This feature provides an alternative to downloading a kubeconfig and installing kubectl locally. It opens a fully configured shell within a browser tab, equipped with kubectl and an associated kubeconfig. This convenient setup allows you to quickly access your Kubernetes clusters directly from the DuploCloud Portal, with no need for downloading or configuring files on your machine.

Enabling kubectl shell in the DuploCloud Platform

For EKS, kubectl is already enabled in the DuploCloud Platform. Once the EKS infrastructure is ready, you can navigate to Kubernetes -> Services in the DuploCloud platform and use the KubeCtl menu options to view the kubectl token, settings, and configuration details.

To set up the kubectl shell in DuploCloud for GKE and AKS users, see the links below.

• kubectl Shell for GKE

• kubectl Shell for AKS

Accessing kubectl Shell from the DuploCloud Portal

Use kubectl to access the Kubernetes cluster for your Tenant namespace.

1. From the Tenant list box, select the correct Tenant.

2. Navigate to Kubernetes -> Services.

3. Click on the Service name from the NAME column.

4. From the KubeCtl options, select KubeCtl Shell. A shell instance will launch, allowing you to interact with the Kubernetes cluster directly using kubectl commands.

Look at the following individual cloud provider-specific DuploCloud docs for a quick start that shows how to quickly launch a Kubernetes cluster, deploy a simple web app and expose it via Load Balancer.

• EKS Quick Start

• GKE Quick Start

• AKS Quick Start

kubectl is the command-line interface (CLI) for interacting with Kubernetes clusters. Use kubectl when you need more granular control and precision than what the DuploCloud portal provides. For further guidance on using kubectl, refer to the official Kubernetes documentation.

DuploCloud users have two primary options for using kubectl to interact with Kubernetes clusters:

• Download the kubeconfig and install kubectl locally. This setup allows full command-line access on your own machine and is ideal if you require persistent, scriptable access to Kubernetes resources.

• DuploCloud’s in-browser solution, where a preconfigured shell provides immediate access to kubectl without any local setup. This allows you to manage Kubernetes clusters from a browser tab, making it a quick and secure alternative to local configuration.

DuploCloud leverages Kubernetes as a foundational building block behind many managed Services.

How Kubernetes enables scaling and automation, boosting workload performance

DuploCloud supports Kubernetes Cluster enablement on all public cloud platforms so that you can work with many Kubernetes objects and components. This includes flexibility in choosing the instance type based on workload characteristics, such as compute or memory-intensive tasks and AI/ML workloads that may benefit from GPU instances. It's recommended to have a minimum disk capacity of 40GB per host to accommodate image sizes and application data.

Kubernetes and Low-Code/No-Code

Use the topics in this section to implement many Kubernetes features with little or no hard coding using DuploCloud's no-code/low-code approach. This encompasses configuring autoscaling for your EKS cluster based on CPU/memory usage through Horizontal Pod Autoscaler (HPA) or Auto Scaling Groups (ASG) to efficiently scale your Pods or underlying infrastructure as needed.

For information about cloud-provider-specific Kubernetes container features, see the Kubernetes Containers documentation in the DuploCloud User Guide for your cloud provider.

Kubernetes and Allocation Tags

Moreover, you can add allocation tags to existing nodes with running services when managing your Kubernetes clusters. This action modifies a label on the Kubernetes node, influencing future Pod scheduling without affecting currently running services. The services must be restarted to apply the new allocation tags to existing services. This allows for more granular control over resource allocation and utilization within your cluster.

Kubernetes Integration with CloudWatch

Additionally, DuploCloud can integrate with CloudWatch alarms via the DuploCloud UI to set up custom alerts for CPU/memory usage, ensuring proactive resource monitoring and management. This integration supports forwarding alerts to various notification systems like Sentry, PagerDuty, NewRelic, or OpsGenie for immediate action.

kubectl is the command-line tool used to interact with Kubernetes clusters. It allows you to deploy applications, inspect and manage cluster resources, and troubleshoot issues directly from your terminal. This setup guide will walk you through installing kubectl on your computer, downloading the kubeconfig file, and configuring kubectl for your environment.

Installing kubectl

Install kubectl on your local computer:

1. Use these tools to install kubectl locally.

2. Run these commands to enable kubectl to use the downloaded kubeconfig.

For Linux or macOS

export KUBECONFIG=/home/duplo/duploinfra-INFRASTRUCTURE_NAME.yaml # INFRASTRUCTURE_NAME is your DuploCloud Infrastructure name.

