Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
openshift_deployments [2019/12/26 02:05]
root [List Images in the Image Stream]
openshift_deployments [2020/01/23 07:26] (current)
root [Metric Beats]
Line 35: Line 35:
 Container ​   cpu       ​100m ​ 2 200m    300m  10 Container ​   cpu       ​100m ​ 2 200m    300m  10
 Container ​   memory ​   4Mi 1Gi 100Mi   200Mi - Container ​   memory ​   4Mi 1Gi 100Mi   200Mi -
 +</​code>​
 +
 +== DaemonSets == 
 +
 +<code yaml>
 +kind: DaemonSet
 +apiVersion: extensions/​v1beta1
 +metadata:
 +  name: fluentd
 +spec:
 +  replicas: 1
 +  selector:
 +    matchLabels:​
 +      app: fluentd
 +  template:
 +    metadata:
 +      labels:
 +        app: fluentd
 +    spec:
 +      affinity:
 +        nodeAffinity:​
 +          # ensure pods get scheduled on a node without inter-DC latency
 +          requiredDuringSchedulingIgnoredDuringExecution:​
 +            nodeSelectorTerms:​
 +            - matchExpressions:​
 +                - key: cluster
 +                  operator: DoesNotExist
 +      containers:
 +      - name: fluentd
 +        imagePullPolicy:​ {{ IMAGE_PULL_POLICY }}
 +        image: {{ FLUENTD_REGISTRY }}/​fluentd-kubernetes-daemonset:​v1.7.3-debian-elasticsearch6-1.0
 +        env:
 +        - name: FLUENTD_CONF
 +          value: lite3_fluentd.conf
 +        - name: FLUENT_ELASTICSEARCH_SED_DISABLE
 +          value: "​true"​
 +        volumeMounts:​
 +        - name: fluentd-config
 +          mountPath: /​fluentd/​etc/​lite3_fluentd.conf
 +          subPath: lite3_fluentd.conf
 +        - name: ca-crt
 +          mountPath: /cloud/
 +        resources:
 +          requests:
 +            memory: {{ FLUENTD_MEMORY_REQUEST }}
 +          limits:
 +            memory: 2Gi
 +        ports:
 +        - containerPort:​ {{ FLUENTD_PORT }}
 +          name: fluentd
 +      securityContext:​
 +        privileged: true
 +      volumes:
 +      - name: fluentd-config
 +        configMap:
 +          name: fluentd-cm
 +          items:
 +          - key: fluentd-conf
 +            path: lite3_fluentd.conf
 +      - name: ca-crt
 +        secret:
 +          secretName: "​truststore-secret"​
 +          items:
 +            - key: ca.crt
 +              path: ca.crt
 +</​code>​
 +
 +<​code>​
 +apiVersion: v1
 +kind: Template
 +metadata:
 +  name: filebeat
 +  annotations:​
 +    description:​ filebeat configuration for Openshift
 +    openshift.io/​display-name:​ Filebeat
 +    template.openshift.io/​long-description:​ Filebeat configured to tail container log files to monitor Red Hat Openshift
 +objects:
 +- apiVersion: v1
 +  kind: ConfigMap
 +  metadata:
 +    name: filebeat-config
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  data:
 +    filebeat.yml:​ |-
 +      filebeat.config:​
 +        #inputs:
 +          # Mounted `filebeat-inputs` configmap:
 +        #  path: ${path.config}/​inputs.d/​*.yml
 +          # Reload inputs configs as they change:
 +        #  reload.enabled:​ false
 +        modules:
 +          path: ${path.config}/​modules.d/​*.yml
 +          # Reload module configs as they change:
 +          reload.enabled:​ false
 +
 +      #To enable hints based autodiscover,​ remove `filebeat.config.inputs` configuration and uncomment this:
 +      filebeat.autodiscover:​
 +        providers:
 +          - type: kubernetes
 +            hints.enabled:​ true
 +
 +      output.logstash:​
 +        hosts: [${OUTPUT_HOSTS}]
 +        ssl.enabled:​ true
 +        ssl.certificate_authorities:​ ['​${CA_CERT}'​]
 +
 +- apiVersion: v1
 +  kind: ConfigMap
 +  metadata:
 +    name: filebeat-inputs
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  data:
 +    kubernetes.yml:​ |-
 +      - type: docker
 +        containers.ids:​
 +        - "​*"​
 +        processors:
 +          - add_kubernetes_metadata:​
 +              host: ${NODE_NAME}
 +              in_cluster: true
 +              ​
 +- apiVersion: extensions/​v1beta1
 +  kind: DaemonSet
 +  metadata:
 +    name: filebeat
