Certified Kubernetes Administrator (CKA) : Behrad Eslamifar
Behrad Eslamifar
b.eslamifar@gmail.com
Logging/Monitoring (5%)
Outlines
● System Metrics
○ Generic metrics that are generally available from every entity that is monitored (e.g. usage of CPU and memory by container and node)
● Service Metrics
○ Explicitly defined in application code and exported (e.g. number of 500s served by the API server)
System Metrics
● Core Metrics
○ Metrics that Kubernetes understands and uses for the operation of its internal components and core utilities
● Non-Core Metrics
○ Not interpreted by Kubernetes
○ Assumed to include the core metrics (though not necessarily in a format Kubernetes understands)
Evolution of components to monitor
* https://www.datadoghq.com/blog/monitoring-kubernetes-era
[figure: Components that Now Need to be Monitored]
Monitoring Workshop
Kubernetes Metric Server
● Collects resource metrics from kubelets
● Exposes them in the Kubernetes apiserver through the Metrics API
● Used by the Horizontal Pod Autoscaler and Vertical Pod Autoscaler

$ cd Kubernetes-Certified-Administrator
$ git pull
$ cd labs/monitoring/manifests/
$ kubectl apply -f metric-server.yaml
serviceaccount/metrics-server created
clusterrole.rbac.authorization.k8s.io/system:aggregated-metrics-reader created
clusterrole.rbac.authorization.k8s.io/system:metrics-server created
rolebinding.rbac.authorization.k8s.io/metrics-server-auth-reader created
...
$ kubectl top pods
NAME                          CPU(cores)   MEMORY(bytes)
mariadb-0                     2m           74Mi
web-server-6d48d5449c-75rj6   0m           3Mi
web-server-6d48d5449c-fg95l   0m           3Mi
wordpress-756bb74786-wghf7    0m           0Mi
* https://github.com/kubernetes-sigs/metrics-server/releases
Metric Server Use Cases: Autoscaling
[figure: Autoscaler]

kube-state-metrics
/ # curl http://kube-state-metrics.kube-system.svc.cluster.local:8081/metrics
# HELP process_resident_memory_bytes Resident memory size in bytes.
# TYPE process_resident_memory_bytes gauge
process_resident_memory_bytes 3.34848e+07
# HELP process_start_time_seconds Start time of the process since unix epoch in seconds.
# TYPE process_start_time_seconds gauge
process_start_time_seconds 1.60637852531e+09
* https://github.com/kubernetes/kube-state-metrics
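Added example (not from the course): a small parser for the Prometheus text exposition format that kube-state-metrics serves on /metrics. SAMPLE is a constructed scrape that contains the two process_* series from the scrape above plus a labelled kube_pod_status_phase gauge so the label path is exercised too.

```python
import re

# Constructed scrape in Prometheus exposition format (not real cluster output).
SAMPLE = """\
# HELP process_resident_memory_bytes Resident memory size in bytes.
# TYPE process_resident_memory_bytes gauge
process_resident_memory_bytes 3.34848e+07
# HELP process_start_time_seconds Start time of the process since unix epoch in seconds.
# TYPE process_start_time_seconds gauge
process_start_time_seconds 1.60637852531e+09
# HELP kube_pod_status_phase The pods current phase.
# TYPE kube_pod_status_phase gauge
kube_pod_status_phase{namespace="default",pod="mariadb-0",phase="Running"} 1
kube_pod_status_phase{namespace="default",pod="mariadb-0",phase="Pending"} 0
"""

# name, optional {label="value",...} block, then the sample value.
SAMPLE_RE = re.compile(r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

def _entry(metrics, name):
    return metrics.setdefault(name, {"help": "", "type": "untyped", "samples": []})

def parse_exposition(text):
    """Map metric name -> {"help", "type", "samples": [(labels_dict, value)]}.
    '# HELP'/'# TYPE' annotate a family, other '#' lines are comments, and any
    remaining line must be a well-formed sample or the scrape is rejected."""
    metrics = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# HELP "):
            name, _, doc = line[7:].partition(" ")
            _entry(metrics, name)["help"] = doc
        elif line.startswith("# TYPE "):
            name, _, mtype = line[7:].partition(" ")
            _entry(metrics, name)["type"] = mtype
        elif line.startswith("#"):
            continue
        else:
            m = SAMPLE_RE.match(line)
            if not m:
                raise ValueError("malformed sample line: %r" % line)
            labels = dict(LABEL_RE.findall(m.group("labels") or ""))
            _entry(metrics, m.group("name"))["samples"].append((labels, float(m.group("value"))))
    return metrics

def running_pods(metrics):
    """Pods that kube_pod_status_phase reports as Running (value 1 for that phase)."""
    fam = metrics.get("kube_pod_status_phase", {"samples": []})
    return sorted(l["pod"] for l, v in fam["samples"] if l.get("phase") == "Running" and v == 1)
```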
Node Exporter
● Prometheus exporter for hardware and OS metrics exposed by *NIX kernels

$ kubectl apply -f node-exporter-daemonset.yaml
namespace/monitoring unchanged
clusterrole.rbac.authorization.k8s.io/node-exporter created
clusterrolebinding.rbac.authorization.k8s.io/node-exporter created
service/node-exporter created
serviceaccount/node-exporter created
daemonset.apps/prometheus-node-exporter created
* https://github.com/prometheus/node_exporter
Prometheus
● An open-source monitoring system with a dimensional data model, flexible query

$ kubectl apply -f prometheus-deployment.yaml
serviceaccount/prometheus created
service/prometheus-service created
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
configmap/prometheus-config created
deployment.apps/prometheus-deployment created
* https://github.com/prometheus/prometheus
* https://prometheus.io/
Kubernetes Dashboard
● Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters

$ kubectl apply -f dashboad.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
...
$ kubectl apply -f dashboad-admin.yaml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
* https://github.com/kubernetes/dashboard
Kubernetes Logging Architecture
● Master
○ API Server
○ Scheduler
○ Controller manager
● Node
○ kubelet (/var/log/kubelet.log, journalctl -u kubelet)
○ kube-proxy
Auditlog
● what happened?
● when did it happen?
● who initiated it?
● on what did it happen?
● where was it observed?
● from where was it initiated?
● to where was it going?
Auditlog: Policy Level
● None - don't log events that match this rule.
● Metadata - log request metadata (requesting user, timestamp, resource, verb, etc.) but not request or response body.
● Request - log event metadata and request body but not response body. This does not apply for non-resource requests.
● RequestResponse - log event metadata, request and response bodies. This does not apply for non-resource requests.

# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
Auditlog: Policy Stage
● RequestReceived - The stage for events generated as soon as the audit handler receives the request, and before it is delegated down the handler chain.
● ResponseStarted - Once the response headers are sent, but before the response body is sent. This stage is only generated for long-running requests (e.g. watch).
● ResponseComplete - The response body has been completed and no more bytes will be sent.

apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  ...
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
- name: audit-log
  hostPath:
    path: /var/log/apiserver
    type: DirectoryOrCreate
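Added example, not part of the course slides: a small Python evaluator that applies the Policy Stage slide's rules (first matching rule sets the level; policy-wide and per-rule omitStages are unioned; ResponseStarted only exists for long-running requests) to constructed requests, showing why a request for the pods/log subresource falls through to the catch-all rule. POLICY mirrors the slide's YAML; only the selectors that YAML uses are implemented.

```python
# Audit policy mirroring the slide's YAML (not loaded from a file, so no YAML
# dependency is needed). The request dicts it is applied to are constructed.
POLICY = {
    "omitStages": ["RequestReceived"],
    "rules": [
        # Log pod changes at RequestResponse level (core group, "pods" only;
        # subresources such as pods/log do not match this selector).
        {"level": "RequestResponse",
         "resources": [{"group": "", "resources": ["pods"]}]},
        # Catch-all: everything else at Metadata, also skipping RequestReceived.
        {"level": "Metadata", "omitStages": ["RequestReceived"]},
    ],
}
STAGES = ("RequestReceived", "ResponseStarted", "ResponseComplete")

def rule_matches(rule, req):
    """A rule without a 'resources' selector matches every resource request;
    otherwise the API group must match and, when resource names are listed,
    the request's resource must be one of them (only the selectors used on
    the slide are implemented)."""
    if "resources" not in rule:
        return True
    for sel in rule["resources"]:
        if sel.get("group", "") != req["group"]:
            continue
        if not sel.get("resources") or req["resource"] in sel["resources"]:
            return True
    return False

def effective_level(policy, req):
    """First matching rule wins; a request matching no rule is not logged."""
    for rule in policy["rules"]:
        if rule_matches(rule, req):
            return rule["level"], rule
    return "None", None

def audited_stages(policy, req):
    """Stages at which an event is written: policy-wide and rule-level
    omitStages are dropped, level None logs nothing, and ResponseStarted
    only exists for long-running requests such as watch."""
    level, rule = effective_level(policy, req)
    if level == "None":
        return []
    omitted = set(policy.get("omitStages", [])) | set(rule.get("omitStages", []))
    stages = [s for s in STAGES if s not in omitted]
    if not req.get("long_running"):
        stages = [s for s in stages if s != "ResponseStarted"]
    return stages
```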