Pivotal Container Service, shortened as PKS, is a managed Kubernetes platform by Pivotal.

Installation[edit | edit source]

Once Ops Manager and the Bosh Director is set up, download and install the PKS tile from the Pivotal Network. Once the PKS tile is deployed, a new VM should have been deployed by bosh under the pivotal-container-service-xxxx deployment.

# bosh instances
   Deployment 'pivotal-container-service-ad2c46d3833f5f4ea239'
   Instance                                                        Process State  AZ              IPs
   pivotal-container-service/6b58ba3e-be95-43e7-a9f5-57e8812c4826  running        pks-management

Updates[edit | edit source]

If you have already the Pivotal Network integration in Ops Manager, you should be able to trigger Ops Manager to download the latest version of PKS on the main tiles view. Alternatively, you may download the most recent version of PKS from the Pivotal Network and then manually import it to Ops Manager.

With either method, once the new version of PKS is in Ops Manager, you may trigger an update by clicking on 'Review Pending Changes', then ensure that 'Upgrade all cluster errand' is checked for PKS.

Usage[edit | edit source]

API[edit | edit source]

Use the pks utility to manage the PKS cluster and obtain kube configs.

  • Login pks login -a pks-api.example.com -u myusername -k
  • List clusters pks clusters
  • Obtain a kubeconfig using the PKS login (from above) pks get-credentials cluster-name
  • Obtain a kubeconfig without PKS login pks get-kubeconfig cluster-name -k -a pks-api.example.com -u myusername

Plan Configuration[edit | edit source]

The plan's cluster size is the default size and can be overridden when the cluster is first created using pks cluster-create -n N or resized after the cluster is created using pks resize cluster-name -n N.

Allow Privileged[edit | edit source]

This option sets the --allow-privileged flag for kube-apiserver. Certain helm charts will require privileged containers so that they can drop certain privileges or do certain things to the node. If a cluster does not have privileged mode enabled, helm charts may result in errors similar to:

spec.template.spec.initContainers[0].securityContext.privileged: Forbidden: disallowed by cluster policy

Cluster Sinks[edit | edit source]

Cluster sink resources will configure the fluent-bit daemonset containers to log all syslog messages from the node it's running on to the cluster sink destination. The rsyslog daemon on the node itself is not touched as it will always forward logs to itself.

Fluent bit is configured to serve the status API on port 5000. The cluster sink status is retrieved from this status API and will return 'Failing' if any of these pods return a non-successful response.

A cluster sink resource can be defined by:

apiVersion: apps.pivotal.io/v1beta1
kind: ClusterSink
  name: clustersink
  type: syslog
  host: itsopksmgnt-logstash.uc.ucalgary.ca
  port: 514
  enable_tls: false

The cluster sink status can be obtained from kubectl get clustersink or pks clusters.

# kubectl get clustersink
NAME          TYPE     URL   HOST            PORT   TLS     INSECURE   AGE   STATUS
clustersink   syslog   514    false              1h    Running

# pks clusters
Name                   Plan Name         UUID                                  Status     Action
leo-itsopkspoc-06      cpu-heavy         4a7ed40e-d420-44f3-b725-f513b53b2fc6  succeeded  CREATE
leo-itsopkspoc-08      small             4eed0494-1c80-444e-ac75-bbab32c0c609  succeeded  CREATE
leo-itsopkspoc-09      small-privileged  9c253d8a-ee03-4855-8e0b-62de8b5a5b43  succeeded  CREATE