Awesome

• Kubenurse
  • Grafana dashboard
  • Metrics
  • Deployment
    • Helm deployment
      • Helm parameters
    • Configuration
  • HTTP Endpoints
  • Health Checks
    • API Server Direct
    • API Server DNS
    • Me Ingress
    • Me Service
    • Neighbourhood
  • Neighbourhood filtering
    • Neighbourhood incoming checks metric

Kubenurse

Kubenurse is a little service that monitors all network connections in a Kubernetes cluster. Kubenurse measures request durations, records errors and exports those metrics in Prometheus format.

Here's an overview of the checks performed by kubenurse, which are exposed as labels for the various duration/error prometheus metrics.

Grafana dashboard

Once the kubenurse pods are up and running and scraped by your metrics agent, you can import the example dashboard to start scrutinizing network latencies and errors.

Metrics

All performed checks expose metrics which can be used to monitor/alert:

• node-to-node network latencies and errors
• pod-to-apiserver communication
• Ingress roundtrip latencies and errors
• Service roundtrip latencies and errors (kube-proxy / your CNI)
• Major kube-apiserver issues
• kube-dns (or CoreDNS) errors
• External DNS resolution errors (ingress URL resolution)

At /metrics you will find the following metrics:

For metrics partitioned with a type label, it is possible to precisely know which request type increased an error counter, or to compare the latencies of multiple request types, for example compare how your service and ingress latencies differ.

Some event labels include dns_start, got_conn, tls_handshake_done, and more. the details can be seen in the httptrace.go file.

Deployment

You can get the Docker image from Docker Hub. The examples directory contains manifests which can be used to deploy kubenurse to the kube-system namespace of your cluster.

Helm deployment

You can also deploy kubenurse with Helm, the Chart can be found in repository https://postfinance.github.io/kubenurse/ or directory ./helm/kubenurse/. The following command can be used to install kubenurse with Helm: helm upgrade [RELEASE_NAME] --install --repo https://postfinance.github.io/kubenurse/ kubenurse.

Helm parameters

Configuration

• KUBENURSE_INGRESS_URL: An URL to the kubenurse in order to check the ingress
• KUBENURSE_SERVICE_URL: An URL to the kubenurse in order to check the Kubernetes service
• KUBENURSE_INSECURE: If "true", TLS connections will not validate the certificate
• KUBENURSE_EXTRA_CA: Additional CA cert path for TLS connections
• KUBENURSE_EXTRA_CHECKS: Additional checks, specified as a list (separated by a vertical bar |) where each entry of the list has the format: <metric_name>:<url_to_check>. For example google:https://www.google.ch/|cloudflare:https://www.cloudflare.com/
• KUBENURSE_NAMESPACE: Namespace in which to look for the neighbour kubenurses
• KUBENURSE_NEIGHBOUR_FILTER: A Kubernetes label selector (eg. app=kubenurse) to filter neighbour kubenurses
• KUBENURSE_NEIGHBOUR_LIMIT: The maximum number of neighbours each kubenurse will query
• KUBENURSE_ALLOW_UNSCHEDULABLE: If this is "true", path checks to neighbouring kubenurses are made even if they are running on unschedulable nodes.
• KUBENURSE_CHECK_API_SERVER_DIRECT: If this is "true" kubenurse will perform the check [API Server Direct](#API Server Direct). default is "true"
• KUBENURSE_CHECK_API_SERVER_DNS: If this is "true", kubenurse will perform the check [API Server DNS](#API Server DNS). default is "true"
• KUBENURSE_CHECK_ME_INGRESS: If this is "true", kubenurse will perform the check [Me Ingress](#Me Ingress). default is "true"
• KUBENURSE_CHECK_ME_SERVICE: If this is "true", kubenurse will perform the check [Me Service](#Me Service). default is "true"
• KUBENURSE_CHECK_NEIGHBOURHOOD: If this is "true", kubenurse will perform the check Neighbourhood. default is "true"
• KUBENURSE_CHECK_INTERVAL: the frequency to perform kubenurse checks. the string should be formatted for time.ParseDuration. defaults to 5s
• KUBENURSE_REUSE_CONNECTIONS: whether to reuse connections or not for all checks. default is "false"
• KUBENURSE_HISTOGRAM_BUCKETS: optional comma-separated list of float64, used in place of the default prometheus histogram buckets
• KUBENURSE_USE_TLS: If this is "true", enable TLS endpoint on port 8443
• KUBENURSE_CERT_FILE: Certificate to use with TLS endpoint
• KUBENURSE_CERT_KEY: Key to use with TLS endpoint

Following variables are injected to the Pod by Kubernetes and should not be defined manually:

• KUBERNETES_SERVICE_HOST: Host to communicate to the kube-apiserver
• KUBERNETES_SERVICE_PORT: Port to communicate to the kube-apiserver

