00eaaf5194c573d <span class="o">[</span>http://192.168.10.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:39:28.392672 I | etcdserver/membership: added member fdd13ca43538c5a2 <span class="o">[</span>http://192.168.12.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:39:29.407616 I | etcdserver/membership: added member 4c3c38d6652b5d75 <span class="o">[</span>http://192.168.11.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:39:29.407817 I | etcdserver/membership: added member a00eaaf5194c573d <span class="o">[</span>http://192.168.10.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:39:29.407847 I | etcdserver/membership: added member fdd13ca43538c5a2 <span class="o">[</span>http://192.168.12.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:39:30.365027 I | etcdserver/membership: added member 4c3c38d6652b5d75 <span class="o">[</span>http://192.168.11.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:39:30.365130 I | etcdserver/membership: added member a00eaaf5194c573d <span class="o">[</span>http://192.168.10.10:2380] to cluster 7ef1685daf3d8f18 2020-02-11 08:39:30.365213 I | etcdserver/membership: added member fdd13ca43538c5a2 <span class="o">[</span>http://192.168.12.10:2380] to cluster 7ef1685daf3d8f18 </code></pre></div> <p>Once the restore is complete, you simply start the cluster up and make sure the data-dir is pointing to the new restore location. You can use the same script as in this <a href="https://dev.to/simplytunde/etcd-multinode-cluster-using-docker-d36">post</a> but make sure to update the data dir.<br> Once our cluster is up, you should check the health of the cluster<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>docker <span class="nb">exec</span> <span class="nt">-it</span> etcd-node-0 /bin/sh / <span class="c"># export ETCDCTL_API=3</span> / <span class="c"># etcdctl -w table --endpoints=[192.168.11.10:2379,192.168.10.10:2379,192.168.12.10:2379] endpoint status</span> +--------------------+------------------+---------+---------+-----------+-----------+------------+ | ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | RAFT TERM | RAFT INDEX | +--------------------+------------------+---------+---------+-----------+-----------+------------+ | 192.168.11.10:2379 | 4c3c38d6652b5d75 | 3.2.28 | 25 kB | <span class="nb">false</span> | 2 | 8 | | 192.168.10.10:2379 | a00eaaf5194c573d | 3.2.28 | 25 kB | <span class="nb">true</span> | 2 | 8 | | 192.168.12.10:2379 | fdd13ca43538c5a2 | 3.2.28 | 25 kB | <span class="nb">false</span> | 2 | 8 | +--------------------+------------------+---------+---------+-----------+-----------+------------+ </code></pre></div> etcd docker Tunde Oladipupo Tue, 11 Feb 2020 06:48:16 +0000 https://forem.com/simplytunde/etcd-multinode-cluster-using-docker-d36 https://forem.com/simplytunde/etcd-multinode-cluster-using-docker-d36 <p>In this post, I will be showing how to create a 3-node cluster with each node represented by a docker container. First, lets create our nodes IP.<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nb">sudo </span>ifconfig en0 <span class="nb">alias </span>192.168.10.10/24 up <span class="nb">sudo </span>ifconfig en0 <span class="nb">alias </span>192.168.11.10/24 up <span class="nb">sudo </span>ifconfig en0 <span class="nb">alias </span>192.168.12.10/24 up </code></pre></div> <p>Once they are created, you can use script below which is a modified version of <a href="https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/container.md#running-a-3-node-etcd-cluster-1">this</a><br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">REGISTRY</span><span class="o">=</span>quay.io/coreos/etcd <span class="c"># available from v3.2.5</span> <span class="c"># REGISTRY=gcr.io/etcd-development/etcd</span> <span class="c"># For each machine</span> <span class="nv">ETCD_VERSION</span><span class="o">=</span>latest <span class="nv">TOKEN</span><span class="o">=</span>my-etcd-token <span class="nv">CLUSTER_STATE</span><span class="o">=</span>new <span class="nv">NAME_1</span><span class="o">=</span>etcd-node-0 <span class="nv">NAME_2</span><span class="o">=</span>etcd-node-1 <span class="nv">NAME_3</span><span class="o">=</span>etcd-node-2 <span class="nv">HOST_1</span><span class="o">=</span>192.168.10.10 <span class="nv">HOST_2</span><span class="o">=</span>192.168.11.10 <span class="nv">HOST_3</span><span class="o">=</span>192.168.12.10 <span class="nv">CLUSTER</span><span class="o">=</span><span class="k">${</span><span class="nv">NAME_1</span><span class="k">}</span><span class="o">=</span>http://<span class="k">${</span><span class="nv">HOST_1</span><span class="k">}</span>:2380,<span class="k">${</span><span class="nv">NAME_2</span><span class="k">}</span><span class="o">=</span>http://<span class="k">${</span><span class="nv">HOST_2</span><span class="k">}</span>:2380,<span class="k">${</span><span class="nv">NAME_3</span><span class="k">}</span><span class="o">=</span>http://<span class="k">${</span><span class="nv">HOST_3</span><span class="k">}</span>:2380 <span class="nv">DATA_DIR</span><span class="o">=</span>/mydir/etcd <span class="c">#make sure to change this</span> <span class="c"># For node 1</span> <span class="nv">THIS_NAME</span><span class="o">=</span><span class="k">${</span><span class="nv">NAME_1</span><span