e4cc298ab6
* Admin Can Specify in Which GCE Availability Zone(s) a PV Shall Be Created An admin wants to specify in which GCE availability zone(s) users may create persistent volumes using dynamic provisioning. That's why the admin can now configure in StorageClass object a comma separated list of zones. Dynamically created PVs for PVCs that use the StorageClass are created in one of the configured zones. * Admin Can Specify in Which AWS Availability Zone(s) a PV Shall Be Created An admin wants to specify in which AWS availability zone(s) users may create persistent volumes using dynamic provisioning. That's why the admin can now configure in StorageClass object a comma separated list of zones. Dynamically created PVs for PVCs that use the StorageClass are created in one of the configured zones. * move hardPodAffinitySymmetricWeight to scheduler policy config * Added Bind method to Scheduler Extender - only one extender can support the bind method - if an extender supports bind, scheduler delegates the pod binding to the extender * examples/podsecuritypolicy/rbac: allow to use projected volumes in restricted PSP. * fix typo * SPBM policy ID support in vsphere cloud provider * fix the invalid link * DeamonSet-DaemonSet * Update GlusterFS examples readme. Signed-off-by: Humble Chirammal <hchiramm@redhat.com> * fix some typo in example/volumes * Fix spelling in example/spark * Correct spelling in quobyte * Support custom domains in the cockroachdb example's init container This switches from using v0.1 of the peer-finder image to a version that includes https://github.com/kubernetes/contrib/pull/2013 While I'm here, switch the version of cockroachdb from 1.0 to 1.0.1 * Update docs/ URLs to point to proper locations * Adds --insecure to cockroachdb client command Cockroach errors out when using said command: ```shell ▶ kubectl run -it --rm cockroach-client --image=cockroachdb/cockroach --restart=Never --command -- ./cockroach sql --host cockroachdb-public Waiting for pod default/cockroach-client to be running, status is Pending, pod ready: false Waiting for pod default/cockroach-client to be running, status is Pending, pod ready: false Waiting for pod default/cockroach-client to be running, status is Pending, pod ready: false If you don't see a command prompt, try pressing enter. Error attaching, falling back to logs: unable to upgrade connection: container cockroach-client not found in pod cockroach-client_default Error: problem using security settings, did you mean to use --insecure?: problem with CA certificate: not found Failed running "sql" Waiting for pod default/cockroach-client to terminate, status is Running pod "cockroach-client" deleted ``` This PR updates the README.md to include --insecure in the client command * Add StorageOS volume plugin * examples/volumes/flexvolume/nfs: check for jq and simplify quoting. * Remove broken getvolumename and pass PV or volume name to attach call * Remove controller node plugin driver dependency for non-attachable flex volume drivers (Ex: NFS). * Add `imageFeatures` parameter for RBD volume plugin, which is used to customize RBD image format 2 features. Update RBD docs in examples/persistent-volume-provisioning/README.md. * Only `layering` RBD image format 2 feature should be supported for now. * Formatted Dockerfile to be cleaner and precise * Update docs for user-guide * Make the Quota creation optional * Remove duplicated line from ceph-secret-admin.yaml * Update CockroachDB tag to v1.0.3 * Correct the comment in PSP examples. * Update wordpress to 4.8.0 * Cassandra example, use nodetool drain in preStop * Add termination gracePeriod * Use buildozer to remove deprecated automanaged tags * Use buildozer to delete licenses() rules except under third_party/ * NR Infrastructure agent example daemonset Copy of previous newrelic example, then modified to use the new agent "newrelic-infra" instead of "nrsysmond". Also maps all of host node's root fs into /host in the container (ro, but still exposes underlying node info into a container). Updates to README * Reduce one time url direction Reduce one time url direction * update to rbac v1 in yaml file * Replicate the persistent volume label admission plugin in a controller in the cloud-controller-manager * update related files * Paramaterize stickyMaxAgeMinutes for service in API * Update example to CockroachDB v1.0.5 * Remove storage-class annotations in examples * PodSecurityPolicy.allowedCapabilities: add support for using * to allow to request any capabilities. Also modify "privileged" PSP to use it and allow privileged users to use any capabilities. * Add examples pods to demonstrate CPU manager. * Tag broken examples test as manual * bazel: use autogenerated all-srcs rules instead of manually-curated sources rules * Update CockroachDB tag to v1.1.0 * update BUILD files * pkg/api/legacyscheme: fixup imports * Update bazel * [examples.storage/minio] update deploy config version * Volunteer to help review examples I would like to do some code review for examples about how to run real applications with Kubernetes * examples/podsecuritypolicy/rbac: fix names in comments and sync with examples repository. * Update storageclass version to v1 in examples * pkg/apis/core: mechanical import fixes in dependencies * Use k8s.gcr.io vanity domain for container images * Update generated files * gcloud docker now auths k8s.gcr.io by default * -Add scheduler optimization options, short circuit all predicates if one predicate fails * Revert k8s.gcr.io vanity domain This reverts commit eba5b6092afcae27a7c925afea76b85d903e87a9. Fixes https://github.com/kubernetes/kubernetes/issues/57526 * Autogenerate BUILD files * Move scheduler code out of plugin directory. This moves plugin/pkg/scheduler to pkg/scheduler and plugin/cmd/kube-scheduler to cmd/kube-scheduler. Bulk of the work was done with gomvpkg, except for kube-scheduler main package. * Fix scheduler refs in BUILD files. Update references to moved scheduler code. * Switch to k8s.gcr.io vanity domain This is the 2nd attempt. The previous was reverted while we figured out the regional mirrors (oops). New plan: k8s.gcr.io is a read-only facade that auto-detects your source region (us, eu, or asia for now) and pulls from the closest. To publish an image, push k8s-staging.gcr.io and it will be synced to the regionals automatically (similar to today). For now the staging is an alias to gcr.io/google_containers (the legacy URL). When we move off of google-owned projects (working on it), then we just do a one-time sync, and change the google-internal config, and nobody outside should notice. We can, in parallel, change the auto-sync into a manual sync - send a PR to "promote" something from staging, and a bot activates it. Nice and visible, easy to keep track of. * Remove apiVersion from scheduler extender example configuration * Update examples to use PSPs from the policy API group. * fix all the typos across the project * Autogenerated: hack/update-bazel.sh * Modify PodSecurityPolicy admission plugin to additionally allow authorizing via "use" verb in policy API group. * fix todo: add validate method for &schedulerapi.Policy * examples/podsecuritypolicy: add owners. * Adding dummy and dummy-attachable example Flexvolume drivers; adding DaemonSet deployment example * Fix relative links in README |
||
|---|---|---|
| .. | ||
| README.md | ||
| config-to-secret.sh | ||
| newrelic-config-template.yaml | ||
| newrelic-config.yaml | ||
| newrelic-daemonset.yaml | ||
| nrconfig.env | ||
README.md
New Relic Server Monitoring Agent Example
This example shows how to run a New Relic server monitoring agent as a pod in a DaemonSet on an existing Kubernetes cluster.
