{"id":6515,"date":"2020-09-14T14:20:09","date_gmt":"2020-09-14T14:20:09","guid":{"rendered":"https:\/\/bluetab.netpiando-a-tu-kubernetes-con-kubewath\/"},"modified":"2020-09-14T14:20:09","modified_gmt":"2020-09-14T14:20:09","slug":"spying-on-your-kubernetes-with-kubewatch","status":"publish","type":"post","link":"https:\/\/bluetab.org\/en\/2020\/09\/spying-on-your-kubernetes-with-kubewatch\/","title":{"rendered":"Spying on your Kubernetes with Kubewatch"},"content":{"rendered":"<h1>Spying on your Kubernetes with Kubewatch<\/h1>\n<figure><a href=\"https:\/\/www.linkedin.com\/company\/bluetab-solutions\/?viewAsMember=true\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/10\/avatarP-bluetab.jpg.png\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/10\/avatarP-bluetab.jpg.png 300w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/10\/avatarP-bluetab.jpg-150x150.png 150w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/10\/avatarP-bluetab.jpg-75x75.png 75w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/figure>\n<h4><a href=\"https:\/\/www.linkedin.com\/company\/bluetab-solutions\/?viewAsMember=true\" target=\"_blank\" rel=\"noopener\">Bluetab<\/a><\/h4>\n<p>At\u00a0<strong>Cloud Practice<\/strong>\u00a0we aim to encourage adoption of the cloud as a way of working in the IT world. 
To help with this task, we are going to publish numerous articles on good practices and use cases, while others will cover key services within the cloud.<\/p>\n<p>This time we will talk about\u00a0<strong>Kubewatch<\/strong>.<\/p>\n<h2>What is Kubewatch?<\/h2>\n<p>Kubewatch is a utility developed by\u00a0<strong>Bitnami Labs<\/strong>\u00a0that watches a Kubernetes cluster for resource changes and sends notifications about them to various communication systems.<\/p>\n<p>Supported webhooks are:<\/p>\n<ul>\n<li><em>Slack<\/em><\/li>\n<li><em>Hipchat<\/em><\/li>\n<li><em>Mattermost<\/em><\/li>\n<li><em>Flock<\/em><\/li>\n<li><em>Webhook<\/em><\/li>\n<li><em>Smtp<\/em><\/li>\n<\/ul>\n<h3>Kubewatch integration with Slack<\/h3>\n<p>The available images are published in the\u00a0<a href=\"\/\/hub.docker.com\/r\/bitnami\/kubewatch\">bitnami\/kubewatch<\/a>\u00a0repository on Docker Hub.<\/p>\n<p>You can download the latest version to test it in your local environment:<\/p>\n<pre><code class='language-python'>$ docker pull bitnami\/kubewatch <\/code><\/pre>\n<p>Once inside the container, you can play with the options:<\/p>\n<pre><code class='language-python'>$ kubewatch -h\nKubewatch: A watcher for Kubernetes\nkubewatch is a Kubernetes watcher that publishes notifications\nto Slack\/hipchat\/mattermost\/flock channels. It watches the cluster\nfor resource changes and notifies them through webhooks.\nsupported webhooks:\n - slack\n - hipchat\n - mattermost\n - flock\n - webhook\n - smtp\nUsage:\n  kubewatch [flags]\n  kubewatch [command]\nAvailable Commands:\n  config      modify kubewatch configuration\n  resource    manage resources to be watched\n  version     print version\nFlags:\n  -h, --help   help for kubewatch\nUse &quot;kubewatch [command] --help&quot; for more information about a command. 
