EventBridge quick test
For this test, Lambda calling S3 to upload a file only produces data events, which have no reliable CloudTrail record, so that route is inconvenient (the three major data-event sources also include DynamoDB); instead, attaching a policy to an IAM role is used as the test trigger here.
Create a test role named general, then create an EventBridge rule using the event pattern below:
{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": ["AttachRolePolicy"],
    "requestParameters": {
      "roleName": ["general"]
    }
  }
}
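To see why this pattern only fires for AttachRolePolicy on the general role, here is an added example (not part of the original notes) that applies the rule's event pattern to constructed EventBridge-wrapped CloudTrail events using the basic EventBridge matching rules: every pattern key must be present, a list of values matches when the event value equals any of them, and nested objects recurse. The event IDs and account number are placeholders; the region is taken from the node name elsewhere in these notes. Prefix, anything-but and numeric matching are not implemented.

```python
"""Added example: minimal EventBridge event-pattern matcher for CloudTrail events."""

# The rule's event pattern from the notes.
EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["AttachRolePolicy"],
        "requestParameters": {"roleName": ["general"]},
    },
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern` (exact-value lists only).

    Pattern leaves are lists of candidate values; a nested dict in the
    pattern recurses into the corresponding nested dict in the event.
    """
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            # EventBridge: event value (or any element of an event array)
            # must equal one of the candidates in the pattern list.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(a in expected for a in candidates):
                return False
        else:
            raise ValueError("pattern leaves must be lists")
    return True


def make_event(role_name, event_name="AttachRolePolicy", source="aws.iam"):
    """Build a constructed EventBridge-wrapped CloudTrail event (placeholder ids)."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder event id
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "account": "123456789012",  # placeholder account id
        "region": "cn-north-1",
        "detail": {
            "eventVersion": "1.08",
            "eventSource": "iam.amazonaws.com",
            "eventName": event_name,
            "requestParameters": {
                "roleName": role_name,
                # placeholder policy ARN, constructed for the example
                "policyArn": "arn:aws-cn:iam::aws:policy/ReadOnlyAccess",
            },
        },
    }


if __name__ == "__main__":
    samples = [
        make_event("general"),
        make_event("other"),
        make_event("general", event_name="DetachRolePolicy"),
    ]
    for evt in samples:
        d = evt["detail"]
        print(d["eventName"], d["requestParameters"]["roleName"],
              "->", matches(EVENT_PATTERN, evt))
```

Only the first sample matches; changing the role name or the API call name drops the event, which is exactly the behaviour to verify before relying on the rule as a detection.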
EKS related tests
kubectl run entry --image=public.ecr.aws/amazonlinux/amazonlinux:latest --restart=Never -- sh -c "sleep infinity"
Sharing a pod that allocates an exact amount of memory:
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: default
  name: memalloc
spec:
  selector:
    matchLabels:
      app: memalloc
  replicas: 1
  template:
    metadata:
      labels:
        app: memalloc
    spec:
      containers:
      - name: memalloc
        image: shijuliu/mem_alloc:v1
        args: ["/mem_alloc","200"]
Testing a service account:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: entry
  name: entry
spec:
  containers:
  - args:
    - sh
    - -c
    - sleep infinity
    image: public.ecr.aws/amazonlinux/amazonlinux:latest
    name: entry
    resources: {}
  serviceAccountName: felix
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
A handy apply (substitute your own service account name):
sed 's/felix/YOUR_SA/' pods.yaml|kubectl apply -n kube-system -f -
Get the add-on versions available for a Kubernetes version:
aws eks describe-addon-versions --kubernetes-version 1.25 --query 'addons[].[addonName,addonVersions[].addonVersion]|[]'
Output:
[
  "vpc-cni",
  [
    "v1.12.6-eksbuild.2",
    "v1.12.6-eksbuild.1",
    "v1.12.5-eksbuild.2",
    "v1.12.5-eksbuild.1",
    "v1.12.2-eksbuild.1",
    "v1.12.0-eksbuild.2",
    "v1.11.5-eksbuild.1",
    "v1.11.4-eksbuild.3",
    "v1.10.4-eksbuild.3"
  ],
  "aws-ebs-csi-driver",
  [
    "v1.18.0-eksbuild.1",
    "v1.17.0-eksbuild.1",
    "v1.16.1-eksbuild.1",
    "v1.16.0-eksbuild.1",
    "v1.15.1-eksbuild.1",
    "v1.15.0-eksbuild.1",
    "v1.14.1-eksbuild.1",
    "v1.14.0-eksbuild.1",
    "v1.13.0-eksbuild.3",
    "v1.13.0-eksbuild.2",
    "v1.13.0-eksbuild.1",
    "v1.12.1-eksbuild.3",
    "v1.12.1-eksbuild.2",
    "v1.12.1-eksbuild.1",
    "v1.11.5-eksbuild.2",
    "v1.11.5-eksbuild.1"
  ],
  "kube-proxy",
  [
    "v1.25.9-eksbuild.1",
    "v1.25.6-eksbuild.2",
    "v1.25.6-eksbuild.1",
    "v1.24.10-eksbuild.2",
    "v1.24.9-eksbuild.1",
    "v1.23.16-eksbuild.2",
    "v1.23.15-eksbuild.1"
  ],
  "coredns",
  [
    "v1.9.3-eksbuild.3",
    "v1.9.3-eksbuild.2",
    "v1.8.7-eksbuild.4",
    "v1.8.7-eksbuild.3",
    "v1.8.4-eksbuild.2"
  ],
  "adot",
  [
    "v0.74.0-eksbuild.1",
    "v0.70.0-eksbuild.1",
    "v0.66.0-eksbuild.1",
    "v0.62.1-eksbuild.2"
  ]
]
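The query above flattens the result into alternating name / version-list entries, which is awkward to read by eye when pinning an add-on version. As an added example (not from the original notes), the snippet below pairs the entries back up and picks the newest build of each add-on by numeric comparison; plain string sorting would rank v1.9.x above v1.12.x. ADDON_OUTPUT is an abbreviated copy of the output shown above.

```python
"""Added example: pick the newest EKS add-on version from the flattened CLI output."""
import re

# Abbreviated copy of the describe-addon-versions output in the notes.
ADDON_OUTPUT = [
    "vpc-cni", ["v1.12.6-eksbuild.2", "v1.12.6-eksbuild.1",
                "v1.12.5-eksbuild.2", "v1.10.4-eksbuild.3"],
    "kube-proxy", ["v1.25.9-eksbuild.1", "v1.25.6-eksbuild.2",
                   "v1.24.10-eksbuild.2"],
    "coredns", ["v1.9.3-eksbuild.3", "v1.9.3-eksbuild.2", "v1.8.7-eksbuild.4"],
]

# Add-on versions look like v<major>.<minor>.<patch>-eksbuild.<build>
VERSION_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)-eksbuild\.(\d+)$")


def version_key(version):
    """Turn 'v1.12.6-eksbuild.2' into (1, 12, 6, 2) so comparisons are numeric."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised add-on version: {version}")
    return tuple(int(x) for x in m.groups())


def latest_per_addon(flat_output):
    """Pair up [name, versions, name, versions, ...] and return {name: newest}."""
    if len(flat_output) % 2:
        raise ValueError("expected alternating name/version-list entries")
    result = {}
    for name, versions in zip(flat_output[0::2], flat_output[1::2]):
        result[name] = max(versions, key=version_key)
    return result


if __name__ == "__main__":
    for name, ver in latest_per_addon(ADDON_OUTPUT).items():
        print(f"{name}: {ver}")
```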
nodeshell
Use a privileged container mounted into a pod to collect node logs directly.
Usage
Start the following nodeshell container in the cluster; components can be baked into the image beforehand to speed things up.
- the pod mounts the node's root volume via hostPath
- the volume is mounted into the pod in writable mode
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/psp: eks.privileged
  name: k9s-shell
  namespace: default
spec:
  containers:
  - command:
    - bash
    image: public.ecr.aws/amazonlinux/amazonlinux:2
    imagePullPolicy: IfNotPresent
    name: k9s-shell
    resources:
      limits:
        cpu: 100m
        memory: 100Mi
      requests:
        cpu: 100m
        memory: 100Mi
    securityContext:
      privileged: true
    stdin: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /host
      name: root-vol
      readOnly: false
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-zh92t
      readOnly: false
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostNetwork: true
  hostPID: true
  nodeName: ip-192-168-6-84.cn-north-1.compute.internal
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Never
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 0
  tolerations:
  - operator: Exists
  volumes:
  - hostPath:
      path: /
      type: ""
    name: root-vol
  - name: kube-api-access-zh92t
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
Enter the mount directory and chroot into it:
chroot /host
Use the log-collection script to gather the logs:
sudo bash /opt/cni/bin/aws-cni-support.sh
Grant the node permission to access S3, then upload the log archive to S3:
sh-4.2# aws s3 cp /var/log/eks_i-09353e3192ec4a400_2023-04-15_0827-UTC_0.7.1.tar.gz s3://temptest/ekslog.tar.gz
Download the log file from S3 and continue troubleshooting from there.
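The k9s-shell manifest above is effectively root on the node (privileged, hostPID, hostNetwork, a writable hostPath of / and a toleration for every taint), which is what makes chroot /host work but also what an audit or admission check should catch when such a pod shows up outside a planned troubleshooting session. As an added example (not part of the original notes), the helper below walks a pod manifest as a Python dict and reports each node-level privilege it requests. NODESHELL_POD is a trimmed copy of the k9s-shell pod and ENTRY_POD a trimmed copy of the entry pod from these notes; both were reduced by hand to the fields the checks look at.

```python
"""Added example: flag node-level privileges requested by a pod manifest."""

# Trimmed copy of the k9s-shell nodeshell pod from the notes.
NODESHELL_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "k9s-shell", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "serviceAccountName": "default",
        "tolerations": [{"operator": "Exists"}],
        "containers": [{
            "name": "k9s-shell",
            "image": "public.ecr.aws/amazonlinux/amazonlinux:2",
            "securityContext": {"privileged": True},
            "volumeMounts": [
                {"mountPath": "/host", "name": "root-vol", "readOnly": False},
            ],
        }],
        "volumes": [{"name": "root-vol", "hostPath": {"path": "/", "type": ""}}],
    },
}

# Trimmed copy of the plain 'entry' test pod from the notes (no node access).
ENTRY_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "entry"},
    "spec": {
        "serviceAccountName": "felix",
        "containers": [{
            "name": "entry",
            "image": "public.ecr.aws/amazonlinux/amazonlinux:latest",
            "args": ["sh", "-c", "sleep infinity"],
        }],
    },
}

SEVERITY_ORDER = {"critical": 3, "high": 2, "medium": 1}


def audit_pod(pod):
    """Return a list of (severity, message) findings for a pod manifest dict."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    if spec.get("hostPID"):
        findings.append(("high", f"{name}: hostPID shares the node PID namespace"))
    if spec.get("hostNetwork"):
        findings.append(("high", f"{name}: hostNetwork shares the node network namespace"))

    # volume name -> hostPath path, so mounts can be tied back to the host filesystem
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("critical", f"{name}/{c['name']}: privileged container"))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not a hostPath volume
            sev = "critical" if path == "/" else "high"
            mode = "read-only" if m.get("readOnly") else "writable"
            findings.append((sev, f"{name}/{c['name']}: hostPath {path} mounted {mode} at {m['mountPath']}"))

    # A keyless 'Exists' toleration matches every taint, so the pod can land anywhere.
    if any(t.get("operator") == "Exists" and "key" not in t for t in spec.get("tolerations", [])):
        findings.append(("medium", f"{name}: tolerates every taint"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when the list is empty."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default=None)


if __name__ == "__main__":
    for pod in (NODESHELL_POD, ENTRY_POD):
        result = audit_pod(pod)
        print(pod["metadata"]["name"], "->", worst_severity(result))
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

The same checks map directly onto the restricted Pod Security Standard profile, so a cluster that enforces that profile on ordinary namespaces would reject the nodeshell pod by default and it would have to be created deliberately in a namespace exempted for troubleshooting.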