2 min read
Openshift provides an object that tracks the number of requests made to the Kubernetes API server. It provides insights into the load on the cluster, the performance of applications, and helps in capacity planning. By monitoring APIRequestCount, you can identify potential bottlenecks, detect unusual spikes in traffic, and optimize resource allocation.
$ kubectl get apirequestcounts NAME REMOVEDINRELEASE REQUESTSINCURRENTHOUR REQUESTSINLAST24H alertmanagerconfigs.v1alpha1.monitoring.coreos.com 6 1706 alertmanagers.v1.monitoring.coreos.com 20 2891 apiservices.v1.apiregistration.k8s.io 994 99521 (...)
2 min read
After trying to set a custom default certificate for the OpenShift routes we might see how it's Pods starts crashing:
$ kubectl get pods NAME READY STATUS RESTARTS AGE router-10-rh8vf 1/1 Running 0 32m router-10-f2dt2 0/1 CrashLoopBackOff 6 7m router-10-m45b7 1/1 Running 0 31m
Checking it's logs we'll get a quite misleading message:
$ kubectl logs router-10-f2dt2 -n default Error from server: Get https://some.openshift.cluster:10250/containerLogs/default/router-10-f2dt2/router: x509: certificate has expired or is not yet valid
3 min read
If we want to take a look at the network traffic that we get out of an OpenShift node we can use the oc debug command to spin up a privileged pod with tcpdump installed. This way we don't need to ssh into the worker node.
2 min read
When running an OpenShift cluster we'll find that it exposes a web-based console that not only allows you to deploy applications, but also managing the cluster. However, since it is an additional way to access the cluster we might have some concerns about it, specially from the security perspective. Specifically, the console can be a potential attack vector to gain unauthorized access to the cluster. Let's see how to disable it.
4 min read
Combining oc-mirror with ImageContentSourcePolicy we can configure image mirrors for container images in OpenShift. We can use it to setup air gapped environments: The images won't be available for the source repository, just from the internal mirror. This way we can audit them before allowing our cluster to use them