#kubernetes (2019-07)
Archive: https://archive.sweetops.com/kubernetes/
2019-07-02
Sanic is an omni-tool which lets you build, deploy, and manage Kubernetes clusters.
reminds me of #geodesic
Looks like a go cli tool that can be added to geodesic
2019-07-03
anyone running a container with 200GB+ memory ?
bad idea ?
just curious, why do you need that size of container?
somebody mentioned a tool for setting ENV variables for docker with support for different environments ?
with some template support
for the life of me I can’t recall the name….
dockerize?
it was something like systemenv ro something with env
env consule?
nop
probably that? https://github.com/mumoshu/variant
I think so…
2019-07-04
2019-07-06
2019-07-08
2019-07-09
Anyone know if it’s possible to pass settings in the config to run commands on startup (like with kops)?
…in eksctl
(@mumoshu)
e.g. in kops, we can do:
hooks:
# Mitigate CVE-2019-5736
- before:
- docker.service
manifest: |
Type=oneshot
ExecStart=/usr/bin/chattr +i /usr/bin/docker-runc
There’s no easy way to add systemd units like that in eksctl. Technically there’re two options though -
-
use
preBootstrapCommandsto write systemd units(https://github.com/weaveworks/eksctl/blob/cf5e078273d8d0d8fa802ae704f038d9c56ad8d7/pkg/apis/eksctl.io/v1alpha5/types.go#L457) or -
deploy a privileged daemonset that mount host volumes and writes unit files(https://github.com/mumoshu/kube-node-init)
Hi, has anyone tried the bitnami kubeprod.io stack? (https://github.com/bitnami/kube-prod-runtime)
2019-07-10
hi, anyone here knows about use boolean value with k8s ?
i’m trying to read the value from Environment variable, and i realize that when setting the env var inside a pod, it’s always format it as a string
for example MY_VAR=abc will be MY_VAR=‘abc’ inside a pod
if any program is expecting the boolean type, it will throw error
is there a way to solve this ?
thanks
environment variables are always strings
it needs to be handled by your program or whatever library you are using
thanks @MiLk
2019-07-11
Higher container density is coming
2019-07-14
2019-07-17
Hi, I have an idea about how I’m going to implement config templating for our containers and I will like some feedback :
- Secrets and non secrets will be stored in aws Parameter Store+KMS
- Chamber will be used to update/create secrets
- Path IAM roles will be created for every environment /dev/secrets /prod/secrets etc
- ECS Task per environment will have access to the /env path that have secrets and not secrets ( no shared configs)
- Dev will use chamber to set ENV variable to run their local containers
- confd might be use to create the config templates on Docker build
most Jenkins will be doing the initial push and CodeDeploy will do the rest for Blue Green
any comments ?
2019-07-18
Anyone familiar enough with Kubernetes API to maybe know a way to get the resourceVersion of the parent for a given pod? Trying to ignore events in the watch if the change was initiated by its parent (I am not the controller). This is related to a ReplicaSet
2019-07-19
saw this at kubecon
my gripes wit this is the feedback loop for rebuilding an image is slow
what were your thoughts?
so during development esp. if you save alot assuming youre doing some web dev you’d typically want to refresh your browser right after you save
and see the changes right away
even during their demo at kubecon there was a bit of waiting
for the demo image (prob really small) to rebuild
I think developers mostly want live reloading
e.g. what you get with telepresence
yep
most prob use docker compose to spin up dependencies
and run their app locally
i think itd be awesome if you could have that type of live reloading but your app is hosted on a k8s cluster in the cloud
each developer would have their own namespace
yep - that’s what we’re working on
but haven’t yet tackled telepresence
are you able to do live reloading comparable to running it locally
cause thats a gamebreaker i think for most devs
so with telepresence you run “the” service locally
but all your backing services run in k8s (e.g. in a developer namespace)
ah
telepresence is like a reverse proxy. it sits in k8s and any requests it gets it sends back to the service on your laptop
so it’s like teleporting your local service into the cluster
plus your local service can access everything running in k8s (e.g. database or other backing services)
since it runs on your local laptop, you get all the benefits
easier debugging, attaching debuggers, live reloads, etc
ah yeah
but i guess other than the fact that dependent services hosted in cloud
is there any other benefit than running those in a docker compose
you’re testing your services in an environment that’s closer to staging/prod
if you have 30-40 microservices as part of your stack, good luck doing that on your laptop
if you need large datasets for development, can’t do that easily locally
maybe it’s nicer to have all the data stay in AWS from a security perspective
truee
multiple developers can be working on pieces of the project at the same time
and using a shared environment
so you host the db remotely as well
assume youre working on an API
its easier for others to QA changes in a public environment (e.g. if your laptop is offline, no one can review)
yea, usually run db as a container for these env
nice
yeah the large dataset hosted remotely one is actually really useful
allowing multiple devs on same project
Has anyone here been able to get Istio installed to EKS? I’m trying to get it installed with my worker nodes all residing in private subnets and I’m running into weird issues.
