I want to enable Kubernetes Engine Monitoring on clusters but I don't see that as a field in Terraform's google_container_cluster resource.
Is Kubernetes Engine Monitoring managed with another resource?
You can use the newer Kubernetes Monitoring Service by setting monitoring_service to monitoring.googleapis.com/kubernetes instead of the default monitoring.googleapis.com.
When enabling this you will also need to set logging_service to logging.googleapis.com/kubernetes as well.
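An added example, not part of the original answer: a pre-apply check that every google_container_cluster in a Terraform plan sets both fields to the /kubernetes values, since the answer says they have to be enabled together. It assumes the plan has been exported with `terraform show -json`; the sample plan is constructed and the function names are hypothetical.

```python
import json
import sys

K8S_MONITORING = "monitoring.googleapis.com/kubernetes"
K8S_LOGGING = "logging.googleapis.com/kubernetes"

def _cluster(address, monitoring, logging):
    """Build one constructed plan entry for a google_container_cluster."""
    return {"address": address, "type": "google_container_cluster",
            "values": {"monitoring_service": monitoring, "logging_service": logging}}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        _cluster("google_container_cluster.ok", K8S_MONITORING, K8S_LOGGING),
        _cluster("google_container_cluster.half", K8S_MONITORING, "logging.googleapis.com"),
    ],
    "child_modules": [{"resources": [
        _cluster("module.dev.google_container_cluster.old",
                 "monitoring.googleapis.com", "logging.googleapis.com"),
    ]}],
}}}

def iter_resources(module):
    """Yield resources from a module and, recursively, from its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_plan(plan):
    """Return (address, finding) pairs for clusters not fully on the /kubernetes services."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_container_cluster":
            continue
        values = res.get("values") or {}
        mon_ok = values.get("monitoring_service") == K8S_MONITORING
        log_ok = values.get("logging_service") == K8S_LOGGING
        if mon_ok and log_ok:
            continue
        # Exactly one field switched is a mismatch; neither means the newer service is not enabled.
        findings.append((res["address"], "mismatch" if mon_ok != log_ok else "not_enabled"))
    return findings

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, finding in check_plan(plan):
        print(f"{address}: {finding}")
```

A field whose value is not yet known at plan time is absent from the plan values and is reported as not enabled.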
Related
I'm trying to use Stackdriver Kubernetes Engine Monitoring to monitor my GKE cluster (as opposed to Legacy Stackdriver), as this is recommended by https://cloud.google.com/monitoring/kubernetes-engine/ page (despite being beta).
However, I'd like to use custom log parsers, as some of my containers use proprietary log formats.
My understanding:
it's a matter of customizing fluentd config map (in my case it's fluentd-gcp-config-v1.2.6 in kube-system namespace), however this config map is managed by GKE and can be replaced anytime.
with Legacy Stackdriver it was possible to disable the logging alone, and deploy fluentd-gcp manually - as described e.g. here: https://cloud.google.com/solutions/customizing-stackdriver-logs-fluentd. However, with new fancy Stackdriver Kubernetes Engine Monitoring it is not possible to disable logging anymore (and only leave metrics support).
Is there any other way to support custom log formats?
I have a namespace in k8s with the setting:
scheduler.alpha.kubernetes.io/defaultTolerations:
'[{"key": "role_va", "operator": "Exists"}]'
If I am not mistaken all pods that are created in this namespace must get this toleration.
But the pods don't get it.
I read this and understood that I must enable the PodTolerationRestriction controller.
How can I do this on gcloud?
In order to enable PodTolerationRestriction you might be required to set --enable-admission-plugins flag in kube-apiserver configuration. This is according to the official documentation, as by default this plugin is not included in admission controller plugins list.
However, in GKE there is no possibility to adapt any specific flag for the current API server run-time configuration, because Kubernetes cluster engine core components are not exposed to any user purpose actions (related Stack Overflow thread).
Assuming that, you can consider using GCE and bootstrap cluster with any cluster building solutions, depending on your preference, within a particular GCE VM.
For our use-case, we need to access a lot of services via NodePort. By default, the NodePort range is 30000-32767. With kubeadm, I can set the port range via --service-node-port-range flag.
We are using Google Kubernetes Engine (GKE) cluster. How can I set the port range for a GKE cluster?
In GKE, the control plane is managed by Google. This means you don't get to set things on the API Server yourself. That being said, I believe you can use the kubemci CLI tool to achieve it, see Setting up a multi-cluster Ingress.
I want to enable Stackdriver logging with my Kubernetes cluster on GKE.
It's stated here: https://kubernetes.io/docs/user-guide/logging/stackdriver/
This article assumes that you have created a Kubernetes cluster with cluster-level logging support for sending logs to Stackdriver Logging. You can do this either by selecting the Enable Stackdriver Logging checkbox in the create cluster dialogue in GKE, or by setting the KUBE_LOGGING_DESTINATION flag to gcp when manually starting a cluster using kube-up.sh.
But my cluster was created without this option enabled.
How do I change the environment variable while my cluster is running?
Unfortunately, logging isn't a setting that can be enabled/disabled on a cluster once it is running. This is something that we hope to change in the near future, but in the meantime your best bet is to delete and recreate your cluster (sorry!).
I would like to enable the ABAC mode for the Kubernetes Cluster I'm using in Google's Container Engine. (more specifically, I would like to restrict access to the API service for the default service account which is automatically assigned to all pods). However, since --authorization-mode=ABAC is a command line argument for kube-apiserver and since the API server is managed in Google Container Engine, I didn't find a way to enable authorization for my cluster.
Is there a way to enable ABAC mode on GCE?
I'm currently running Kubernetes v1.1.7 on server and nodes.
There is not a way to enable ABAC mode on Google Container Engine. If you need fine-grained control over the parameters passed to any of the master components you have to run Kubernetes on GCE instead.
In the meantime Google has added the possibility to use Role Based Access Control (RBAC) for a Kubernetes Cluster. It is enabled by default for all new Clusters running Kubernetes 1.6 or later: https://cloud.google.com/container-engine/docs/role-based-access-control