Contrail Insights Installation for Kubernetes
Architecture and Terminology
Component | Description
Kubernetes cluster nodes | Primary and worker nodes of the Kubernetes cluster being monitored by Contrail Insights. These nodes run the Contrail Insights Agent.
Contrail Insights Platform node | Node on which the Contrail Insights Platform components are installed. Must be able to reach the Kubernetes cluster nodes and the Kubernetes API server.
Figure 1 shows the different components of Contrail Insights and how they interact with the Kubernetes cluster.
Requirements
The following are the requirements for installing Contrail Insights for Kubernetes.
Kubernetes versions 1.8 and later.
See Contrail Insights General Requirements for hardware and software requirements.
API access to the Kubernetes API server. Contrail Insights reads information about the cluster from the API server, so the token supplied during configuration must carry sufficient permission for read-only API calls (get, list, watch); it does not need any write permission. The Contrail Insights Platform node must also be able to open a TCP connection to the host and port on which the API server listens (port 6443 in the example later on this page).
Note: Upgrade notice: Starting with Contrail Insights 3.2.6, the requirement for a license file is removed. If you are installing a version earlier than 3.2.6, a license is required prior to installation.
You can obtain a license key from mailto:APPFORMIX-KEY-REQUEST@juniper.net. Provide the following information in your request:
Group name:
Target customers or use:
Cluster type: Kubernetes
Number of hosts:
Number of instances:
Workflow in Four Steps
The installation consists of the following steps:
Initial setup.
Configuring Kubernetes.
Installing Contrail Insights.
Setting up the Contrail Insights Scheduler Extender.
Initial Setup
Perform the following steps for the initial setup:
Install the following required files on the Contrail Insights Platform node.
# Ubuntu
apt-get update
apt-get install python-pip python-dev build-essential libssl-dev libffi-dev
pip install ansible==2.1.2 markupsafe httplib2

# RHEL/CentOS
yum install epel-release                        # Enable the EPEL repository
# If the command above does not work, download and install the epel-release
# package manually with the command that matches your system's version:
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
yum groupinstall 'Development Tools'            # Install development tools
yum install openssl-devel libffi libffi-devel   # Dependencies
yum install python-pip python-devel             # Install pip
pip install ansible==2.3.0                      # Install Ansible 2.3
pip install markupsafe httplib2                 # Dependencies
Note: On RHEL, the following iptables rule is needed so that port 9000 (the Contrail Insights Dashboard) is reachable:
iptables -t filter -A IN_public_allow -p tcp --dport 9000 -j ACCEPT
As written, the rule admits connections from any source. The Dashboard and the Scheduler Extender endpoint on this port are served over plain HTTP, so where possible restrict the rule to the control-plane and operator networks with -s <cidr>.
Edit the /etc/hosts file on the Contrail Insights Platform node and add the IP addresses of the Kubernetes cluster nodes:
vi /etc/hosts
<kube-master-ip> k8s-master
<kube-worker1-ip> k8s-node1
<kube-worker2-ip> k8s-node2
Set up passwordless SSH from the Contrail Insights Platform node to the Kubernetes cluster nodes. Run the following commands to generate a key pair and copy the public key to all the nodes (the Platform node's own address is included because Ansible also connects to it):
ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-master
ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-node1
ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-node2
ssh-copy-id -i ~/.ssh/id_rsa.pub root@<IP of Contrail Insights Platform node>
The private key now grants root on every cluster node. Keep it only on the Platform node, protect it with a passphrase (ssh-agent can supply it to Ansible), and remove the authorized_keys entries from the nodes when the installation host is decommissioned.
Configure Kubernetes
Contrail Insights reads information about resources in your Kubernetes clusters. The software requires a role that provides read-only access to all objects in the cluster. The cluster-admin role satisfies this, but it also grants write access to every object in the cluster, so a dedicated read-only ClusterRole is the least-privilege choice. We recommend that you create a new Service Account for Contrail Insights rather than reusing an existing one; the steps below bind it to cluster-admin, which you can replace with a read-only ClusterRole if your policy requires it.
If you do not create a new Service Account, then you must provide the token of an existing Service Account that has the required access when configuring Contrail Insights. A token shared with other workloads is harder to rotate or revoke later, which is another reason to prefer a dedicated account.