For Windows

setx KUBECONFIG "%USERPROFILE%\Downloads\duploinfra-INFRASTRUCTURE_NAME.yaml" # INFRASTRU

Downloading kubeconfig

The kubeconfig file is a configuration file used by kubectl to connect to a Kubernetes cluster. It contains essential information such as the cluster's API server address, authentication credentials, and context settings that define which cluster and namespace kubectl should interact with. Refer to this article for more information about kubeconfig. Download kubeconfig one of two ways: using duploctl or from within the DuploCloud Portal:

Downloading kubeconfig using duploctl

To download kubeconfig using duploctl, follow these instructions.

Downloading kubeconfig from the DuploCloud Portal

1. In the DuploCloud Portal, navigate to Administrators -> Infrastructure.

2. In the NAME column, select the Infrastructure where you want to set up kubectl.

3. Click the EKS (for AWS), GKE (for GCP), or the AKS (for Azure) tab. The Download Kubeconfig For Plan pane displays.

4. Click Download Kubeconfig to download the kubeconfig file.

Mirantis Lens, commonly referred to as Lens, is a popular open-source Kubernetes IDE (Integrated Development Environment) that simplifies Kubernetes cluster management and visualization. Lens provides an intuitive graphical user interface (GUI) to interact with and manage multiple Kubernetes clusters, local and remote, making it easier for developers and administrators to monitor, troubleshoot, and manage workloads.

Configuring Mirantis Lens for DuploCloud Authentication

Integrate Mirantis Lens with DuploCloud by following these steps:

1. Install the DuploCloud Client: Ensure the duploctl command-line tool is installed. If not, use the pip install duplocloud-client command to install it.

2. Install the Lens Client: Download and install the Lens Kubernetes IDE client from its official website.

3. Generate the Kubeconfig File: Using the DuploCloud UI or duploctl:

• Using the DuploCloud UI.

• Using duploctl, generate a kubeconfig file for Lens connection, as follows:

duploctl jit update_kubeconfig --plan nonprod01 --tenant $DUPLO_TENANT --host https://$DUPLO_HOST --token $DUPLO_TOKEN

1. Add Kubeconfig to Lens: In Lens, navigate to Catalog, click the + button to add the kubeconfig file, and configure Lens to connect to your Kubernetes cluster.

2. Connect to the Cluster: Lens will prompt for a login through a browser window. For private EKS cluster authentication, ensure VPN connectivity.

Integrating Mirantis Lens with DuploCloud enhances your Kubernetes cluster management by providing a powerful graphical interface alongside the direct command-line access provided by the kubectl token.

Configuring Read-only Access in Kubernetes

Complete the following steps to configure read-only access to a Kubernetes cluster.

1. Save the below content as a file name service-account-readonly-setup.yaml.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: duplo-readonly-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: duplo-readonly-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: duplo-readonly-user
  namespace: kube-system
---
apiVersion: v1
kind: Secret
metadata:
  name: duplo-readonly-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: duplo-readonly-user
type: kubernetes.io/service-account-token
---

1. Run kubectl apply -f service-account-readonly-setup.yaml. This will create a new service account with read-only permission.

2. Run kubectl -n kube-system describe secret duplo-readonly-token to fetch the token. This can be used in DuploCloud to import the cluster as a read-only infrastructure.

3. With the above token, EKS server URL, and certificate-authority-data, create a kubeconfig as follows. The server URL and certificate-authority-data are in the cloud console under the cluster settings. The DuploCloud service account can interact with the Kubernetes cluster with read-only permissions.

   Copy

   apiVersion: v1
   kind: Config
   clusters:
   - name: eks-cluster
     cluster:
       server: <url>
       certificate-authority-data: <put the certificate auth data here>
   contexts:
   - name: eks-context
     context:
       cluster: eks-cluster
       user: duplo-readonly-user
   current-context: eks-context
   users:
   - name: duplo-readonly-user
     user:
       token: <YOUR_BEARER_TOKEN>

Step 1. Create a DuploCloud Service

1. From the Tenant list box, select the correct Tenant.

2. Navigate to Kubernetes -> Services.

3. Click Add. The Add Service page displays.

4. Enter the values in the table below in the fields on the Add Service page. Accept default values for fields not specified.

