Enable Kubectl logs/exec to debug pods on the edge

Prepare certs

  1. Make sure you can find the Kubernetes ca.crt and ca.key files. If you set up your Kubernetes cluster with kubeadm, those files are in the /etc/kubernetes/pki/ directory.

    ls /etc/kubernetes/pki/
  2. Set the CLOUDCOREIPS environment variable. It specifies the IP address of cloudcore, or the VIP if you have a highly available cluster.

    export CLOUDCOREIPS="192.168.0.139"

    (Warning: the rest of the procedure must be run in the same terminal; otherwise this command has to be typed again.) Check the environment variable with the following command:

    echo $CLOUDCOREIPS
  3. Generate the certificates for CloudStream on the cloud node. The generation script is not in /etc/kubeedge/, so copy it from the repository that was git cloned from GitHub. Change user to root:

    sudo su

    Copy the certificate generation script from the cloned repository:

    cp $GOPATH/src/github.com/kubeedge/kubeedge/build/tools/certgen.sh /etc/kubeedge/

    Change to the kubeedge directory:

    cd /etc/kubeedge/

    Generate the certificates with certgen.sh:

    /etc/kubeedge/certgen.sh stream

Set Iptables Rule

  1. Set iptables on the host. This command must be executed, as root, on every node where an apiserver is deployed (in this case, the master node).

    Run the following command on each host on which an apiserver runs:

    Note: Make sure the CLOUDCOREIPS environment variable is set.

    iptables -t nat -A OUTPUT -p tcp --dport 10350 -j DNAT --to $CLOUDCOREIPS:10003

    Ports 10003 and 10350 are the default ports for CloudStream and edgecore; use your own ports if you have changed them.

    If you are not sure which iptables rules are already set and want to clear all of them (a wrong iptables setup will lock you out of this feature), the following command flushes the filter, nat and mangle tables and deletes the user-defined chains:

    iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X

Update Configurations

  1. Update the cloudcore configuration to enable cloudStream.

    If cloudcore is installed as a binary, modify /etc/kubeedge/config/cloudcore.yaml directly with an editor. If cloudcore is running as a Kubernetes deployment, use kubectl edit cm -n kubeedge cloudcore to update cloudcore's ConfigMap.

    cloudStream:
      enable: true
      streamPort: 10003
      tlsStreamCAFile: /etc/kubeedge/ca/streamCA.crt
      tlsStreamCertFile: /etc/kubeedge/certs/stream.crt
      tlsStreamPrivateKeyFile: /etc/kubeedge/certs/stream.key
      tlsTunnelCAFile: /etc/kubeedge/ca/rootCA.crt
      tlsTunnelCertFile: /etc/kubeedge/certs/server.crt
      tlsTunnelPrivateKeyFile: /etc/kubeedge/certs/server.key
      tunnelPort: 10004
  2. Update the edgecore configuration to enable edgeStream.

    This modification needs to be done on every edge system where edgecore runs, updating /etc/kubeedge/config/cloudcore.yaml. Make sure the server address is the cloudcore IP (the same as $CLOUDCOREIPS).

    edgeStream:
      enable: true
      handshakeTimeout: 30
      readDeadline: 15
      server: 192.168.0.139:10004
      tlsTunnelCAFile: /etc/kubeedge/ca/rootCA.crt
      tlsTunnelCertFile: /etc/kubeedge/certs/server.crt
      tlsTunnelPrivateKeyFile: /etc/kubeedge/certs/server.key
      writeDeadline: 15
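As an added consistency check (not part of KubeEdge's own tooling), the following Python script parses the two configuration fragments above and verifies that edgeStream.server points at the cloudcore IP on the configured tunnelPort, that both sides are enabled and that every cloudStream certificate path is set; it also prints the DNAT rule the iptables step expects for the configured streamPort. The sample fragments and IP are constructed from the values shown in this guide.

```python
# Added preflight check, not part of KubeEdge: verifies that the cloudStream, edgeStream and DNAT settings agree.
import re

CLOUDCORE_IP = "192.168.0.139"  # constructed sample, same value as $CLOUDCOREIPS above
CLOUD_CFG = """cloudStream:
  enable: true
  streamPort: 10003
  tlsStreamCAFile: /etc/kubeedge/ca/streamCA.crt
  tlsStreamCertFile: /etc/kubeedge/certs/stream.crt
  tlsStreamPrivateKeyFile: /etc/kubeedge/certs/stream.key
  tlsTunnelCAFile: /etc/kubeedge/ca/rootCA.crt
  tlsTunnelCertFile: /etc/kubeedge/certs/server.crt
  tlsTunnelPrivateKeyFile: /etc/kubeedge/certs/server.key
  tunnelPort: 10004
"""
EDGE_CFG = """edgeStream:
  enable: true
  server: 192.168.0.139:10004
  tlsTunnelCAFile: /etc/kubeedge/ca/rootCA.crt
"""

def parse_section(text):
    """Read the flat 'key: value' lines of one section (minimal parser, not full YAML)."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s+(\w+):\s*(\S.*)$", text, re.MULTILINE)}

def dnat_rule(cloudcore_ip, stream_port, edge_port="10350"):
    """The OUTPUT-chain DNAT rule that must exist on every apiserver node."""
    return (f"iptables -t nat -A OUTPUT -p tcp --dport {edge_port} "
            f"-j DNAT --to {cloudcore_ip}:{stream_port}")

def preflight(cloud_cfg, edge_cfg, cloudcore_ip):
    """Return the list of mismatches; an empty list means the settings agree."""
    cloud, edge = parse_section(cloud_cfg), parse_section(edge_cfg)
    problems = []
    for name, section in (("cloudStream", cloud), ("edgeStream", edge)):
        if section.get("enable") != "true":
            problems.append(f"{name}.enable must be true")
    want = f"{cloudcore_ip}:{cloud.get('tunnelPort', '')}"  # edgecore dials cloudcore's tunnelPort
    if edge.get("server") != want:
        problems.append(f"edgeStream.server is {edge.get('server')!r}, expected {want!r}")
    for key in ("tlsStreamCAFile", "tlsStreamCertFile", "tlsStreamPrivateKeyFile",
                "tlsTunnelCAFile", "tlsTunnelCertFile", "tlsTunnelPrivateKeyFile"):
        if key not in cloud:
            problems.append(f"cloudStream.{key} is missing")
    return problems

if __name__ == "__main__":
    print(preflight(CLOUD_CFG, EDGE_CFG, CLOUDCORE_IP) or "stream settings consistent")
    print(dnat_rule(CLOUDCORE_IP, parse_section(CLOUD_CFG)["streamPort"]))
```

Run it with the real cloudcore.yaml and edgecore section contents pasted in; any reported mismatch should be fixed before the restart step.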

Restart

  1. Restart all cloudcore and edgecore instances to apply the Stream configuration.

    If cloudcore is installed as a binary:

    sudo systemctl restart cloudcore.service

    If cloudcore is running as a Kubernetes deployment:

    kubectl rollout restart deployment -n kubeedge cloudcore

    On every edge node where edgecore runs:

    sudo systemctl restart edgecore.service