
Support GKE AutoPilot clusters

Open swithinfoote opened this issue 4 years ago • 8 comments

Is your feature request related to a problem? Please describe.
Deployment to GKE Autopilot clusters is not currently supported.

Describe the solution you'd like
It would be great if we could deploy to our Autopilot clusters.

Describe alternatives you've considered
We can run a standard GKE cluster, which is working fine.

Additional context

Create an Autopilot cluster in GKE and attempt to deploy. Unfortunately this fails currently.

Output from px deploy command

px deploy --kubeconfig /Users/***/.kube/config
Pixie CLI

Running Cluster Checks:
 ✔    Kernel version > 4.14.0 
 ✔    Cluster type is supported 
 ✔    K8s version > 1.12.0 
 ✔    Kubectl > 1.10.0 is present 
 ✔    User can create namespace 
 ✔    Cluster type is in list of known supported types 
Installing version: 0.7.12
Generating YAMLs for Pixie
Deploying Pixie to the following cluster: ***-autopilot
Is the cluster correct? (y/n) [y] : 
Found 5 nodes
 ✔    Creating namespace 
 ✔    Deleting stale Pixie objects, if any 
 ✔    Deploying secrets and configmaps 
 ✔    Deploying dependencies: NATS 
 ✕    Deploying Cloud Connector  ERR: admission webhook "validation.gatekeeper.sh" denied the request: [denied by autogke-no-write-mode-hostpath] hostPath volume sys used in container app uses path /sys which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: ["/var/log/"]. Requesting user: <***> and groups: <["system:authenticated"]>
FATA[0153] Failed to deploy Vizier                       error="admission webhook \"validation.gatekeeper.sh\" denied the request: [denied by autogke-no-write-mode-hostpath] hostPath volume sys used in container app uses path /sys which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [\"/var/log/\"]. Requesting user: <***> and groups: <[\"system:authenticated\"]>"

swithinfoote avatar Jun 01 '21 21:06 swithinfoote
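A pre-flight check for the restriction quoted in the error above, added here as an example (it is not part of this issue or of the Pixie project): it walks rendered manifests (JSON as produced by kubectl -o json, or YAML already loaded into dicts) and reports every hostPath volume whose path falls outside Autopilot's allowed prefixes, together with the containers that mount it. The sample manifests and their names are constructed; only the volume "sys", the path /sys and the container "app" mirror the denial message.

```python
import json
import posixpath

# Allowed hostPath prefixes, as listed in the Autopilot denial message above.
AUTOPILOT_HOSTPATH_PREFIXES = ["/var/log/"]


def _pod_spec(obj):
    """PodSpec of a Pod, or of the pod template in a Deployment/DaemonSet/Job."""
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def _path_allowed(path, prefixes):
    # Normalise first so "/var/log/../../etc" cannot slip past a prefix match; a
    # prefix only matches whole path components (assumption: the directory itself counts).
    norm = posixpath.normpath(path) + "/"
    return any(norm.startswith(posixpath.normpath(p) + "/") for p in prefixes)


def find_disallowed_hostpaths(manifests, prefixes=AUTOPILOT_HOSTPATH_PREFIXES):
    """Return (kind/name, volume, hostPath, containers) for each disallowed hostPath."""
    findings = []
    for obj in manifests:
        spec = _pod_spec(obj)
        users = {}  # volume name -> containers (incl. init containers) mounting it
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for m in c.get("volumeMounts", []):
                users.setdefault(m["name"], []).append(c["name"])
        for vol in spec.get("volumes", []):
            hp = vol.get("hostPath")
            if hp and not _path_allowed(hp.get("path", ""), prefixes):
                ident = f'{obj.get("kind")}/{obj.get("metadata", {}).get("name")}'
                findings.append((ident, vol["name"], hp["path"], users.get(vol["name"], [])))
    return findings


# Constructed sample (not the real Pixie YAML): the first object reproduces the
# rejected volume from the error; the second stays inside the allowed prefix.
SAMPLE_MANIFESTS = json.loads("""[
 {"kind": "Deployment", "metadata": {"name": "cloud-connector-sample"},
  "spec": {"template": {"spec": {
   "containers": [{"name": "app", "volumeMounts": [{"name": "sys", "mountPath": "/sys"}]}],
   "volumes": [{"name": "sys", "hostPath": {"path": "/sys"}}]}}}},
 {"kind": "DaemonSet", "metadata": {"name": "log-reader-sample"},
  "spec": {"template": {"spec": {
   "containers": [{"name": "reader", "volumeMounts": [{"name": "logs", "mountPath": "/logs"}]}],
   "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/pods"}}]}}}}
]""")

if __name__ == "__main__":
    for kind_name, vol, path, containers in find_disallowed_hostpaths(SAMPLE_MANIFESTS):
        print(f"{kind_name}: hostPath volume {vol!r} ({path}) mounted by {containers} is not allowed")
```

Running it against the output of `px deploy --extract_yaml` (or any rendered manifest converted to JSON) flags the offending volumes before the admission webhook does, which is the only feedback Autopilot otherwise gives.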

GKE Autopilot has restrictions that make it currently incompatible with BPF:

https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview?_ga=2.142566970.-940892016.1612382046#host_options_restrictions

We need access to the host namespaces, and Autopilot does not currently allow that.

oazizi000 avatar Jun 02 '21 18:06 oazizi000

@oazizi000 @swithinfoote - feel free to ping me directly and we can chat about how we can enable this for Autopilot.

mastersingh24 avatar Oct 18 '21 22:10 mastersingh24

@mastersingh24 That'd be awesome! Can you join the Pixie community slack? pixie-community.slack.com

oazizi000 avatar Oct 19 '21 20:10 oazizi000

@mastersingh24 That'd be awesome! Can you join the Pixie community slack? pixie-community.slack.com

Done

mastersingh24 avatar Oct 20 '21 13:10 mastersingh24

Looks like they published eBPF support. Not sure if the limitations originally mentioned by @oazizi000 are still present. https://cloud.google.com/blog/products/containers-kubernetes/ip-masquerading-and-ebpf-are-now-in-gke-autopilot

sourcec0de avatar Mar 10 '24 03:03 sourcec0de