Step 2: Create a Load Balancer

1. From the DuploCloud Portal, navigate to Kubernetes -> Services.

2. From the NAME column, select the kubectl service you created in the previous step.

3. Select the Load Balancers tab, and click Configure Load Balancer.

4. Select type Cluster IP.

5. Set external and container ports to 80.

6. In the Health Check field, enter /duplo_auth.

7. In the Backend Protocol field, select TCP.

8. Click Add.

Step 3: Add an Ingress

1. In the DuploCloud Portal, navigate to Kubernetes -> Ingress, and click Add.

2. In the Name field, enter kubect-shell. Add a Path that defaults all traffic to the kubectl Service we created in the previous step:

Step 4: Add the DNS Name to System Settings

1. Navigate to Administrator -> Systems Settings.

2. Select the System Config tab, and click Add. The Add Config pane displays.
3. From the Config Type list box, select AppConfig.

4. From the Key list box, select Other.

5. In the second Key field, enter DuploShellfqdn

6. In the Value field, paste the Ingress DNS name.

7. Click Submit. kubectl shell access is enabled.

Setting Kubernetes Secrets

To securely manage sensitive information in your deployment, set and reference Kubernetes secrets in the DuploCloud Portal.

1. In the DuploCloud Portal, navigate to Kubernetes -> Secrets. The Kubernetes Secrets page displays.

2. Click Add.

3. Fill in the fields (Secret Name, Secret Type, Secret Details, Secret Labels, and Secret Annotations).

4. Click Add. The Kubernetes Secret is set.

Troubleshooting Secret Format Issues

When entering a Kubernetes secret with a private key in Duplo, ensure the data is formatted as key/value pairs with all keys and values as strings. If you encounter format errors, it's likely due to non-string values or incorrect multiline string formatting. Use the | character to indicate multiline strings and manually split a single-line private key into multiple lines for compatibility. Matching the format of an existing, working secret can also aid in resolving these issues.

Managing Kubernetes Secrets Effectively

To enhance the security and management of Kubernetes secrets, consider the following strategies:

• Utilize Centralized Secret Management Tools: Centralize the management of secrets to streamline access and control.

• Implement Access Controls: Define who can access or modify secrets to minimize risk.

• Regularly Rotate Secrets: Change secrets periodically to reduce the impact of potential breaches.

• Audit Access Logs: Keep track of who accesses secrets and when, to detect unauthorized access or anomalies.

By integrating these practices, you can ensure a more secure and efficient handling of secrets within your Kubernetes environment.

Downloading a kubectl Token

Connect directly to your Kubernetes cluster namespace using a kubectl token. This facilitates direct interaction with your Kubernetes cluster through a command-line interface.

1. In the DuploCloud Portal, navigate to Kubernetes -> Services.

2. From the KubeCtl list box, select KubeCtl Token. The Token window displays. Copy the contents to your clipboard.

Downloading a kubectl Token for Non-Administrators

If you don't have administrator privileges, configure AWS credentials for interacting with cloud resources and download a kubectl token tied to a service account. This token is specifically for the selected Tenant. It is designed for use with a DuploCloud service account, not for human users.

1. In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.

2. Select the Service name from the Name column.

3. From the KubeCtl item list, select KubeCtl Token. The KubeCtl Token window displays.
4. Click Copy to copy the kubectl commands in the Token window to your clipboard.

5. From the KubeCtl item list, select KubeCtl Shell to launch the shell instance.

In Kubernetes, you populate environment variables from application configurations or secrets.

Setting environment variables from a Kubernetes ConfigMap

Creating the Kubernetes ConfigMap

1. In the DuploCloud Portal, navigate to Kubernetes -> Config Maps.

2. Click Add. The Add Config Map pane displays.

3. Name the ConfigMap you want to create, such as my-config-map.

4. Add a Data key/value pair for each file in your ConfigMap, separated by a colon (:). The key is the file name, and the value is the file's contents.

5. Click Create.

Editing the DuploCloud Service

1. In the DuploCloud Portal, navigate to Kubernetes -> Services.

2. Select the Service you want to modify from the Name column.

3. Click the Actions menu and select Edit.

Configuring environment variables

You can import the entire ConfigMap as environment variables or choose specific keys to import as environment variables.

