Kubernetes
The Kubernetes check queries Kubernetes resources such as Pods and evaluates their health or readiness.
kubernetes.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: kube-system-checks
spec:
schedule: "@every 5m"
kubernetes:
- name: kube-system
kind: Pod
healthy: true
# resource:
# search: labels.app=test
# OR
# labelSelector: k8s-app=kube-dns
namespaceSelector:
name: kube-*,!*lease
# name: "*"
display:
expr: |
dyn(results).
map(i, i.Object).
filter(i, !k8s.isHealthy(i)).
map(i, "%s/%s -> %s".format([i.metadata.namespace, i.metadata.name, k8s.getHealth(i).message])).join('\n')
test:
expr: dyn(results).all(x, k8s.isHealthy(x))
| Field | Description | Scheme |
|---|---|---|
kind* | Kubernetes object kind |
|
name* | Name of the check, must be unique within the canary |
|
apiVersion | Kubernetes API version for the resource |
|
cnrm | CNRM connection details | |
connection | The connection url to use, mutually exclusive with | |
eks | EKS connection details | |
gke | GKE connection details | |
healthy | Fail the check if any resources are unhealthy |
|
ignore | Exclude resources by name. Values are glob patterns. |
|
kubeconfig | Source for kubeconfig | |
namespaceSelector | Filters namespaces by name or labels | |
ready | Fail the check if any resources are not ready |
|
resource | Filters resources by name, namespace, or labels | |
dependsOn | Checks that must complete before this check runs |
|
description | Description for the check |
|
display | Expression to change the formatting of the display | |
icon | Icon for overwriting default icon on the dashboard | |
labels | Labels for check |
|
markFailOnEmpty | If a transformation or datasource returns empty results, the check should fail |
|
metrics | Metrics to export from | |
namespace | Namespace to insert the check result into when it differs from the canary namespace |
|
relationships | Relationships that link check results to components or configs | Relationship |
test | Evaluate whether a check is healthy | |
transform | Transform data from a check into multiple individual checks | |
transformDeleteStrategy | Status to apply to transformed checks when the source check no longer returns them |
|
Resource Selector
| Field | Description | Scheme |
|---|---|---|
fieldSelector | Kubernetes field selector |
|
labelSelector | Kubernetes label selector |
|
name | Resource name or glob pattern |
|
search | Search expression |
|
The following example uses namespaceSelector and resource to select Kubernetes resources.
kubernetes.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: kube-pass
spec:
schedule: "@every 5m"
kubernetes:
- name: k8s-ready pods
kind: Pod
namespaceSelector:
name: canaries
resource:
name: k8s-check-ready
- name: k8s-ready pods
kind: Pod
namespaceSelector:
name: canaries
ready: false
resource:
# resource name supports wildcards
name: k8s-check-not-*
#labelSelector: app=k8s-not-ready
API Version
Use apiVersion when the same Kubernetes kind exists in more than one API group.
kubernetes-apiversion.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: kube-apiversion-pass
spec:
schedule: "@every 5m"
kubernetes:
# Same Kind (Event), different apiVersions
- name: events-core
kind: Event
apiVersion: v1
namespaceSelector:
name: kube-system
- name: events-k8s-io
kind: Event
apiVersion: events.k8s.io/v1
namespaceSelector:
name: kube-system
Healthy
Using healthy: true is functionally equivalent to this CEL expression:
dyn(results).all(x, k8s.isHealthy(x))
The following example uses healthy: true.
kubernetes-healthy.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: kube-system-checks
spec:
schedule: "@every 5m"
kubernetes:
- name: kube-system
kind: Pod
healthy: true
# resource:
# search: labels.app=test
# OR
# labelSelector: k8s-app=kube-dns
namespaceSelector:
name: kube-*,!*lease
# name: "*"
display:
expr: |
dyn(results).
map(i, i.Object).
filter(i, !k8s.isHealthy(i)).
map(i, "%s/%s -> %s".format([i.metadata.namespace, i.metadata.name, k8s.getHealth(i).message])).join('\n')
test:
expr: dyn(results).all(x, k8s.isHealthy(x))
See the CEL function k8s.isHealthy for more details
Ready
Similar to the healthy flag, the ready flag is functionally equivalent to this CEL expression:
dyn(results).all(x, k8s.isReady(x))
Checking for certificate readiness
cert-manager.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: cert-manager
spec:
schedule: "@every 15m"
kubernetes:
- name: cert-manager-check
kind: Certificate
test:
expr: |
dyn(results).
map(i, i.Object).
filter(i, i.status.conditions[0].status != "True").size() == 0
display:
expr: |
dyn(results).
map(i, i.Object).
filter(i, i.status.conditions[0].status != "True").
map(i, "%s/%s -> %s".format([i.metadata.namespace, i.metadata.name, i.status.conditions[0].message])).join('\n')
Remote clusters
A single canary-checker instance can connect to any number of remote clusters via custom kubeconfig. Either the kubeconfig itself or the path to the kubeconfig can be provided.
kubeconfig from kubernetes secret
remote-cluster.yaml---
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: pod-access-check
spec:
schedule: "@every 5m"
kubernetes:
- name: pod access on aws cluster
namespace: default
description: "deploy httpbin"
kubeconfig:
valueFrom:
secretKeyRef:
name: aws-kubeconfig
key: kubeconfig
kind: Pod
ready: true
namespaceSelector:
name: default
Kubeconfig inline
remote-cluster.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: pod-access-check
spec:
schedule: "@every 5m"
kubernetes:
- name: pod access on aws cluster
namespace: default
kubeconfig:
value: |
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: xxxxx
server: https://xxxxx.sk1.eu-west-1.eks.amazonaws.com
name: arn:aws:eks:eu-west-1:765618022540:cluster/aws-cluster
contexts:
- context:
cluster: arn:aws:eks:eu-west-1:765618022540:cluster/aws-cluster
namespace: mission-control
user: arn:aws:eks:eu-west-1:765618022540:cluster/aws-cluster
name: arn:aws:eks:eu-west-1:765618022540:cluster/aws-cluster
current-context: arn:aws:eks:eu-west-1:765618022540:cluster/aws-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-1:765618022540:cluster/aws-cluster
user:
exec:
....
kind: Pod
ready: true
namespaceSelector:
name: default
Kubeconfig from local filesystem
remote-cluster.yaml---
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: pod-access-check
spec:
schedule: "@every 5m"
kubernetes:
- name: pod access on aws cluster
namespace: default
kubeconfig:
value: /root/.kube/aws-kubeconfig
kind: Pod
ready: true
namespaceSelector:
name: default