Need help with kubernetes-kargo-logging-monitoring?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

203 Stars 68 Forks 85 Commits 2 Opened issues


Deploy kubernetes cluster with kargo

Services available


Need anything else?

Contributors list

# 27,706
1 commit

Deploy kubernetes via kargo with logging (efk) & monitoring (prometheus) support


What you will get:

  • Kargo: a powerful and flexible way to build, hot upgrade/migrate, and scale kubernetes (k8s)
  • X number of master node running : k8s for container orchestration, it will pilot and gives work to the minions
  • Y number of minion/slave/worker nodes : running the actual containers and doing the actual work
  • Z number of etcd: database to store your k8s configuration
  • Efk: we will send all k8s container logs to an elasticsearch DB, via fluentd, and visualize dashboards with kibana
  • Prometheus will monitoring all this infra, with grafana dashbaord
  • Heapster is an alternative for monitoring your k8s cluster
  • K8s dashboard addon (not efk dashboard), where you can visualize k8s component in a GUI
  • Registry: a private docker registry deployed in the k8s cluster
  • Gitlab CI/CD: a full example of continuous integration and continuous delivery of a simple app, in k8s
  • Service-loadbalancer (static haproxy): which is the public gateway to access your internal k8s services (kibana, grafana)
  • Traefik dynamic loadbalancer: an alternative to haproxy, quite powerful with its dynamic service discovery and auto certification

Prerequisit: - Kargo support many different types of cloud. I will show you the broader way to build k8s while abstracting the OS creation. You will just need to give kargo some coreos hosts IP and ssh access.

More info: you can find an overview of that setup on my blog:


1. Deploy kubernetes

We will deploy a base k8s multi-master, etcd cluster, and dns support. You can modify the architecture depending on which values you will set later in inventory.cfg.


1.1 Clone repo

git clone k8s && cd k8s

1.2 Deploy coreos nodes


An ubuntu vm from where you will install the infra with kargo tool (which is ansible recipes in the background), and manage/pilot the k8s cluster with kubectl.

You need the latest version of ansible.

You will need Netaddr install on the bastion too:

pip install netaddr


This setup doesn't managed firewall rules yet.

Please create a security group with port 0-40000 tcp & udp open for all k8s servers inside that group.

Bastion will be ouside this group. Please give some accesses to bastion on 22,80,443 port so this ubuntu server will be able to run kargo ansible recipes(22/tcp), and run kubectl(443/tcp).

Open outside acccess to 80,443/tcp, 5601/tcp (kibana), 3000 & 3002/tcp (grafana), 8080/tcp (traefik), 9090/tcp (prometheus), 9999/tcp(k8s-dashboard).

If you need to implement firewall, a good start here:


Please install with your preferered cloud provider, or on baremetal, basic latest coreos os as much as you need nodes.

1.3 Deploy k8s

We are using the kargo powerful project. It is made of many ansible scripts to build your cloud and k8s on top. To pilot you can use: - Kargo-cli: which make even easier to provision servers (aws, cloustack) - Or fill 2 configuration files and run an ansible recipe

Kargo-cli is being rebuilded in go, so I will just use the underlying ansible recipe at the moment. Please clone in your repo k8s:

git clone kargo && cd kargo

First fill the inventory file with your node info

cp inventory/inventory.example inventory/inventory.cfg
nano inventory/inventory.cfg      

Deploy k8s

nano inventory/group_vars/all.yml   

Note: You can also modifiy nginxkubeapiserver_port instead of kubeapiserverport to something other than 443 to enable loadbalancers as well. This would leave the API server running on port 443 but the internal proxy would be on a different port.

Set ansible configuration with your key and inventory

nano ansible.cfg

private_key_file=~/.ssh/id_rsa_sbexx remote_user=core hostfile = ./inventory/inventory.cfg [privilege_escalation] become = yes become_method = sudo become_user = root

You can now add logging support (efk) out of the box when adding the following flag: ``` nano inventory/group_vars/k8s-cluster.yml

Monitoring apps for k8s

efk_enabled: enable ```

Then deploy k8s with ansible:

ansible-playbook cluster.yml

Run few times untils no more errors.