Importing the entire ConfigMap as Environment Variables

The most straightforward approach is to import the entire ConfigMap as environment variables. Using this approach, your service will recognize each key in the ConfigMap defined as an environment variable.

1. On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.

2. On the Advanced Options page, in the Other Container Config field, enter the configuration YAML to import environment variables from a ConfigMap. For example, to import all environment variables from a ConfigMap named my-env-vars, use the following YAML:

EnvFrom:
- ConfigMapRef:
    Name: my-env-vars

Selecting individual Environment Variables from a ConfigMap

Another approach is to select which keys to import from the ConfigMap as environment variables. This method gives you complete control over each environment variable and its name, but it requires more manual configuration.

1. Edit the DuploCloud Service.

2. On the Edit Service: service_name Basic Options page, in the Environment Variables field, enter the configuration for environment variables to import from a ConfigMap. For example, to set a single environment variable (ENV_VAR_ONE) to the value of the MY_ENV_VAR key in the my-env-vars config map, use the following YAML:

- Name: ENV_VAR_ONE
  ValueFrom:
    ConfigMapKeyRef:
      Name: my-env-vars
      Key: MY_ENV_VAR

Setting Environment Variables from a Kubernetes Secret

You can import Kubernetes Secrets as Environment Variables.

Create the Kubernetes Secret

1. In the DuploCloud Portal, navigate to Kubernetes -> Secrets.

2. Click Add. The Add Kubernetes Secret page opens.

3. Create a Secret Name, such as my-env-vars.

4. From the Secret Type list box, select Opaque.

5. In the Secret Details field, add key/value pairs for each EV in your ConfigMap, separated by a colon (:). The key is the EV name, and the value is the EV value.

6. Click Add to create the secret.

Configuring environment variables

Importing the entire Secret as environment variables

The most straightforward approach is to import the entire Secret as environment variables. Using this approach, your service will recognize each key in the Secret defined as an EV.

1. Edit the DuploCloud Service.

2. On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.

3. On the Advanced Options page, in the Other Container Config field, enter the configuration YAML to import environment variables from a Secret. For example, to import all environment variables from a secret named my-env-vars, use the following YAML:

EnvFrom:
- SecretRef:
    Name: my-env-vars

Selecting individual environment variables from a Secret

Another approach is to select which keys to import from the Secret as environment variables. This method gives you complete control over each environment variable and its name, but it requires more manual configuration.

1. Edit the DuploCloud Service.

2. On the Edit Service: service_name Basic Options page, in the Environment Variables field, enter the configuration for specific environment variables to import from a Secret. For example, to set a single environment variable (ENV_VAR_ONE) to the value of the SECRET_ENV_VAR key in the my-env-vars secret, use the following YAML:

- Name: ENV_VAR_ONE
  ValueFrom:
    SecretKeyRef:
      Name: my-env-vars
      Key: SECRET_ENV_VAR

In Kubernetes, you can mount application configurations or secrets as files.

Creating and mounting a Kubernetes ConfigMap

Creating a Kubernetes ConfigMap

1. In the DuploCloud Portal, navigate to Kubernetes -> Config Maps.

2. Click Add. The Add Kubernetes Config Map pane displays.

3. Give the ConfigMap a name, such as my-config-map.

4. In the Data field, add a key/value pair for each file in your config map, separated by a colon (:). The key is the file name, and the value is the file's contents.

5. Click Create.

Editing the DuploCloud Service

1. In the DuploCloud Portal, navigate to Kubernetes -> Services.

2. Select the Service you want to modify from the Name column.

3. Click the Actions menu and select Edit.

Mounting the Kubernetes ConfigMap as a volume

1. On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.

2. In the Volumes field on the Advanced Options page, enter the configuration YAML to mount the ConfigMap as a volume.

Example: mounting a ConfigMap as a volume

For example, to mount a config map named my-config-map to a directory named /app/my-config enter the following YAML code block in the Volumes field:

- Name: my-config
  Path: /app/my-config
  Spec:
    ConfigMap:
      Name: my-config-map

Example: adding a Key value to select individual ConfigMap items

If you want to select individual ConfigMap items and specify the subpath for mounting, you can use a different configuration. For example, if you want the key named my-file-name to be mounted to /app/my-config/config-file use the following YAML:

  Path: /app/my-config
  Spec:
    ConfigMap:
      Name: my-config-map
      Items:
      - Key: my-file-name
        Path: config-file

Creating and Mounting a Kubernetes Secret

Before you create and mount a Kubernetes Secret, you must create a DuploCloud Service.