class="k">}</span> <span class="nv">THIS_IP</span><span class="o">=</span><span class="k">${</span><span class="nv">HOST_1</span><span class="k">}</span> docker run <span class="se">\</span> <span class="nt">-d</span> <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379:2379 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380:2380 <span class="se">\</span> <span class="nt">--volume</span><span class="o">=</span><span class="k">${</span><span class="nv">DATA_DIR</span><span class="k">}</span>/<span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span>:/etcd-data <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span>:<span class="k">${</span><span class="nv">ETCD_VERSION</span><span class="k">}</span> <span class="se">\</span> /usr/local/bin/etcd <span class="se">\</span> <span class="nt">--data-dir</span><span class="o">=</span>/etcd-data <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-advertise-peer-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380 <span class="nt">--listen-peer-urls</span> http://0.0.0.0:2380 <span class="se">\</span> <span class="nt">--advertise-client-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379 <span class="nt">--listen-client-urls</span> http://0.0.0.0:2379 <span class="se">\</span> <span class="nt">--initial-cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster-state</span> <span class="k">${</span><span class="nv">CLUSTER_STATE</span><span class="k">}</span> <span class="nt">--initial-cluster-token</span> <span class="k">${</span><span class="nv">TOKEN</span><span class="k">}</span> <span class="c"># For node 2</span> <span class="nv">THIS_NAME</span><span class="o">=</span><span class="k">${</span><span class="nv">NAME_2</span><span class="k">}</span> <span class="nv">THIS_IP</span><span class="o">=</span><span class="k">${</span><span class="nv">HOST_2</span><span class="k">}</span> docker run <span class="se">\</span> <span class="nt">-d</span> <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379:2379 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380:2380 <span class="se">\</span> <span class="nt">--volume</span><span class="o">=</span><span class="k">${</span><span class="nv">DATA_DIR</span><span class="k">}</span>/<span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span>:/etcd-data <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span>:<span class="k">${</span><span class="nv">ETCD_VERSION</span><span class="k">}</span> <span class="se">\</span> /usr/local/bin/etcd <span class="se">\</span> <span class="nt">--data-dir</span><span class="o">=</span>/etcd-data <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-advertise-peer-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380 <span class="nt">--listen-peer-urls</span> http://0.0.0.0:2380 <span class="se">\</span> <span class="nt">--advertise-client-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379 <span class="nt">--listen-client-urls</span> http://0.0.0.0:2379 <span class="se">\</span> <span class="nt">--initial-cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster-state</span> <span class="k">${</span><span class="nv">CLUSTER_STATE</span><span class="k">}</span> <span class="nt">--initial-cluster-token</span> <span class="k">${</span><span class="nv">TOKEN</span><span class="k">}</span> <span class="c"># # For node 3</span> <span class="nv">THIS_NAME</span><span class="o">=</span><span class="k">${</span><span class="nv">NAME_3</span><span class="k">}</span> <span class="nv">THIS_IP</span><span class="o">=</span><span class="k">${</span><span class="nv">HOST_3</span><span class="k">}</span> docker run <span class="se">\</span> <span class="nt">-d</span> <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379:2379 <span class="se">\</span> <span class="nt">-p</span> <span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380:2380 <span class="se">\</span> <span class="nt">--volume</span><span class="o">=</span><span class="k">${</span><span class="nv">DATA_DIR</span><span class="k">}</span>/<span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span>:/etcd-data <span class="se">\</span> <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="k">${</span><span class="nv">REGISTRY</span><span class="k">}</span>:<span class="k">${</span><span class="nv">ETCD_VERSION</span><span class="k">}</span> <span class="se">\</span> /usr/local/bin/etcd <span class="se">\</span> <span class="nt">--data-dir</span><span class="o">=</span>/etcd-data <span class="nt">--name</span> <span class="k">${</span><span class="nv">THIS_NAME</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-advertise-peer-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2380 <span class="nt">--listen-peer-urls</span> http://0.0.0.0:2380 <span class="se">\</span> <span class="nt">--advertise-client-urls</span> http://<span class="k">${</span><span class="nv">THIS_IP</span><span class="k">}</span>:2379 <span class="nt">--listen-client-urls</span> http://0.0.0.0:2379 <span class="se">\</span> <span class="nt">--initial-cluster</span> <span class="k">${</span><span class="nv">CLUSTER</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--initial-cluster-state</span> <span class="k">${</span><span class="nv">CLUSTER_STATE</span><span class="k">}</span> <span class="nt">--initial-cluster-token</span> <span class="k">${</span><span class="nv">TOKEN</span><span class="k">}</span> </code></pre></div> <p>Once the cluster is created, you can use the command below to check this cluster status.