  • Error with ansible commands? Try the param in command line:
ansible-playbook -i inventory/inventory.cfg -e ansible_ssh_user=core -e ansible_ssh_private_key_file=/root/.ssh/id_rsa_sbexx -b --become-user=root cluster.yml
  • Error with docker version? Update coreos to get latest docker version 12
ansible all -a 'docker version'
ansible node1 -a 'update_engine_client -update'

I got ansible.cfg and inventory.yml example in ./util

1.4 Install kubectl

Kubectl is your admin local client to pilot the k8s cluster. One version of kubectl is already present on master, but it is better to have it locally, on your admin/bastion. Please use the same version as server. You will be able to talk and pilot k8s with this tool.

Get kubectl

curl -O
chmod +x kubectl
mv kubectl /usr/local/bin/kubectl

Get the cert from master

mkdir kubectl
ssh -i ~/.ssh/id_rsa_sbexx [email protected]_ip sudo cat /etc/kubernetes/ssl/admin-node1.pem > kubectl/admin-node1.pem
ssh -i ~/.ssh/id_rsa_sbexx [email protected]_ip sudo cat /etc/kubernetes/ssl/admin-node1-key.pem > kubectl/admin-node1-key.pem
ssh -i ~/.ssh/id_rsa_sbexx [email protected]_ip sudo cat /etc/kubernetes/ssl/ca.pem > kubectl/ca.pem

Configure kubectl

kubectl config set-cluster kargo --server=https://master1_ip:8443 --certificate-authority=kubectl/ca.pem

kubectl config set-credentials kadmin

kubectl config set-context kargo --cluster=kargo --user=kadmin kubectl config use-context kargo

kubectl version kubectl get node kubectl get all --all-namespaces



If issues, see troubleshooting section.

Do you want to migration k8s, add new node? Please see the annexes.

2. Deploy logging (efk) to collect k8s & containers events

Please note that you may already have efk deployed if you enabled the flag efk_enabled when you installed via kargo. If it is the case, you don't need to deploy anything, but just access the right service: - Name: kibana-logging - Namespace: kube-system - Port: 5601

I didn't map yet this service to any lb (as it was added later than this doc). You can't access directly kibana UI because no host port (only internal) are declared in the service configuration.

To give access to the service you will have to modify the lb:

Nano service-loadbalancer-daemonset.yaml
    - --tcp-services=kibana-logging:5601
And deploy it (see section lb)

Same for traefik, you need to edit the name and namespace of the service:

nano traefik/logging-ingress.yaml
  name: kibana-logging 
  namespace: kube-system

2.1 Deploy elasticsearch, fluentd, kibana

kubectl apply -f logging    

2.2 Access services

From here, you should be able to access our services from your laptop, as long as your cloud server ip are public:

  • kibana: http://anyminionnode_ip:30601
  • ES: http://anyminionnode_ip:30200

To enable that access, we had set Type=NodePort and nodePort:35601/39200 in kibana/elasticsearch-service.yaml, to make it easier to learn at this point. Because we want to control how and from where we should be accessing our public services, we will set in a later section a loadbalancer.

2.3 See logs in kibana

Check logs coming in kibana, you just need to refresh, select Time-field name : @timestamps + create

Load and view your first dashboard: management > Saved Object > Import > logging/dashboards/elk-v1.json


3. Monitoring services and containers

It seems like two schools are gently fighting for container monitoring:

  • Heapster: this new player now comes as a kind of k8s addon (you can deploy it via a simple switch in some setup). It seems to be better integrated at the moment, and even more in the future with k8s component depending on it, but still young and few features
  • Prometheus: it has been around for some times, lots of nice features (alerting, application metrics) and community resources available (see the public dashboards for example)

More on which one to choose:

3.1 Monitoring with prometheus

Create monitoring containers

kubectl apply -f monitoring
kubectl get all --namespace=monitoring


Access the gui: http://anyminionnode_ip:30090

Go to status > target : you should see only some green. We got one false positive error scaping k8s-node with 2 ports 9102 and 80. As long as 9102 is good, we got the data. If you got some "context deadline exceeded" or "getsockopt connection refused", you will have to open firewall rule between the nodes. For exemple in security group k8s, you need to open 9100 and 10255.

Try a query: "nodememoryActive" > Execute > Graph --> you should see 2 lines representing both nodes.



