Pivotal Container Service, shortened as PKS, is a managed Kubernetes platform by Pivotal.
Installation
Once Ops Manager and the BOSH Director are set up, download and install the PKS tile from the Pivotal Network. Once the PKS tile is deployed, a new VM should have been deployed by bosh under the
# bosh instances
Deployment 'pivotal-container-service-ad2c46d3833f5f4ea239'

Instance                                                        Process State  AZ              IPs
pivotal-container-service/6b58ba3e-be95-43e7-a9f5-57e8812c4826  running        pks-management  172.31.0.4
Updates
If you already have the Pivotal Network integration in Ops Manager, you should be able to trigger Ops Manager to download the latest version of PKS from the main tiles view. Alternatively, you may download the most recent version of PKS from the Pivotal Network and then manually import it into Ops Manager.
With either method, once the new version of PKS is in Ops Manager, you may trigger an update by clicking on 'Review Pending Changes', then ensure that 'Upgrade all cluster errand' is checked for PKS.
Usage
API
Use the pks utility to manage the PKS cluster and obtain kubeconfigs. In the commands below, -k skips TLS certificate validation for the PKS API endpoint.
pks login -a pks-api.example.com -u myusername -k
- List clusters
- Obtain a kubeconfig using the PKS login (from above)
pks get-credentials cluster-name
- Obtain a kubeconfig without PKS login
pks get-kubeconfig cluster-name -k -a pks-api.example.com -u myusername
Plan Configuration
The plan's cluster size is the default size. It can be overridden when the cluster is first created using pks create-cluster -n N, or resized after the cluster is created using pks resize cluster-name -n N.
Allow Privileged
This option sets the --allow-privileged flag for kube-apiserver. Certain Helm charts require privileged containers so that they can drop certain privileges or do certain things to the node. If a cluster does not have privileged mode enabled, deploying such charts may result in errors similar to:
spec.template.spec.initContainers.securityContext.privileged: Forbidden: disallowed by cluster policy
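The following Python check is an added example, not part of the original page or of PKS. It lists which containers in a set of manifests request privileged mode, reporting the same field path that appears in the error above, so a chart can be reviewed before it is deployed to a cluster without privileged mode. The input is assumed to be JSON (for example from kubectl get ... -o json); the sample manifests and workload names are constructed.

```python
import json

# Where the pod spec lives for each workload kind (field path from the manifest root).
POD_SPEC_PATHS = {
    "Pod": ["spec"],
    "Deployment": ["spec", "template", "spec"],
    "DaemonSet": ["spec", "template", "spec"],
    "StatefulSet": ["spec", "template", "spec"],
    "ReplicaSet": ["spec", "template", "spec"],
    "Job": ["spec", "template", "spec"],
    "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"],
}

def find_privileged(manifest):
    """Return field paths of containers that request privileged mode."""
    if manifest.get("kind") == "List":  # shape of `kubectl get ... -o json`
        return [hit for item in manifest.get("items", []) for hit in find_privileged(item)]
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:  # Services, ConfigMaps, etc. carry no pod spec
        return []
    pod_spec = manifest
    for key in path:
        pod_spec = pod_spec.get(key) or {}
    name = f'{manifest["kind"]}/{manifest.get("metadata", {}).get("name", "?")}'
    hits = []
    for field in ("initContainers", "containers"):
        for i, c in enumerate(pod_spec.get(field) or []):
            # Only an explicit `privileged: true` is rejected by the cluster policy.
            if (c.get("securityContext") or {}).get("privileged") is True:
                hits.append(f'{name}: {".".join(path)}.{field}[{i}].securityContext.privileged')
    return hits

# Constructed sample, shaped like rendered chart output converted to JSON.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Deployment", "metadata": {"name": "web"},
   "spec": {"template": {"spec": {
     "initContainers": [{"name": "sysctl", "securityContext": {"privileged": true}}],
     "containers": [{"name": "app", "securityContext": {"privileged": false}}]}}}},
  {"kind": "CronJob", "metadata": {"name": "backup"},
   "spec": {"jobTemplate": {"spec": {"template": {"spec": {
     "containers": [{"name": "dump"}]}}}}}},
  {"kind": "Service", "metadata": {"name": "web"}, "spec": {}}
]}
""")

if __name__ == "__main__":
    for hit in find_privileged(SAMPLE):
        print(hit)
```

Each reported path is a container to review: either the workload needs a plan with privileged mode enabled, or the chart's values should be changed so the container no longer requests it.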
Cluster Sinks
Cluster sink resources configure the fluent-bit daemonset containers to log all syslog messages from the node they are running on to the cluster sink destination. The rsyslog daemon on the node itself is not touched, as it will always forward logs to itself.
Fluent Bit is configured to serve the status API on port 5000. The cluster sink status is retrieved from this status API and will return 'Failing' if any of these pods returns a non-successful response.
A cluster sink resource can be defined by:
apiVersion: apps.pivotal.io/v1beta1
kind: ClusterSink
metadata:
  name: clustersink
spec:
  type: syslog
  host: itsopksmgnt-logstash.uc.ucalgary.ca
  port: 514
  enable_tls: false
The cluster sink status can be obtained from
kubectl get clustersink or
# kubectl get clustersink
NAME         TYPE    URL  HOST           PORT  TLS    INSECURE  AGE  STATUS
clustersink  syslog       10.254.247.29  514   false            1h   Running

# pks clusters
Name               Plan Name         UUID                                  Status     Action
leo-itsopkspoc-06  cpu-heavy         4a7ed40e-d420-44f3-b725-f513b53b2fc6  succeeded  CREATE
leo-itsopkspoc-08  small             4eed0494-1c80-444e-ac75-bbab32c0c609  succeeded  CREATE
leo-itsopkspoc-09  small-privileged  9c253d8a-ee03-4855-8e0b-62de8b5a5b43  succeeded  CREATE