<\/code><\/pre>\n<h3>For what types of resources can you get notifications?<\/h3>\n<ul>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/deployment\/\">Deployments<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/replicationcontroller\/\">Replication controllers<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/replicaset\/\">ReplicaSets<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/daemonset\/\">DaemonSets<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/services-networking\/service\/\">Services<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/pod\/\">Pods<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/job\/\">Jobs<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/\">Secrets<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/configure-pod-configmap\/\">ConfigMaps<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/storage\/persistent-volumes\/\">Persistent volumes<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/overview\/working-with-objects\/namespaces\/\">Namespaces<\/a><\/li>\n<li><a href=\"\/\/kubernetes.io\/docs\/concepts\/services-networking\/ingress-controllers\/\">Ingress controllers<\/a><\/li>\n<\/ul>\n<h3>When will you receive a notification?<\/h3>\n<p>As soon as there is an action on a Kubernetes object, such as 
creation, destruction or updating.<\/p>\n<h3>Configuration<\/h3>\n<p>First, create a Slack channel and associate a webhook with it. To do this, go to the Apps section of Slack, search for \u201c<strong>Incoming WebHooks<\/strong>\u201d and press \u201cAdd to Slack\u201d:<\/p>\n<p><img decoding=\"async\" width=\"1024\" height=\"378\" src=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_add_incoming_webhooks-1024x378.png\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_add_incoming_webhooks-1024x378.png 1024w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_add_incoming_webhooks-300x111.png 300w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_add_incoming_webhooks-768x284.png 768w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_add_incoming_webhooks.png 1381w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>If there is no channel created for this purpose, register a new one:<\/p>\n<p><img decoding=\"async\" width=\"551\" height=\"540\" src=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_create_channel.png\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_create_channel.png 551w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_create_channel-300x294.png 300w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_create_channel-75x75.png 75w\" sizes=\"(max-width: 551px) 100vw, 551px\" \/><\/p>\n<p>In this example, the channel to be created will be called\u00a0<strong>\u201ck8s-notifications\u201d<\/strong>. Then configure the webhook in the \u201cIncoming WebHooks\u201d panel by adding a new configuration, where you will need to select the name of the channel to which you want to send notifications. Once selected, the configuration will return a \u201c<strong>Webhook URL<\/strong>\u201d that will be used to configure Kubewatch. 
Optionally, you can select the icon (\u201c<strong>Customize Icon<\/strong>\u201d option) that will be shown on the events and the name with which they will arrive (\u201c<strong>Customize Name<\/strong>\u201d option).<\/p>\n<p><img decoding=\"async\" width=\"1024\" height=\"654\" src=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_configure_webhook-1024x654.png\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_configure_webhook-1024x654.png 1024w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_configure_webhook-300x192.png 300w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_configure_webhook-768x491.png 768w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_configure_webhook.png 1387w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>You are now ready to configure the Kubernetes resources. There are some example manifests, and also the option of installing with\u00a0<a href=\"\/\/helm.sh\/docs\/intro\/install\/\">Helm<\/a>, on the\u00a0<a href=\"\/\/github.com\/bitnami-labs\/kubewatch\">Kubewatch GitHub<\/a>. However, here we will build our own.<\/p>\n<p>First, create a file \u201ckubewatch-configmap.yml\u201d with the ConfigMap that will be used to configure the Kubewatch container:<\/p>\n<pre><code class='language-python'>apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: kubewatch\ndata:\n  .kubewatch.yaml: |\n    handler:\n      webhook:\n        url: https:\/\/hooks.slack.com\/services\/&lt;your_webhook&gt;\n    resource:\n      deployment: true\n      replicationcontroller: true\n      replicaset: false\n      daemonset: true\n      services: true\n      pod: false\n      job: false\n      secret: true\n      configmap: true\n      persistentvolume: true\n      namespace: false <\/code><\/pre>\n<p>You simply need to enable the types of resources on which you wish to receive notifications with\u00a0<strong>\u201ctrue\u201d<\/strong>\u00a0or 
