jcpowermac/a_README.md

## a_README.md

      
    Raw
  

              a_README.md
            
          
    kubectl trace in openshift

trace runs as a Job, if there are problems look there: oc get jobs.
oc trace run  --serviceaccount=kubectltrace pod/machine-api-controllers-56db5fcc9c-n9f4d -c machine-controller -f vsphere-session.bt 


## serviceaccount.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubectltrace
  namespace: openshift-machine-api
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kubectltrace
spec:
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
  allowedCapabilities:
  - '*'
  hostPID: true
  hostIPC: true
  hostNetwork: true
  hostPorts:
  - min: 1
    max: 65536
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubectltrace-psp
rules:
- apiGroups:
  - policy
  - security.openshift.io
  resources:
  - podsecuritypolicies
  - securitycontextconstraints
  resourceNames:
  - kubectltrace
  - privileged
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
    name: kubectltrace-psp
subjects:
- kind: ServiceAccount
  name: kubectltrace
  namespace: openshift-machine-api
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: kubectltrace-psp

## vsphere-session.bt
#!/usr/bin/env bpftrace

uprobe:/proc/$container_pid/exe:"github.com/vmware/govmomi/session.(*Manager).SessionIsActive",
uprobe:/proc/$container_pid/exe:"github.com/openshift/machine-api-operator/pkg/controller/vsphere/session.GetOrCreate",
uprobe:/proc/$container_pid/exe:"github.com/vmware/govmomi.NewClient"
{
	@[probe] = count();
}

interval:s:600
{
	exit();
}
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: kubectltrace
	namespace: openshift-machine-api
	---
	apiVersion: policy/v1beta1
	kind: PodSecurityPolicy
	metadata:
	name: kubectltrace
	spec:
	fsGroup:
	rule: RunAsAny
	privileged: true
	runAsUser:
	rule: RunAsAny
	seLinux:
	rule: RunAsAny
	supplementalGroups:
	rule: RunAsAny
	volumes:
	- '*'
	allowedCapabilities:
	- '*'
	hostPID: true
	hostIPC: true
	hostNetwork: true
	hostPorts:
	- min: 1
	max: 65536
	---

	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: kubectltrace-psp
	rules:
	- apiGroups:
	- policy
	- security.openshift.io
	resources:
	- podsecuritypolicies
	- securitycontextconstraints
	resourceNames:
	- kubectltrace
	- privileged
	verbs:
	- use
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: kubectltrace-psp
	subjects:
	- kind: ServiceAccount
	name: kubectltrace
	namespace: openshift-machine-api
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: kubectltrace-psp
	#!/usr/bin/env bpftrace

	uprobe:/proc/$container_pid/exe:"github.com/vmware/govmomi/session.(*Manager).SessionIsActive",
	uprobe:/proc/$container_pid/exe:"github.com/openshift/machine-api-operator/pkg/controller/vsphere/session.GetOrCreate",
	uprobe:/proc/$container_pid/exe:"github.com/vmware/govmomi.NewClient"
	{
	@[probe] = count();
	}

	interval:s:600
	{
	exit();
	}