HTTP Endpoints

The kubenurse service listens for http requests on port 8080 (optionally https on port 8443) and exposes endpoints:

• /: Redirects to /alive
• /alive: Returns a pretty printed JSON with the check results, described below
• /alwayshappy: Returns http-200 which is used for testing itself
• /metrics: Exposes Prometheus metrics

The /alive endpoint returns a JSON like this with status code 200 if everything is OK else 500:

{
  "api_server_direct": "ok",
  "api_server_dns": "ok",
  "me_ingress": "ok",
  "me_service": "ok",
  "hostname": "kubenurse-1234-x2bwx",
  "neighbourhood_state": "ok",
  "neighbourhood": [
   {
    "PodName": "kubenurse-1234-8fh2x",
    "PodIP": "10.10.10.67",
    "HostIP": "10.12.12.66",
    "NodeName": "k8s-66.example.com",
    "Phase": "Running"
   },
   {
    "PodName": "kubenurse-1234-ffjbs",
    "PodIP": "10.10.10.138",
    "HostIP": "10.12.12.89",
    "NodeName": "k8s-89.example.com",
    "Phase": "Running"
   }
  ],
  "headers": {
   "Accept": [
    "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
   ],
   "Accept-Encoding": [
    "gzip, deflate, br"
   ],
   ...
  }
}

Health Checks

Every five seconds, the checks described below are run.

API Server Direct

Checks the /version endpoint of the Kubernetes API Server through the direct link (KUBERNETES_SERVICE_HOST, KUBERNETES_SERVICE_PORT).

Metric type: api_server_direct

API Server DNS

Checks the /version endpoint of the Kubernetes API Server through the Cluster DNS URL https://kubernetes.default.svc:$KUBERNETES_SERVICE_PORT. This also verifies a working kube-dns deployment.

Metric type: api_server_dns

Me Ingress

Checks if the kubenurse is reachable at the /alwayshappy endpoint behind the ingress. This address is provided by the environment variable KUBENURSE_INGRESS_URL that could look like https://kubenurse.example.com. This also verifies a correct upstream DNS resolution.

Metric type: me_ingress

Me Service

Checks if the kubenurse is reachable at the /alwayshappy endpoint through the Kubernetes service. The address is provided by the environment variable KUBENURSE_SERVICE_URL that could look like http://kubenurse.mynamespace.default.svc:8080. This also verifies a working kube-proxy setup.

Metric type: me_service

Neighbourhood

Checks if every neighbour kubenurse is reachable at the /alwayshappy endpoint. Neighbours are discovered by querying the kube-apiserver for every Pod in the KUBENURSE_NAMESPACE with label KUBENURSE_NEIGHBOUR_FILTER. The request is done directly to the Pod-IP (port 8080, or 8443 if TLS is enabled) and the metric types contains the prefix path_ and the hostname of the kubelet on which the neighbour kubenurse should run. Only kubenurses on nodes that are schedulable are considered as neighbours, this can be changed by setting KUBENURSE_ALLOW_UNSCHEDULABLE="true".

Metric type: path_$KUBELET_HOSTNAME

Neighbourhood filtering

The number of checks for the neighbourhood used to grow as $O(N^2)$, which rendered kubenurse impractical on large clusters, as documented in issue #55. To combat this, a node filtering feature was implemented, which works as follows

• kubenurse computes the sha256 checksums for all neighbours' node names
• it sorts those checksums (this is actually implemented with a max-heap)
• it computes its own node name checksum, and queries the next 10 (per default) nodes in the sorted checksums list

Here's an example with 6 nodes, where each node queries the next 3 nodes:

Thanks to this, every node is making queries to the same 10 nodes, unless one of those nodes disappears, in which case kubenurse will pick the next node in the sorted checksums list. This comes with several advantages:

• because of the way we first hash the node names, the checks are randomly distributed, independant of the node names. if we only picked the 10 next nodes in a sorted list of the node names, then we might have biased the results in environments where node names are sequential
• metrics-wise, a kubenurse pod should typically only have entries for ca. 10 other neighbouring nodes worth of checks, which greatly reduces the load on your monitoring infrastructure
• because we use a deterministic algorithm to choose which nodes to query, the metrics churn rate stays minimal. (that is, if we randomly picked 10 nodes for every check, then in the end there would be one prometheus bucket for every node on the cluster, which would put useless load on the monitoring infrastructure)

Per default, the neighbourhood filtering is set to 10 nodes, which means that on cluster with more than 10 nodes, each kubenurse will query exactly 10 nodes, as described above.

Neighbourhood incoming checks metric

It is possible to check that each node receives the proper number of neighbourhood queries with the kubenurse_neighbourhood_incoming_checks metric. If you have the neighbourhood limit set to e.g. 10, then this metric should be equal to 10 on all nodes, with some variations during a rollout restart.

To bypass the node filtering feature, you simply need to set the KUBENURSE_NEIGHBOUR_LIMIT environment variable to 0.