Login to the interface with login:admin | pass:admin) : http://anyminionnode_ip:30000 Load some dashboards: dashboard > home

Kubernetes pod resources grafana-k8s-pod-resources1.jpg grafana-k8s-pod-resources2.jpg

Prometheus stats grafana-prometheus-stats.jpg

Load other public dashboards

Grafana GUI > Dashboards > Import

Already loaded: - prometheus stats: - kubernetes cluster :

Other good dashboards :

  • node exporter: -

  • deployment: pod metrics: - pod resources:

3.2 Monitoring2 with heapster

kubectl apply -f monitoring2
kubectl get all --namespace=monitoring2

Access services

  • Grafana2: http://anyminionnode_ip:30002

You can load Cluster or Pods dashboards. When viewing Pods, type manually "namespace=monitoring2" to view stats for the related containers.

grafana2-pods.jpg grafana2-cluster1.jpg grafana2-cluster1.jpg grafana2-cluster1.jpg

4. Kubenetes dashboard addon

Dashboard addon let you see k8s services and containers via a nice GUI.

kubectl apply -f kubernetes-dashboard
kubectl get all --namespace=kube-system     

Access GUI: http://anyminionnode_ip:30999


5. Docker private registry addon

I use the manifests here, with some little modifications. For some reasons, I have to force the, otherwise docker can't connect to that deployed registry. We use registry without password nor tls to make it easier.

Docker daemon on nodes should already have the service network range as insecure-registry. So when you will make available registry service on k8s network, docker we will be able to use it.

To check daemon on one node: (you should see --insecure-registry= )

ps aux | grep docker

Deploy the registry:

kubectl apply -f registry

In order to target the registry from outside, or within k8s, please setup traefik (see lb section) and create a dns ( pointing to your lb node.

Then add ingress config so traefik are aware of registry service:

kubectl apply -f traefik/kube-system-ingress.yaml

kubectl get svc --namespace=kube-system

Get the ip of the service, and check service access from one node


Or from the ubuntu image:

kubectl exec -it ubuntu --namespace=kube-system -- curl registry.kube-system:5000/v2/_catalog
kubectl exec -it ubuntu --namespace=kube-system -- curl

or from anywhere


Add an image to private registry

docker pull busyboy
docker tag busybox
docker push

6. Gitlab for CI & CD

This setup is based on the great blog of lwolfs

First please edit gitlab config:

nano gitlab/gitlab/gitlab-deployment.yml
- GITLAB_ROOT_PASSWORD (if you want to change pwd)

Deploy gitlab

kubectl apply -f gitlab/gitlab
kubectl get all --namespace=gitlab     

Use traefic as a loadbalancer (see lb section), create a dns record pointing to your lb_node (ex: and deploy the related ingress:

kubectl apply -f traefik/gitlab-ingress.yaml

You should be able to access gitlab with (login:root/rootpassword) or http://aminionip:30088

Setup the cache server for docker runner builds

kubectl apply -f gitlab/minio

Create the runner cache folder

kubectl exec -it minio-1144410361-pr5ym --namespace=gitlab -- mkdir /export/runner
kubectl exec -it minio-1144410361-pr5ym --namespace=gitlab -- ls /export

Register a runner to gitlab:

kubectl run -it runner-registrator --image=gitlab/gitlab-runner:v1.5.2 --restart=Never -- register

Answer the questions:

Gitlab-ci coordinator URL: http://gitlab.gitlab/ci
Registration token: [Find it in: gitlab GUI > setting > Runners > Use the following registration token during setup...]
Description: gitlab-docker-runner 
Tags: shared,specific
Executor: docker
Default docker image: python:3.5.1

Delete that temp container:

kubectl delete po/runner-registrator

Edit your final runner config and replace:

nano gitlab/gitlab-runner/gitlab-runner-docker-configmap.yml  
- Token: [login gitlab > setting > Runners > clic on the pencil/notepad icon]
- AccessKey and SecretKey: [find the in the logs of minio container]
kubectl logs -f minio-1144410361-pr5ym --namespace=gitlab

Deploy runner

kubectl apply -f gitlab/gitlab-runner

Gitlab CI and CD

We will now test a full continuous integration (docker build + test of a simple flask app saying helloworld) and a simplified continuous deployment (redeploy the flask container in k8s, on staging and prod, which are the same k8s)