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ docker exec -it etcd-node-0 /bin/sh / # etcdctl -w table --endpoints=192.168.11.10:2379,192.168.10.10:2379,192.168.12.10:2379 endpoint status +--------------------+------------------+---------+---------+-----------+-----------+------------+ | ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | RAFT TERM | RAFT INDEX | +--------------------+------------------+---------+---------+-----------+-----------+------------+ | 192.168.11.10:2379 | 4c3c38d6652b5d75 | 3.2.28 | 25 kB | false | 5 | 17 | | 192.168.10.10:2379 | a00eaaf5194c573d | 3.2.28 | 25 kB | true | 5 | 17 | | 192.168.12.10:2379 | fdd13ca43538c5a2 | 3.2.28 | 25 kB | false | 5 | 17 | +--------------------+------------------+---------+---------+-----------+-----------+------------+ </code></pre></div> etcd docker Tunde Oladipupo Mon, 28 Oct 2019 01:37:13 +0000 https://forem.com/simplytunde/install-istio-with-kubectl-453l https://forem.com/simplytunde/install-istio-with-kubectl-453l <p>To install Istio on EKS with <code>kubectl</code>, we will need to use helm to generate the manifest and use <code>kubectl</code>to apply.</p> <h3> Install Istio Init </h3> <div class="highlight"><pre class="highlight yaml"><code><span class="s">curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.3.3 sh -</span> <span class="s">cd istio-1.3.3</span> <span class="s">helm template install/kubernetes/helm/istio-init --namespace istio-system | kubectl apply -f -</span> </code></pre></div> <h3> Install Istio Demo </h3> <div class="highlight"><pre class="highlight yaml"><code><span class="s">kubectl apply -f install/kubernetes/istio-demo.yaml</span> </code></pre></div> <p>Output<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="s">$ kubectl get pods -n istio-system</span> <span class="s">NAME READY STATUS RESTARTS AGE</span> <span class="s">grafana-9bdbcc98d-gzntp 1/1 Running 0 23m</span> <span class="s">istio-citadel-6759c5c4d4-7wlnw 1/1 Running 0 23m</span> <span class="s">istio-egressgateway-c7776cf56-zjnx8 1/1 Running 0 23m</span> <span class="s">istio-galley-8544f4ff94-9qj4m 1/1 Running 0 23m</span> <span class="s">istio-grafana-post-install-1.3.3-l989d 0/1 Completed 0 23m</span> <span class="s">istio-ingressgateway-8469cb69c5-kjvkc 1/1 Running 0 23m</span> <span class="s">istio-pilot-748dd866dc-rh25k 2/2 Running 0 23m</span> <span class="s">istio-policy-5c564f5bfb-8hvgc 2/2 Running 1 23m</span> <span class="s">istio-security-post-install-1.3.3-7pp5z 0/1 Completed 0 23m</span> <span class="s">istio-sidecar-injector-59c8999585-lqlj7 1/1 Running 0 23m</span> <span class="s">istio-telemetry-5fc579cb56-sjd9d 2/2 Running 1 23m</span> <span class="s">istio-tracing-6f585d8877-24974 0/1 Running 10 23m</span> <span class="s">kiali-5764f9c44d-c7ftg 1/1 Running 0 23m</span> <span class="s">prometheus-85d75b5f6b-fn7f2 1/1 Running 0 23m</span> </code></pre></div> <h3> Bookinfo application </h3> <div class="highlight"><pre class="highlight yaml"><code><span class="s">kubectl label ns istio-system istio-injection=disabled</span> <span class="s">kubectl label ns istio-demo istio-injection=enabled</span> <span class="s">kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml</span> </code></pre></div> <div class="highlight"><pre class="highlight yaml"><code><span class="s">$ kubectl get pods</span> <span class="s">NAME READY STATUS RESTARTS AGE</span> <span class="s">details-v1-c5b5f496d-p5lr7 1/2 Running 0 98m</span> <span class="s">helloworld-v1-7bb88866c4-hj8m2 2/2 Running 0 108m</span> <span class="s">helloworld-v2-6cd449dff4-mxjwn 1/2 Running 0 108m</span> <span class="s">productpage-v1-c7765c886-tbd2c 2/2 Running 0 98m</span> <span class="s">ratings-v1-f745cf57b-qpthv 2/2 Running 0 98m</span> <span class="s">reviews-v1-75b979578c-6hslt 2/2 Running 0 98m</span> <span class="s">reviews-v2-597bf96c8f-q92v7 2/2 Running 0 98m</span> <span class="s">reviews-v3-54c6c64795-9gc9q 2/2 Running 0 98m</span> </code></pre></div> eks istio Tunde Oladipupo Sat, 01 Jun 2019 00:41:56 +0000 https://forem.com/simplytunde/kubernetes-podsecuritypolicy-and-kubeadm-26i3 https://forem.com/simplytunde/kubernetes-podsecuritypolicy-and-kubeadm-26i3 <p>I will assume you have a little background about PodSecurityPolicy and now its time to setup your cluster with PodSecurityPolicy admission controller enabled. For our setup, here is the kubeadm config;<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">InitConfiguration</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kubeadm.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">InitConfiguration</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kubelet.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">KubeletConfiguration</span> <span class="na">featureGates</span><span class="pi">:</span> <span class="na">AppArmor</span><span class="pi">:</span> <span class="no">true</span> <span class="na">cpuManagerPolicy</span><span class="pi">:</span> <span class="s">static</span> <span class="na">systemReserved</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256M</span> <span class="na">kubeReserved</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256M</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kubeadm.