Gist matthewpalmer/047738f3b3804a5e91d08909ce7024a9 (last active April 24, 2024)
Example Kubernetes pod for the multi-container sidecar design pattern
# Example YAML configuration for the sidecar pattern.
# It defines a main application container which writes
# the current date to a log file every five seconds.
# The sidecar container is nginx serving that log file.
# (In practice, your sidecar is likely to be a log collection
# container that uploads to external storage.)

# To run:
# kubectl apply -f pod.yaml

# Once the pod is running:
#
# (Open a shell in the sidecar container; -c selects the container,
# and the command to run goes after "--")
# kubectl exec -it pod-with-sidecar -c sidecar-container -- bash
#
# (Install curl on the sidecar)
# apt-get update && apt-get install -y curl
#
# (Access the log file via the sidecar)
# curl 'http://localhost:80/app.txt'

apiVersion: v1
kind: Pod
metadata:
  name: pod-with-sidecar
spec:

  # Create a volume called 'shared-logs' that the
  # app and sidecar share.
  volumes:
  - name: shared-logs
    emptyDir: {}

  # In the sidecar pattern, there is a main application
  # container and a sidecar container.
  containers:

  # Main application container
  - name: app-container
    # Simple application: write the current date
    # to the log file every five seconds
    image: alpine # alpine is a simple Linux OS image
    command: ["/bin/sh"]
    args: ["-c", "while true; do date >> /var/log/app.txt; sleep 5; done"]

    # Mount the pod's shared log volume into the app
    # container. The app writes logs here.
    volumeMounts:
    - name: shared-logs
      mountPath: /var/log

  # Sidecar container
  - name: sidecar-container
    # Simple sidecar: display log files using nginx.
    # In reality, this sidecar would be a custom image
    # that uploads logs to a third-party or storage service.
    image: nginx:1.7.9
    ports:
    - containerPort: 80

    # Mount the pod's shared log volume into the sidecar
    # container. In this case, nginx will serve the files
    # in this directory.
    volumeMounts:
    - name: shared-logs
      mountPath: /usr/share/nginx/html # nginx-specific mount path
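The gist above is a minimal demonstration; it runs both containers as root, gives the sidecar read-write access to the log volume, pins nginx to the long-unmaintained 1.7.9 release, and sets no resource limits. The manifest below is an added example (not the gist's own file) showing the same sidecar pattern with the settings a reviewer would ask for: the sidecar mounts `shared-logs` read-only so a compromised log server cannot alter or delete the logs, both containers run as a non-root user with all capabilities dropped, the emptyDir is size-limited, and the service-account token is not mounted. It assumes the `nginxinc/nginx-unprivileged` image (the upstream nginx image built to run as non-root, listening on 8080); the `stable` and `alpine:3.19` tags and the UID 10001 are example choices, not taken from the gist, and in production you would pin images by digest.

```yaml
# Hardened variant of pod-with-sidecar (added example, not the gist's own file).
# Same sidecar pattern and same shared emptyDir, with defensive defaults.
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-sidecar-hardened
spec:
  # Pod-wide defaults: both containers run unprivileged. fsGroup makes the
  # shared emptyDir group-owned by the non-root user so the app can write to it.
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001        # example UID; any non-zero UID works
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  automountServiceAccountToken: false   # neither container needs the API server

  volumes:
  - name: shared-logs
    emptyDir:
      sizeLimit: 64Mi       # an unbounded emptyDir lets the writer fill node disk

  containers:
  # Main application container: identical loop to the gist, but non-root,
  # with a read-only root filesystem (the log volume is its only writable path).
  - name: app-container
    image: alpine:3.19      # example pinned tag; pin by digest in production
    command: ["/bin/sh"]
    args: ["-c", "while true; do date >> /var/log/app.txt; sleep 5; done"]
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      requests: {cpu: 10m, memory: 16Mi}
      limits: {cpu: 50m, memory: 32Mi}
    volumeMounts:
    - name: shared-logs
      mountPath: /var/log

  # Sidecar container: nginx-unprivileged serves the logs on 8080 as non-root,
  # so no NET_BIND_SERVICE capability is needed and "drop: ALL" is safe.
  - name: sidecar-container
    image: nginxinc/nginx-unprivileged:stable   # tag is an example choice
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    resources:
      requests: {cpu: 10m, memory: 32Mi}
      limits: {cpu: 100m, memory: 64Mi}
    volumeMounts:
    - name: shared-logs
      mountPath: /usr/share/nginx/html
      readOnly: true        # the sidecar only reads logs; it must not be able
                            # to rewrite or delete the app's log file
```

Because the sidecar now runs as non-root, `apt-get install curl` inside it no longer works; instead run `kubectl port-forward pod/pod-with-sidecar-hardened 8080:8080` and fetch `http://localhost:8080/app.txt` from your workstation. The read-only mount is the security-relevant change: in the original spec, code execution in the nginx container (the component exposed to network clients) would also grant write access to the application's logs, which defeats the point of collecting them.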
Hello,
Now I am trying to use a pod user-assigned managed identity instead of a service principal. I am able to update the pod identity on my cluster, but now, while trying to create a ResourceGroup, I am getting the following error:
message: "DefaultAzureCredential: failed to acquire a token.\nAttempted credentials:\n\tEnvironmentCredential:
incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID
are set\n\tWorkloadIdentityCredential: no token file specified. Check pod
configuration or set TokenFilePath in the options\n\tManagedIdentityCredential:
managed identity timed out\n\tAzureCLICredential: fork/exec /bin/sh: no such
file or directory"
observedGeneration: 1
reason: UnknownError
Below are the steps I have performed on our private AKS cluster.
Step 1:
az aks update \
--resource-group dev \
--name dev-cluster \
--enable-managed-identity \
--assign-identity /subscriptions/aaaaaaaaaa/resourceGroups/dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dev-azureoperator
az aks update --enable-pod-identity --name dev-magenta-mlops-cluster --resource-group dev-magenta --enable-pod-identity-with-kubenet
export POD_IDENTITY_NAMESPACE=azureserviceoperator-system
export IDENTITY_RESOURCE_ID="/subscriptions/aaaaaaaaaa/resourceGroups/dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dev-azureoperator"
export POD_IDENTITY_NAME=az-pod-identity
az aks pod-identity add --resource-group dev --cluster-name dev-cluster --namespace ${POD_IDENTITY_NAMESPACE} --name ${POD_IDENTITY_NAME} --identity-resource-id ${IDENTITY_RESOURCE_ID}
Step 2: I have deployed Azure Operator using the v2 Helm charts:
helm upgrade --install azure-service-operator . \
--create-namespace \
--namespace=azureserviceoperator-system \
--set azureSubscriptionID=aaaaaaa \
--set azureTenantID=aaaaaa \
--set azureClientID=<Manager Identiy Clientid> \
--set crdPattern='resources.azure.com/*;storage.azure.com/*;authorization.azure.com/*;managedidentity.azure.com/*'
Step 3: Here I was getting the above error.
Now I am trying to create resources on Azure:
apiVersion: resources.azure.com/v1beta20200601
kind: ResourceGroup
metadata:
name: dev-mlflow-rg
namespace: azureserviceoperator-system
spec:
location: Westeurope
kubectl create -f resource.yaml
To send a command to a container inside a pod that is not the default one (when there is more than one container), use -c "containerName". Example:
kubectl exec -it pod-with-sidecar -c sidecar-container -- ls -la /usr/share/nginx/html