PKS
Pivotal Container Service (PKS) is a managed Kubernetes platform from Pivotal.
Installation
Once Ops Manager and the BOSH Director are set up, download the PKS tile from the Pivotal Network and import it into Ops Manager. After the PKS tile has been deployed, BOSH should have created a new VM under the pivotal-container-service-xxxx deployment:
# bosh instances
Deployment 'pivotal-container-service-ad2c46d3833f5f4ea239'

Instance                                                         Process State  AZ              IPs
pivotal-container-service/6b58ba3e-be95-43e7-a9f5-57e8812c4826  running        pks-management  172.31.0.4
Updates
If the Pivotal Network integration is already configured in Ops Manager, you can have Ops Manager download the latest version of PKS from the main tiles view. Alternatively, download the most recent version of PKS from the Pivotal Network and import it into Ops Manager manually.
With either method, once the new version of PKS is in Ops Manager, trigger the upgrade by clicking 'Review Pending Changes' and make sure the 'Upgrade all clusters errand' is checked for PKS; without that errand only the PKS control plane is upgraded and existing clusters stay on the old version.
Usage
API
Use the pks utility to manage PKS clusters and obtain kubeconfigs.
- Login
pks login -a pks-api.example.com -u myusername -k
The -k flag (--skip-ssl-validation) disables TLS certificate verification of the PKS API, so the password and resulting token can be intercepted by anything that can answer on the API hostname. Where the API's CA certificate is available, pass it with --ca-cert instead.
- List clusters
pks clusters
- Obtain a kubeconfig using the PKS login (from above)
pks get-credentials cluster-name
- Obtain a kubeconfig without a prior PKS login
pks get-kubeconfig cluster-name -k -a pks-api.example.com -u myusername
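The commands above all pass -k, which makes the pks CLI accept any certificate from the PKS API. Whichever way a kubeconfig was obtained, it is worth checking that the cluster entries inside it do not do the same thing before handing it to kubectl. The following is an added example, not code from this page or from PKS: the kubeconfig it audits is constructed inline with placeholder cluster names, server URLs and CA data, and the awk parser assumes the two-space YAML indentation that kubectl and pks write.

```shell
# Added example (not from the original page): audit a kubeconfig, such as the
# one written by `pks get-credentials`, for cluster entries that would accept
# any API server certificate. The sample kubeconfig is constructed here; the
# cluster names, server URLs and CA blob are placeholders, not real PKS values.

# Write a constructed three-cluster kubeconfig to the path given as $1.
make_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: UExBQ0VIT0xERVI=
    server: https://good-cluster.example.com:8443
  name: good-cluster
- cluster:
    insecure-skip-tls-verify: true
    server: https://bad-cluster.example.com:8443
  name: bad-cluster
- cluster:
    server: https://noca-cluster.example.com:8443
  name: noca-cluster
contexts: []
current-context: ""
users: []
EOF
}

# Print one line per cluster entry that either sets insecure-skip-tls-verify: true
# or carries no certificate-authority / certificate-authority-data. Such an entry
# lets kubectl send the user's token to whatever answers on the server URL.
# Assumes the two-space indentation kubectl and pks write for kubeconfig files.
audit_kubeconfig() {
  awk '
    function flush() {
      if (name != "" && (insecure || !has_ca)) print name
      name = ""; insecure = 0; has_ca = 0
    }
    /^clusters:/                       { in_clusters = 1; next }
    /^[A-Za-z]/                        { if (in_clusters) flush(); in_clusters = 0; next }
    !in_clusters                       { next }
    /^- cluster:/                      { flush(); next }
    /insecure-skip-tls-verify: *true/  { insecure = 1 }
    /certificate-authority(-data)?:/   { has_ca = 1 }
    /^  name: /                        { name = $2 }
    END                                { if (in_clusters) flush() }
  ' "$1"
}

# Exit 0 only when no cluster entry is flagged, so it can gate a script:
#   kubeconfig_is_safe "$HOME/.kube/config" || exit 1
kubeconfig_is_safe() {
  [ -z "$(audit_kubeconfig "$1")" ]
}
```

Run audit_kubeconfig against the kubeconfig pks wrote and fix any flagged entry by adding the cluster CA (certificate-authority-data) and dropping insecure-skip-tls-verify; the CA for a PKS cluster is the one pks get-credentials embeds, so a flagged entry usually means the file was hand-edited.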
Plan Configuration
The plan's worker node count is only the default. It can be overridden when the cluster is first created with pks create-cluster cluster-name --plan plan-name --external-hostname hostname -n N, or changed after creation with pks resize cluster-name -n N.
Allow Privileged
This option sets the --allow-privileged flag on kube-apiserver. Some Helm charts require privileged containers, typically in an init container that has to change kernel settings or otherwise modify the worker node. A privileged container runs with all capabilities and direct access to host devices, so it is effectively root on the node; enable this only on a dedicated plan for workloads that need it (for example a small-privileged plan next to small) rather than for every cluster. On a cluster without privileged mode enabled, such charts fail with errors similar to:
spec.template.spec.initContainers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
Cluster Sinks
A ClusterSink resource configures the fluent-bit daemonset containers to forward all syslog messages from the node each pod runs on to the sink destination. The rsyslog daemon on the node itself is not modified, since it always forwards logs to the node itself.
Fluent-bit serves its status API on port 5000. The cluster sink status is derived from that API across all fluent-bit pods and reports 'Failing' if any pod returns a non-successful response.
A cluster sink resource can be defined by:
apiVersion: apps.pivotal.io/v1beta1
kind: ClusterSink
metadata:
  name: clustersink
spec:
  type: syslog
  host: itsopksmgnt-logstash.uc.ucalgary.ca
  port: 514
  enable_tls: false
With enable_tls: false the syslog stream, including whatever secrets or user data end up in node logs, crosses the network in cleartext and can be read or altered on the way; set enable_tls: true whenever the sink endpoint supports it.
The cluster sink status can be obtained from kubectl get clustersink or pks clusters.
# kubectl get clustersink
NAME          TYPE     URL   HOST            PORT   TLS     INSECURE   AGE   STATUS
clustersink   syslog         10.254.247.29   514    false              1h    Running

# pks clusters
Name                 Plan Name          UUID                                   Status      Action
leo-itsopkspoc-06    cpu-heavy          4a7ed40e-d420-44f3-b725-f513b53b2fc6   succeeded   CREATE
leo-itsopkspoc-08    small              4eed0494-1c80-444e-ac75-bbab32c0c609   succeeded   CREATE
leo-itsopkspoc-09    small-privileged   9c253d8a-ee03-4855-8e0b-62de8b5a5b43   succeeded   CREATE
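When a sink shows Failing, the question is which fluent-bit pod is not answering on its status port. The following is an added example, not code from this page or from PKS, that reproduces the status rule described above (any pod with a non-2xx response makes the sink Failing) and collects the per-pod responses with kubectl. It assumes things the page does not state: that the daemonset runs in namespace pks-system with the label k8s-app=fluent-bit, that the pod image has BusyBox wget, and that a GET on / of the status port returns 200 when fluent-bit is healthy.

```shell
# Added example (not from the original page): reproduce the cluster sink health
# rule by probing the Fluent Bit status API on every fluent-bit pod and failing
# if any pod does not answer 2xx. Assumptions not stated on the page: the
# daemonset lives in namespace pks-system with label k8s-app=fluent-bit, the pod
# image has BusyBox wget, and a GET on / of the status port (5000) returns 200.

# Pure rule: read "<pod> <http-status>" lines on stdin and print Running when
# every status is 2xx, otherwise Failing followed by the offending pods. No pods
# at all is also reported as Failing, since nothing is forwarding in that case.
aggregate_sink_status() {
  awk '
    $2 !~ /^2[0-9][0-9]$/ { bad = bad " " $1 }
    END {
      if (NR == 0)        print "Failing: no fluent-bit pods found"
      else if (bad == "") print "Running"
      else                print "Failing:" bad
    }
  '
}

# Collect one "<pod> <http-status>" line per fluent-bit pod by running wget
# inside each pod against its own status port; an unreachable API reports 000.
# Needs kubectl access to the cluster (for example via pks get-credentials).
probe_fluent_bit_pods() {
  ns=${1:-pks-system}
  kubectl -n "$ns" get pods -l k8s-app=fluent-bit \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' |
  while read -r pod; do
    # BusyBox wget -S prints the status line ("HTTP/1.1 200 OK") on stderr.
    code=$(kubectl -n "$ns" exec "$pod" -- wget -q -S -O /dev/null \
             http://127.0.0.1:5000/ 2>&1 | awk '/^ *HTTP\//{print $2; exit}')
    echo "$pod ${code:-000}"
  done
}

# Typical use against a live cluster:
#   probe_fluent_bit_pods | aggregate_sink_status
```

The probe runs wget inside each pod rather than from the operator's machine so that the status port does not need to be reachable from outside the node; a pod that reports 000 is the one to inspect with kubectl logs.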