Shulou(Shulou.com)05/31 Report--

To improve the efficiency of K8S troubleshooting example analysis, in view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

As a leading multi-cluster Kubernetes management platform, Rancher enables the operation and maintenance team to deploy, manage and protect enterprise Kubernetes clusters. Rancher also provides users with a range of container network interface (CNI) options, including the open source project Calico (https://www.projectcalico.org/). Calico provides native Layer3 routing for Kubernetes Pod, which simplifies the network architecture, improves network performance, and provides a rich network policy model that can easily block traffic. Therefore, only the traffic you specify can flow.

A common problem in deploying Kubernetes is to gain visibility into the clustered environment to effectively monitor and troubleshoot network and security issues. Visibility and troubleshooting is one of the top three Kubernetes use cases we see on Tigera. This is particularly important in production deployments because downtime is valuable and distributed applications are difficult to troubleshoot. If you are a member of the platform team, you also need to bear the pressure of SLA. If you are a member of the DevOps team, you need to start the production workload. For both teams, the common goal is to solve the problem as soon as possible.

Why is K8S troubleshooting so challenging?

Because Kubernetes workloads are dynamic, connectivity issues are very difficult to solve. The conventional network monitoring tools are designed for static environment. They do not understand the Kubernetes context and are not efficient when applied to Kubernetes. Without a specific Kubernetes diagnostic tool, troubleshooting can be frustrating for platform teams. For example, when a connection to pod-to-pod is denied, it is almost impossible to determine which network security policy denies traffic. Of course, you can manually log in to the node and view the system log, but this is not feasible and cannot be extended to multiple nodes.

Based on this, you really need a way to quickly identify the root cause of any connection or security problem. Or better yet, you can have some predictive tools to avoid problems. As Kubernetes deployments grow, limitations around visibility, monitoring, and logging can lead to undiagnosable system failures, resulting in service disruptions and affecting customer satisfaction and your business.

Traffic logs and traffic visibility

For users running Rancher on production, Calico Enterprise (https://www.tigera.io/tigera-products/calico-enterprise/) network traffic logs can provide a solid foundation for solving Kubernetes network and security problems. For example, the traffic log can be used to run queries to analyze all traffic from a given namespace or workload label. However, to effectively troubleshoot the Kubernetes environment, you need traffic logs with Kubernetes-specific data, such as pod, tags, and namespaces, and which policies accept or reject connections.

Calico Enterprise Flow Visualizer

A large number of Rancher users belong to the DevOps team. Although traditional ITOps has management network and security policies, we see that the DevOps team is looking for solutions that can achieve self-sufficiency and accelerate the CI/CD process. For Rancher users running in a production environment, Calico Enterprise includes Flow Visualizer, a powerful tool that simplifies connection troubleshooting. This method can interact with network traffic intuitively and study it deeply. DevOps can use this tool for troubleshooting and policy creation, while ITOps can use RBAC to establish a policy hierarchy to enforce protection, so the DevOps team does not cover any enterprise-wide policies.

Firewalls create visible space for security teams

Kubernetes workloads use the network heavily and generate a lot of east-west traffic. If you deploy a regular firewall in the Kubernetes architecture, you will not be able to visualize traffic and troubleshoot. Firewalls do not understand the context required for Kubernetes traffic (namespaces, Pod, tags, container id, and so on). This makes it impossible to troubleshoot network problems, conduct forensic analysis, or report whether security controls are compliant.

To achieve the required visibility, Rancher users can deploy Calico Enterprise to convert zone-based firewall rules into Kubernetes network policies that divide the cluster into zones and apply the correct firewall rules. You can then use existing firewalls and firewall managers to define zones and create rules in Kubernetes, just like all other rules. Traffic can be sent through the zone to the security team's security information and event management platform (SIEM), giving them the same visibility as regular firewalls for troubleshooting.

Other Kubernetes troubleshooting considerations

For platforms, networks, DevOps, and security teams that use the Rancher platform, Tigera provides additional visibility and monitoring tools to help you troubleshoot faster:

You can add thresholds and alerts to all monitored data. For example, a surge in rejected traffic will alert your DevOps team or the Security Operations Center (SOC) for further investigation.

Filter enables you to analyze in depth by namespace, pod, and view state (such as allowed or denied traffic).

Logs can be stored in the EFK (Elasticsearch, Fluentd, and Kibana) stack for future access.

Whether you are new to Kubernetes, simply want to understand the "cause" of unexpected cluster behavior, or are in a production environment where large-scale workloads are deployed, effective troubleshooting with the right tools will help you avoid outages and service disruptions.

This is the answer to the sample analysis question about improving the efficiency of K8S troubleshooting. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.