We Keep Coding

HPA Kills the pod after a while: But container is processing some launch script

I am trying to enable HPA for the Magento application, which consists of 4 containers in my Kubernetes deployment on GKE. The way application works do not seem to be a good container native application. Hence, after launching the pod it takes 8+mins to be in running state during which it launches a shell script from phpfpm container that takes into account some updates. This is critical for the application to work.
So if I use hpa based on default metric like CPU or memory, the autoscaling kicked in and it attempts to create more replica. But after around 4mins30seconds, the pod is killed automatically and a new pod is attempted to spin up which is again killed after that period.
So is there anyway I can have the HPA process wait for 8-9 mins which is too long, but due to current business case I have no other option?
My deployment yaml file:
If I increase the replica count manually it works perfectly. So it means the hpa kills the pod.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: magentoappli
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
labels:
environment: "test"
spec:
selector:
matchLabels:
app: magentoappli
replicas: 2
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: magentoappli
spec:
serviceAccountName: magento-sa
terminationGracePeriodSeconds: 10
volumes:
- name: phpfpm-configmap
configMap:
name: phpfpm
items:
- key: php
path: php
- key: phpfpm
path: phpfpm
- name: cluster-credentials
secret:
secretName: cluster-credentials
- name: non-prod-magento-netapp-static-claim
persistentVolumeClaim:
claimName: non-prod-magento-netapp-static-claim
- name: non-prod-magento-netapp-media-claim
persistentVolumeClaim:
claimName: non-prod-magento-netapp-media-claim
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
initContainers:
- image: gcr.io/google.com/cloudsdktool/cloud-sdk:326.0.0-alpine
name: workload-identity-initcontainer
command:
- /bin/bash
- -c
- |
curl -s -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' --retry 30 --retry-connrefused --retry-max-time 30 > /dev/null || exit 1
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
- name: nfs-fixer
image: alpine
securityContext:
#runAsUser: 0
#runAsGroup: 0
#fsGroup: 0
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: non-prod-magento-netapp-static-claim
mountPath: /static
- name: non-prod-magento-netapp-media-claim
mountPath: /media
command:
- sh
- -c
- (chmod 0775 /media /static; chown -R 1000:1000 /media /static)
containers:
- name: phpfpm
image: xxx/phpfpm:non-prod-1.50.104
command:
- /bin/sh
- -c
- environmental/entrypoint.sh
securityContext:
allowPrivilegeEscalation: false
#readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
ports:
- containerPort: 9000
livenessProbe:
exec:
command:
- php
- /var/www/html/magento/bin/magento
initialDelaySeconds: 15
periodSeconds: 15
timeoutSeconds: 15
volumeMounts:
- name: non-prod-magento-netapp-static-claim
mountPath: /var/www/html/magento/pub/static
- name: non-prod-magento-netapp-media-claim
mountPath: /var/www/html/magento/pub/media
- name: phpfpm-configmap
mountPath: /usr/local/etc/php/php.ini
subPath: php
readOnly: true
- name: phpfpm-configmap
mountPath: /usr/local/etc/php-fpm.conf
subPath: phpfpm
readOnly: true
envFrom:
- secretRef:
name: cluster-credentials
resources:
requests:
memory: "768Mi"
cpu: "2000m"
limits:
memory: "3072Mi"
cpu: "4000m"
- name: httpd
image: xxx/httpd:non-prod-1.50.104
ports:
- containerPort: 8000
securityContext:
allowPrivilegeEscalation: false
#runAsNonRoot: true
#readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: non-prod-magento-netapp-static-claim
mountPath: /var/www/html/magento/pub/static
readOnly: true
- name: non-prod-magento-netapp-media-claim
mountPath: /var/www/html/magento/pub/media
readOnly: true
resources:
requests:
memory: "256Mi"
cpu: "500m"
limits:
memory: "768Mi"
cpu: "750m"
livenessProbe:
httpGet:
port: 8000
path: /health_check.php
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 30
readinessProbe:
httpGet:
port: 8000
path: /health_check.php
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 30
- name: cloudsql-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.31.2
command:
- "/cloud_sql_proxy"
- "-ip_address_types=PRIVATE"
- "-instances=GCP_PROJECT:region:db-name=tcp:db_port"
- "-verbose=false"
- "-log_debug_stdout=true"
securityContext:
#runAsNonRoot: true
allowPrivilegeEscalation: false
#readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
resources:
requests:
memory: "50Mi"
cpu: "50m"
limits:
memory: "100Mi"
cpu: "100m"
HPA:
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: magento-hpa
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: magentoappli
minReplicas: 1
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 85
Any suggestion?