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  spec:
 +    template:
 +      metadata:
 +        labels:
 +          app: ${APPLICATION_NAME}
 +      spec:
 +        serviceAccountName:​ filebeat
 +        terminationGracePeriodSeconds:​ 30
 +        containers:
 +        - name: filebeat
 +          image: ${DOCKER_IMAGE}
 +          args: [
 +            "​-c",​ "/​etc/​filebeat.yml",​
 +            "​-e",​
 +          ]
 +          env:
 +          - name: OUTPUT_HOSTS
 +            value: ${OUTPUT_HOSTS}
 +          - name: CA_CERT
 +            value: ${CA_CERT}
 +          - name: NODE_NAME
 +            valueFrom:
 +              fieldRef:
 +                fieldPath: spec.nodeName
 +          securityContext:​
 +            runAsUser: 0
 +            privileged: true
 +          resources:
 +            limits:
 +              cpu: ${MAXIMUM_CPU}
 +              memory: ${MAXIMUM_MEMORY}
 +          volumeMounts:​
 +          - name: cacert
 +            mountPath: /etc/tls
 +            readOnly: true
 +          - name: config
 +            mountPath: /​etc/​filebeat.yml
 +            readOnly: true
 +            subPath: filebeat.yml
 +          - name: inputs
 +            mountPath: /​usr/​share/​filebeat/​inputs.d
 +            readOnly: true
 +          - name: data
 +            mountPath: /​usr/​share/​filebeat/​data
 +          - name: varlibdockercontainers
 +            mountPath: /​var/​lib/​docker/​containers
 +            readOnly: true
 +        volumes:
 +        - name: config
 +          configMap:
 +            defaultMode:​ 0600
 +            name: filebeat-config
 +        - name: cacert
 +          secret:
 +            secretName: cacert
 +        - name: varlibdockercontainers
 +          hostPath:
 +            path: /​var/​lib/​docker/​containers
 +        - name: inputs
 +          configMap:
 +            defaultMode:​ 0600
 +            name: filebeat-inputs
 +        # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
 +        - name: data
 +          hostPath:
 +            path: /​var/​lib/​filebeat-data
 +            type: DirectoryOrCreate
 +            ​
 +- apiVersion: rbac.authorization.k8s.io/​v1beta1
 +  kind: ClusterRoleBinding
 +  metadata:
 +    name: filebeat
 +  subjects:
 +  - kind: ServiceAccount
 +    name: filebeat
 +    namespace: ${PROJECT_NAME}
 +  roleRef:
 +    kind: ClusterRole
 +    name: filebeat
 +    apiGroup: rbac.authorization.k8s.io
 +
 +- apiVersion: rbac.authorization.k8s.io/​v1beta1
 +  kind: ClusterRole
 +  metadata:
 +    name: filebeat
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  rules:
 +  - apiGroups: [""​] # ""​ indicates the core API group
 +    resources:
 +    - namespaces
 +    - pods
 +    verbs:
 +    - get
 +    - watch
 +    - list
 +
 +- apiVersion: v1
 +  kind: ServiceAccount
 +  metadata:
 +    name: filebeat
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +parameters:
 +- description:​ "Name of beats project."​
 +  displayName:​ Project name
 +  name: PROJECT_NAME
 +  required: true
 +  value: "​container-platform-monitoring"​
 +- description:​ "Name of application."​
 +  displayName:​ Application name
 +  name: APPLICATION_NAME
 +  required: true
 +  value: "​filebeat"​
 +- description:​ "​Docker image to be used for the deployment."​
 +  displayName:​ Docker image
 +  name: DOCKER_IMAGE
 +  required: true
 +  value: "​docker.swift.com:​5000/​elastic/​filebeat:​6.5.4"​
 +- description:​ "​Logstash output hosts."​
 +  displayName:​ Logstash output hosts
 +  name: OUTPUT_HOSTS
 +  required: true
 +  value: "​logstash:​5044"​
 +- description:​ "CA cert mount path"
 +  displayName:​ CA cert Mount Path
 +  name: CA_CERT
 +  required: true
 +  value: "/​etc/​tls/​ca_cert.pem"​
 +- description:​ "​Maximum processing power that a pod can use can be expressed in millicores(m)."​
 +  displayName:​ Maximum cpu
 +  name: MAXIMUM_CPU
 +  required: true
 +  value: "​500m"​
 +- description:​ "​Maximum memory that a pod can use can be in Mb or Gi."