Creating a Kubernetes Secret

1. In the DuploCloud Portal, navigate to Kubernetes -> Secrets.

2. Click Add. The Add Kubernetes Secret pane displays.

3. Give the secret a name, such as my-secret-files.

4. Add Secret Details such as a key/value pair for each file in your secret separated by a colon (:). The key is the file name, and the value is the file's contents.

5. Click Add to create the secret.

Creating a multi-line Kubernetes Secret

1. Follow the steps in creating a Kubernetes Secret, defining a Key value using the PRIVATE_KEY_FILENAME in the Secret Details field, as shown below.

2. Click Add to create the multi-line secret.

Mounting a Kubernetes Secret as a volume

1. In the DuploCloud Portal, edit the DuploCloud Service.

2. On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.

3. In the Volumes field on the Advanced Options page, enter the configuration YAML to mount the Secret as a volume.

Example: mounting a Kubernetes Secret as a volume

For example, to mount a Secret named my-secret-files to a directory named /app/my-config Enter the following YAML code block in the Volumes field:

- Name: my-config
  Path: /app/my-config
  Spec:
    Secret:
      SecretName: my-secret-files

Example: adding a Key value to select individual Secret items

If you want to select individual Secret items and specify the subpath for mounting, you can use a different configuration. For example, if you want the key named secret-file to be mounted to /app/my-config/config-file use the following YAML:

- Name: my-config
  Path: /app/my-config
  Spec:
    Secret:
      SecretName: my-secret-files
      Items:
      - Key: secret-file
        Path: config-file

In Kubernetes, a Job is a controller object representing a task or a set of tasks that runs until successful completion. It is designed to manage short-lived batch workloads in a Kubernetes cluster. Use a Kubernetes Job when you need to run a task or a set of tasks once, to completion, rather than continuously, as in other types of controllers like Deployments.

Refer to the Kubernetes Job documentation for use cases and examples of when to use Kubernetes Jobs.

Using Kubernetes Jobs for Pod management

Pods are the smallest deployable computing units that you can create and manage in Kubernetes. A Pod is a group of one or more containers with shared storage and network resources, including a specification that dictates how to run the containers. A Pod's contents are always co-located and co-scheduled and run in a shared context. A Pod models an application-specific "logical host": it contains one or more tightly coupled application containers.

In the DuploCloud Portal, you can create K8s Jobs to create one or more Pods. The Job retries until a specified number of Pods are successfully executed. Kubernetes Jobs tracks successful terminations. When the specified number of successful terminations are completed, the Job is marked as completed in Kubernetes. Deleting a Kubernetes Job cleans up the Pods that it created. Suspending a Kubernetes Job deletes its active Pods until it is resumed again.

You typically create one Kubernetes Job object to run one Pod to completion reliably. The Job object starts a new Pod if the first Pod fails or is deleted (for example, in case of a node hardware failure or a node reboot).

You can also use a Kubernetes Job to run multiple Pods in parallel. If you want to run a Kubernetes Job (a single task or several in parallel) on a schedule, see Kubernetes CronJobs.

Creating a Kubernetes Job in the DuploCloud portal

1. In the DuploCloud Portal, select the Tenant from the Tenant list box at the top-left of the DuploCloud Portal.

2. Navigate to Kubernetes -> Job.

3. Click Add. The Add Kubernetes Job page displays.

4. In the Basic Options step, specify the Kubernetes Job name.

5. In the Container - 1 area, specify the Container Name and associated Docker Image.

1. In the Command field, specify the command attributes for Container - 1. Click the Info Tip icon for examples. Select and copy commands as needed.

2. In the Command field, specify the command attributes for Container - 1. Click the Info Tip icon for examples. Select and Copy commands as needed.

2. In the Init Container - 1 area, specify the Container Name and associated Docker Image.
3. Click Next to open the Advanced Configuration step.

4. In the Other Spec Configuration field, specify the Kubernetes Job spec (in YAML) for Init Container - 1. Click the Info Tip icon for examples. Select and copy commands as needed.
5. Click Create. The Kubernetes Job is created and displayed on the Job page with a status of Active.