Updating containers of a Pod of a running system without messing up the application

I have setup a AWS cluster with 5 nodes using kubernetes and kops. A FaaS application is running in the cluster with a KVS (Key-value store) at the backend. For testing purpose, I have updated a container image at the function-nodes-5p6fs pod (listed on the first line) which is attached to a daemonset function-nodes.
This function node pod is used by the scheduler pod to schedule function execution at the function node daemon-set.
Details about the function-node pod:
ubuntu#ip-172-31-22-220:~/hydro-project/cluster$ kubectl get pod/function-nodes-5swwv -o yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2021-09-07T21:20:45Z"
generateName: function-nodes-
labels:
controller-revision-hash: 859745cbc
pod-template-generation: "1"
role: function
name: function-nodes-5swwv
namespace: default
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: DaemonSet
name: function-nodes
uid: 1e1e3ebd-c4ce-41f2-9dec-d268ca2cc693
resourceVersion: "3492"
uid: 93181869-6e8a-4071-97dd-b10f5c66130e
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchFields:
- key: metadata.name
operator: In
values:
- ip-172-20-60-197.ec2.internal
containers:
- env:
- name: ROUTE_ADDR
value: a1710e6d6c58c4eae861335cae02dc66-1996401780.us-east-1.elb.amazonaws.com
- name: MGMT_IP
value: 100.96.1.5
- name: SCHED_IPS
value: 172.20.32.73
- name: THREAD_ID
value: "0"
- name: ROLE
value: executor
- name: REPO_ORG
value: hydro-project
- name: REPO_BRANCH
value: master
- name: ANNA_REPO_ORG
value: hydro-project
- name: ANNA_REPO_BRANCH
value: master
image: akazad1/srlcloudburst:v3
imagePullPolicy: Always
name: function-1
resources:
limits:
cpu: "2"
memory: 2G
requests:
cpu: "2"
memory: 2G
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /requests
name: ipc
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-kfzth
readOnly: true
- env:
- name: ROUTE_ADDR
value: a1710e6d6c58c4eae861335cae02dc66-1996401780.us-east-1.elb.amazonaws.com
- name: MGMT_IP
value: 100.96.1.5
- name: SCHED_IPS
value: 172.20.32.73
- name: THREAD_ID
value: "1"
- name: ROLE
value: executor
- name: REPO_ORG
value: hydro-project
- name: REPO_BRANCH
value: master
- name: ANNA_REPO_ORG
value: hydro-project
- name: ANNA_REPO_BRANCH
value: master
image: akazad1/srlcloudburst:v3
imagePullPolicy: Always
name: function-2
resources:
limits:
cpu: "2"
memory: 2G
requests:
cpu: "2"
memory: 2G
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /requests
name: ipc
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-kfzth
readOnly: true
- env:
- name: ROUTE_ADDR
value: a1710e6d6c58c4eae861335cae02dc66-1996401780.us-east-1.elb.amazonaws.com
- name: MGMT_IP
value: 100.96.1.5
- name: SCHED_IPS
value: 172.20.32.73
- name: THREAD_ID
value: "2"
- name: ROLE
value: executor
- name: REPO_ORG
value: hydro-project
- name: REPO_BRANCH
value: master
- name: ANNA_REPO_ORG
value: hydro-project
- name: ANNA_REPO_BRANCH
value: master
image: akazad1/srlcloudburst:v3
imagePullPolicy: Always
name: function-3
resources:
limits:
cpu: "2"
memory: 2G
requests:
cpu: "2"
memory: 2G
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /requests
name: ipc
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-kfzth
readOnly: true
- env:
- name: ROUTE_ADDR
value: a1710e6d6c58c4eae861335cae02dc66-1996401780.us-east-1.elb.amazonaws.com
- name: MGMT_IP
value: 100.96.1.5
- name: REPO_ORG
value: hydro-project
- name: REPO_BRANCH
value: master
image: hydroproject/anna-cache
imagePullPolicy: Always
name: cache-container
resources:
limits:
cpu: "1"
memory: 8G
requests:
cpu: "1"
memory: 8G
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /requests
name: ipc
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-kfzth
readOnly: true
dnsPolicy: ClusterFirst
enableServiceLinks: true
hostIPC: true
hostNetwork: true
nodeName: ip-172-20-60-197.ec2.internal
nodeSelector:
role: function
preemptionPolicy: PreemptLowerPriority
