• Kubernetes: Search the specific rule granting a given permission

    2 min read

    kubernetes role clusterrole rule search kubectl

    Sometimes it can be difficult to tell how a subject (User, ServiceAccount, ...) is able to perform a certain task: which Role or ClusterRole grants the permission?

    For this we can use the searchrule plugin.

    25/07/2023

  • Monitoring APIRequestCount in OpenShift

    2 min read

    OpenShift APIRequestCount monitoring API usage

    OpenShift provides an object that tracks the number of requests made to the Kubernetes API server. It provides insights into the load on the cluster and the performance of applications, and helps in capacity planning. By monitoring APIRequestCount, you can identify potential bottlenecks, detect unusual spikes in traffic, and optimize resource allocation.

    $ kubectl get apirequestcounts
    NAME                                                 REMOVEDINRELEASE   REQUESTSINCURRENTHOUR   REQUESTSINLAST24H
    alertmanagerconfigs.v1alpha1.monitoring.coreos.com                      6                       1706
    alertmanagers.v1.monitoring.coreos.com                                  20                      2891
    apiservices.v1.apiregistration.k8s.io                                   994                     99521
    (...)

    11/07/2023

  • Kubernetes: Configuring Topology Spread Constraints to tune Pod scheduling

    2 min read

    kubernetes pod affinity Topology Spread Constraints

    Ensuring high availability and fault tolerance in a Kubernetes cluster is a complex task. One important feature that allows us to address this challenge is Topology Spread Constraints.

    10/07/2023

  • OpenShift 3.11 - custom default route certificate failing with certificate has expired or is not yet valid

    2 min read

    OpenShift Route certificate has expired or is not yet valid default router-certs

    After trying to set a custom default certificate for the OpenShift routes, we might see the router Pods start crashing:

    $ kubectl get pods
    NAME              READY   STATUS             RESTARTS   AGE
    router-10-rh8vf   1/1     Running            0          32m
    router-10-f2dt2   0/1     CrashLoopBackOff   6          7m
    router-10-m45b7   1/1     Running            0          31m

    Checking its logs, we get a rather misleading message:

    $ kubectl logs router-10-f2dt2 -n default
    Error from server: Get https://some.openshift.cluster:10250/containerLogs/default/router-10-f2dt2/router: x509: certificate has expired or is not yet valid

    04/07/2023


From pet to cattle
Treat your kubernetes clusters like cattle, not pets