 +  displayName:​ Maximum memory
 +  name: MAXIMUM_MEMORY
 +  required: true
 +  value: "​256Mi"​
 +</​code>  ​
 +
 +== Metric Beats == 
 +
 +<​code>​
 +apiVersion: v1
 +kind: Template
 +metadata:
 +  name: metricbeat
 +  annotations:​
 +    description:​ Metricbeat configured to monitor Red Hat Openshift
 +    openshift.io/​display-name:​ Metricbeat
 +    template.openshift.io/​long-description:​ Metricbeat configured to monitor Red Hat Openshift via host system metrics and Kubernetes state metrics and output to Logstash
 +objects:
 +- apiVersion: v1
 +  kind: ConfigMap
 +  metadata:
 +    name: metricbeat-daemonset-config
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  data:
 +    metricbeat.yml:​ |-
 +      metricbeat.config.modules:​
 +        path: ${path.config}/​modules.d/​*.yml
 +        reload.enabled:​ false
 +     ​logging:​
 +        level: warning
 +      output.logstash:​
 +        hosts: [${OUTPUT_HOSTS}]
 +        ssl.enabled:​ true
 +        ssl.certificate_authorities:​ ['​${CA_CERT}'​]
 +- apiVersion: v1
 +  kind: ConfigMap
 +  metadata:
 +    name: metricbeat-daemonset-modules
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  data:
 +    system.yml: |-
 +      - module: system
 +        metricsets:
 +          - cpu
 +          - load
 +          - memory
 +          - network
 +          - process
 +          - process_summary
 +          - core
 +          #- diskio
 +          #- socket
 +        period: 15s
 +        processes: ['​.*'​]
 +        process.include_top_n:​
 +          by_cpu: 5      # include top 5 processes by CPU
 +          by_memory: 5   # include top 5 processes by memory
 +
 +      - module: system
 +        metricsets:
 +          - filesystem
 +          - fsstat
 +        period: 1m
 +        processors:
 +        - drop_event.when.regexp:​
 +            system.filesystem.mount_point:​ '​^/​(sys|cgroup|proc|dev|etc|host|lib)($|/​)'​
 +
 +      - module: system
 +        metricsets:
 +          - uptime
 +        period: 15m
 +
 +    kubernetes.yml:​ |-
 +      - module: kubernetes
 +        metricsets:
 +          - container
 +          - node
 +          - pod
 +          - volume
 +          - system
 +        period: 15s
 +        host: ${NODE_NAME}
 +        hosts: ["​https://​${HOSTNAME}:​10250"​]
 +        bearer_token_file:​ /​var/​run/​secrets/​kubernetes.io/​serviceaccount/​token
 +        ssl.certificate_authorities:​
 +          - /​var/​run/​secrets/​kubernetes.io/​serviceaccount/​service-ca.crt
 +      ​
 +        add_metadata:​ true
 +        in_cluster: true
 +- apiVersion: extensions/​v1beta1
 +  kind: DaemonSet
 +  metadata:
 +    name: metricbeat
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  spec:
 +    template:
 +      metadata:
 +        labels:
 +          app: ${APPLICATION_NAME}
 +      spec:
 +        serviceAccountName:​ metricbeat
 +        terminationGracePeriodSeconds:​ 30
 +        hostNetwork:​ true
 +        dnsPolicy: ClusterFirstWithHostNet
 +        containers:
 +        - name: metricbeat
 +          image: ${DOCKER_IMAGE}
 +          args: [
 +            "​-c",​ "/​etc/​metricbeat.yml",​
 +            "​-e",​
 +            "​-system.hostfs=/​hostfs",​
 +          ]
 +          env:
 +          - name: NODE_NAME
 +            valueFrom:
 +              fieldRef:
 +                fieldPath: spec.nodeName
 +          securityContext:​
 +            runAsUser: 0
 +          resources:
 +            limits:
 +              cpu: ${MAXIMUM_CPU}
 +              memory: ${MAXIMUM_MEMORY}
 +          volumeMounts:​
 +          - name: cacert
 +            mountPath: /etc/tls
 +            readOnly: true
 +          - name: config
 +            mountPath: /​etc/​metricbeat.yml
