#kubernetes (2021-04)

kubernetes

Archive: https://archive.sweetops.com/kubernetes/

2021-04-29

meirfi

Hey all,

We are facing a strange behavior of WeaveCNI in our AWS EKS cluster. For some reason our CoreDNS is getting NXDOMAIN, which means that the pods are not able to resolve the URLs of the services in the cluster. After a long investigation we found out that the only way to solve the DNS issue is by restarting all WeaveCNI pods.

Has anyone encountered the same behavior? Thanks.

Matt Gowie

Don’t use WeaveCNI, so have no idea, but I believe the Weaveworks folks have their own Slack so it might make sense to post there?

Brad McCoy
06:46:59 AM

Join us in the Microsoft reactor next week for a technical demonstration of provisioning AKS with Terraform and then deploying microservices with Helm!

https://www.meetup.com/Microsoft-Reactor-Sydney/events/277886892/

2021-04-23

2021-04-21

Thomas Hoefkens

We have deployed alpine images on EKS Fargate nodes, and have also associated a service account to an IAM role which has access to DynamoDB and some other services. When deploying the containers, we can see that AWS has automatically set these env vars on all containers:

AWS_ROLE_ARN=arn:aws:iam::1111111:role/my-role
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token

But if we execute this command with the CLI, aws sts get-caller-identity or aws dynamodb list-tables, the command simply hangs and does not return any results. We have followed the docs on setting up the IAM roles for the EKS (k8s) service accounts - is there anything more we need to do to check the connectivity from the containers to DynamoDB, for example? (Please note, from Lambda or so we can access DynamoDB - an endpoint exists for the necessary services.)

When I execute this on the pod:

aws sts assume-role-with-web-identity \
  --role-arn $AWS_ROLE_ARN \
  --role-session-name mh9test \
  --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE \
  --duration-seconds 1000

I get this error:

Connect timeout on endpoint URL: "sts.amazonaws.com"

which is strange because the VPC endpoint is sts.eu-central-1.amazonaws.com. I can also not ping endpoint addresses such as ec2.eu-central-1.amazonaws.com.

Markus Muehlberger

First thing to check would be the route tables to make sure any VPC endpoints are actually used.

I’m guessing you don’t have any NAT gateways in the VPC, otherwise the containers should use the public internet to reach the endpoint.

Second thing to check is security groups and network ACLs.

Thomas Hoefkens

So for the containers to reach the VPC endpoints (in the case of no internet gateway) we would have to set up a NAT gateway?

imran hussain

Hi, I think he means add some VPCE endpoints so you do not leave the AWS network.

Thomas Hoefkens

VPC endpoints were already in place. Still, I was not able to ping these VPC endpoints by private DNS name from within a container.

Markus Muehlberger

Usually when you can’t ping AWS services from within the network you either have the security groups (outbound) or network ACLs (both directions) set up incorrectly or (because you don’t have a NAT gateway) the VPC endpoints are not correctly attached to the route tables.

Markus Muehlberger

One final thing it could also be is that you don’t have DNS hostnames enabled in the VPC.

2021-04-20

jose.amengual

is it possible to mix ALB scheme types (internal, internet-facing) on the same alb-controller ?

jose.amengual

do you need two different controllers?

jose.amengual

are the internal-albs required to use private subnets?

2021-04-08

2021-04-06

2021-04-05

Allen Vailliencourt

Single-node K8S cluster for testing on GCP? What would you all think is the best option? Throw minikube on it?

Issif

k3s works fine

Allen Vailliencourt

didn’t even think about that! Thanks!

Veyron

If you are using Ubuntu, it comes with a production-ready Kubernetes server API called MicroK8s with a ton of official plugins supported. K3s is also fine for this.

sudo snap install microk8s --classic --channel=1.19
MicroK8s - Introduction to MicroK8s | MicroK8s

MicroK8s is the simplest production-grade upstream K8s. Lightweight and focused. Single command install on Linux, Windows and macOS. Made for devops, great for edge, appliances and IoT. Full high availability Kubernetes with autonomous clusters.

2021-04-01