For CD, your runner will need access to k8s, so bring over to the ci folder the kubectl certificates (for production, please be careful when sharing certificates in repo)

cp -r kargo/kubectl gitlab/ci/.
cd gitlab/ci

Create a repo (k8s-ci) in gitlab GUI, and link the ci folder to that repo, such as mine:

git init 
git remote add origin

Then edit the gitlab-ci config

nano .gitlab-ci.yml
- your docker repo registry and name (I stayed on default
- your k8s master ip

And push:

git add -A
git commit -m 'test ci'
git push --set-upstream origin master

Go to gitlab to check pipeline and the status. If you have some error, try to hit the retry button. Or remove most part of gitlab-ci.yml and try again.

Check the app to get the "hello world" message:

curl a_node_ip:30555    or
kubectl exec -it ubuntu --namespace=kube-system -- curl flask.default:5000

At the end, you should be able to edit to say "helloworld 3!", push the code, and see/curl the result later when the pipeline is finished!

7. LoadBalancers

If you are on aws or google cloud, these provider we automatically set a loadbalancer matching the *-ingress.yaml configuration. For all other cloud provider and baremetal, you will have to take care of that step. Luckyly, I will present you two types of loadlancer below ;-) - service-loadbalancer (static haproxy) - traefik (dynamic proxy)

7.1 Service-loadbalancer

Because Kargo runs an nginx proxy for kubelet to access the api on all minions, port 443 is not available for any lbs to listen for public requests by default. You should change either the kubeapiserverport or nginxkubeapiserver_port options describe in configuring Kargo above.

Create the load-balancer to be able to connect your service from the internet. Give 1 or more nodes the loadbalancer role:

kubectl label node node_name role=loadbalancer
kubectl apply -f service-loadbalancer-daemonset.yaml

If you change the config, use "kubectl delete -f service-loadbalancer.yaml" to force a delete/create, then the discovery of the newly created service. Add/remove services? please edit service-loadbalancer.yaml

Access services

  • kibana (logging): http://lbnodeip:5601
  • grafana (monitoring): http://lbnodeip:3000 (admin/admin)
  • prometheus (monitoring): http://lbnodeip:3000
  • grafana2 (monitoring2): http://lbnodeip:3002
  • kubernetes-dashboard: http://lbnodeip:9999

7.2 Traefik

Any new services, exposed by *-ingress.yaml, will be caught by traefik and made available without restart.

To experience the full power of traefik, please purchase a domain name (ex:, and point that record to the node you choose to be the lb. This record will help create the automatic certificate via the acme standard.

  • --> lbnodeip

Then for each services you will use, create a dns A record:

  • --> lbnodeip
  • --> lbnodeip
  • --> lbnodeip
  • --> lbnodeip
  • --> lbnodeip
  • --> lbnodeip

Based on which name you use to access the lb_node, traefik will forward to the right k8s service.

Now you need to edit the configuration:

nano traefik/traefik-daemonset.yaml

Label a minion as "loadbalancer" (see previous section) and create the dynamic proxy to be able to connect your service from the internet.

kubectl apply -f traefik     see troubleshooting section

Access services If set in traefik, please use login/pass: test/test You can use http or https

  • kibana (logging):
  • grafana (monitoring): (admin/admin)
  • prometheus (monitoring):
  • grafana2 (monitoring2):
  • kubernetes-dashboard:
  • traefik-console: or http://anyminionnode_ip:30080


7.3 Security considerations

These lb nodes are some kind of DMZ servers where you could balance later your DNS queries. For production environment, I would recommend that only DMZ services (service-loadbalancer, traefik, nginx, ...) could run in here, because these servers will apply some less restrictive firewall rules (ex: open 80, 433, 5601, 3000) than other minion k8s nodes. So I would create a second security group (sg): k8s-dmz with same rules as k8s, and rules between both zone, so k8s services can talk to k8s and k8s-dmz. Then open 80, 433, 5601, 3000 for k8s-dmz only. Like this, k8s sg still protect more sensitive containers from direct public access/scans.

The same applies for the master node. I would create a new sg for it: k8s-master, so only this group will permit access from kubectt (port 80, 443).