disable them with\u00a0<strong>\u201cfalse\u201d<\/strong>. Also set the URL of the Incoming WebHook registered previously.<\/p>\n<p>Now, for your container to have access to the Kubernetes resources through its\u00a0<a href=\"\/\/kubernetes.io\/docs\/concepts\/overview\/kubernetes-api\/\">API<\/a>, create the\u00a0<strong>\u201ckubewatch-service-account.yml\u201d<\/strong>\u00a0file with a Service Account, a Cluster Role and a Cluster Role Binding:<\/p>\n<pre><code class='language-python'>kind: ClusterRole\napiVersion: rbac.authorization.k8s.io\/v1\nmetadata:\n  name: kubewatch\nrules:\n# Read-only verbs for the watched kinds. pods\/exec and deployments\/scale are subresources\n# that cannot be listed or watched, so they can be dropped for least privilege.\n- apiGroups: [&quot;*&quot;]\n  resources: [&quot;pods&quot;, &quot;pods\/exec&quot;, &quot;replicationcontrollers&quot;, &quot;namespaces&quot;, &quot;deployments&quot;, &quot;deployments\/scale&quot;, &quot;services&quot;, &quot;daemonsets&quot;, &quot;secrets&quot;, &quot;configmaps&quot;, &quot;replicasets&quot;, &quot;persistentvolumes&quot;]\n  verbs: [&quot;get&quot;, &quot;watch&quot;, &quot;list&quot;]\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kubewatch\n  namespace: default\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: kubewatch\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: kubewatch\nsubjects:\n  - kind: ServiceAccount\n    name: kubewatch\n    namespace: default <\/code><\/pre>\n<p>Finally, create a\u00a0<strong>\u201ckubewatch.yml\u201d<\/strong>\u00a0file to deploy the application:<\/p>\n<pre><code class='language-python'>apiVersion: v1\nkind: Pod\nmetadata:\n  name: kubewatch\n  namespace: default\nspec:\n  serviceAccountName: kubewatch\n  containers:\n  - image: bitnami\/kubewatch:0.0.4\n    imagePullPolicy: Always\n    name: kubewatch\n    envFrom:\n      - configMapRef:\n          name: kubewatch\n    volumeMounts:\n    - name: config-volume\n      mountPath: \/opt\/bitnami\/kubewatch\/.kubewatch.yaml\n      subPath: .kubewatch.yaml\n  - image: bitnami\/kubectl:1.16.3\n    args:\n    
  - proxy\n      - &quot;-p&quot;\n      - &quot;8080&quot;\n    name: proxy\n    imagePullPolicy: Always\n  restartPolicy: Always\n  volumes:\n  - name: config-volume\n    configMap:\n      name: kubewatch\n      defaultMode: 0755 <\/code><\/pre>\n<p>The value of the \u201c<strong>mountPath<\/strong>\u201d key is the file path where the configuration from your ConfigMap will be written within the container (<strong>\/opt\/bitnami\/kubewatch\/.kubewatch.yaml<\/strong>). You can read more about how to mount configurations in Kubernetes\u00a0<a href=\"\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/configure-pod-configmap\/\">here<\/a>. In this example, the application is deployed as a single pod. Obviously, in a production system you would need to define a Deployment with the number of replicas considered appropriate to keep it active, even in case of loss of the pod.<\/p>\n<p>Once the manifests are ready,\u00a0<a href=\"\/\/kubectl.docs.kubernetes.io\/pages\/app_management\/apply.html\">apply them<\/a>\u00a0to your cluster:<\/p>\n<pre><code class='language-python'>$ kubectl apply  -f kubewatch-configmap.yml -f kubewatch-service-account.yml -f kubewatch.yml <\/code><\/pre>\n<p>The service will be ready in a few seconds:<\/p>\n<pre><code class='language-python'>$ kubectl get pods |grep -w kubewatch\nkubewatch                                  2\/2     Running     0          1m <\/code><\/pre>\n<p>The Kubewatch pod has two containers:\u00a0<strong>kubewatch<\/strong>\u00a0and\u00a0<strong>proxy<\/strong>, the latter running kubectl proxy to connect to the API.<\/p>\n<pre><code class='language-python'>$   kubectl get pod kubewatch  -o jsonpath='{.spec.containers[*].name}'\nkubewatch proxy <\/code><\/pre>\n<p>Check through the logs that the two containers have started up correctly and without error messages:<\/p>\n<pre><code class='language-python'>$ kubectl logs kubewatch kubewatch\n==&gt; Config file 
exists...\nlevel=info msg=&quot;Starting kubewatch controller&quot; pkg=kubewatch-daemonset\nlevel=info msg=&quot;Starting kubewatch controller&quot; pkg=kubewatch-service\nlevel=info msg=&quot;Starting kubewatch controller&quot; pkg=&quot;kubewatch-replication controller&quot;\nlevel=info msg=&quot;Starting kubewatch controller&quot; pkg=&quot;kubewatch-persistent volume&quot;\nlevel=info msg=&quot;Starting kubewatch controller&quot; pkg=kubewatch-secret\nlevel=info msg=&quot;Starting kubewatch controller&quot; pkg=kubewatch-deployment\nlevel=info msg=&quot;Starting kubewatch controller&quot; pkg=kubewatch-namespace\n... <\/code><\/pre>\n<pre><code class='language-python'>$ kubectl logs kubewatch proxy\nStarting to serve on 127.0.0.1:8080 <\/code><\/pre>\n<p>You could also access the Kubewatch container to test the CLI, view the configuration, etc.:<\/p>\n<pre><code class='language-python'>$  kubectl exec -it kubewatch -c kubewatch -- \/bin\/bash <\/code><\/pre>\n<h3>Your event notifier is now ready!<\/h3>\n<p>Now you need to test it. 