This example will create a DaemonSet which places the New Relic monitoring agent on every node in the cluster. It's also fairly trivial to exclude specific Kubernetes nodes from the DaemonSet to just monitor specific servers.
Step 0: Prerequisites
This process will create privileged containers which have full access to the host system for logging. Beware of the security implications of this.
If you are using a Salt based KUBERNETES_PROVIDER (gce, vagrant, aws), you should make sure the creation of privileged containers via the API is enabled. Check cluster/saltbase/pillar/privilege.sls.
DaemonSets must be enabled on your cluster. Instructions for enabling DaemonSet can be found here.
Step 1: Configure New Relic Agent
The New Relic agent is configured via environment variables. We will configure these environment variables in a sourced bash script, encode the environment file data, and store it in a secret which will be loaded at container runtime.
The [New Relic Linux Server configuration page] (https://docs.newrelic.com/docs/servers/new-relic-servers-linux/installation-configuration/configuring-servers-linux) lists all the other settings for nrsysmond.
To create an environment variable for a setting, prepend NRSYSMOND_ to its name. For example,
loglevel=debug
translates to
NRSYSMOND_loglevel=debug
Edit examples/newrelic/nrconfig.env and set up the environment variables for your NewRelic agent. Be sure to edit the license key field and fill in your own New Relic license key.
Now, let's vendor the config into a secret.
$ cd examples/newrelic/
$ ./config-to-secret.sh
apiVersion: v1
kind: Secret
metadata:
name: newrelic-config
type: Opaque
data:
config: {{config_data}}
The script will encode the config file and write it to newrelic-config.yaml.
Finally, submit the config to the cluster:
$ kubectl create -f examples/newrelic/newrelic-config.yaml
Step 2: Create the DaemonSet definition.
The DaemonSet definition instructs Kubernetes to place a newrelic sysmond agent on each Kubernetes node.
apiVersion: apps/v1 # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1
kind: DaemonSet
metadata:
name: newrelic-agent
labels:
tier: monitoring
app: newrelic-agent
version: v1
spec:
selector:
matchLabels:
name: newrelic
template:
metadata:
labels:
name: newrelic
spec:
# Filter to specific nodes:
# nodeSelector:
# app: newrelic
hostPID: true
hostIPC: true
hostNetwork: true
containers:
- resources:
requests:
cpu: 0.15
securityContext:
privileged: true
env:
- name: NRSYSMOND_logfile
value: "/var/log/nrsysmond.log"
image: newrelic/nrsysmond
name: newrelic
command: [ "bash", "-c", "source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F" ]
volumeMounts:
- name: newrelic-config
mountPath: /etc/kube-newrelic
readOnly: true
- name: dev
mountPath: /dev
- name: run
mountPath: /var/run/docker.sock
- name: sys
mountPath: /sys
- name: log
mountPath: /var/log
volumes:
- name: newrelic-config
secret:
secretName: newrelic-config
- name: dev
hostPath:
path: /dev
- name: run
hostPath:
path: /var/run/docker.sock
- name: sys
hostPath:
path: /sys
- name: log
hostPath:
path: /var/log
The daemonset instructs Kubernetes to spawn pods on each node, mapping /dev/, /run/, /sys/, and /var/log to the container. It also maps the secrets we set up earlier to /etc/kube-newrelic/config, and sources them in the startup script, configuring the agent properly.
DaemonSet customization
- To include a custom hostname prefix (or other per-container environment variables that can be generated at run-time), you can modify the DaemonSet
commandvalue:
command: [ "bash", "-c", "source /etc/kube-newrelic/config && export NRSYSMOND_hostname=mycluster-$(hostname) && /usr/sbin/nrsysmond -E -F" ]
When the New Relic agent starts, NRSYSMOND_hostname is set using the output of hostname with mycluster prepended.
Known issues
It's a bit cludgy to define the environment variables like we do here in these config files. There is another issue to discuss adding mapping secrets to environment variables in Kubernetes.