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterConfiguration</span> <span class="na">apiServer</span><span class="pi">:</span> <span class="na">extraArgs</span><span class="pi">:</span> <span class="na">enable-admission-plugins</span><span class="pi">:</span> <span class="s">PodSecurityPolicy,LimitRanger,ResourceQuota,AlwaysPullImages,DefaultStorageClass</span> </code></pre></div> <p>Let's start the cluster,<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="s">$ sudo kubeadm init --config kubeadm.json</span> <span class="s">$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config</span> <span class="c1">#join a worker node to the master</span> <span class="s">$ sudo kubeadm join 10.100.11.231:6443 --token 6yel1a.ce3le6eel3kfnxsz --discovery-token-ca-cert-hash sha256:99ee2e4ea</span> <span class="s">302c5270f2047c7a0093533b69105a8c91bf20f48b230dce9fd3f3a</span> <span class="s">$ kubectl get no</span> <span class="s">NAME STATUS ROLES AGE VERSION</span> <span class="s">ip-10-100-11-199 NotReady &lt;none&gt; 109s v1.13.1</span> <span class="s">ip-10-100-11-231 NotReady master 3m3s v1.13.1</span> </code></pre></div> <p>As you can see, our cluster is not ready because we need to install a network plugin which you can see if you describe the node.<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>kubectl describe no ip-10-100-11-231 ... Conditions: Type Status LastHeartbeatTime LastTransitionTime Reason Message <span class="nt">----</span> <span class="nt">------</span> <span class="nt">-----------------</span> <span class="nt">------------------</span> <span class="nt">------</span> <span class="nt">-------</span> MemoryPressure False Fri, 31 May 2019 22:50:36 +0000 Fri, 31 May 2019 22:46:39 +0000 KubeletHasSufficientMemory kubelet has sufficient memory available DiskPressure False Fri, 31 May 2019 22:50:36 +0000 Fri, 31 May 2019 22:46:39 +0000 KubeletHasNoDiskPressure kubelet has no disk pressure PIDPressure False Fri, 31 May 2019 22:50:36 +0000 Fri, 31 May 2019 22:46:39 +0000 KubeletHasSufficientPID kubelet has sufficient PID available Ready False Fri, 31 May 2019 22:50:36 +0000 Fri, 31 May 2019 22:46:39 +0000 KubeletNotReady runtime network not ready: <span class="nv">NetworkReady</span><span class="o">=</span><span class="nb">false </span>reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized Addresses: ... </code></pre></div> <p>We will be using calico as our network plugin and you can follow the install instruction right <a href="https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/">here</a><br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> https://docs.projectcalico.org/v3.7/manifests/calico.yaml configmap/calico-config created customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created clusterrole.rbac.authorization.k8s.io/calico-node created clusterrolebinding.rbac.authorization.k8s.io/calico-node created daemonset.extensions/calico-node created serviceaccount/calico-node created deployment.extensions/calico-kube-controllers created serviceaccount/calico-kube-controllers created </code></pre></div> <p>To our surprise, there is no pod running in kube-system as we would expect. Let look at calico-node daemonset;<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="s">$ kubectl describe daemonset calico-node -n kube-system</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">calico-node</span> <span class="na">Selector</span><span class="pi">:</span> <span class="s">k8s-app=calico-node</span> <span class="na">Node-Selector</span><span class="pi">:</span> <span class="s">beta.kubernetes.io/os=linux</span> <span class="na">Labels</span><span class="pi">:</span> <span class="s">k8s-app=calico-node</span> <span class="nn">...</span> <span class="na">Events</span><span class="pi">:</span> <span class="s">Type Reason Age From Message</span> <span class="s">---- ------ ---- ---- -------</span> <span class="s">Warning FailedCreate 20s (x15 over 102s) daemonset-controller Error creating</span><span class="pi">:</span> <span class="s">pods "calico-node-" is forbidden</span><span class="pi">:</span> <span class="s">no providers available to validate pod request</span> </code></pre></div> <p>Ok, it says no provider and that means you do not have any PSP defined that will validate the daemonset pods. It is a very confusing error message.<br> Now, we will apply this PSP below.