The Controller provides a number of built in capabilities to assist developers and operators to debug and diagnose issues with deployed workloads.
In addition to aggregating "container logs", developers/operators require the ability to "securely" interact in real time with their containers on remote clusters.
Zero Trust Access Approach¶
In production, access to the Kubernetes cluster's control plane is
Highly Controlled Enabled ONLY for privileged administrators type personnel.
Locked Down Privileged users required to use SSH to interact with the control plane. In addition, organizations will also use a Bastion or VPN.
Cumbersome Managing credentials (roles, role bindings) and the burden to maintain an audit trail.
For multi cluster deployments, this gets extremely "Expensive" (for the associated access infrastructure) and "Cumbersome and Laborious" for the user (extreme latency and credential lifecycle management).
To address these issues, Rafay provides a "Zero Trust" debug and diagnostics channel from the "Controller" to the "Managed Clusters" enabling the following capabilities:
- No Inbound Access needed to Kubernetes Cluster Control Plane
- No need to make any firewall changes
- No need to manage 10s or 100s of kubeconfig files
- No need to manage roles and role bindings for users on every cluster
- No need to remember all low level kubectl commands and be an expert on low level aspects of Kubernetes
- Visibility limited to pods for allowed workloads
Status of Workload¶
- From the workload list screen, click on "Actions"
- Select "Debug"
The controller establishes a "LIVE" debug channel to the selected cluster multiplexed over the zero trust control channel ensuring that the user is presented with "Real Time" data.
The user is presented the status, events for all the pods associated with the specific workload.
Multi Cluster Debug¶
For workloads deployed to "multiple" clusters, the Controller provides users the ability to seamlessly switch the debug view between all deployed clusters.
- Click on the "Locations" drop down to view and select the list of clusters where the workload is deployed to
Click on "Show Events" for a specific container in the workload to view the latest Kubernetes events associated with the container.
Real Time Logs¶
Sometimes it is imperative to have access to container logs immediately. For example, the developer/operator is trying to reproduce a specific scenario.
Click on "Logs and Shell" for a specific container.
- The Controller provides the ability to "Live Stream" logs emitted by a container to the Rafay Console.
- This provides a "tail -f" experience for the user.
- The user can also "download" the logs and "pause" log streaming to ensure they can take their time to review the content on the screen
The live, interactive logging is possible only if your container is configured to emit logs to stdout and/or stderr.
Container Debug Shell¶
There are scenarios where the user needs immediate "Shell" access to their Kubernetes Pod for debugging.
- Click on "Logs and Shell" for a specific container.
- The Controller provides an Interactive Shell that users can use for debugging and diagnostic purposes.
With this facility, users no longer have the burden to punch holes in their firewalls to enable/maintain SSH access, bastion hosts etc.
Access to the interactive, debug shell is controlled by the user role permissions in the Rafay Console. Only "Admin" and "Developer" roles have access to the debug shell.
Ensure that your container base image provides necessary tooling for Shell etc.
By default, the information on the "Debug Page" will automatically refresh every "30 seconds".
- Users can also temporarily update the default refresh interval from 30 seconds to 10 or 20 seconds if they require.
- Users can click on the Refesh button if they would like to refresh the data immediately.