 +            readOnly: true
 +            subPath: metricbeat.yml
 +          - name: modules
 +            mountPath: /​usr/​share/​metricbeat/​modules.d
 +            readOnly: true
 +          - name: dockersock
 +            mountPath: /​var/​run/​docker.sock
 +            readOnly: true
 +          - name: proc
 +            mountPath: /​hostfs/​proc
 +            readOnly: true
 +          - name: cgroup
 +            mountPath: /​hostfs/​sys/​fs/​cgroup
 +            readOnly: true
 +        volumes:
 +        - name: cacert
 +          secret:
 +            secretName: cacert
 +        - name: proc
 +          hostPath:
 +            path: /proc
 +        - name: cgroup
 +          hostPath:
 +            path: /​sys/​fs/​cgroup
 +        - name: dockersock
 +          hostPath:
 +            path: /​var/​run/​docker.sock
 +        - name: config
 +          configMap:
 +            defaultMode:​ 0600
 +            name: metricbeat-daemonset-config
 +        - name: modules
 +          configMap:
 +            defaultMode:​ 0600
 +            name: metricbeat-daemonset-modules
 +        - name: data
 +          hostPath:
 +            path: /​var/​lib/​metricbeat-data
 +            type: DirectoryOrCreate
 +- apiVersion: v1
 +  kind: ConfigMap
 +  metadata:
 +    name: metricbeat-deployment-config
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  data:
 +    metricbeat.yml:​ |-
 +      metricbeat.config.modules:​
 +        path: ${path.config}/​modules.d/​*.yml
 +        reload.enabled:​ false
 +      logging:
 +        level: warning
 +      output.logstash:​
 +        hosts: [${OUTPUT_HOSTS}]
 +        ssl.enabled:​ true
 +        ssl.certificate_authorities:​ ['​${CA_CERT}'​]
 +- apiVersion: v1
 +  kind: ConfigMap
 +  metadata:
 +    name: metricbeat-deployment-modules
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  data:
 +    kubernetes.yml:​ |-
 +      # State metrics from internal openshift kube-state-metrics service:
 +      - module: kubernetes
 +        enabled: true
 +        metricsets:
 +          - state_node
 +          - state_deployment
 +          - state_replicaset
 +          - state_statefulset
 +          - state_pod
 +          - state_container
 +        period: 15s
 +        hosts: ["​https://​kube-state-metrics.openshift-monitoring.svc.cluster.local:​8443"​]
 +        bearer_token_file:​ /​var/​run/​secrets/​kubernetes.io/​serviceaccount/​token
 +        ssl.certificate_authorities:​
 +          - /​var/​run/​secrets/​kubernetes.io/​serviceaccount/​service-ca.crt
 +
 +      - module: kubernetes
 +        enabled: true
 +        metricsets:
 +          - event
 +
 +      - module: kubernetes
 +        enabled: true
 +        metricsets:
 +          - apiserver
 +        hosts: ["​https://​${KUBERNETES_SERVICE_HOST}:​${KUBERNETES_SERVICE_PORT}"​]
 +        bearer_token_file:​ /​var/​run/​secrets/​kubernetes.io/​serviceaccount/​token
 +        ssl.certificate_authorities:​
 +          - /​var/​run/​secrets/​kubernetes.io/​serviceaccount/​service-ca.crt
 +
 +        add_metadata:​ true
 +        in_cluster: true
 +- apiVersion: apps/​v1beta1
 +  kind: Deployment
 +  metadata:
 +    name: metricbeat
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  spec:
 +    template:
 +      metadata:
 +        labels:
 +          app: ${APPLICATION_NAME}
 +      spec:
 +        serviceAccountName:​ metricbeat
 +        hostNetwork:​ true
 +        dnsPolicy: ClusterFirstWithHostNet
 +        containers:
 +        - name: metricbeat
 +          image: ${DOCKER_IMAGE}
 +          args: [
 +            "​-c",​ "/​etc/​metricbeat.yml",​
 +            "​-e",​
 +          ] 
 +          env:
 +          - name: NODE_NAME
 +            valueFrom:
 +              fieldRef:
 +                fieldPath: spec.nodeName
 +          securityContext:​
 +            runAsUser: 0
 +          resources:
 +            limits:
 +              cpu: ${MAXIMUM_CPU}
 +              memory: ${MAXIMUM_MEMORY}
 +          volumeMounts:​
 +          - name: cacert
 +            mountPath: /etc/tls
 +            readOnly: true
 +          - name: config
 +            mountPath: /​etc/​metricbeat.yml
 +            readOnly: true
 +            subPath: metricbeat.yml
 +          - name: modules
 +            mountPath: /​usr/​share/​metricbeat/​modules.d
 +            readOnly: true
 +        volumes:
 +        - name: cacert
 +          secret:
 +            secretName: cacert
 +        - name: config
 +          configMap:
 +            defaultMode:​ 0600
 +            name: metricbeat-deployment-config
 +        - name: modules
 +          configMap:
 +            defaultMode:​ 0600
 +            name: metricbeat-deployment-modules
 +- apiVersion: rbac.authorization.k8s.io/​v1beta1
 +  kind: ClusterRoleBinding
 +  metadata:
 +    name: metricbeat
 +  subjects:
 +  - kind: ServiceAccount
 +    name: metricbeat
 +    namespace: ${PROJECT_NAME}
 +  roleRef:
 +    kind: ClusterRole
 +    name: metricbeat
 +    apiGroup: rbac.authorization.k8s.io
 +
 +- apiVersion: rbac.authorization.k8s.io/​v1beta1
 +  kind: ClusterRole
 +  metadata:
 +    name: metricbeat
 +    labels:
 +      app: ${APPLICATION_NAME}
 +  rules:
 +  - apiGroups: [""​]
 +    resources:
 +    - nodes
 +    - namespaces
 +    - events
 +    - pods
 +    verbs: ["​get",​ "​list",​ "​watch"​]
 +  - apiGroups: ["​extensions"​]
 +    resources:
 +    - replicasets
 +    verbs: ["​get",​ "​list",​ "​watch"​]
 +  - apiGroups: ["​apps"​]
 +    resources:
 +    - statefulsets
 +    - deployments
 +    verbs: ["​get",​ "​list",​ "​watch"​]
 +  - apiGroups:
 +    - ""​
 +    resources:
 +    - nodes/stats
 +    - nodes/​metrics
 +    verbs:
 +    - get
 +- apiVersion: v1
 +  kind: ServiceAccount
 +  metadata:
 +    name: metricbeat
 +    namespace: ${PROJECT_NAME}
 +    labels:
 +      app: ${APPLICATION_NAME}
 +parameters:
 +- description:​ "Name of beats project."​
 +  displayName:​ Project name
 +  name: PROJECT_NAME
 +  required: true
 +  value: "​container-platform-monitoring"​
 +- description:​ "Name of application."​
 +  displayName:​ Application name
 +  name: APPLICATION_NAME
 +  required: true
 +  value: "​metricbeat"​
 +- description:​ "​Docker image to be used for the deployment."​
 +  displayName:​ Docker image
 +  name: DOCKER_IMAGE
 +  required: true
 +  value: ""​
 +- description:​ "​Logstash output hosts."​
 +  displayName:​ Logstash output hosts
 +  name: OUTPUT_HOSTS
 +  required: true
 +  value: "​logstash:​5044"​
 +- description:​ "CA cert mount path"
 +  displayName:​ CA cert Mount Path
 +  name: CA_CERT
 +  required: true
 +  value: "/​etc/​tls/​ca_cert.pem"​
 +- description:​ "​Maximum processing power that a pod can use can be expressed in millicores(m)."​
 +  displayName:​ Maximum cpu
 +  name: MAXIMUM_CPU
 +  required: true
 +  value: "​500m"​
 +- description:​ "​Maximum memory that a pod can use can be in Mb or Gi."
 +  displayName:​ Maximum memory
 +  name: MAXIMUM_MEMORY
 +  required: true
 +  value: "​256Mi"​
 +</​code>​
 +
 +== Service == 
 +
 +<code yaml>
 +kind: Service
 +apiVersion: v1
 +metadata:
 +  name: kibana-svc
 +  labels:
 +    app: kibana
 +spec:
 +  ports:
 +  - port: {{ KIBANA_PORT }}
 +    protocol: TCP
 +    name: http
 +  clusterIP: None
 +  sessionAffinity:​ ClientIP
 +  selector:
 +    app: kibana
 </​code>​ </​code>​
 
openshift_deployments.1577354754.txt.gz · Last modified: 2019/12/26 02:05 by root
 
RSS - 200 © CrosswireDigitialMedia Ltd