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/disk-pressure
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/memory-pressure
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/pid-pressure
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/unschedulable
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/network-unavailable
operator: Exists
volumes:
- hostPath:
path: /tmp
type: ""
name: ipc
- name: kube-api-access-kfzth
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
status:
conditions:
- lastProbeTime: null
lastTransitionTime: "2021-09-07T21:20:45Z"
status: "True"
type: Initialized
- lastProbeTime: null
lastTransitionTime: "2021-09-07T21:21:53Z"
status: "True"
type: Ready
- lastProbeTime: null
lastTransitionTime: "2021-09-07T21:21:53Z"
status: "True"
type: ContainersReady
- lastProbeTime: null
lastTransitionTime: "2021-09-07T21:20:45Z"
status: "True"
type: PodScheduled
containerStatuses:
- containerID: containerd://742b944e744fcd951c21f6e47a4bdaafacc90d2c0ce0d8e172b62429172bceaf
image: docker.io/hydroproject/anna-cache:latest
imageID: docker.io/hydroproject/anna-cache#sha256:50a5aac7fd6b742bdeeedef855f48c6307aae688987d86f680d1bbdb57050d8b
lastState: {}
name: cache-container
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2021-09-07T21:21:53Z"
- containerID: containerd://62279440c50bad86386acecdd8a0d406282cfe25646c46eb3f2b2004a662ee3b
image: docker.io/akazad1/srlcloudburst:v3
imageID: docker.io/akazad1/srlcloudburst#sha256:4ef979d9202e519203cca186354f60a5c0ee3d47ed873fca5f1602549bf14bfa
lastState: {}
name: function-1
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2021-09-07T21:21:48Z"
- containerID: containerd://56a7263acac5a3ed291aaf2d77cce4a9490c87710afed76857aedcc15d5b2dc5
image: docker.io/akazad1/srlcloudburst:v3
imageID: docker.io/akazad1/srlcloudburst#sha256:4ef979d9202e519203cca186354f60a5c0ee3d47ed873fca5f1602549bf14bfa
lastState: {}
name: function-2
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2021-09-07T21:21:49Z"
- containerID: containerd://49e50972d5cb059b29e1130e78613b89827239450f14b46bad633a897b7d3e6f
image: docker.io/akazad1/srlcloudburst:v3
imageID: docker.io/akazad1/srlcloudburst#sha256:4ef979d9202e519203cca186354f60a5c0ee3d47ed873fca5f1602549bf14bfa
lastState: {}
name: function-3
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2021-09-07T21:21:49Z"
hostIP: 172.20.60.197
phase: Running
podIP: 172.20.60.197
podIPs:
- ip: 172.20.60.197
qosClass: Guaranteed
startTime: "2021-09-07T21:20:45Z"
The cluster
ubuntu#ip-172-31-22-220:/$ kubectl get all -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/function-nodes-5p6fs 4/4 Running 0 79m 172.20.56.188 ip-172-20-56-188.ec2.internal <none> <none>
pod/management-pod 1/1 Running 0 4h21m 100.96.1.4 ip-172-20-46-4.ec2.internal <none> <none>
pod/memory-nodes-mtlxh 1/1 Running 0 4h14m 172.20.61.87 ip-172-20-61-87.ec2.internal <none> <none>
pod/monitoring-pod 1/1 Running 0 4h20m 100.96.1.6 ip-172-20-46-4.ec2.internal <none> <none>
pod/routing-nodes-kl8wb 1/1 Running 0 4h18m 172.20.46.83 ip-172-20-46-83.ec2.internal <none> <none>
pod/scheduler-nodes-q8std 1/1 Running 0 4h11m 172.20.59.122 ip-172-20-59-122.ec2.internal <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/function-service LoadBalancer 100.65.229.234 ab696981b80b84918a30ed81201726b6-371417546.us-east-1.elb.amazonaws.com 5000:32189/TCP,5001:30872/TCP,5002:31765/TCP,5003:30711/TCP,5004:32544/TCP,5005:31007/TCP,5006:32097/TCP 4h7m role=scheduler
service/kubernetes ClusterIP 100.64.0.1 <none> 443/TCP 4h25m <none>
service/routing-service LoadBalancer 100.68.27.23 af4491484277a42388857d471f4bb220-1539998664.us-east-1.elb.amazonaws.com 6450:32127/TCP,6451:31251/TCP,6452:32116/TCP,6453:31126/TCP 4h12m role=routing
I have used the following command to update the container image-
kubectl set image ds/function-nodes container-name=image-name
After the container image updates (3of them) to function-node pod, I get the following error.
