Actions 👉

To allow users to close the troubleshooting loop through Komodor, Komodor offers the ability to perform a number of Actions against Kubernetes resources. These Actions are auditable, meaning that a record is made of what Action was performed and by whom.

Prerequisites

  • Agent version 0.1.104
  • Required permissions (permissions can be modified as needed)
  - apiGroups:
    - apps
    resources:
    - deployments/scale
    - statefulsets/scale
    - deployments
    - replicasets
    - statefulsets
    - daemonsets
    verbs:
    - patch
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - delete
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - delete
    - create
  - apiGroups:
    - ""
    resources:
    - pods
    - persistentvolumeclaims
    - configmaps
    - services
    - persistentvolumes
    - storageclasses
    verbs:
    - delete
    - patch
    - update
    - create
  - apiGroups:
    - apps
    resources:
    - replicasets
    - deployments
    - statefulsets
    - daemonsets
    verbs:
    - delete
    - patch
    - update
    - create
  - apiGroups:
    - batch
    resources:
    - cronjobs
    - jobs
    verbs:
    - delete
    - patch
    - update
    - create
  - apiGroups:
    - networking.k8s.io
    resources:
    - ingresses
    - networkpolicies
    verbs:
    - delete
    - patch
    - update
    - create
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - patch
  - apiGroups:
    - ""
    resources:
    - pods/eviction
    verbs:
    - create
  • Please note: To perform actions against Kubernetes resources, the user has to be either an account-admin or be provided with permission to perform actions, to read more about Komodor RBAC

How to opt-in

For the sake of convenience, we've separated the Actions Helm chart values into two sections
- watcher.actions.basic - Enables basic actions (Delete pods, Scale and restart deployments, statefulsets, replicasets. Restart and trigger jobs)
- watcher.actions.advanced - Enables advanced actions (Update, Create, and Delete resources, Cordon/Uncordon nodes)

New agent installation

To install a new agent with Actions enabled, ensure that the Helm chart installation process includes the following flags

Cluster upgrade

helm repo add komodorio https://helm-charts.komodor.io ; helm repo update; helm upgrade --install k8s-watcher komodorio/k8s-watcher --set watcher.actions.basic=true --set watcher.actions.advanced=true --reuse-values

How to revoke

To disable the usage of Actions using Helm, apply the following command:

helm repo add komodorio https://helm-charts.komodor.io ; helm repo update; helm upgrade --install k8s-watcher komodorio/k8s-watcher --set watcher.actions.basic=false --set watcher.actions.advanced=false --reuse-values

How does it work?

  • User triggers a Manual Action through the Komodor platform
  • A command is registered to the Komodor SaaS
  • The Agent running in the cluster fetches the command from the Komodor SaaS (communication is always done from the Agent outside of the cluster)
  • The command is triggered against the Kubernetes API
  • Kubernetes will now execute the command
  • During the entire process you can track the changes/events through a dedicated Event that will be created on the Komodor timeline.

Please note: Due to Kubernetes' nature, this feature is built asynchronously, review the timeline after triggering any action for updates

Komodor Actions Demo - Watch Video

Audit

For auditing purposes, Manual Action events are created on the Komodor timeline

What type of Actions are supported and where can they be triggered from?

We currently support the following actions: 
- Scale service - Allows modifying the number of replicas for a Service. Can be triggered from Deployment/StatefulSet inspection pages (under Workloads) and also from a Service timeline page
- Delete Pod - Deletes/kills a specific Pod. Can be triggered from both the Pod inspection page (under Workloads) and the Pods & Logs screen
- Restart service - Triggers a rolling restart of all the Pods of a Service. Can be triggered from Deployment/StatefulSet inspection page (under Workloads) and also from a Service timeline page
- Rollback service - Rolls back a service to the previous generation
- Re-trigger Job/CronJob - Re-creates the Job to trigger a new run of it. Can be triggered from a Job/CronJob timeline, Job/CronJob inspection pages (under Workloads) and from a Job event drawer
- Cordon/Uncordon node - Allows marking a node as unscheduable, preventing new Pods from being scheduled on it. You can revert this by using the Uncordon action
- Delete/Edit resources

 

Pod Shell

Pod shell allows you to initiate a shell session against containers in your clusters so you can run various commands to examine the state of the container from within.