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodSecurityPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">calico-psp</span> <span class="na">annotations</span><span class="pi">:</span> <span class="s">seccomp.security.alpha.kubernetes.io/allowedProfileNames</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">privileged</span><span class="pi">:</span> <span class="no">false</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">true</span> <span class="na">allowedCapabilities</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="no">true</span> <span class="na">hostPorts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">min</span><span class="pi">:</span> <span class="m">0</span> <span class="na">max</span><span class="pi">:</span> <span class="m">65535</span> <span class="na">hostIPC</span><span class="pi">:</span> <span class="no">true</span> <span class="na">hostPID</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">RunAsAny'</span> <span class="na">seLinux</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">RunAsAny'</span> <span class="na">supplementalGroups</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">RunAsAny'</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">RunAsAny'</span> </code></pre></div> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> calico-psp.yaml podsecuritypolicy.policy/calico-psp created <span class="nv">$ </span>kubectl get psp NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES calico-psp <span class="nb">false </span>RunAsAny RunAsAny RunAsAny RunAsAny <span class="nb">false</span> <span class="k">*</span> </code></pre></div> <p>Ok everything should be good now? Well, if you describe the daemonset, you will still see the same message as above. You need to delete and re-apply the calico plugin manifest. After this, let's go ahead and describe our daemonset again.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="s">$ kubectl describe daemonset calico-node -n kube-system</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">calico-node</span> <span class="na">Selector</span><span class="pi">:</span> <span class="s">k8s-app=calico-node</span> <span class="na">Node-Selector</span><span class="pi">:</span> <span class="s">beta.kubernetes.io/os=linux</span> <span class="na">Labels</span><span class="pi">:</span> <span class="s">k8s-app=calico-node</span> <span class="nn">...</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HostPath (bare host directory volume)</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/var/lib/cni/networks</span> <span class="na">HostPathType</span><span class="pi">:</span> <span class="na">Events</span><span class="pi">:</span> <span class="s">Type Reason Age From Message</span> <span class="s">---- ------ ---- ---- -------</span> <span class="s">Warning FailedCreate 4s (x12 over 14s) daemonset-controller Error creating</span><span class="pi">:</span> <span class="s">pods "calico-node-" is forbidden</span><span class="pi">:</span> <span class="na">unable to validate against any pod security policy</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre></div> <p>The error means we have a psp but not something we can use to validate our daemonset. This is because our daemonset pod container cannot use our PSP and we need to modify the daemonset clusterrole to be able to use this specific PSP and add this rule. Yep, you need to recreate.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="c1"># Include a clusterrole for the calico-node DaemonSet,</span> <span class="c1"># and bind it to the calico-node serviceaccount.</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1beta1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">calico-node</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">extensions"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">podsecuritypolicies</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">calico-psp</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">use</span> <span class="c1"># The CNI plugin needs to get pods, nodes, and namespaces.</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="pi">-</span> <span class="s">namespaces</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="nn">---</span> <span class="nn">...</span> </code></pre></div> <p>After the clusterrole has been modified, we will run into another error;<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">...</span> <span class="na">host-local-net-dir</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HostPath (bare host directory volume)</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/var/lib/cni/networks</span> <span class="na">HostPathType</span><span class="pi">:</span> <span class="na">Events</span><span class="pi">:</span> <span class="s">Type Reason Age From Message</span> <span class="s">---- ------ ---- ---- -------</span> <span class="s">Warning FailedCreate 3s (x11 over 9s) daemonset-controller Error creating</span><span class="pi">:</span> <span class="s">pods "calico-node-" is forbidden</span><span class="pi">:</span> <span class="na">unable to validate against any pod security policy</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">spec.containers</span><span class="pi">[</span><span class="nv">0</span><span class="pi">]</span><span class="nv">.securityContext.privileged</span><span class="pi">:</span> <span class="nv">Invalid value</span><span class="pi">:</span> <span class="nv">true</span><span class="pi">:</span> <span class="nv">Privileged containers are not allowed</span><span class="pi">]</span> <span class="nn">...</span> </code></pre></div> <p>Our calico pods are forbidden because the PSP it is using forbids privileged container and Calico needs one to handle network policy. Now, lets go ahead and fix that in our PSP by updating;<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodSecurityPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">calico-psp</span> <span class="na">annotations</span><span class="pi">:</span> <span class="s">seccomp.security.alpha.kubernetes.io/allowedProfileNames</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">privileged</span><span class="pi">:</span> <span class="no">true</span> <span class="c1">#update this to true</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">true</span> <span class="nn">...