Errors after updating images..
$ kubectl describe pod function-nodes-vg5pr
......
.....
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Killing 39m kubelet Container function-3 definition changed, will be restarted
Normal Killing 39m kubelet Container function-1 definition changed, will be restarted
Normal Killing 38m kubelet Container function-2 definition changed, will be restarted
Normal Pulling 38m kubelet Pulling image "hydroproject/cloudburst"
Normal Created 38m (x2 over 3h18m) kubelet Created container function-3
Normal Started 38m (x2 over 3h18m) kubelet Started container function-3
Normal Pulled 38m kubelet Successfully pulled image "hydroproject/cloudburst" in 20.006668839s
Warning InspectFailed 37m (x4 over 38m) kubelet Failed to apply default image tag "hydroproject/cloudburst,": couldn't parse image reference "hydroproject/cloudburst,": invalid reference format
Warning Failed 37m (x4 over 38m) kubelet Error: InvalidImageName
Warning InspectFailed 37m (x5 over 38m) kubelet Failed to apply default image tag "hydroproject/cloudburst,": couldn't parse image reference "hydroproject/cloudburst,": invalid reference format
Warning Failed 37m (x5 over 38m) kubelet Error: InvalidImageName
Warning BackOff 34m (x12 over 37m) kubelet Back-off restarting failed container
Therefore, the scheduler pod is not being able to find the function pod to schedule function execution --
root#ip-172-20-38-118:/hydro/cloudburst# python3 run_benchmark.py
Traceback (most recent call last):
File "run_benchmark.py", line 22, in <module>
from cloudburst.server.benchmarks import (
ImportError: cannot import name 'retwis_benchmark'
root#ip-172-20-38-118:/hydro/cloudburst# vi run_benchmark.py
root#ip-172-20-38-118:/hydro/cloudburst# python3 run_benchmark.py
Usage: ./run_benchmark.py benchmark_name function_elb num_requests {ip}
root#ip-172-20-38-118:/hydro/cloudburst# python3 run_benchmark.py locality a94718831527b4048b43c7817b5d1212-1314702864.us-east-1.elb.amazonaws.com 1 172.20.38.118
INFO:root:Successfully registered the dot function.
INFO:root:Successfully tested function!
ERROR:root:Scheduler returned unexpected error:
error: NO_RESOURCES
Traceback (most recent call last):
File "run_benchmark.py", line 59, in <module>
False, None)
File "/hydro/cloudburst/cloudburst/server/benchmarks/locality.py", line 134, in run
cloudburst_client.call_dag(dag_name, arg_map, True)
File "/hydro/cloudburst/cloudburst/client/client.py", line 283, in call_dag
raise RuntimeError(str(r.error))
RuntimeError: 5
Can anyone please give some pointers to resolve this issue? I mean updating pod container images without messing up the whole running system?
Thanks in advance!

pod stuck on `ContainerCreating` state in AWS EKS

I deployed a k8s cluster on AWS EKS fargate. And deployed a elasticsearch container to the pod. The pod is stuck on ContainerCreating state and describe pod shows below error:
$ kubectl describe pod es-0
Name: es-0
Namespace: default
Priority: 2000001000
Priority Class Name: system-node-critical
Node: fargate-ip-10-0-1-207.ap-southeast-2.compute.internal/10.0.1.207
Start Time: Fri, 28 May 2021 16:39:07 +1000
Labels: controller-revision-hash=es-86f54d94fb
eks.amazonaws.com/fargate-profile=elk_profile
name=es
statefulset.kubernetes.io/pod-name=es-0
Annotations: CapacityProvisioned: 1vCPU 2GB
Logging: LoggingDisabled: LOGGING_CONFIGMAP_NOT_FOUND
kubernetes.io/psp: eks.privileged
Status: Pending
IP:
IPs: <none>
Controlled By: StatefulSet/es
Containers:
es:
Container ID:
Image: elasticsearch:7.10.1
Image ID:
Ports: 9200/TCP, 9300/TCP
Host Ports: 0/TCP, 0/TCP
State: Waiting
Reason: ContainerCreating
Ready: False
Restart Count: 0
Limits:
cpu: 2
memory: 8
Requests:
cpu: 1
memory: 4
Environment: <none>
Mounts:
/usr/share/elasticsearch/config/elasticsearch.yml from es-config (rw,path="elasticsearch.yml")
/var/run/secrets/kubernetes.io/serviceaccount from default-token-6qql4 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
es-config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: es-config
Optional: false
default-token-6qql4:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-6qql4
Optional: false
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreatePodSandBox 75s (x4252 over 16h) kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:319: getting the final child's pid from pipe caused \"read init-p: connection reset by peer\"": unknown
How do I know what the issue is and how to fix it? I have tried to restart the Statefulset but it didn't restart. It seems the pod stucked.