Then you should remove all NodePort from the services configuration, so no service will be available when scanning a classic minion. For that please comment the section "# type: NodePort" for all *-service.yaml

7.4 Scaling loadbalancers

Add more loadbalancers, by adding more loadbalancers nodes. Because we use Daemonset type of job, all new nodes tagged with loadbalancer will spawn a loadbalancer container.

Use ansible to add a node

nano ansible/k8s.yml     

Label it as a loadbalancer node

kubectl label node your_new_lb_minion_node role=loadbalancer

Then just check the new containers getting created kubectl get all --all-namespaces

For service-loadbalancer, try to access newlbminion_ip:5601

For trafik, add a dns A-record --> newlbminionip so we will balance dns resolution to the old and new lbnode. Test some ping, and access few times...

8. Data persistence

In this setup, if you loose influxdb or elasticsearch containers, k8s will restart the container but you will loose the data. You got few options to make your data persistent:

  • Emptydir
  • Hostpath
  • Nfs
  • And many other solutions like: glusterfs, ceph, flocker, gcePersistentDisk, awsElasticBlockStore...

I will demonstrate the first 3 solutions. More info on volume types:

8.1 EmptyDir

if you open influxdb deployment, you will notice that it is already configured for "emptyDir". So if the container crashes, and get restarted on the same node, your data will stay. But if you delete the container, or the reschedule happens on another node, you will loose the data.

cat monitoring2/influxdb-deployment.yaml
  - name: influxdb-storage
    emptyDir: {}

8.2 HostPath

We mount in the container a folder physically on the node where the container runs. This data is persistent, so you can kill the container and restart it to get the data, as long as you don't change nodes. Could be good then to label one node to always deploy influxdb on the node where the data live.

kubectl label node your_static_influx_node role=influxdb
nano monitoring2/influxdb-deployment.yaml

and use the tag below

role: influxdb

The storage config:

      - name: influxdb-storage
        #emptyDir: {}
          path: /srv/influxdb

Check the data are indeed on the host: ssh -i ~/.ssh/idrsasbexx [email protected]influxnode sudo ls /srv/influxdb

8.3 Nfs

In order to not care about where containers run, nfs is able to offer persistent data over the network. Data will not reside on node, but on a separate nfs server.

nfs storage server You will have then to configure a storage server, it can be your ubuntu bastion to make tests easier:

apt-get install nfs-kernel-server
mkdir -p /export/influxdb /export/es
chmod -R 777 /export/
nano /etc/default/nfs-kernel-server    

Configure rights (we leave it very open, but please restrict everything for prod)

nano /etc/exports

/export *(rw,sync,crossmnt,no_subtree_check) /export/es *(rw,sync,crossmnt,no_subtree_check) /export/influxdb *(rw,sync,crossmnt,no_subtree_check)

service nfs-kernel-server restart

Nfs client

Try it locally on bastion

apt-get install nfs-common 
mkdir /mnt/nfs
mount -t nfs -o proto=tcp,port=2049 /mnt/nfs
ls -l /mnt/nfs

Test a mount on coreos client:

sudo mount --types nfs /test
ls -l /test
sudo umount /test

k8s configuration

nano monitoring2/influxdb-deployment.yaml

  - name: influxdb-storage
    #emptyDir: {}
      #path: /srv/influxdb
      path: /export/influxdb

Deploy and check data are in nfs share:

ls -l /export/influx 

You can now, stop the node where influx is running, wait k8s to reschedule your container to another node, and check again the data. Note: for elasticseach on nfs, I got that annoying "chown error" when trying to start the container. Need investigations.

9. Secure your k8s access with certificates (optional demonstration)

kubectl pilot k8s via the api server already on a secured port 443 in https. We will now create a certicate autority, to issue a certificate for the api, and for your admin client, to get even higher level of authentification.

The lines below are based on the work of Kelsey and the cloudflare easy CA.