</span> </code></pre></div> <p>Once the update has been applied, calico will create the pods and our node will become healthy.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">...</span> <span class="na">Events</span><span class="pi">:</span> <span class="s">Type Reason Age From Message</span> <span class="s">---- ------ ---- ---- -------</span> <span class="s">Warning FailedCreate 3m10s (x16 over 5m54s) daemonset-controller Error creating</span><span class="pi">:</span> <span class="s">pods "calico-node-" is forbidden</span><span class="pi">:</span> <span class="na">unable to validate against any pod security policy</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">spec.containers</span><span class="pi">[</span><span class="nv">0</span><span class="pi">]</span><span class="nv">.securityContext.privileged</span><span class="pi">:</span> <span class="nv">Invalid value</span><span class="pi">:</span> <span class="nv">true</span><span class="pi">:</span> <span class="nv">Privileged containers are not allowed</span><span class="pi">]</span> <span class="na">Normal SuccessfulCreate 26s daemonset-controller Created pod</span><span class="pi">:</span> <span class="s">calico-node-hwb2b</span> <span class="na">Normal SuccessfulCreate 26s daemonset-controller Created pod</span><span class="pi">:</span> <span class="s">calico-node-gtrm2</span> <span class="s">$ kubectl get no</span> <span class="s">NAME STATUS ROLES AGE VERSION</span> <span class="s">ip-10-100-11-199 Ready &lt;none&gt; 7m2s v1.13.1</span> <span class="s">ip-10-100-11-231 Ready master 7m33s v1.13.1</span> </code></pre></div> <p>Yayy!!! Our nodes are ready.</p> kubernetes kubeadm psp Tunde Oladipupo Mon, 27 May 2019 16:28:39 +0000 https://forem.com/simplytunde/lets-talk-about-terraform-0-12-32j0 https://forem.com/simplytunde/lets-talk-about-terraform-0-12-32j0 <p>Terraform 0.12 was recently released and you can check out the details more in-dept at <a href="https://www.hashicorp.com/blog/announcing-terraform-0-12">terraform blogs</a>. The focus of this blog post will be the new features released and how to use them. You can find the code used in this <a href="https://github.com/simplytunde/tutorial/tree/master/terraform">Github repo</a>. Below is the content of the ec2 main.tf.<br> </p> <div class="highlight"><pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"test_ec2"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./ec2_module"</span> <span class="c1">//I am passing the subnet object instead of the id</span> <span class="nx">subnet</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="err">.</span><span class="nx">private</span><span class="err">.</span><span class="mi">0</span> <span class="nx">instance_tags</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Key</span> <span class="p">=</span> <span class="s2">"Name"</span> <span class="nx">Value</span> <span class="p">=</span> <span class="s2">"Test"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Key</span> <span class="p">=</span> <span class="s2">"Environment"</span> <span class="nx">Value</span> <span class="p">=</span> <span class="s2">"prd"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> </code></pre></div> <p>Here is the content of the ec2 module;<br> </p> <div class="highlight"><pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"ubuntu"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"virtualization-type"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"hvm"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"099720109477"</span><span class="p">]</span> <span class="c1"># Canonical</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="err">.</span><span class="nx">aws_ami</span><span class="err">.</span><span class="nx">ubuntu</span><span class="err">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">subnet</span><span class="err">.</span><span class="nx">id</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="err">(</span><span class="s2">"${path.module}/userdata.tpl"</span><span class="err">,</span> <span class="p">{</span> <span class="nx">instance_tags</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">instance_tags</span> <span class="p">}</span><span class="err">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">tag</span> <span class="nx">in</span> <span class="nx">var</span><span class="err">.</span><span class="nx">instance_tags</span><span class="err">:</span> <span class="nx">tag</span><span class="err">.</span><span class="nx">Key</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">tag</span><span class="err">.</span><span class="nx">Value</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_tags"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="err">(</span><span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span><span class="err">)</span> <span class="p">}</span> </code></pre></div> <h3> For expression </h3> <p>From my perspective, this is one of the best feature of 0.12 which allows you to iterate over a list or map and you can do whatever you want with each item. From above, you can see that we generated the instance tags property from the user passed in list of maps.