apiVersion: v1
kind: ConfigMap
metadata:
name: es-config
data:
elasticsearch.yml: |
cluster.name: my-elastic-cluster
network.host: "0.0.0.0"
bootstrap.memory_lock: false
discovery.zen.ping.unicast.hosts: elasticsearch-cluster
discovery.zen.minimum_master_nodes: 1
discovery.type: single-node
ES_JAVA_OPTS: -Xms2g -Xmx4g
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: es
namespace: default
spec:
serviceName: es-entrypoint
replicas: 1
selector:
matchLabels:
name: es
template:
metadata:
labels:
name: es
spec:
volumes:
- name: es-config
configMap:
name: es-config
items:
- key: elasticsearch.yml
path: elasticsearch.yml
# - name: persistent-storage
# persistentVolumeClaim:
# claimName: efs-es-claim
securityContext:
fsGroup: 1000
runAsUser: 1000
runAsGroup: 1000
containers:
- name: es
image: elasticsearch:7.10.1
resources:
limits:
cpu: 2
memory: 8
requests:
cpu: 1
memory: 4
ports:
- name: http
containerPort: 9200
- containerPort: 9300
name: inter-node
volumeMounts:
- name: es-config
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
subPath: elasticsearch.yml
# - name: persistent-storage
# mountPath: /usr/share/elasticsearch/data
---
apiVersion: v1
kind: Service
metadata:
name: es-entrypoint
spec:
selector:
name: es
ports:
- port: 9200
targetPort: 9200
protocol: TCP
type: NodePort

Figured out why it happens, after remove the limits resources, it works. Not sure why it doesn't allow limits
limits:
cpu: 2
memory: 8

Error from server (BadRequest): container "grafana" in pod is waiting to start: PodInitializing

Recently worked on a deployment for grafana instance which I edited the replicas within the spec: block from "1" to "0" --- intention was to scale down the replicas of the deployment but did something totally different which caused things to end up in the following state:
container "grafana" in pod "grafana-66f99d7dff-qsffd" is waiting to start: PodInitializing
Even though, I brought back the replicas to their initial state with the default value, the pod's state still stays on PodInitializing
Since then, I have tried the following things:
Rolling Restart by running kubectl rollout restart deployment [deployment_name]
Get logs by running kubectl logs [pod name] -c [init_container_name]
Check if nodes are in healthy state by running kubectl get nodes
Get some additional logs for the overall health of the cluster with kubectl cluster-info dump
Here is an output of the yaml for the grafana deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
creationTimestamp: "2019-08-27T11:22:44Z"
generation: 3
labels:
app: grafana
chart: grafana-3.7.2
heritage: Tiller
release: grafana
name: grafana
namespace: default
resourceVersion: "371133807"
selfLink: /apis/apps/v1/namespaces/default/deployments/grafana
uid: fd7a12a5-c8bc-11e9-8b38-42010af0015f
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: grafana
release: grafana
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: 26c545fd5de1c9c9af86777a84500c5b1ec229ecb0355ee764271e69639cfd96
checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/secret: 940f74350e2a595924ed2ce4d579942346ba465ada21acdcff4916d95f59dbe5
creationTimestamp: null
labels:
app: grafana
release: grafana
spec:
containers:
- env:
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
key: admin-user
name: grafana
- name: GF_SECURITY_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: admin-password
name: grafana
- name: GF_INSTALL_PLUGINS
valueFrom:
configMapKeyRef:
key: plugins
name: grafana
image: grafana/grafana:6.2.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 10
httpGet:
path: /api/health
port: 3000
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 30
name: grafana
ports:
- containerPort: 80
name: service
protocol: TCP
- containerPort: 3000
name: grafana
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /api/health
port: 3000
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/grafana/grafana.ini
name: config
subPath: grafana.ini
- mountPath: /etc/grafana/ldap.toml
name: ldap
subPath: ldap.toml
- mountPath: /var/lib/grafana
name: storage
