2021-03-11

Kubernetes - Increase metrics-server resources (cpu/memory)

在 GKE 中，如果 metrics-server 因為資源不足崩潰，可以透過更改 NannyConfiguration 和刪除 Deployment: metric-server 來改善這個問題。

> kubectl top pod
W0309 18:40:25.910477   53595 top_pod.go:274] Metrics not available for pod default/xxxx, age: 536h37m25.91045s
error: Metrics not available for pod default/xxxx, age: 536h37m25.91045s

Environment:

Kubernetes: v1.17.15-gke.800

範例

> kubectl apply -f metrics-server-config.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    kubernetes.io/cluster-service: "true"
  name: metrics-server-config
  namespace: kube-system
data:
  NannyConfiguration: |-
    apiVersion: nannyconfig/v1alpha1
    kind: NannyConfiguration
    baseCPU: 200m
    cpuPerNode: 2m
    baseMemory: 150Mi
    memoryPerNode: 4Mi

> kubectl delete deployment -n kube-system metrics-server-v0.3.6
deployment.apps "metrics-server-v0.3.6" deleted

需要 3-5 分鐘，等待 kube-controller-manager 生效，用新的配置產生 Deployment。

Reference

https://github.com/kubernetes/autoscaler/tree/master/addon-resizer

2020-08-25

Docker Update Rate Limit Policy on 2020-08-24 懶人包

Image from: https://www.docker.com/blog/scaling-dockers-business-to-serve-millions-more-developers-storage/

Docker 收到了許多的意見回饋後，在 2020/08/24 更新 Rate Limit Policy，改成針對 manifest 做限制，對開發者友善了許多。

懶人包

Rate limit 改成對 manifest 限制，而不是 docker image layers
一個 docker pull 會有 1-2 個 manifest requests，及 0-N 個 layer requests
docker pull 就算沒有下載任何 layer，也會計次
Read More

2020-08-21

Docker New Retention Policy on 2020-08-13

ref: https://www.docker.com/pricing

Docker 在 2020/08/13 更新了 Docker Terms of Service，也一併更新了 Pricing Page，Docker Hub 即將開始對 docker pull 限制下載量。

Docker Update Rate Limit Policy on 2020-08-24 懶人包

How I debug a certificate didn't renew

I found out my certificate is expired this morning and it’s not renewed automatically. Here’s how I debug it step by step.

Get certificate status

$ kubectl describe cert -n slack slack-tls
Status:
  Conditions:
    Last Transition Time:  2020-01-21T04:15:16Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2020-08-18T01:20:11Z

Try to force certificate renewal

By adding spec.renewBefore to certificate.

kubectl -n <namespace> patch certificate example-certificate --type=merge -p '{"spec":{"renewBefore":"2159h00m00s"}}'

And the order is still invalid.

$ kubectl -n slack get order
NAME                  STATE   AGE
slack-tls-488818493   invalid   11m

So, I try to see if any event happened.

$ kubectl get event -n slack
LAST SEEN   TYPE      REASON         OBJECT                            MESSAGE
38m         Warning   PresentError   challenge/slack-tls-488818493-0   Error presenting challenge: GoogleCloud API call failed: googleapi: Error 403: Request had insufficient authentication scopes.
More details:
Reason: insufficientPermissions, Message: Insufficient Permission
12m         Warning   CleanUpError   challenge/slack-tls-488818493-0   Error cleaning up challenge: GoogleCloud API call failed: googleapi: Error 403: Request had insufficient authentication scopes.
More details:

AWS Route 53 - 實測 Geolocation Routing

AWS Route 53 Geolocation Routing 可以根據不同地理位置，回傳不同的 IP，可以用這個功能讓使用者選擇最近的 Data center，或是回傳不同的網站內容。

我們先加入幾組 Record

使用 https://dnschecker.org/ 檢查，可以看到 US, CA 的部分都是顯示 35.186.255.2(NA)，其餘的都是 35.186.255.1(Default)

這邊特別設定一個新加坡的 35.186.255.４，也能正確顯示。
其他也都是 35.186.255.1(Default)，不過有一個 IONICA LLC 是連到 35.186.255.2(NA)的特例。

Rammus

A Taiwan Developer

Kubernetes - Increase metrics-server resources (cpu/memory)

範例

Reference

Docker Update Rate Limit Policy on 2020-08-24 懶人包

懶人包

Docker New Retention Policy on 2020-08-13

How I debug a certificate didn't renew

Get certificate status

Try to force certificate renewal

AWS Route 53 - 實測 Geolocation Routing