AKS Periscope install failure

[dstampfli]

Hi, I'm trying to install AKS Periscope on a private cluster with egress through a firewall. Diagnostics settings for the cluster are configured and point to a storage account. When I try to run az aks kollect, I get the following error:

azureuser@jbl-vm1:~$ az aks kollect --name spoke1-aks --resource-group spoke1-vnet-rg
No storage account specified. Try getting storage account from diagnostic settings

This will deploy a daemon set to your cluster to collect logs and diagnostic information and save them to the storage account spoke1akslogs as outlined in http://aka.ms/AKSPeriscope.

If you share access to that storage account to Azure support, you consent to the terms outlined in http://aka.ms/DiagConsent.

Do you confirm? (y/N): y

Getting credentials for cluster spoke1-aks
Merged "spoke1-aks-admin" as current context in /tmp/tmpgfmwgfz_

Starts collecting diag info for cluster spoke1-aks

Cleaning up aks-periscope resources if existing
serviceaccount "aks-periscope-service-account" deleted
serviceaccount "default" deleted
configmap "containerlogs-config" deleted
configmap "kubeobjects-config" deleted
configmap "nodelogs-config" deleted
daemonset.extensions "aks-periscope" deleted
secret "azureblob-secret" deleted
secret "default-token-tgdh6" deleted
clusterrolebinding.rbac.authorization.k8s.io "aks-periscope-role-binding" deleted
clusterrolebinding.rbac.authorization.k8s.io "aks-periscope-role-binding-view" deleted
clusterrole.rbac.authorization.k8s.io "aks-periscope-role" deleted
diagnostic.aks-periscope.azure.github.com "aks-periscope-diagnostic-aks-nodepool1-36173997-vmss000000" deleted
diagnostic.aks-periscope.azure.github.com "aks-periscope-diagnostic-aks-nodepool1-36173997-vmss000002" deleted
customresourcedefinition.apiextensions.k8s.io "diagnostics.aks-periscope.azure.github.com" deleted

Deploying aks-periscope

The command failed with an unexpected error. Here is the traceback:

'NoneType' object has no attribute 'replace'
Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 206, in invoke
cmd_result = self.invocation.execute(args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 608, in execute
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 666, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 659, in _run_job
six.reraise(*sys.exc_info())
File "/opt/az/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 636, in _run_job
result = cmd_copy(params)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 306, in call
return self.handler(*args, **kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/init.py", line 493, in default_command_handler
return op(**command_args)
File "/home/azureuser/.azure/cliextensions/aks-preview/azext_aks_preview/custom.py", line 1442, in aks_kollect
normalized_fqdn = mc.fqdn.replace('.', '-')
AttributeError: 'NoneType' object has no attribute 'replace'

[Tatsinnit]

Cool, I tried replicating this but not able to generate the error mentioned above, unless you have some old version of az cli running. The error mentioned is not specific to Periscope but failure in the underlying aks-preview, I tried looking little deep and the failure in your machine is caused by NoneType object here this: https://github.com/Azure/azure-cli-extensions/blob/master/src/aks-preview/azext_aks_preview/custom.py#L1442

💡 Can you please share the specific steps how you are able to get the above error?

I have a feeling update az cli if its running on old version might help along with https://github.com/Azure/aks-periscope#user-guide removing and adding the aks-extension again.

cc: @JunSun17 , for anything extra which can be added.

Thanks heaps,

[dstampfli]

I tested from the same VM using another cluster that is not private (public API server endpoint) and I was able to get periscope installed. However, I still can't deploy to a private cluster with egress through a firewall. When I look at the pods in the aks-periscope namespace, they are in a error state. To reproduce, start with a private cluster and try installing periscope.

[Tatsinnit]

Update:

I think cli donot support or has gap in support of private cluster aks-preview.

As far as I can see by playing around with it, seem like even though via a jumpbox the private-cluster is pingable, there is no support from periscope or the aks-preview command via az-cli to handle managed client and its fully qualified names.

I will reach-out to few folks to get clarity, and update the document in this case (If that is the scenario).

Essentially from the cli point of view this jumpbox scenario on private DNS Zone is not getting correct qualified name hence the cli errors our in case of normal cluster this is not the case hence it works.

Surely there must be some network complexity in play here, will keep this thread updated further if I dig any information further for the storage.

Thanks,

[dstampfli]

Thanks @Tatsinnit for checking on this. As part of my testing, I also noted that I needed to open my firewall to allow access to "aksrepos.azurecr.io" on port 443. This is not mentioned here - https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic .

[Tatsinnit]

Just keeping this thread up-to-date:

Cool, to dig a little deeper, I have also opened an associated bug against az-cli-extension just to get full understanding, should be able to get to the bottom soon. Thanks.

Detail: Azure/azure-cli-extensions#1679

[dstampfli]

@Tatsinnit Thanks for your help. It looks like the fix for this was merged yesterday - Azure/azure-cli-extensions#1685. Not sure when a new release will be pushed but I will test as soon as it is available.

[Tatsinnit]

👍 All good @dstampfli , while playing with the whole thing I was able to replicate couple of other things which were relating to private cluster and team here collaborated across to fix all of those thing in 1 go.

Gist:

• I have tested this internal with our test acr and it worked from my jumpbox in same subnet as private-cluster.
• Once we have an official acr I can share documentation for direct deployment which you should be able to test.
• Fyi: I am unsure as to when the cli-extension repo release cycle is to use it via Kollect command (will update latter on this).

Thanks

[Tatsinnit]

#TLDR

💡 Note: The new acr image for periscope is out. With regards to the az-cli release this will go to release S-169 and S-170 which to me seems like in few week. (I will check what these time line means from az-cli release).

#DETAILED

To unblock any other user for private-cluster , I did this to test our periscope level changes and it worked for me.

Use Direct Kubectl apply deployment command:

• When user create private-cluster they should be aware how it works, I find this doc https://docs.microsoft.com/en-us/azure/aks/private-clusters and this section helpful https://docs.microsoft.com/en-us/azure/aks/private-clusters#options-for-connecting-to-the-private-cluster when I tried to replicate the above.
• Once user create a JumpBox VM in the same Subnet (mine was ubuntu) as their private cluster, which will guarantee that your Private-cluster is visible to that VM.
• Within that Jumpbox as sudo user, git clone the aks repo: https://github.com/Azure/aks-periscope
• Open deployment/aks-periscope.yaml file and add Base64 Encoded Account Name and Account Key this is positional here https://github.com/Azure/aks-periscope/blob/master/deployment/aks-periscope.yaml#L108 (Save and close the file in your jump box)
• Then run this command: https://github.com/Azure/aks-periscope/blob/master/docs/appendix.md For Example from my cloned repo I ran like this: kubectl apply -f deployment/aks-periscope.yaml

You will see output from periscope run and then check your storage account, I was successfully able to see a new container name > along with latest logs from my private-cluster

[Tatsinnit]

💡 Hiya: @dstampfli Can you you please check now, I think you need to update your az cli version and command should be hooked from az cli thanks.

[dstampfli]

@Tatsinnit I tested on 2 private clusters and it is working now!!! I tested using az aks kollect with a storage account configured in the RG's diagnostic settings. Thank you for your help!

[Tatsinnit]

Thank you so much for this loop back sounds awesome!! Closing this issue. 😊🙏