In essence, it is similar to the experience provided by the kubectl exec -it POD_NAME -- /bin/bash command

Prerequisites

  • Agent version >= 0.1.173
  • Prerequisites for performing actions via the agent (see here)
  • Required Permissions
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create

User permissions

Pod Shell is available for admin users or users with the pod:exec Komodor RBAC permission, read more about Komodor RBAC here

Opting-in

For convenience, the following flag has been added to configure the agent to support pod shell access:

watcher.actions.podExec=true

Agent Upgrade

To upgrade an existing agent to support pod shell access execute the following command:

helm repo add komodorio https://helm-charts.komodor.io ; helm repo update; helm upgrade --install k8s-watcher komodorio/k8s-watcher --set watcher.actions.basic=true --set watcher.actions.advanced=true --set watcher.actions.podExec=true --reuse-values

Revoking Shell Access

If you would like to revoke only pod shell access run the following command:

helm repo add komodorio https://helm-charts.komodor.io ; helm repo update; helm upgrade --install k8s-watcher komodorio/k8s-watcher --set watcher.actions.podExec=false --reuse-values

If you would also like to revoke actions permission from the agent run the following command:

helm repo add komodorio https://helm-charts.komodor.io ; helm repo update; helm upgrade --install k8s-watcher komodorio/k8s-watcher --set watcher.actions.basic=false --set watcher.actions.advanced=false --set watcher.actions.podExec=false --reuse-values

Accessing pod shell

Pod shell is accessible from two main places in Komodor

Option 1: Via Pods Page

Navigate to the pods page on the left navbar 1-select-pods.png

Select a pod in the Running state 2-select-a-running-pod.png

Either Click on actions -> PodExec 3-click-on-action.png

OR Click the pod row -> Click the Pod Shell button on the top 5-pod-shell-button.png

The shell is opened 6-terminal.png

Option 2: Via Service Page

Select the services page on the left navbar 1-select-services.png

Select a service with at least one healthy pod 2-select-a-service.png

Select the Pods tab 3-select-pods-tab.png

Select a pod in the Running state 4-select-a-running-pod.png

Either click on actions -> Pod Exec 5-actions-pod-exec.png

Or click on the pod row -> Click on the Pod Shell button on the top 5-pod-shell-button.png

The shell is opened 6-terminal.png

How does it work?

  • Both client and agent keep a persistent connection to Komodor's backend
  • Client initiates a pod shell session
  • If there are multiple containers the user will have to choose the container to open the shell session to
  • Authentication and authorization take place to make sure the client has permission to run a shell session against the requested pod
  • An audit record and an event on the corresponding service timeline are created so you can track pod shell usage
  • The agent receives the message and opens a shell session against the requested pod and container using the Kubernetes API
  • All subsequent messages are passed from the Client to the Agent, injected into the session, and then routed back to the Client for display
  • The agent will close the shell session if the client closes the session voluntarily or if the session has been idle for more than 5 minutes.

Please note: Agent restarts will cause the session to restart and any in-session state will be lost (environment variables for example)

The remote container has to have either sh or bash installed on it to open a shell session against it

Multiple Shells & Shell Minimization

You can minimize a shell session. The session will be kept in a tab on the bottom side of the web application. While it is minimized, you can keep exploring your system, move between different pages, and interact regularly with the web application. When you'd like to resume the shell session, click the tab at the bottom of the screen and the terminal will be displayed again.

You can also open and keep multiple shell sessions minimized. In this case, you will be able to choose which session you'd like to resume by using the select menu from the shells tab on the bottom side of the web application.

multiple-minimized.png

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.