7. In the Init Container - 1 area, specify the Container Name and associated Docker Image.
8. Click Next to open the Advanced Configuration step.

9. In the Other Spec Configuration field, specify the Kubernetes Job spec (in YAML) for Init Container - 1. Click the Info Tip icon for examples. Select and Copy commands as needed.
10. Click Create. The job is created and displayed on the Job page with a status of Active.

Using Allocation Tags with Kubernetes Jobs

Allocation tags for Kubernetes Jobs (labels, node selectors, or node affinity) help manage resources in a Kubernetes environment. They can be useful for:

• Resource Organization

• Scheduling and Affinity Rules

• Resource Quotas and Limits

• Monitoring and Logging

• Cost Allocation and Billing

You can add allocation tags in the Allocation Tag field when creating Kubernetes Jobs.

In the YAML below, the following act as allocation tags:

• labels are key-value pairs used to organize, categorize, and identify resources such as Pods, Nodes, Jobs, and more. Thecompliance: HIPAA label applied in the example indicates that the Kubernetes Job is associated with a HIPAA compliance context.

• nodeSelector specifies that the Kubernetes Job should be scheduled on specific nodes. In this example, it will be scheduled on nodes with the label security-level: high.

  labels:
    compliance: HIPAA
spec:
  template:
    spec:
      nodeSelector:
        security-level: high

To learn more about allocation tags for Kubernetes Jobs, see the Kubernetes documentation on labels and selectors and node selectors and node affinity.

Managing Kubernetes Jobs faults

You can manage/override Kubernetes Jobs faults on a Tenant or Job level. If a Job fails, and no Tenant- or Job-level fault setting is configured, DuploCloud will generate a fault by default.

Tenant-level Kubernetes Jobs faults

Enable or disable faults for failed Kubernetes Jobs in a specific Tenant.

1. From the DuploCloud Portal, navigate to Administrator -> Tenant.

2. Click the Tenant name in the NAME column.

3. Select the Settings tab, and click Add. The Add Tenant Feature pane displays.

4. From the Select Feature list box, select Enable K8s job fault logging by default, and use the toggle switch to enable or disable the setting.

5. Click Add. The Jobs fault setting is added.

You can view the Jobs fault setting on the Tenants page (Navigate to Administrator -> Tenant, select the Tenant name) under the Settings tab. If the value is true, DuploCloud will generate a fault. If the value is false, DuploCloud will not generate a fault.

Jobs-level Kubernetes Jobs faults

You can configure the faults for a specific Job when creating the Job in DuploCloud. Fault settings added this way override Tenant-level settings. On the Add Kubernetes Job page, in the Metadata Annotations field, enter:

duplocloud.net/fault/when-failed: true. or

duplocloud.net/fault/when-failed: false.

When the value is true and the Job fails, DuploCloud will generate a fault. When the value is false and the Job fails, a fault will not be generated.

Viewing a Kubernetes Job

1. In the DuploCloud Portal, navigate to Kubernetes -> Job.

2. Select the Kubernetes Job you want to view and click the Overview, Containers, and Details tabs for more information about the Job status and history.

Using the Containers page to view linked Kubernetes Jobs

You can view K8s Jobs linked to Containers by clicking the Container Name on the Containers page (Kubernetes -> Containers).

You can filter container names by using the search field at the top of the page, as in this example:

Editing a Kubernetes Job

1. In the DuploCloud Portal, navigate to Kubernetes -> Job.

2. Select the K8s Job you want to edit.

You can edit and modify the following fields in the DuploCloud portal:

• Cleanup After Finished in Seconds

• Other Spec Configuration

• Metadata Annotations

• Labels

Deleting a Kubernetes Job

1. In the DuploCloud Portal, navigate to Kubernetes -> Job.

2. Select the K8s Job you want to delete.

Creating a Storage Account and File Shares

Refer to the DupoCloud documentation to configure Storage Account and File Share in Azure.

Copy the Storage Account Key and File Share Name from the DuploCloud Portal to prepare to create Kubernetes Secrets in the next step.

Creating Kubernetes Secret

Navigate to Kubernetes -> Secrets. Create a Kubernetes Secret Object using an Azure Storage Account.

For more information, see Kubernetes Configs and Secrets.

azurestorageaccountkey: >-
    <storage-account-key>
azurestorageaccountname: <storage-account-name>

Mounting the Azure Storage connection in your deployment

While creating a deployment, provide the configuration below under Other Pod Config and Other Container Config to create and mount the storage volume for your Service. In the configuration below, shareName is the File Share name, which you can get from the Storage Account screen.

