# Soak Test

Source: hello-pepr-soak
## Background

Pepr watches for Pods with the labels `api` and `bug`, and for Secrets with the label `deletedeletedelete`, in the `pepr-demo` namespace.

A successful soak should result in:

- No pods in the `pepr-demo` namespace
- No secrets in the `pepr-demo` namespace

The Watcher deployment is running at `LOG_LEVEL` `debug` while the admission deployment is on `info` to keep the irrelevant noise down.
## Cluster Setup

Create a k3d cluster with audit logging enabled:

```bash
cat <<EOF > audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF
k3d cluster create auditer \
  --k3s-arg '--kube-apiserver-arg=audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml@server:*' \
  --k3s-arg '--kube-apiserver-arg=audit-log-path=/var/log/kubernetes/audit.log@server:*' \
  --k3s-arg '--kube-apiserver-arg=audit-log-format=json@server:*' \
  --volume $(pwd)/audit-policy.yaml:/etc/kubernetes/policies/audit-policy.yaml
```

View audit logs:

```bash
docker exec -it k3d-auditer-server-0 cat /var/log/kubernetes/audit.log
```

Create a kind cluster with auditing:
```bash
cat <<EOF > audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF
cat <<EOF > kind-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      # enable auditing flags on the API server
      extraArgs:
        audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
        audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
      # mount new files / directories on the control plane
      extraVolumes:
      - name: audit-policies
        hostPath: /etc/kubernetes/policies
        mountPath: /etc/kubernetes/policies
        readOnly: true
        pathType: "DirectoryOrCreate"
      - name: "audit-logs"
        hostPath: "/var/log/kubernetes"
        mountPath: "/var/log/kubernetes"
        readOnly: false
        pathType: DirectoryOrCreate
  # mount the local file on the control plane
  extraMounts:
  - hostPath: ./audit-policy.yaml
    containerPath: /etc/kubernetes/policies/audit-policy.yaml
    readOnly: true
EOF
kind create cluster --config kind-config.yaml
```

Make sure you got audit logs:

```bash
docker exec kind-control-plane cat /var/log/kubernetes/kube-apiserver-audit.log
```

Troubleshoot: is the policy file present on the control plane?

```bash
docker exec kind-control-plane ls /etc/kubernetes/policies
```

expected:

```
audit-policy.yaml
```

Does the API Server manifest contain the mounts and arguments?

```bash
docker exec kind-control-plane cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep audit
```

expected:

```
    - --audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log
    - --audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml
      name: audit-logs
      name: audit-policies
      name: audit-logs
      name: audit-policies
```
## Get Started

### Install Istio

Download istioctl:

```bash
curl -L https://istio.io/downloadIstio | sh -
sudo mv istio-*/bin/istioctl /usr/local/bin/
istioctl install --set profile=demo -y
```

Deploy the module and watch logs in one terminal:

```bash
istioctl install --set profile=demo -y
kubectl apply -f dist
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: null
  name: pepr-demo
  labels:
    istio-injection: enabled
spec: {}
status: {}
---
apiVersion: batch/v1
kind: CronJob
metadata:
  creationTimestamp: null
  name: podgen0
  namespace: pepr-demo
spec:
  jobTemplate:
    metadata:
      creationTimestamp: null
      name: podgen
    spec:
      ttlSecondsAfterFinished: 5
      template:
        metadata:
          creationTimestamp: null
          labels:
            "zarf.dev/agent": "ignore"
            bug: "reproduce"
            api: "call"
        spec:
          containers:
          - image: ubuntu
            command: ["sh","-c","sleep 10"]
            name: sleepanddie
            resources: {}
          restartPolicy: Never
  schedule: 0/1 * * * *
status: {}
---
apiVersion: batch/v1
kind: CronJob
metadata:
  creationTimestamp: null
  name: podgen1
  namespace: pepr-demo
spec:
  jobTemplate:
    metadata:
      creationTimestamp: null
      name: podgen
    spec:
      ttlSecondsAfterFinished: 5
      template:
        metadata:
          creationTimestamp: null
          labels:
            bug: "reproduce"
            api: "call"
            "zarf.dev/agent": "ignore"
        spec:
          containers:
          - image: ubuntu
            command: ["sh","-c","sleep 10"]
            name: sleepanddie
            resources: {}
          restartPolicy: Never
  schedule: 0/1 * * * *
status: {}
EOF
# inject the Istio sidecar into the Pepr controllers as well, then hit the
# watcher's metrics endpoint through the mesh to confirm it is reachable
kubectl label ns pepr-system istio-injection=enabled
kubectl delete po -n pepr-system --all --force
kubectl run curler -n pepr-system --image=nginx
sleep 10; kubectl exec -it curler -n pepr-system -- curl -k https://pepr-6233c672-7fca-5603-8e90-771828dd30fa-watcher/metrics
```

Logs:

```bash
kubectl logs -n pepr-system -l pepr.dev/controller=watcher -f | jq 'select(.url != "/healthz")'
```

Create 10 CronJobs that produce 10 pods with sidecars every 60 seconds:
```bash
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: null
  name: pepr-demo
  labels:
    istio-injection: enabled
spec: {}
status: {}
EOF
# podgen0 .. podgen9: identical CronJobs, each spawning one labelled pod per minute
for i in $(seq 0 9); do
kubectl apply -f - <<EOF
apiVersion: batch/v1
kind: CronJob
metadata:
  creationTimestamp: null
  name: podgen$i
  namespace: pepr-demo
spec:
  jobTemplate:
    metadata:
      creationTimestamp: null
      name: podgen
    spec:
      ttlSecondsAfterFinished: 5
      template:
        metadata:
          creationTimestamp: null
          labels:
            bug: "reproduce"
            api: "call"
            "zarf.dev/agent": "ignore"
        spec:
          containers:
          - image: ubuntu
            command: ["sh","-c","sleep 10"]
            name: sleepanddie
            resources: {}
          restartPolicy: Never
  schedule: 0/1 * * * *
status: {}
EOF
done
```

Watch for secrets and pods; if any stick around, you have reproduced the issue:
```bash
while true; do
  kubectl get secret,po -n pepr-demo --no-headers
  sleep 5
  clear
done
```

Watch the Watch Controller pods:

```bash
kubectl logs -n pepr-system -l pepr.dev/controller=watcher -f | jq 'select(.url != "/healthz")'
```

Watch the audit logs:

```bash
while true; do
  docker exec kind-control-plane cat /var/log/kubernetes/kube-apiserver-audit.log | tail | jq
  sleep 5
done
```

### Install Kubeshark

```bash
helm repo add kubeshark https://helm.kubeshark.co
helm install kubeshark kubeshark/kubeshark
```

Port-forward to the UI:

```bash
kubectl port-forward service/kubeshark-front 8899:80
```
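To decide a soak run from the audit log captured above rather than by eyeballing the watch loops, here is an added checker (my example, not part of hello-pepr-soak): it replays Metadata-level audit events and reports Pods or Secrets in `pepr-demo` that were created but never deleted. The audit events it parses are constructed, and the pod names in them are made-up placeholders.

```python
"""Added example (not hello-pepr-soak code): replay a Metadata-level audit log
(one JSON event per line) and report Pods/Secrets in pepr-demo that were
created but never deleted. An empty result means the soak passed."""
import json
from collections import defaultdict

NAMESPACE = "pepr-demo"
WATCHED = {"pods", "secrets"}

def _ev(verb, resource, name, code=200, ns=NAMESPACE):
    """Build one constructed audit event carrying only the fields read below."""
    return json.dumps({"stage": "ResponseComplete", "verb": verb,
                       "objectRef": {"resource": resource, "namespace": ns, "name": name},
                       "responseStatus": {"code": code}})

# Constructed sample: podgen1's pod is never deleted; the 403 create, the default-namespace pod and the watch are out of scope.
SAMPLE_AUDIT_LOG = "\n".join([
    _ev("create", "pods", "podgen0-28000000-abcde", 201),
    _ev("create", "secrets", "test-secret", 201),
    _ev("create", "pods", "podgen1-28000000-fghij", 201),
    _ev("delete", "secrets", "test-secret"),
    _ev("delete", "pods", "podgen0-28000000-abcde"),
    _ev("create", "secrets", "denied-secret", 403),
    _ev("create", "pods", "other-pod", 201, ns="default"),
    _ev("watch", "pods", ""),
])

def parse_events(text):
    """Yield (verb, resource, name) for successful requests on watched
    resources in NAMESPACE; every other event is ignored."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if (ev.get("stage") == "ResponseComplete" and code < 400
                and ref.get("namespace") == NAMESPACE and ref.get("resource") in WATCHED):
            yield ev.get("verb"), ref["resource"], ref.get("name", "")

def lingering(text):
    """Return {resource: sorted names} created but not deleted. A create that
    used generateName can carry an empty name at Metadata level; it is skipped."""
    live = defaultdict(set)
    for verb, resource, name in parse_events(text):
        if verb == "create" and name:
            live[resource].add(name)
        elif verb == "delete" and name:
            live[resource].discard(name)
    return {r: sorted(n) for r, n in live.items() if n}
```

Feed it the real file with `lingering(open("kube-apiserver-audit.log").read())` after a run; anything it returns is a leaked object the watcher failed to clean up.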