dnsPolicy: ClusterFirst
initContainers:
- command:
- chown
- -R
- 472:472
- /var/lib/grafana
image: busybox:1.30
imagePullPolicy: IfNotPresent
name: init-chown-data
resources: {}
securityContext:
runAsUser: 0
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/lib/grafana
name: storage
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
fsGroup: 472
runAsUser: 472
serviceAccount: grafana
serviceAccountName: grafana
terminationGracePeriodSeconds: 30
volumes:
- configMap:
defaultMode: 420
name: grafana
name: config
- name: ldap
secret:
defaultMode: 420
items:
- key: ldap-toml
path: ldap.toml
secretName: grafana
- name: storage
persistentVolumeClaim:
claimName: grafana
And this is the output of the yaml with kubectl describe for the pod
Name: grafana-66f99d7dff-qsffd
Namespace: default
Priority: 0
Node: gke-micah-prod-new-pool-f3184925-5n50/10.1.15.208
Start Time: Tue, 16 Mar 2021 12:05:25 +0200
Labels: app=grafana
pod-template-hash=66f99d7dff
release=grafana
Annotations: checksum/config: 26c545fd5de1c9c9af86777a84500c5b1ec229ecb0355ee764271e69639cfd96
checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/secret: 940f74350e2a595924ed2ce4d579942346ba465ada21acdcff4916d95f59dbe5
kubectl.kubernetes.io/restartedAt: 2021-03-15T18:26:31+02:00
kubernetes.io/limit-ranger: LimitRanger plugin set: cpu request for container grafana; cpu request for init container init-chown-data
Status: Pending
IP:
IPs: <none>
Controlled By: ReplicaSet/grafana-66f99d7dff
Init Containers:
init-chown-data:
Container ID:
Image: busybox:1.30
Image ID:
Port: <none>
Host Port: <none>
Command:
chown
-R
472:472
/var/lib/grafana
State: Waiting
Reason: PodInitializing
Ready: False
Restart Count: 0
Requests:
cpu: 100m
Environment: <none>
Mounts:
/var/lib/grafana from storage (rw)
/var/run/secrets/kubernetes.io/serviceaccount from grafana-token-wmgg9 (ro)
Containers:
grafana:
Container ID:
Image: grafana/grafana:6.2.5
Image ID:
Ports: 80/TCP, 3000/TCP
Host Ports: 0/TCP, 0/TCP
State: Waiting
Reason: PodInitializing
Ready: False
Restart Count: 0
Requests:
cpu: 100m
Liveness: http-get http://:3000/api/health delay=60s timeout=30s period=10s #success=1 #failure=10
Readiness: http-get http://:3000/api/health delay=0s timeout=1s period=10s #success=1 #failure=3
Environment:
GF_SECURITY_ADMIN_USER: <set to the key 'admin-user' in secret 'grafana'> Optional: false
GF_SECURITY_ADMIN_PASSWORD: <set to the key 'admin-password' in secret 'grafana'> Optional: false
GF_INSTALL_PLUGINS: <set to the key 'plugins' of config map 'grafana'> Optional: false
Mounts:
/etc/grafana/grafana.ini from config (rw,path="grafana.ini")
/etc/grafana/ldap.toml from ldap (rw,path="ldap.toml")
/var/lib/grafana from storage (rw)
/var/run/secrets/kubernetes.io/serviceaccount from grafana-token-wmgg9 (ro)
Conditions:
Type Status
Initialized False
Ready False
ContainersReady False
PodScheduled True
Volumes:
config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: grafana
Optional: false
ldap:
Type: Secret (a volume populated by a Secret)
SecretName: grafana
Optional: false
storage:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: grafana
ReadOnly: false
grafana-token-wmgg9:
Type: Secret (a volume populated by a Secret)
SecretName: grafana-token-wmgg9
Optional: false
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedMount 19m (x82 over 169m) kubelet MountVolume.SetUp failed for volume "ldap" : secret "grafana" not found
Warning FailedMount 9m24s (x18 over 167m) kubelet Unable to attach or mount volumes: unmounted volumes=[ldap], unattached volumes=[grafana-token-wmgg9 config ldap storage]: timed out waiting for the condition
Warning FailedMount 4m50s (x32 over 163m) kubelet Unable to attach or mount volumes: unmounted volumes=[ldap], unattached volumes=[storage grafana-token-wmgg9 config ldap]: timed out waiting for the condition
As I am still exploring and trying to research how to approach this, any advice, or even probing Qs are more than welcome to think through this.
Appreciate your time and effort!

Why isn't Kubernetes service DNS working?