To create a new Service Account with the required access for Contrail Insights, perform the following steps in the Kubernetes cluster:
1. Create a YAML file with the following content:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: appformix
2. Create the appformix Service Account using the file you created in Step 1:
$ kubectl create -f <file>.yaml
3. Confirm that the Service Account has been created. Make a note of its namespace; you will need it later.
$ kubectl describe serviceaccount appformix
Name:                appformix
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   appformix-token-pkljk
Tokens:              appformix-token-pkljk
Events:              <none>
4. Add the cluster-admin role to the appformix Service Account, substituting <namespace> with the namespace noted in Step 3:
$ kubectl create clusterrolebinding appformix-binding --clusterrole=cluster-admin --serviceaccount=<namespace>:appformix
5. Run the following command to confirm that the appformix Service Account has the required access:
$ kubectl auth can-i get nodes --as=system:serviceaccount:<namespace>:appformix --all-namespaces
The output of the command should be yes.
6. Contrail Insights must be configured to communicate with the Kubernetes cluster. Collect the following details from the Kubernetes cluster for use during the Contrail Insights installation.
kubernetes_cluster_url: the URL of the Kubernetes API server. To get this value, run the following command on the Kubernetes cluster (newer kubectl releases print "Kubernetes control plane" instead of "Kubernetes master", so adjust the grep pattern accordingly):
$ kubectl cluster-info | grep 'Kubernetes master'
Kubernetes master is running at https://172.24.1.173:6443
kubernetes_auth_token: the authentication token of the appformix Service Account. To get this value, run the following commands on the Kubernetes cluster:
$ kubectl describe serviceaccount appformix
Name:         appformix
Namespace:    default
Labels:       <none>
Annotations:  <none>
Tokens:       appformix-token-pkljk
[...]
$ kubectl describe secret appformix-token-pkljk
Name:         appformix-token-pkljk
Namespace:    default
[...]
token:        eyJhb[...]
This token is a long-lived bearer credential with cluster-wide access; treat it like a password and do not paste it into tickets or chat. On Kubernetes 1.24 and later a token Secret is no longer created automatically for a Service Account, so the Tokens field stays empty until you create a Secret of type kubernetes.io/service-account-token annotated with the Service Account name.
Install Contrail Insights
To install Contrail Insights:
Download the Contrail Insights installation packages from software downloads to the Contrail Insights Platform node. Get the following files:
contrail-insights-<version>.tar.gz
contrail-insights-dependencies-images-<version>.tar.gz
contrail-insights-kubernetes-images-<version>.tar.gz
contrail-insights-platform-images-<version>.tar.gz
contrail-insights-network_device-images-<version>.tar.gz
If you are installing a version earlier than 3.2.6, copy the Contrail Insights license file to the Contrail Insights Platform node.
Unzip contrail-insights-<version>.tar.gz. This package contains all the Ansible playbooks required to install Contrail Insights.
tar -xvzf contrail-insights-<version>.tar.gz
cd contrail-insights-<version>/
Note: The remaining steps should be executed from within the contrail-insights-<version>/ directory. Although the product name changed from "AppFormix" to "Contrail Insights," the UI and internal command paths continue to show AppFormix and will reflect the new name at a later date.
Using sample_inventory as a template, create an inventory file for the installation. List the Kubernetes cluster nodes in the compute section and the Contrail Insights Platform node in the appformix_controller section.
cp sample_inventory inventory
vi inventory
[compute]
k8s-master
k8s-node1
k8s-node2
[appformix_controller]
<IP of the Contrail Insights Platform node>
Create a directory called group_vars. Create a file named all inside this directory with the configuration variables required by Contrail Insights.
mkdir group_vars
vi group_vars/all
appformix_docker_images:
  - /path/to/contrail-insights-platform-images-<version>.tar.gz
  - /path/to/contrail-insights-dependencies-images-<version>.tar.gz
  - /path/to/contrail-insights-kubernetes-images-<version>.tar.gz
  - /path/to/contrail-insights-network_device-images-<version>.tar.gz
appformix_dns_version: 2
kubernetes_platform_enabled: True
openstack_platform_enabled: False
kubernetes_cluster_url: <URL from Configuring Kubernetes step 6 above>
kubernetes_auth_token: <token from Configuring Kubernetes step 6 above>
Because group_vars/all holds the Service Account token in clear text, restrict the file to the installing user (chmod 600) or store the token with ansible-vault, and keep the file out of version control.