<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="s">tags = {</span> <span class="s">for tag in var.instance_tags</span><span class="pi">:</span> <span class="s">tag.Key =&gt; tag.Value</span> <span class="err">}</span> </code></pre></div> <h3> First class expression </h3> <p>You can see from above that we did not have to interpolate over the variables or object values instead they were used directly as first class variable. This will save some ink and allows for more complex operational usage with terraform.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">...</span> <span class="s">ami = data.aws_ami.ubuntu.id</span> <span class="s">instance_type = "t2.micro"</span> <span class="s">subnet_id = var.subnet.id</span> <span class="nn">...</span> </code></pre></div> <h3> Rich Value Type </h3> <p>My impression of this feature so far is that we can have user-defined type and existing type are supported as first class type without quote. We defined a type that expects map with id attribute and if passing a non-matching object, it will be rejected which is pretty cool.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="s">variable "instance_tags" {</span> <span class="s">type = list</span> <span class="err">}</span> <span class="s">variable "subnet" {</span> <span class="s">type = object({</span> <span class="s">id = string</span> <span class="s">})</span> <span class="err">}</span> </code></pre></div> <h3> New Type Interpolation </h3> <p>New terraform now gives you the capability to loop in your user data. For our example, here is the userdata;<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>#!/bin/bash %{ for tag in instance_tags~} cat ${tag.Key}=${tag.Value} %{ endfor ~} </code></pre></div> <p>We were able to use forloop to go over the tags and use it in instance user data which is lovely without having to through hacks.</p> <p>One other feature that was not discussed here is the <em>dynamic block</em> which you can checkout on terraform <a href="https://www.hashicorp.com/blog/hashicorp-terraform-0-12-preview-for-and-for-each">blog page</a>.</p> terraform aws Tunde Oladipupo Fri, 24 May 2019 02:33:38 +0000 https://forem.com/simplytunde/logging-with-aws-kubernetes-eks-cluster-1m5l https://forem.com/simplytunde/logging-with-aws-kubernetes-eks-cluster-1m5l <h2> Logs </h2> <p>EKS is the managed kubernetes offering by AWS that saves you the stress of managing your own control plane with a twist of offboarding some controls like what goes on in your control. The feature was not available when the service went GA but was recently made available recently. Here are the kinds of logs that it provides;</p> <ul> <li>API server component logs: You know that component of your cluster that validates requests, provides api rest endpoint and so on? These are the logs from the apiserver which are very critical when trying to diagnose things like why your pods are not creating, admission controller issues etc. </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="s">E0523 03:27:22.258958 1 memcache.go:134] couldn't get resource list for metrics.k8s.io/v1beta1</span><span class="pi">:</span> <span class="s">the server is currently unable to handle the request</span> </code></pre></div> <ul> <li>Audit Logs: People make changes in your cluster and you want to know who, what and when. This logs gives you the ability to this. </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="pi">{</span> <span class="s2">"</span><span class="s">kind"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Event"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">apiVersion"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">audit.k8s.io/v1beta1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">metadata"</span><span class="pi">:</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">creationTimestamp"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2019-05-23T02:08:34Z"</span> <span class="pi">},</span> <span class="s2">"</span><span class="s">level"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Request"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">timestamp"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2019-05-23T02:08:34Z"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">auditID"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">84662c40-8d4f-4d3e-99b2-0d4005e44375"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">stage"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ResponseComplete"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">requestURI"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/api/v1/namespaces/default/services/kubernetes"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">verb"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">user"</span><span class="pi">:</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">username"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">system:apiserver"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">uid"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2d8ad7ed-25ed-4f37-a2f0-416d2af705e9"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">groups"</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">system:masters"</span> <span