use of kubectl log in readiness probe

1/21/2020

I have a server which is running inside of a kubernetes pod. Its log output can be retrieved using "kubectl logs".

The application goes through some start up before it is ready to process incoming messages. It indicates its readiness through a log message.

The "kubectl logs" command is not available from within the pod. I think it would be insecure to even try to install it.

Is there a way of either:

  • getting the log from within the container? or
  • running a readiness probe that is executed outside of the container? (rather than as a docker exec)

Here are some options I've considered:

  • Redirecting the output to a log file loses it from "Kubectl log"
  • Teeing it to a log file avoids that limitation but creates an unnecessary duplicate log.

  • stdout and stderr of the application are anonymous pipes (to kubernetes) so eavesdropping on /proc/1/fd/1 or /proc/1/fd/2 will not work.

A better option may be to use the http API. For example this question

kubectl proxy --port=8080

And from within the container:

curl -XGET http://127.0.0.1:8080/api

However I get an error:

Starting to serve on 127.0.0.1:8080
I0121 17:05:38.928590   49105 log.go:172] http: Accept error: accept tcp 127.0.0.1:8080: accept4: too many open files; retrying in 5ms
2020/01/21 17:05:38 http: proxy error: dial tcp 127.0.0.1:8080: socket: too many open files

Does anyone have a solution or a better idea?

-- Bruce Adams
kubernetes

2 Answers

1/21/2020

You can actually do what you want. Create a kubernetes "serviceaccount" object with permissions just to do what you want, use the account for your health check pod, and just run kubectl logs as you described. You install kubectl, but limit the permissions available to it.

However, there's a reason you don't find examples of that: it's not a great way of building this thing. Is there really no way that you can do a health check endpoint in your app? That is so much more convenient for your purposes.

Finally, if the answer to that really is "NO", could you have your app write a ready file? Instead of print "READY" do touch /app/readyfile. Then your health check can just check if that file exists. (To make this work, you would have to create a volume and mount it at /app in both your app container and the health check container so they can both see the generated file.)

-- Paul Becotte
Source: StackOverflow
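
The restricted service account described in the answer above, sketched as an added example that is not part of the original answer. The names log-reader and read-own-pod-log are hypothetical, and the namespace default and pod name mypodnamehere are the placeholders used elsewhere on this page.

```yaml
# Added example: a service account that can read one pod's log and nothing else.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader            # hypothetical name
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                    # namespaced Role, not a ClusterRole
metadata:
  name: read-own-pod-log      # hypothetical name
  namespace: default
rules:
  - apiGroups: [""]           # core API group
    # "pods/log" is the log subresource. "pods" is included because
    # kubectl logs reads the pod object before requesting its log.
    resources: ["pods", "pods/log"]
    verbs: ["get"]            # no list, watch, exec, create or delete
    # Limits the grant to a single pod. Pods created by a Deployment get
    # generated names, so this line only fits a pod with a fixed name.
    resourceNames: ["mypodnamehere"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-read-own-pod-log
  namespace: default
subjects:
  - kind: ServiceAccount
    name: log-reader
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-own-pod-log
# The health check pod then sets spec.serviceAccountName: log-reader.
# Check the grant from an admin context before relying on it:
#   kubectl auth can-i get pods/mypodnamehere --subresource=log -n default \
#     --as=system:serviceaccount:default:log-reader      (expect "yes")
#   kubectl auth can-i list secrets -n default \
#     --as=system:serviceaccount:default:log-reader      (expect "no")
```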

1/21/2020

Too many open files was because I did not run kubectl with sudo. So the log can be retrieved via the http API with:

sudo kubectl proxy --port 8080

And then from inside the app:

curl -XGET http://127.0.0.1:8080/api/v1/namespaces/default/pods/mypodnamehere/log

That said, I agree with @Paul Becotte that having the application create a ready file would be a better design.

-- Bruce Adams
Source: StackOverflow