If you are installing a version earlier than 3.2.6, include the path to the Contrail Insights license file in group_vars/all:
appformix_license: path/to/<contrail-insights-license-file>.sig
Note: Deprecation Notice: The appformix_mongo_cache_size_gb parameter, available from Contrail Insights 2.19.5, is deprecated and no longer supported from Contrail Insights 3.2.0 onward. Starting with Contrail Insights version 3.2.0, Mongo is configured to use a maximum of 40 percent of the available memory on the Contrail Insights Platform nodes.
To enable network device monitoring in the cluster, include the following in the group_vars/all file:
# For enabling prerequisites for package installation.
appformix_install_snmp_dependencies: true
appformix_install_jti_dependencies: true
# For running the appformix-network-device-adapter
network_device_discovery_enabled: true
appformix_plugins: '{{ appformix_network_device_factory_plugins }}'
# After 3.1, SNMP Traps can be enabled as well, so appformix_plugins can be specified as below:
# appformix_plugins: '{{ appformix_network_device_factory_plugins }} + {{ appformix_snmp_trap_factory_plugins }}'
Run the Ansible playbook.
ansible-playbook -i inventory appformix_kubernetes.yml
The playbook should run to completion without any errors.
Log into the Contrail Insights Dashboard at:
http://<contrail-insights-node-ip>:9000
Log in using the tokenId from the following file on the Contrail Insights Platform node. This token is the Dashboard login credential, so keep the file readable by root only and note that the Dashboard is served over plain HTTP on port 9000:
/opt/appformix/etc/appformix_token.rst
Set up the Contrail Insights Scheduler Extender
Contrail Insights comes with a Scheduler Extender module that can be added to the Kubernetes scheduler. With this module in place, the Kubernetes scheduler will use user-defined SLA policies in addition to its default policies to determine where to schedule a pod in the cluster.
To set up the Scheduler Extender:
Create a JSON file describing the Contrail Insights Scheduler Extender. Place this file inside /etc/kubernetes on the Kubernetes primary node.
vi /etc/kubernetes/appformix_scheduler_extender.json
{
  "kind": "Policy",
  "apiVersion": "v1",
  "predicates": [
    {"name": "NoVolumeZoneConflict"},
    {"name": "MaxEBSVolumeCount"},
    {"name": "MaxGCEPDVolumeCount"},
    {"name": "MatchInterPodAffinity"},
    {"name": "NoDiskConflict"},
    {"name": "GeneralPredicates"},
    {"name": "PodToleratesNodeTaints"},
    {"name": "CheckNodeMemoryPressure"},
    {"name": "CheckNodeDiskPressure"}
  ],
  "priorities": [
    {"name": "SelectorSpreadPriority", "weight": 1},
    {"name": "InterPodAffinityPriority", "weight": 1},
    {"name": "LeastRequestedPriority", "weight": 1},
    {"name": "BalancedResourceAllocation", "weight": 1},
    {"name": "NodePreferAvoidPodsPriority", "weight": 10000},
    {"name": "NodeAffinityPriority", "weight": 1},
    {"name": "TaintTolerationPriority", "weight": 1}
  ],
  "extenders": [
    {
      "urlPrefix": "http://<contrail-insights-platform-node-ip>:9000/appformix/v1.0/kubernetes_adapter",
      "filterVerb": "kubernetes_schedule_request",
      "weight": 1,
      "enableHttps": false
    }
  ]
}
Add the extender to the kube-scheduler on the primary node by adding the --policy-config-file option to the spec.containers.command block:
vi /etc/kubernetes/manifests/kube-scheduler.yaml
...
  - command:
    - kube-scheduler
    - --address=127.0.0.1
    - --leader-elect=true
    - --kubeconfig=/etc/kubernetes/scheduler.conf
    - --policy-config-file=/etc/kubernetes/appformix_scheduler_extender.json
...