Let\u2019s use the creation of a deployment as an example to test proper operation:<\/p>\n<pre><code class='language-python'>$ kubectl create deployment nginx-testing --image=nginx\n$ kubectl logs -f  kubewatch kubewatch\nlevel=info msg=&quot;Processing update to deployment: default\/nginx-testing&quot; pkg=kubewatch-deployment <\/code><\/pre>\n<p>The logs now show that the new event has been detected, so go to your Slack channel to confirm it:<\/p>\n<p><img decoding=\"async\" width=\"1024\" height=\"89\" src=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_show_notification-1024x89.png\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_show_notification-1024x89.png 1024w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_show_notification-300x26.png 300w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_show_notification-768x67.png 768w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_show_notification-1536x134.png 1536w, https:\/\/bluetab.net\/wp-content\/uploads\/2020\/09\/slack_show_notification.png 1546w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h3>The event has been successfully reported!<\/h3>\n<p>Now you can delete the test deployment:<\/p>\n<pre><code class='language-python'>$ kubectl delete deploy nginx-testing <\/code><\/pre>\n<h3>Conclusions<\/h3>\n<p>Obviously, Kubewatch does not replace the basic alerting and monitoring systems that all production orchestrators need to maintain, but it does provide an easy and effective way to\u00a0<strong>extend control<\/strong>\u00a0over the creation and modification of\u00a0<strong>resources in Kubernetes<\/strong>. 
In this example we configured Kubewatch across the whole cluster,\u00a0<strong>\u201cspying\u201d<\/strong>\u00a0on all kinds of events. Some of these are perhaps useless if the platform is maintained as a service: we would be notified of every pod created, removed or updated by each development team in its own namespace, which is common and legitimate activity and does not add value. It may be more appropriate to\u00a0<strong>filter<\/strong>\u00a0by the namespaces for which you wish to receive notifications, such as\u00a0<a href=\"\/\/kubernetes.io\/docs\/concepts\/overview\/working-with-objects\/namespaces\/\">kube-system<\/a>, which is where we generally host administrative services and where only administrators should have access. In that case, you would simply need to specify the\u00a0<strong>namespace<\/strong>\u00a0in your ConfigMap:<\/p>\n<pre><code class='language-python'>apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: kubewatch\ndata:\n  .kubewatch.yaml: |\n    namespace: &quot;kube-system&quot;\n    handler:\n      webhook:\n        url: https:\/\/hooks.slack.com\/services\/&lt;your_webhook&gt;\n    resource:\n      deployment: true\n      replicationcontroller: true\n      replicaset: false <\/code><\/pre>\n<p>Another interesting use may be to \u201clisten\u201d to our cluster after a\u00a0<strong>significant configuration adjustment<\/strong>, such as a change to our\u00a0<strong>autoscaling strategy<\/strong>, integration tools and so on, as it will always notify us of the scale-ups and scale-downs, which could be especially useful initially. In short, Kubewatch extends control over clusters, and we decide the scope we give it. 
In later articles we will look at how to manage logs and metrics productively.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Spying on your Kubernetes with Kubewatch Bluetab Share on twitter Share on linkedin At\u00a0Cloud Practice\u00a0we aim to encourage adoption of the cloud as a way of working in the IT world. To help with this task, we are going to publish numerous good practice articles and use cases and others will talk about those key 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":20774,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_header_footer","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7,29,30],"tags":[],"class_list":["post-6515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-es","category-practices-en","category-tech-en"],"acf":[],"jetpack_featured_media_url":"https:\/\/bluetab.org\/wp-content\/uploads\/2020\/09\/enlaces-linkedin-2.png","_links":{"self":[{"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/posts\/6515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/comments?post=6515"}],"version-history":[{"count":0,"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/posts\/6515\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/media\/20774"}],"wp:attachment":[{"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/media?parent=6515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/categories?post=6515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bluetab.org\/en\/wp-json\/wp\/v2\/tags?post=6515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}