Viewing Config Sync logs

Config Sync follows the same logging conventions as Kubernetes. By default, logging verbosity is set to 2.

On each enrolled cluster, multiple Deployments run in Pods in the config-management-system namespace. Each of these Deployments represents a different subsystem, as indicated by the name of the Deployment.

  • git-importer: imports configs found in the repo into the cluster as CustomResourceDefinitions (CRDs)
  • monitor: Exposes monitoring and metrics endpoints
  • syncer: Ensures that the cluster's configuration is kept in sync with the CRDs created by the git-importer

Even though tasks are divided by Deployment, you cannot query a Deployment's logs. However, you can use a label selector. Each Deployment has a label selector app=[Deployment name].

Use a Deployment's label selector to view its logs. The following example shows the logs for the syncer Deployment.

kubectl logs --namespace config-management-system -l app=syncer

The git-importer Pod has two different containers, importer and git-sync. To view the logs for only one of these containers, specify it with the -c option. The following example shows the logs for the importer container:

kubectl logs --namespace=config-management-system \
  -l app=git-importer \
  -c importer

Changing logging verbosity

The default logging verbosity is 2. If you need to increase the verbosity for debugging, follow these steps.

  1. Edit the config-management-operator Deployment:

    kubectl edit deployment -n=kube-system config-management-operator
    

    In the interactive editor, change the value of replicas to 0. This prevents the Operator from reverting the changes you make below.

  2. Get a list of all Deployments related to Config Sync. The names of the Deployments, and the number of Deployments, are both subject to change.

    kubectl get deployments -n=config-management-system
    
  3. For each Deployment you are debugging or monitoring, edit the object. Replace syncer with the name of the Deployment you want to change.

    kubectl edit deployment syncer
    
  4. After modifying all the relevant Deployments, edit the config-management-operator object again and set replicas to 1.

    kubectl get deployments -n=config-management-system
    

When you are finished debugging, you may want to reduce the verbosity of the logs back to 2, to conserve disk space on your nodes. To do that, follow the procedure again, setting the value to 2.

Finding the Git commit that updated an object

When the Operator applies a change to a Kubernetes object because of an update to the repo, the hash for the Git commit is stored in the configmanagement.gke.io/sync-token annotation. To view this hash, use kubectl get:

kubectl get clusterrolebinding namespace-readers -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{"configmanagement.gke.io/managed":"enabled","configmanagement.gke.io/cluster-name":"config-management-cluster","configmanagement.gke.io/source-path":"cluster/namespace-reader-clusterrolebinding.yaml","configmanagement.gke.io/sync-token":"5edf7fda0cfccc351adfa2811954c80c812c26c5"},"creationTimestamp":null,"name":"namespace-readers"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"namespace-reader"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"cheryl@foo-corp.com"}]}
    configmanagement.gke.io/managed: enabled
    configmanagement.gke.io/cluster-name: config-management-cluster
    configmanagement.gke.io/source-path: cluster/namespace-reader-clusterrolebinding.yaml
    configmanagement.gke.io/sync-token: 5edf7fda0cfccc351adfa2811954c80c812c26c5
  creationTimestamp: 2019-02-11T19:39:37Z
  name: namespace-readers
  resourceVersion: "6301538"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/namespace-readers
  uid: c45257a4-2e34-11e9-8a5e-42010a800134
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: cheryl@foo-corp.com

You can then use commands such as git show [HASH] to view information about the commit.

What's next