If kube-scheduler runs as a kubeadm static pod, only the paths listed under its volumeMounts (by default just scheduler.conf) are visible inside the container; add a hostPath volume and a matching volumeMount for the policy file, otherwise the scheduler cannot open it and will not start.
Update the kube-scheduler container by restarting the kubelet service on the primary node:
service kubelet restart
The kube-scheduler is now running with the Contrail Insights Scheduler Extender. Two points to check before relying on it: the extender is called over plain HTTP (enableHttps is false) with no authentication, so every scheduling decision now depends on an unauthenticated endpoint on port 9000 of the Platform node; limit network access to that port to the control-plane nodes and operator hosts. Also, the --policy-config-file flag and the scheduler Policy API were removed in Kubernetes 1.23, so on later releases the extender must be declared in a KubeSchedulerConfiguration file passed with --config instead.
By default, Kubernetes does not allow any user pods to be scheduled on the primary node. To see the Contrail Insights Scheduler Extender in action on a 3-node Kubernetes cluster, enable scheduling on the Kubernetes primary node with the following command. This is a lab-only step: on a production cluster it lets user workloads run beside the control-plane components.
kubectl taint nodes master node-role.kubernetes.io/master:NoSchedule-
Using the Contrail Insights SLA Profile for Scheduling
Contrail Insights ships with a default Scheduling SLA that includes alarms for missed heartbeat, high CPU load, and high memory usage.
To change the profiles in the Scheduling SLA, do the following:
Select Settings from the list in the top right of the Dashboard, then select SLA Settings > Scheduling.
Figure 2: Contrail Insights Settings in Dashboard
Click Delete Profile to delete the existing profile.
Figure 3: Delete Scheduling Profile
Click Add New Rule and define a new alarm.
Figure 4: Add New Rule in Scheduling Profile
Select the newly created alarm from the list of available alarms and click Create Profile. You can add several alarms with custom weights to the SLA profile.
Figure 5: Create Profile in Scheduling SLA
To see the Scheduler Extender in action, generate some load on one of the Kubernetes cluster nodes so that the Scheduling SLA is violated. Check the status of the SLA from the Alarms page.
Figure 6: Violated Scheduling SLA in Alarms page
Then create some pods on the Kubernetes cluster and check which nodes they get scheduled on. The node that is violating the scheduling SLA will not get any new pods scheduled on it.
root@master:~# kubectl scale rc bpsloadgenrc --replicas 4; kubectl get pods -o wide
replicationcontroller "bpsloadgenrc" scaled
NAME                 READY   STATUS              RESTARTS   AGE   IP            NODE
bpsloadgenrc-2lsbg   1/1     Running             0          3h    10.244.2.20   node1
bpsloadgenrc-4kddr   0/1     ContainerCreating   0          0s    <none>        master
bpsloadgenrc-fm16h   1/1     Running             0          3h    10.244.0.18   master
bpsloadgenrc-sz2r6   0/1     ContainerCreating   0          0s    <none>        master
fectrl-3278x         1/1     Running             0          3h    10.244.1.24   node1
redismaster          1/1     Running             0          3h    10.244.2.19   node1
redissc-ffsqd        1/1     Running             0          3h    10.244.0.17   master

root@master:~# kubectl scale rc bpsloadgenrc --replicas 6; kubectl get pods -o wide
replicationcontroller "bpsloadgenrc" scaled
NAME                 READY   STATUS              RESTARTS   AGE   IP            NODE
bpsloadgenrc-2lsbg   1/1     Running             0          3h    10.244.2.20   node1
bpsloadgenrc-4kddr   1/1     Running             0          17s   10.244.1.25   master
bpsloadgenrc-9zgx5   0/1     ContainerCreating   0          0s    <none>        master
bpsloadgenrc-fm16h   1/1     Running             0          3h    10.244.0.18   master
bpsloadgenrc-p7drd   0/1     ContainerCreating   0          0s    <none>        master
bpsloadgenrc-sz2r6   1/1     Running             0          17s   10.244.0.19   master
fectrl-3278x         1/1     Running             0          3h    10.244.1.24   node1
redismaster          1/1     Running             0          3h    10.244.2.19   node1
redissc-ffsqd        1/1     Running             0          3h    10.244.0.17   master