Install your own PKI infra tool: cfssl You need GO 1.6+ and the GOPATH set

apt install golang-go
export GOPATH=$HOME/work
export PATH=$PATH:/usr/local/go/bin
export PATH=$PATH:$GOPATH/bin

go get -u go get -u

cd tls mkdir kubectl master minion

Declare your master Ip (or domain) to the server cert

nano kube-apiserver-server-csr.json     

Initialize a CA

cfssl gencert -initca ca-csr.json | cfssljson -bare ca/ca

Create an api server cert

cfssl gencert \
-ca=ca/ca.pem \
-ca-key=ca/ca-key.pem \
-config=ca-config.json \
-profile=server \
kube-apiserver-server-csr.json | cfssljson -bare master/kube-apiserver-server
cp ca/ca.pem master

Create kubectl client cert

cfssl gencert \
-ca=ca/ca.pem \
-ca-key=ca/ca-key.pem \
-config=ca-config.json \
-profile=client \
kubernetes-admin-user.csr.json | cfssljson -bare kubectl/kubernetes-admin-user
kubectl config set-cluster secure --server= --certificate-authority=master/ca.pem --embed-certs=true
kubectl config set-credentials admin \
--client-key=kubectl/kubernetes-admin-user-key.pem \
--client-certificate=kubectl/kubernetes-admin-user.pem \
kubectl config set-context secure --cluster=secure --user=admin
kubectl config use-context secure

Copy tls/master folder to node master

scp -r -i ~/.ssh/id_rsa_foobar master [email protected]:/home/core

Edit master

ssh -i ~/.ssh/id_rsa_foobar [email protected]

mkdir /etc/kubernetes mv master/* /etc/kubernetes/.

sudo vim /etc/systemd/system/kube-apiserver.service


sudo systemctl daemon-reload
sudo systemctl restart kube-apiserver.service

Note: this systemclt config will be erased at the next reboot. If you want to use cert, edit ansible master node template with the right config, then deploy a new master. Then generate certs...


curl --cert kubectl/kubernetes-admin-user.pem --key kubectl/kubernetes-admin-user-key.pem --cacert master/ca.pem -v
kubectl get node

Create kubelet client cert

cfssl gencert \
-ca=ca/ca.pem \
-ca-key=ca/ca-key.pem \
-config=ca-config.json \
-profile=client \
kubelet-client-csr.json | cfssljson -bare minion/kubelet/kubelet-client

Edit minion node

Copy and mv the file:

scp -r -i ~/.ssh/id_rsa_foobar minion [email protected]:/home/core
ssh -i ~/.ssh/id_rsa_foobar [email protected]

mkdir /etc/kubernetes mv minion/* /etc/kubernetes/.

sudo vim /etc/systemd/system/kube-kubelet.service
sudo systemctl daemon-reload
sudo systemctl restart kube-apiserver.service

Check logs:

journalctl --since "10 minutes ago" -u kube-kubelet --no-pager


kubectl get node

All services (kube-proxy, kube-client, kube-controller) can be set to use certificate. But this is a subject for another setup.

10. Troubleshooting

Kubectl autocompletion not working

Probably your custom bash profile is interfering with the sourcing. - Use kubectl completion bash > /etc/bashcompletion.d/kubectl - And make sure that lines are uncomment in ``` nano ~/.bashrc if [ -f /etc/bashcompletion ] && ! shopt -oq posix; then . /etc/bash_completion fi ``` Then logon and try again.

If problem starting elasticsearch v5: (fix present in roles/k8s/templates/k8s-node.j2)

  • fix with ansible:


cd kargo
ansible all -a "ls /etc/sysctl.d"


ansible all -m copy -a 'content=vm.max_map_count=262144 dest=/etc/sysctl.d/elasticsearch.conf'

Reboot all minions:

ansible [node2-6] -a "sudo reboot"
  • Manually on all node:
    ssh -i ~/.ssh/id_rsa_foobar [email protected]
    sudo sysctl -w vm.max_map_count=262144

Make it persistent:

sudo vi /etc/sysctl.d/elasticsearch.conf
sudo sysctl --system

If issue connecting to svc (for example elasticsearch), use ubuntu container:

  • First see if ubuntu will be in the same namespace as the service you want to check:
nano util/ubuntu.yaml
kubectl apply -f util/ubuntu.yaml
  • Depending in which namespace ubuntu runs, you can check services with one of these commands:
kubectl exec ubuntu -- curl elasticseach:9200   
  • Check port 9200 on the node running elasticsearch container: ssh -i ~/.ssh/idrsafoobar [email protected] netstat -plunt
  • Uncomment type: NodePort and nodePort: 39200 if you want to access elasticsearch from any node_ip
  • Check data in elasticsearch kubectl exec ubuntu -- curl es:9200/search?q=* curl nodeip:39200/_search?q=* <-- if type: NodePort set in es.yaml

