Set up GKE Dataplane V2 observability


This page shows you how to configure a Google Kubernetes Engine (GKE) cluster with GKE Dataplane V2 observability, available from GKE version 1.28 onward. For more information about the benefits and requirements of GKE Dataplane V2 observability, see About GKE Dataplane V2 observability.

Before you begin

Before you begin, make sure that you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.

Configure GKE Dataplane V2 metrics

To collect metrics, you must configure GKE Dataplane V2 metrics. You can configure GKE Dataplane V2 metrics when you create a cluster or when you update a cluster that is running GKE Dataplane V2. You can enable or disable GKE Dataplane V2 metrics by using the gcloud CLI.

We recommend that you enable both GKE Dataplane V2 metrics and Google Cloud Managed Service for Prometheus in your GKE cluster. When both are enabled, GKE Dataplane V2 metrics are sent to Google Cloud Managed Service for Prometheus.

Create an Autopilot cluster with GKE Dataplane V2 metrics enabled

When you create a new GKE Autopilot cluster, GKE enables GKE Dataplane V2 metrics in that cluster by default; no specific flag is required.

To use the GKE Dataplane V2 metrics of a GKE Autopilot cluster with Google Cloud Managed Service for Prometheus, configure a ClusterPodMonitoring resource to scrape the metrics and send them to Google Cloud Managed Service for Prometheus.

  1. Create the ClusterPodMonitoring manifest:

    # Copyright 2023 Google LLC
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #     https://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    
    apiVersion: monitoring.googleapis.com/v1
    kind: ClusterPodMonitoring
    metadata:
      name: advanced-datapath-observability-metrics
    spec:
      selector:
        matchLabels:
          k8s-app: cilium
      endpoints:
      - port: flowmetrics
        interval: 60s
        metricRelabeling:
        # only keep denormalized pod flow metrics
        - sourceLabels: [__name__]
          regex: 'pod_flow_(ingress|egress)_flows_count'
          action: keep
        # extract pod name
        - sourceLabels: [__name__, destination]
          regex: 'pod_flow_ingress_flows_count;([a-zA-Z0-9-\.]+)/([a-zA-Z0-9-\.]+)'
          replacement: '${2}'
          targetLabel: pod_name
          action: replace
        - sourceLabels: [__name__, source]
          regex: 'pod_flow_egress_flows_count;([a-zA-Z0-9-\.]+)/([a-zA-Z0-9-\.]+)'
          replacement: '${2}'
          targetLabel: pod_name
          action: replace
        # extract workload name by removing 2 last "-XXX" parts
        - sourceLabels: [pod_name]
          regex: '([a-zA-Z0-9-\.]+)((-[a-zA-Z0-9\.]+){2})'
          replacement: '${1}'
          targetLabel: workload_name
          action: replace
        # extract workload name by removing one "-XXX" part when pod name has only 2 parts (eg. daemonset)
        - sourceLabels: [pod_name]
          regex: '([a-zA-Z0-9\.]+)((-[a-zA-Z0-9\.]+){1})'
          replacement: '${1}'
          targetLabel: workload_name
          action: replace
        # extract pod namespace
        - sourceLabels: [__name__, destination]
          regex: 'pod_flow_ingress_flows_count;([a-zA-Z0-9-\.]+)/([a-zA-Z0-9-\.]+)'
          replacement: '${1}'
          targetLabel: namespace_name
          action: replace
        - sourceLabels: [__name__, source]
          regex: 'pod_flow_egress_flows_count;([a-zA-Z0-9-\.]+)/([a-zA-Z0-9-\.]+)'
          replacement: '${1}'
          targetLabel: namespace_name
          action: replace
        # extract remote workload name
        - sourceLabels: [__name__, source]
          regex: 'pod_flow_ingress_flows_count;([a-zA-Z0-9-\.]+)/([a-zA-Z0-9-\.]+)'
          replacement: '${2}'
          targetLabel: remote_workload
          action: replace
        - sourceLabels: [__name__, destination]
          regex: 'pod_flow_egress_flows_count;([a-zA-Z0-9-\.]+)/([a-zA-Z0-9-\.]+)'
          replacement: '${2}'
          targetLabel: remote_workload
          action: replace
        # extract remote workload namespace
        - sourceLabels: [__name__, source]
          regex: 'pod_flow_ingress_flows_count;([a-zA-Z0-9-\.]+)/([a-zA-Z0-9-\.]+)'
          replacement: '${1}'
          targetLabel: remote_namespace
          action: replace
        - sourceLabels: [__name__, destination]
          regex: 'pod_flow_egress_flows_count;([a-zA-Z0-9-\.]+)/([a-zA-Z0-9-\.]+)'
          replacement: '${1}'
          targetLabel: remote_namespace
          action: replace
        # default remote workload class to "pod"
        - replacement: 'pod'
          targetLabel: remote_class
          action: replace
        # extract remote workload class from reserved identity
        - sourceLabels: [__name__, source]
          regex: 'pod_flow_ingress_flows_count;reserved:([^/]*)'
          replacement: '${1}'
          targetLabel: remote_class
          action: replace
        - sourceLabels: [__name__, destination]
          regex: 'pod_flow_egress_flows_count;reserved:([^/]*)'
          replacement: '${1}'
          targetLabel: remote_class
          action: replace
      targetLabels:
        metadata: []
    
  2. Apply the ClusterPodMonitoring manifest:

    kubectl apply -f ClusterPodMonitoring.yaml
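
The metricRelabeling rules in the manifest above derive pod_name, workload_name, namespace_name and the remote_* labels from the source and destination labels of pod_flow_ingress_flows_count and pod_flow_egress_flows_count. The following added example (not part of this page or of GKE) re-implements the Prometheus relabeling semantics those rules rely on and runs them over constructed label sets, assuming source and destination carry the "namespace/pod" or "reserved:<identity>" shape that the manifest's regexes expect:

```python
import re

# Added example: Prometheus metricRelabeling semantics (sourceLabels joined with ';',
# anchored regex, ${n} expansion) applied to the manifest's rules. Sample series are
# constructed; source/destination are assumed to be "namespace/pod" or "reserved:<id>".
NAME = r'[a-zA-Z0-9-\.]+'                                            # namespace or pod name
IN_FLOW = r'pod_flow_ingress_flows_count;(%s)/(%s)' % (NAME, NAME)   # "<metric>;<ns>/<pod>"
OUT_FLOW = r'pod_flow_egress_flows_count;(%s)/(%s)' % (NAME, NAME)

# (sourceLabels, regex, replacement, targetLabel, action), in manifest order.
RULES = [
    (["__name__"], r'pod_flow_(ingress|egress)_flows_count', None, None, "keep"),
    (["__name__", "destination"], IN_FLOW, "${2}", "pod_name", "replace"),
    (["__name__", "source"], OUT_FLOW, "${2}", "pod_name", "replace"),
    # workload_name: strip two "-XXX" suffixes (Deployment pods), else one (e.g. DaemonSet pods)
    (["pod_name"], r'([a-zA-Z0-9-\.]+)((-[a-zA-Z0-9\.]+){2})', "${1}", "workload_name", "replace"),
    (["pod_name"], r'([a-zA-Z0-9\.]+)((-[a-zA-Z0-9\.]+){1})', "${1}", "workload_name", "replace"),
    (["__name__", "destination"], IN_FLOW, "${1}", "namespace_name", "replace"),
    (["__name__", "source"], OUT_FLOW, "${1}", "namespace_name", "replace"),
    (["__name__", "source"], IN_FLOW, "${2}", "remote_workload", "replace"),
    (["__name__", "destination"], OUT_FLOW, "${2}", "remote_workload", "replace"),
    (["__name__", "source"], IN_FLOW, "${1}", "remote_namespace", "replace"),
    (["__name__", "destination"], OUT_FLOW, "${1}", "remote_namespace", "replace"),
    ([], r'(.*)', "pod", "remote_class", "replace"),   # default: no source labels, always matches
    (["__name__", "source"], r'pod_flow_ingress_flows_count;reserved:([^/]*)', "${1}", "remote_class", "replace"),
    (["__name__", "destination"], r'pod_flow_egress_flows_count;reserved:([^/]*)', "${1}", "remote_class", "replace"),
]

def relabel(labels):
    """Apply RULES to one series' labels; return the new labels, or None if the series is dropped."""
    labels = dict(labels)
    for source, regex, replacement, target, action in RULES:
        # Prometheus joins the source label values with ';' (a missing label contributes "").
        value = ";".join(labels.get(name, "") for name in source)
        m = re.fullmatch(regex, value)  # Prometheus anchors the regex at both ends
        if action == "keep":
            if m is None:
                return None  # the series does not match the keep rule: dropped
        elif action == "replace" and m is not None:
            # Expand ${n} against the capture groups and write the target label.
            labels[target] = re.sub(r'\$\{(\d+)\}', lambda g: m.group(int(g.group(1))), replacement)
    return labels

# Constructed samples: an ingress flow into the "checkout" Deployment from "frontend",
# and an egress flow from "checkout" to the reserved "world" identity.
INGRESS = {"__name__": "pod_flow_ingress_flows_count",
           "source": "default/frontend-7d9c4b6f9-x2k7q",
           "destination": "shop/checkout-5f6d8c7b9-abcde"}
EGRESS = {"__name__": "pod_flow_egress_flows_count",
          "source": "shop/checkout-5f6d8c7b9-abcde",
          "destination": "reserved:world"}

if __name__ == "__main__":
    for sample in (INGRESS, EGRESS):
        print({k: v for k, v in relabel(sample).items() if k not in sample})
```

Running it prints the labels the rules add to each sample, so you can check how your own pod names are split into workload names before the metrics reach Google Cloud Managed Service for Prometheus.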
    

Create a Standard cluster with GKE Dataplane V2 metrics enabled

To enable GKE Dataplane V2 metrics, create a cluster with the --enable-dataplane-v2-metrics flag:

gcloud container clusters create CLUSTER_NAME \
    --enable-dataplane-v2 \
    --enable-ip-alias \
    --enable-managed-prometheus \
    --enable-dataplane-v2-metrics

Replace the following:

  • CLUSTER_NAME: the name of your cluster.

The --enable-managed-prometheus flag instructs GKE to use Google Cloud Managed Service for Prometheus for the metrics.

Enable GKE Dataplane V2 metrics on an existing cluster

To enable GKE Dataplane V2 metrics on an existing cluster, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --enable-dataplane-v2-metrics

Replace CLUSTER_NAME with the name of your cluster.

Disable GKE Dataplane V2 metrics

To disable GKE Dataplane V2 metrics:

gcloud container clusters update CLUSTER_NAME \
    --disable-dataplane-v2-metrics

Replace CLUSTER_NAME with the name of your cluster.

Configure GKE Dataplane V2 observability tools

You can use private endpoints to access the GKE Dataplane V2 observability troubleshooting tools. To enable the GKE Dataplane V2 observability tools, you must have a cluster that is configured with GKE Dataplane V2. You can enable the GKE Dataplane V2 observability tools on a new cluster or on an existing cluster.

Create an Autopilot cluster with observability enabled

To create a GKE Autopilot cluster with GKE Dataplane V2 observability enabled:

gcloud container clusters create-auto CLUSTER_NAME \
    --enable-dataplane-v2-flow-observability

Replace CLUSTER_NAME with the name of your cluster.

Create a Standard cluster with observability enabled

To create a GKE Standard cluster with GKE Dataplane V2 observability enabled:

gcloud container clusters create CLUSTER_NAME \
    --enable-dataplane-v2 \
    --enable-ip-alias \
    --enable-dataplane-v2-flow-observability

Replace CLUSTER_NAME with the name of your cluster.

Enable GKE Dataplane V2 observability tools on an existing cluster

To enable GKE Dataplane V2 observability on an existing cluster, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --enable-dataplane-v2-flow-observability

Replace CLUSTER_NAME with the name of your cluster.

Disable GKE Dataplane V2 observability tools

To disable the GKE Dataplane V2 observability tools on an existing cluster, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --disable-dataplane-v2-flow-observability

Replace CLUSTER_NAME with the name of your cluster.

How to use the Hubble CLI

Use the Hubble CLI tool in the cluster after you enable the GKE Dataplane V2 observability feature.

  1. Define an alias for the hubble-cli binary:

    alias hubble="kubectl exec -it -n gke-managed-dpv2-observability deployment/hubble-relay -c hubble-cli -- hubble"
    
  2. To check the Hubble status when the GKE Dataplane V2 observability feature is enabled, use the Hubble CLI in any Autopilot cluster:

    hubble status
    
  3. To view the current traffic, use the Hubble CLI as follows:

    hubble observe
    

How to deploy the Hubble UI binary distribution

After GKE Dataplane V2 observability is enabled, you can deploy the open source Hubble UI.

  1. Enable observability in the GKE cluster:

    1. Create a GKE cluster with observability enabled:

      gcloud container clusters create-auto hubble-rc-auto \
          --location COMPUTE_LOCATION \
          --cluster-version VERSION \
          --enable-dataplane-v2-flow-observability
      

      Replace the following:

    2. Alternatively, enable observability on an existing cluster:

      gcloud container clusters update CLUSTER_NAME \
          --location COMPUTE_LOCATION \
          --enable-dataplane-v2-flow-observability
      

      Replace the following:

  2. Configure kubectl to connect to the cluster:

    gcloud container clusters get-credentials CLUSTER_NAME \
        --location COMPUTE_LOCATION
    

    Replace the following:

  3. Deploy the Hubble UI:

    # Copyright 2024 Google LLC
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #     https://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: hubble-ui
      namespace: gke-managed-dpv2-observability
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: hubble-ui
      labels:
        app.kubernetes.io/part-of: cilium
    rules:
      - apiGroups:
          - networking.k8s.io
        resources:
          - networkpolicies
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - componentstatuses
          - endpoints
          - namespaces
          - nodes
          - pods
          - services
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - apiextensions.k8s.io
        resources:
          - customresourcedefinitions
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - cilium.io
        resources:
          - "*"
        verbs:
          - get
          - list
          - watch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: hubble-ui
      labels:
        app.kubernetes.io/part-of: cilium
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: hubble-ui
    subjects:
      - kind: ServiceAccount
        name: hubble-ui
        namespace: gke-managed-dpv2-observability
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: hubble-ui-nginx
      namespace: gke-managed-dpv2-observability
    data:
      nginx.conf: |
        server {
            listen       8081;
            # uncomment for IPv6
            # listen       [::]:8081;
            server_name  localhost;
            root /app;
            index index.html;
            client_max_body_size 1G;
            location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                # CORS
                add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS";
                add_header Access-Control-Allow-Origin *;
                add_header Access-Control-Max-Age 1728000;
                add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message;
                add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;
                if ($request_method = OPTIONS) {
                    return 204;
                }
                # /CORS
                location /api {
                    proxy_http_version 1.1;
                    proxy_pass_request_headers on;
                    proxy_hide_header Access-Control-Allow-Origin;
                    proxy_pass http://127.0.0.1:8090;
                }
                location / {
                    # double `/index.html` is required here
                    try_files $uri $uri/ /index.html /index.html;
                }
            }
        }
    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: hubble-ui
      namespace: gke-managed-dpv2-observability
      labels:
        k8s-app: hubble-ui
        app.kubernetes.io/name: hubble-ui
        app.kubernetes.io/part-of: cilium
    spec:
      replicas: 1
      selector:
        matchLabels:
          k8s-app: hubble-ui
      template:
        metadata:
          labels:
            k8s-app: hubble-ui
            app.kubernetes.io/name: hubble-ui
            app.kubernetes.io/part-of: cilium
        spec:
          securityContext:
            fsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          serviceAccount: hubble-ui
          serviceAccountName: hubble-ui
          containers:
            - name: frontend
              image: quay.io/cilium/hubble-ui:v0.11.0
              ports:
                - name: http
                  containerPort: 8081
              volumeMounts:
                - name: hubble-ui-nginx-conf
                  mountPath: /etc/nginx/conf.d/default.conf
                  subPath: nginx.conf
                - name: tmp-dir
                  mountPath: /tmp
              terminationMessagePolicy: FallbackToLogsOnError
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                runAsUser: 1000
                runAsGroup: 1000
                capabilities:
                  drop:
                    - all
            - name: backend
              image: quay.io/cilium/hubble-ui-backend:v0.11.0
              env:
                - name: EVENTS_SERVER_PORT
                  value: "8090"
                - name: FLOWS_API_ADDR
                  value: "hubble-relay.gke-managed-dpv2-observability.svc:443"
                - name: TLS_TO_RELAY_ENABLED
                  value: "true"
                - name: TLS_RELAY_SERVER_NAME
                  value: relay.gke-managed-dpv2-observability.svc.cluster.local
                - name: TLS_RELAY_CA_CERT_FILES
                  value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt
                - name: TLS_RELAY_CLIENT_CERT_FILE
                  value: /var/lib/hubble-ui/certs/client.crt
                - name: TLS_RELAY_CLIENT_KEY_FILE
                  value: /var/lib/hubble-ui/certs/client.key
              ports:
                - name: grpc
                  containerPort: 8090
              volumeMounts:
                - name: hubble-ui-client-certs
                  mountPath: /var/lib/hubble-ui/certs
                  readOnly: true
              terminationMessagePolicy: FallbackToLogsOnError
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                runAsUser: 1000
                runAsGroup: 1000
                capabilities:
                  drop:
                    - all
          volumes:
            - configMap:
                defaultMode: 420
                name: hubble-ui-nginx
              name: hubble-ui-nginx-conf
            - emptyDir: {}
              name: tmp-dir
            - name: hubble-ui-client-certs
              projected:
                # note: the leading zero means this number is in octal representation: do not remove it
                defaultMode: 0400
                sources:
                  - secret:
                      name: hubble-relay-client-certs
                      items:
                        - key: ca.crt
                          path: hubble-relay-ca.crt
                        - key: tls.crt
                          path: client.crt
                        - key: tls.key
                          path: client.key
    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: hubble-ui
      namespace: gke-managed-dpv2-observability
      labels:
        k8s-app: hubble-ui
        app.kubernetes.io/name: hubble-ui
        app.kubernetes.io/part-of: cilium
    spec:
      type: ClusterIP
      selector:
        k8s-app: hubble-ui
      ports:
        - name: http
          port: 80
          targetPort: 8081
    
  4. Apply the hubble-ui-128.yaml manifest:

    kubectl apply -f hubble-ui-128.yaml
    
  5. Expose the Service with port forwarding:

    kubectl -n gke-managed-dpv2-observability port-forward service/hubble-ui 16100:80 --address='0.0.0.0'
    
  6. Access the Hubble UI in your web browser:

    http://localhost:16100/

What's next