PodLabels:
  app: azuretest
Volumes:
  - name: azurefileshare
    azureFile:
      secretName: my-storage-account-key
      shareName: fileshare1
      readOnly: false

VolumesMounts:
  - name: azurefileshare
    mountPath: /myfileshare

Enabling kubectl shell access in GCP is part of a one-time DuploCloud Portal setup process.

Step 1: Create a Node Pool

1. In the Tenant list box, select the correct Tenant.

2. Navigate to Kubernetes -> Nodes.

3. Select the Node Pool tab, and click Add.

1. Complete the required fields, and click Create. Once the node pool is complete, it will display on the GCP VM tab with a status of Running.

Step 2. Create a DuploCloud Service

1. In the Tenant list box, select the correct Tenant.

2. Navigate to Kubernetes -> Services.

3. Click Add. The Add Service page displays.

4. From the table below, enter the values that correspond to the fields on the Add Service page. Accept default values for fields not specified.

1. In the Environment Variables field, enter the following YAML. Replace the flask app secret (b33d13ab-5b46-443d-a19d-asdfsd443 in this example) with a string of random numbers and letters in the same format and replace CUSTOMER_PREFIX with your customer URL prefix.

- Name: FLASK_APP_SECRET
 Value: b33d13ab-5b46-443d-a19d-asdfsd443
- Name: DUPLO_AUTH_URL
 Value: https://<CUSTOMER_PREFIX>.duplocloud.net

1. Click Next. The Advanced Options page displays.

2. Click Create. The Service is created.

Step 3: Create a Load Balancer

1. Navigate to Kubernetes -> Services.

2. Select the kubectl Service from the NAME column.

3. Select the Load Balancers tab, and click Configure Load Balancer. The Add Load Balancer Listener pane displays.

4. In the Select Type list box, select K8s Cluster IP.

5. In the Container port and External port fields, enter 80.

6. In the Health Check field, enter /duplo_auth.

7. In the Backend Protocol list box, select TCP

8. Select Advanced Kubernetes settings and Set HealthCheck annotations for Ingress.

9. Click Add. The Load Balancer listener is added.

Step 4: Add an Ingress

1. In the Tenant list box, select the correct Tenant.

2. Navigate to Kubernetes -> Ingress.

3. Click Add. The Add Kubernetes Ingress page displays.

4. In the Ingress Name field, enter kubect-shell.

5. From the Ingress Controller list box, select gce.

6. In the Visibility list box, select Public.

7. In the DNS Prefix field, enter the DNS name prefix.

8. In the Certificate ARN list box, select the ARN added to the Plan in the Certificate for Load Balancer and Ingress step.

1. Click Add Rule. The Add Ingress Rule pane displays.

2. In the Path field, enter (/)

3. In the Service Name list box, select the Service previously created (kubectl:80)

4. Click Add Rule. A rule directing all traffic to the kubectl Service is created.

13. On the Add Kubernetes Ingress page, click Add. The Ingress is created.

Step 5: Add the DNS Name to System Settings

1. Navigate to Administrator -> Systems Settings.

2. Select the System Config tab, and click Add. The Add Config pane displays.
3. From the Config Type list box, select AppConfig.

4. From the Key list box, select Other.

5. In the second Key field, enter DuploShellfqdn

6. In the Value field, paste the Ingress DNS. To find the Ingress DNS, navigate to Kubernetes -> Ingress, and copy the DNS from the DNS column.
7. Click Submit. kubectl shell access is enabled.

You can restrict or enable read-only user access to Kubernetes by configuring DuploCloud systems settings:

1. From the DuploCloud Portal, navigate to Administrator -> Systems Settings.

2. Select the System Config tab, and click Add. The Add Config pane displays.
3. In the Config Type list box, select AppConfig.

4. In the Key list box, select Allow Readonly Users to view Kubernetes Secrets.

5. In the Value field, enter True or False. A true value allows read-only users to view Kubernetes Secrets. A false value prohibits read-only users from viewing Kubernetes Secrets.

6. Click Submit. The setting is configured.

A Kubernetes CronJob is a variant of a Kubernetes Job you can schedule to run at periodic intervals.