No log coming in kibana:

  • check that there are file in node: ssh -i ~/.ssh/idrsafoobar [email protected] ls /var/log/containers

Can't connect to k8s-dashboard addon: - Carefull, addon are in kube-system namespace! If stuck use type: NodePort and - Find the node public port: kubectl describe service kubernetes-dashboard --namespace=kube-system - Access it from nodes :

DNS resolution not working? Svc kube-dns.kube-system should take care of the resolution

kubectl exec ubuntu -- nslookup
kubectl exec ubuntu -- nslookup kubernetes
kubectl exec ubuntu -- nslookup kubernetes.default
kubectl exec ubuntu -- nslookup kubernetes-dashboard.kube-system

Pod can't get created? See more logs:

kubectl describe po/elastcisearch
kubectl logs -f elasticsearch-ret5zg

Prometheus can't scrape node_exporter

Possibly firewall issues! You need to open firewall internal rules between all nodes port 9100 (endpoint) and 10255 (node)

Check influxdb

kubectl exec ubuntu --namespace=monitoring2 -- curl -sl -I influxdb:8086/ping

Traefik pod cant get created: port 443 already used

Not very sure yet what the issue on lb_node, but try to start traefik on another minion:

kubectl label node role=minion     nodeSelector: > role: minion

Then delete and recreate traefik, should be all good.

Check traefik protected access

apt install httpie
http --verify=no --auth test:test -v

11. Annexes

Shell Alias for K8s

alias k='kubectl'
alias kk='kubectl get all'
alias wk='watch kubectl get all'
alias ka='kubectl get all --all-namespaces'
alias kc='kubectl create -f'
alias kdel='kubectl delete -f'
alias kcdel='kubectl delete configmap'
alias kd='kubectl describe'
alias kl='kubectl logs'

Need another minion node?

Edit kargo/inventory/inventory.cfg and run again the deploy

Want to upgrade k8s version?

cd kargo
nano inventory/group_vars/all.yml   

Run the install again:

ansible-playbook cluster.yml

Migrate the whole k8s to a new environment

You need to consider these steps: - backup etcd - Export namespaces and services - Backup your persistant data (not covered here, it is a classic database dump or flat file backup. It is not specific to k8s)


Please Backup etcd in case something fails during a migration. But it is a bad idea to backup and restore etcd on another environment because all sorts of things (endpoints, node names, IP, etc) are different between clusters. So better export and import namespaces and services only.

Dump Namespace and services states

--> Careful: simple pod are not dump in these lines, you need to have: deploy, rc, or daemonset, svc. So need to transfort all simple pods to deployment if needed.

mkdir ./dump

Export all namespaces (not kube-system):

kubectl get --export -o=json ns | \
jq '.items[] |
    select(!="kube-system") |
    select(!="default") |
    )' > ./dump/ns.json

Export all services, controllers (rc,ds,replicaset,deploy), secrets and daemonsets
Simple pod and job are not migrated.

for ns in $(jq -r '' < ./dump/ns.json);do
    echo "Namespace: $ns"
    kubectl --namespace="${ns}" get --export -o=json svc,deploy,rc,secrets,configmap,ds | \
    jq '.items[] |
        select(.type!="") |
        )' >> "./dump/cluster-dump.json"

Backup etcd

To complete...

Restore namespaces and services on a new fresh k8s


kubectl create -f dump/ns.json

Resources state:

kubectl create -f dump/cluster-dump.json

You will have to reimport db dump or flat data on host folder if you had persistent data.

Want to start containers from scratch?

Delete the corresponding namespace, all related containers/services will be destroyed.

kubectl delete namespace monitoring
kubectl delete namespace logging

Object don't want to be delete (in status termination)?

kubectl delete namespace logging --grace-period=0 --force
kubectl delete po/node-directory-size-metrics-flbdp --namespace=monitoring  --grace-period=0 --force

12. Future work

  • Use firewalls security group: k8s, k8s-dmz, k8s-master, to be ready for production
  • Use persistent data for Elasticsearch and prometheus
  • Fix prometheus k8s_pod scraping both port 80 and 9102...
  • Backup etcd error follow up

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.