  1. Couchbase Kubernetes
  2. K8S-2091

Log collection issues with pod/exec and in-memory clusters


    Description

      `cbcollect_info` requires `pod/exec` permissions to run, which is less than ideal for two reasons:

      1. RBAC configuration for the operator does not list it (it's nothing to do with the operator)
      2. It may not be acceptable for certain security postures (running arbitrary code on pods is not a good idea for security and performance reasons).

      Fully in-memory clusters (those without any persistent volumes) currently provide no volume through which a log shipping sidecar (K8S-1080) can access the logs. This means these logs are inaccessible via the usual means, and doubly so if `pod/exec` is not allowed either. The logs will be destroyed with the pod.

      Ideally, the changes to provide a log shipping sidecar are integrated into the server image directly, which would mitigate both these problems. We would need to configure it to ship the logs somewhere for `cbcollect_info` to pick up (or update it to grab them by deploying a daemonset or log pipeline). A proof of concept of doing this by layering it on the server image has been demonstrated.
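
For a cluster where the `pod/exec` permission described above is a concern, the following sketch lists which Roles and ClusterRoles grant it. It is an added example, not part of the original issue or of Couchbase's tooling; the role names and the sample data (shaped like `kubectl get roles,clusterroles -A -o json` output) are constructed.

```python
# Constructed sample in the shape of `kubectl get roles,clusterroles -A -o json`.
SAMPLE = {"items": [
    {"kind": "Role", "metadata": {"name": "log-collector", "namespace": "couchbase"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"],
                "verbs": ["get", "create"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "couchbase"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wide-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "aggregated"}, "rules": None},
]}

# The exec upgrade request reaches the API server as POST (verb "create")
# or GET (verb "get"), so either verb on the subresource is enough.
EXEC_VERBS = {"create", "get", "*"}
# RBAC resource matching accepts "*", an exact name, or "*/<subresource>";
# "pods/*" is not a wildcard form the authorizer matches, so it is not flagged.
EXEC_RESOURCES = {"*", "pods/exec", "*/exec"}


def grants_pod_exec(rule):
    """True if one RBAC rule allows exec into pods (core API group)."""
    groups = set(rule.get("apiGroups") or [])
    resources = set(rule.get("resources") or [])
    verbs = set(rule.get("verbs") or [])
    in_core = bool(groups & {"", "*"})
    return in_core and bool(resources & EXEC_RESOURCES) and bool(verbs & EXEC_VERBS)


def find_exec_roles(role_list):
    """Return sorted (kind, namespace, name) for every role granting pod exec."""
    hits = []
    for item in role_list.get("items", []):
        meta = item.get("metadata", {})
        # Aggregated ClusterRoles can carry a null rules field.
        if any(grants_pod_exec(r) for r in item.get("rules") or []):
            hits.append((item.get("kind", ""), meta.get("namespace", ""), meta.get("name", "")))
    return sorted(hits)


if __name__ == "__main__":
    for kind, namespace, name in find_exec_roles(SAMPLE):
        print(f"{kind} {namespace or '<cluster>'}/{name} grants pod exec")
```

Note that `pod-reader` is not reported: access to `pods` or `pods/log` does not include the `exec` subresource.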


            People

              simon.murray Simon Murray
              patrick.stephens Patrick Stephens (Inactive)