class="pi">]</span> <span class="pi">},</span> <span class="s2">"</span><span class="s">sourceIPs"</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">::1"</span> <span class="pi">],</span> <span class="s2">"</span><span class="s">userAgent"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">kube-apiserver/v1.12.6</span><span class="nv"> </span><span class="s">(linux/amd64)</span><span class="nv"> </span><span class="s">kubernetes/d69f1bf"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">objectRef"</span><span class="pi">:</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">resource"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">services"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">namespace"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">default"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">name"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">kubernetes"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">apiVersion"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">v1"</span> <span class="pi">},</span> <span class="s2">"</span><span class="s">responseStatus"</span><span class="pi">:</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">metadata"</span><span class="pi">:</span> <span class="pi">{},</span> <span class="s2">"</span><span class="s">code"</span><span class="pi">:</span> <span class="nv">200</span> <span class="pi">},</span> <span class="s2">"</span><span class="s">requestReceivedTimestamp"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2019-05-23T02:08:34.498973Z"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">stageTimestamp"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2019-05-23T02:08:34.501446Z"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">annotations"</span><span class="pi">:</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">authorization.k8s.io/decision"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">allow"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">authorization.k8s.io/reason"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">}</span> <span class="pi">}</span> </code></pre></div> <ul> <li>Authenticator Logs: EKS uses this thing called aws-iam-authenticator to guess what? Authenticate against the EKS cluster using AWS credentials and roles. These logs contains event from these activities </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="s">time="2019-05-16T22:19:48Z" level=info msg="Using assumed role for EC2 API" roleARN="arn:aws:iam::523447765480:role/idaas-kubernetes-cluster-idauto-dev-masters-role"</span> </code></pre></div> <ul> <li>Controller manager: For those familiar with kubernetes objects such as Deployments, Replicas etc; these are managed by controllers which ships with kubernetes controller manager. To see what these controllers are doing under the hood, you need these. </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="s">E0523 02:07:55.486872 1 horizontal.go:212] failed to compute desired number of replicas based on listed metrics for Deployment/routing/rapididentity-default-backend</span><span class="pi">:</span> <span class="na">failed to get memory utilization</span><span class="pi">:</span> <span class="na">unable to get metrics for resource memory</span><span class="pi">:</span> <span class="na">unable to fetch metrics from resource metrics API</span><span class="pi">:</span> <span class="s">the server is currently unable to handle the request (get pods.metrics.k8s.io)</span> </code></pre></div> <ul> <li>Scheduler: This component of the control plane does what it name says, put pods on the right node after factoring a number of constraints and resources available. To see information on how this component is making its decision, check these logs. </li> </ul> <div class="highlight"><pre class="highlight yaml"><code><span class="s">E0523 02:07:55.486872 1 horizontal.go:212] failed to compute desired number of replicas based on listed metrics for Deployment/routing/rapididentity-default-backend</span><span class="pi">:</span> <span class="na">failed to get memory utilization</span><span class="pi">:</span> <span class="na">unable to get metrics for resource memory</span><span class="pi">:</span> <span class="na">unable to fetch metrics from resource metrics API</span><span class="pi">:</span> <span class="s">the server is currently unable to handle the request (get pods.metrics.k8s.io)</span> </code></pre></div> <h1> Enabling Logs </h1> <p>You can easily enable the logs in your EKS cluser console and AWS updates your cluster to enable those logs to ship to cloudwatch. The corresponding cloudwatch log group will be displayed in your console. For those using terraform to provision their cluster, you can just pass in the types of logs that you want to provision and also create the log group to ship it to.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="s">resource "aws_eks_cluster" "my_cluster" {</span> <span class="s">depends_on = ["aws_cloudwatch_log_group.eks_log_group"]</span> <span class="s">enabled_cluster_log_types = ["api", "audit"]</span> <span class="s">name = "${var.cluster_name}"</span> <span class="s"># ... other configuration ...</span> <span class="err">}</span> </code></pre></div> kubernetes aws eks