@Vidhi Virmani I think did
Most of the examples I come across online assume you’re in public subnets with ELBs and security groups open to the world
@Vidhi Virmani if you’ve installed Istio on EKS in private subnets, ping me!
2019-07-22
Is there a way to have helm chart create external resources?(RDS/Elasticache)
Then use the Helm raw chart to provision
The CRDs for RDS
Thank you!
What are people using as an oauth2 provider to login to their apps like k8 dashboard?
keycloak
- gatekeeper proxies
keycloak too but not for k8 but for pretty much anything
2019-07-23
I’m interested to hear how people are using CD in Kubernetes. Is anyone doing Canary deployments on their EKS cluster? How?
i can’t answer your question, but is that commander keen as your profile pic?
I’d imagine a lot of people are using a service mesh like istio to manage the networking side of the canary deployment, but how they wrap all that in CD I’ve got no experience with
Rio by Rancher. Check it out.
2019-07-25
last year spent a few months troubleshooting and improving apps running in ElasticBeanstalk. with help from guys here (thank you). This year I’m deleting those ElasticBeanstalk stacks one by one after moving the apps to K8s. #lifeofadevopsengineer
haha too true. Thanks @i5okie for the update.
2019-07-29
I am looking at starting to use Kubernetes for the first time for a small system that I would eventually grow. Would you suggest using Kubernetes directly or using AWS EKS?
I would give eksctl a shot
Probably the most turn key way to get up and running with EKS for a small project.
(we still use kops)
i was playing around with kops over the weekend
worked really well, just unsure at this point how to manage everything
kops is easy to get up and running.
the challenge with kubernetes is updates between major releases can be tricky
e.g. 1.11 -> 1.12 upgraded to etcd3 and there was no automated way to easily upgrade
while on EKS, those kinds of upgrade challenges are handled by the platform
also, i believe the upgrade from 1.14 to 1.15 is also that way
Thanks that is really good to know. I’ll give EKS a go. Much appreciated
we also have TF modules for EKS
Awesome
Thanks so much!
Just found this as well, seems like a good beginner resource https://eksworkshop.com/introduction/
yes, I saw that - looks amazing
2019-07-30
module "eks_cluster" {
source = "git::<https://github.com/cloudposse/terraform-aws-eks-cluster.git?ref=master>"
namespace = "eg"
stage = "testing"
name = "cluster"
tags = "${var.tags}"
vpc_id = "<YOUR VPC ID>"
subnet_ids = ["<YOUR PUBLIC SUBNET ID'S>"]
# `workers_security_group_count` is needed to prevent `count can't be computed` errors
workers_security_group_ids = ["${module.eks_workers.security_group_id}"]
workers_security_group_count = 1
}
2019-07-31
I’m looking for a minimally-hacky way to restart running pods in order pickup a change in config data
1
here’s the use case: pods bootup and source some envrionment vars from SSM
now I change a config value in SSM and would like pods to pick up that value
I’m looking for a minimally-hacky way
I’m okay with some amount of hack tbh
1 idea is to delete pods 1 by 1. They get restarted and when they run they fetch the data fresh from SSM and viola, config data is up to date
We use this https://github.com/stakater/Reloader
cool thanks @Erik Osterman (Cloud Posse) I’ve heard of it and will check it out.
it was very easy to setup
our helmfile for it is here: https://github.com/cloudposse/helmfiles/blob/master/releases/reloader.yaml
I wonder if there’s a way to hook it into Prometheus somehow, so it would only restart a pod if the app overall is healthy. A cursory look at this suggests I’d have to roll my own
assuming health is only determined by prometheus…
however, services should have a healthcheck endpoint
per the Reloader README.md, it says:
then perform a rolling upgrade
the only way to do a rolling upgrade is to wait for new pods to become healthy before moving on
thus if the new secrets cause problems, that should cause the rollout to hang
then the prometheus alerts for a pod crash loop should fire on the unhealthy pod
to me, it looks like what they do is update an environment variable which causes k8s to do the rolling update
thus all rolling update semantics are handled by k8s.
Yeah, this gets more complicated with distributed applications such as Kafka, hence the need for external monitoring