I have set up DNS in my Kubernetes (v1.1.2+1abf20d) system, on CoreOS/AWS, but I cannot look up services via DNS. I have tried debugging, but cannot for the life of me find out why. This is what happens when I try to look up the kubernetes service, which should always be available:
$ ~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf exec busybox-sleep -- nslookup kubernetes.default
Server: 10.3.0.10
Address 1: 10.3.0.10 ip-10-3-0-10.eu-central-1.compute.internal
nslookup: can't resolve 'kubernetes.default'
error: error executing remote command: Error executing command in container: Error executing in Docker Container: 1
I have installed the DNS addon according to this spec:
apiVersion: v1
kind: ReplicationController
metadata:
name: kube-dns-v10
namespace: kube-system
labels:
k8s-app: kube-dns
version: v10
kubernetes.io/cluster-service: "true"
spec:
replicas: 1
selector:
k8s-app: kube-dns
version: v10
template:
metadata:
labels:
k8s-app: kube-dns
version: v10
kubernetes.io/cluster-service: "true"
spec:
containers:
- name: etcd
image: gcr.io/google_containers/etcd-amd64:2.2.1
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 100m
memory: 50Mi
command:
- /usr/local/bin/etcd
- -data-dir
- /var/etcd/data
- -listen-client-urls
- http://127.0.0.1:2379,http://127.0.0.1:4001
- -advertise-client-urls
- http://127.0.0.1:2379,http://127.0.0.1:4001
- -initial-cluster-token
- skydns-etcd
volumeMounts:
- name: etcd-storage
mountPath: /var/etcd/data
- name: kube2sky
image: gcr.io/google_containers/kube2sky:1.12
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 100m
memory: 50Mi
args:
# command = "/kube2sky"
- --domain=cluster.local
- name: skydns
image: gcr.io/google_containers/skydns:2015-10-13-8c72f8c
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 100m
memory: 50Mi
args:
# command = "/skydns"
- -machines=http://127.0.0.1:4001
- -addr=0.0.0.0:53
- -ns-rotate=false
- -domain=cluster.local.
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 1
timeoutSeconds: 5
- name: healthz
image: gcr.io/google_containers/exechealthz:1.0
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
args:
- -cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1 >/dev/null
- -port=8080
ports:
- containerPort: 8080
protocol: TCP
volumes:
- name: etcd-storage
emptyDir: {}
dnsPolicy: Default # Don't use cluster DNS.
---
apiVersion: v1
kind: Service
metadata:
name: kube-dns
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
kubernetes.io/name: "KubeDNS"
spec:
selector:
k8s-app: kube-dns
clusterIP: 10.3.0.10
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
protocol: TCP
Why isn't DNS lookup for services working in my Kubernetes setup? Please let me know what other info I need to provide.

There were two things I needed to do:
Configure kube2sky via kubeconfig, so that it's properly configured for TLS.
Configure kube-proxy via kubeconfig, so that it's properly configured for TLS and finds the master node.
/etc/kubernetes/kube.conf on master node
apiVersion: v1
kind: Config
clusters:
- name: kube
cluster:
server: https://127.0.0.1:443
certificate-authority: /etc/ssl/etcd/ca.pem
users:
- name: kubelet
user:
client-certificate: /etc/ssl/etcd/master-client.pem
client-key: /etc/ssl/etcd/master-client-key.pem
contexts:
- context:
cluster: kube
user: kubelet
/etc/kubernetes/kube.conf on worker node
apiVersion: v1
kind: Config
clusters:
- name: local
cluster:
certificate-authority: /etc/ssl/etcd/ca.pem
server: https://<master IP>:443
users:
- name: kubelet
user:
client-certificate: /etc/ssl/etcd/worker.pem
client-key: /etc/ssl/etcd/worker-key.pem
contexts:
- context:
cluster: local
user: kubelet
name: kubelet-context
current-context: kubelet-context
dns-addon.yaml (install this on master)
apiVersion: v1
kind: ReplicationController
metadata:
name: kube-dns-v11
namespace: kube-system
labels:
k8s-app: kube-dns
version: v11
kubernetes.io/cluster-service: "true"
spec:
replicas: 1
selector:
k8s-app: kube-dns
version: v11
template:
metadata:
labels:
k8s-app: kube-dns
version: v11
kubernetes.io/cluster-service: "true"
spec:
containers:
- name: etcd
image: gcr.io/google_containers/etcd-amd64:2.2.1
resources:
# TODO: Set memory limits when we've profiled the container for large
# clusters, then set request = limit to keep this container in
# guaranteed class. Currently, this container falls into the
# "burstable" category so the kubelet doesn't backoff from restarting
# it.
limits:
cpu: 100m
memory: 500Mi
requests:
cpu: 100m
memory: 50Mi
command:
- /usr/local/bin/etcd
- -data-dir
- /var/etcd/data
- -listen-client-urls
- http://127.0.0.1:2379,http://127.0.0.1:4001
- -advertise-client-urls
- http://127.0.0.1:2379,http://127.0.0.1:4001
- -initial-cluster-token
- skydns-etcd
volumeMounts:
- name: etcd-storage
mountPath: /var/etcd/data
- name: kube2sky
image: gcr.io/google_containers/kube2sky:1.14
resources:
# TODO: Set memory limits when we've profiled the container for large
# clusters, then set request = limit to keep this container in
# guaranteed class. Currently, this container falls into the
# "burstable" category so the kubelet doesn't backoff from restarting
# it.
limits:
cpu: 100m
# Kube2sky watches all pods.
memory: 200Mi
requests:
cpu: 100m
memory: 50Mi
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
volumeMounts:
- name: kubernetes-etc
mountPath: /etc/kubernetes
readOnly: true
- name: etcd-ssl
mountPath: /etc/ssl/etcd
readOnly: true
readinessProbe:
httpGet:
path: /readiness
port: 8081
scheme: HTTP
# we poll on pod startup for the Kubernetes master service and
# only setup the /readiness HTTP server once that's available.
initialDelaySeconds: 30
timeoutSeconds: 5
args:
# command = "/kube2sky"
- --domain=cluster.local.
- --kubecfg-file=/etc/kubernetes/kube.conf
- name: skydns
image: gcr.io/google_containers/skydns:2015-10-13-8c72f8c
resources:
# TODO: Set memory limits when we've profiled the container for large
# clusters, then set request = limit to keep this container in
# guaranteed class. Currently, this container falls into the
# "burstable" category so the kubelet doesn't backoff from restarting
# it.
limits:
cpu: 100m
memory: 200Mi
requests:
cpu: 100m
memory: 50Mi
args:
# command = "/skydns"
- -machines=http://127.0.0.1:4001
- -addr=0.0.0.0:53
- -ns-rotate=false
- -domain=cluster.local
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- name: healthz
image: gcr.io/google_containers/exechealthz:1.0
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
args:
- -cmd=nslookup kubernetes.default.svc.cluster.local \
127.0.0.1 >/dev/null
- -port=8080
ports:
- containerPort: 8080
protocol: TCP
volumes:
- name: etcd-storage
emptyDir: {}
- name: kubernetes-etc
hostPath:
path: /etc/kubernetes
- name: etcd-ssl
hostPath:
path: /etc/ssl/etcd
dnsPolicy: Default # Don't use cluster DNS.
/etc/kubernetes/manifests/kube-proxy.yaml on master node
apiVersion: v1
kind: Pod
metadata:
name: kube-proxy
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-proxy
image: gcr.io/google_containers/hyperkube:v1.1.2
command:
- /hyperkube
- proxy
- --master=https://127.0.0.1:443
- --proxy-mode=iptables
- --kubeconfig=/etc/kubernetes/kube.conf
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
- mountPath: /etc/kubernetes
name: kubernetes
readOnly: true
- mountPath: /etc/ssl/etcd
name: kubernetes-certs
readOnly: true
volumes:
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
- hostPath:
path: /etc/kubernetes
name: kubernetes
- hostPath:
path: /etc/ssl/etcd
name: kubernetes-certs
/etc/kubernetes/manifests/kube-proxy.yaml on worker node
apiVersion: v1
kind: Pod
metadata:
name: kube-proxy
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-proxy
image: gcr.io/google_containers/hyperkube:v1.1.2
command:
- /hyperkube
- proxy
- --kubeconfig=/etc/kubernetes/kube.conf
- --proxy-mode=iptables
- --v=2
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/ssl/certs
name: "ssl-certs"
- mountPath: /etc/kubernetes/kube.conf
name: "kubeconfig"
readOnly: true
- mountPath: /etc/ssl/etcd
name: "etc-kube-ssl"
readOnly: true
volumes:
- name: "ssl-certs"
hostPath:
path: "/usr/share/ca-certificates"
- name: "kubeconfig"
hostPath:
path: "/etc/kubernetes/kube.conf"
- name: "etc-kube-ssl"
hostPath:
path: "/etc/ssl/etcd"