See the Kubernetes CronJob documentation for more information.

Creating a Kubernetes CronJob in the DuploCloud portal

1. In the DuploCloud Portal, navigate to Kubernetes -> CronJob.

2. Click Add. The Add Kubernetes CronJob page displays.

3. In the Basic Options step, specify the Kubernetes CronJob name.

4. In the Schedule field, specify the Cron Schedule in Cron Format. Click the Info Tip icon for examples. When specifying a Schedule in Cron Format, ensure you separate each value with a space. For example, 0 0 * * 0 is a valid Cron Format input; 00**0 is not. See the Kubernetes documentation for detailed information about Cron Format.

5. In the Container - 1 area, specify the Container Name and associated Docker Image.

1. In the Command field, specify the command attributes for Container - 1. Click the Info Tip icon for examples. Select and copy commands as needed.

1. In the Init Container - 1 area, specify the Container Name and associated Docker Image.

2. Click Next to open the Advanced Configuration step.

1. Click Create. The Kubernetes CronJob is created and displayed on the CronJob page. It will run according to the schedule you specified.

Viewing a Kubernetes CronJob

Managing Kubernetes CronJobs faults

You can manage/override Kubernetes Jobs faults on a Tenant or CronJob level. If a CronJob fails, and no Tenant- or Job-level fault setting is configured, DuploCloud will generate a fault by default.

Tenant-level Kubernetes CronJobs faults

Enable or disable faults for failed Kubernetes CronJobs in a specific Tenant.

1. From the DuploCloud Portal, navigate to Administrator -> Tenant.

2. Click the Tenant name in the NAME column.

3. Select the Settings tab, and click Add. The Add Tenant Feature pane displays.

4. From the Select Feature list box, select Enable K8s job fault logging by default, and use the toggle switch to enable or disable the setting.

5. Click Add. The CronJobs fault setting is added.

You can view the CronJobs fault setting on the Tenants page (Navigate to Administrator -> Tenant, select the Tenant name) under the Settings tab. If the value is true, DuploCloud will generate a fault. If the value is false, DuploCloud will not generate a fault.

Jobs-level Kubernetes CronJobs faults

You can configure the faults for a specific CronJob when creating the CronJob in DuploCloud. Fault settings added this way override Tenant-level settings. On the Add Kubernetes Job page, in the Metadata Annotations field, enter:

duplocloud.net/fault/when-failed: true. or

duplocloud.net/fault/when-failed: false.

When the value is true and the CronJob fails, DuploCloud will generate a fault. When the value is false and the CronJob fails, a fault will not be generated.

Viewing a Kubernetes CronJob

1. In the DuploCloud Portal, navigate to Kubernetes -> CronJobs.

2. Select the Kubernetes CronJob you want to view and click the Overview, Schedule, and Details tabs for more information about the CronJob schedule and history.

Using the Container page to view linked Kubernetes CronJobs

You can view Kubernetes CronJobs linked to containers by clicking the container name on the Containers page (Kubernetes -> Containers).

You can filter container names by using the search field at the top of the page, as in this example:

Editing a Kubernetes CronJob

1. In the DuploCloud Portal, navigate to Kubernetes -> CronJob.

2. Select the Kubernetes CronJob you want to edit.

You can edit and modify the following fields in the DuploCloud Portal:

• Cleanup After Finished in Seconds

• Other Spec Configuration

• Metadata Annotations

• Labels

Deleting a Kubernetes CronJob

1. In the DuploCloud Portal, navigate to Kubernetes -> CronJob.

2. Select the Kubernetes CronJob you want to delete.

Ingress controllers abstract the complexity of routed Kubernetes application traffic, providing a bridge between Kubernetes services and services that you define.

Prerequisites

Creating Services with EKS

See the DuploCloud documentation for instructions to add , , and .

Enabling the AWS Application Load Balancer

An administrator needs to enable the AWS Application Load Balancer controller for your Infrastructure before you can use Ingress.

1. In the DuploCloud Portal, navigate to Administrator -> Infrastructure and select the Infrastructure name from the NAME column.

2. Select the Settings tab, and click Add. The Infra - Custom Data pane displays.

3. From the Setting Name list box, select Enable ALB Ingress Controller.

4. Select Enable.

5. Click Set. In the Settings tab, the Enable ALB Ingress Controller setting displays a value of true.

Adding a Load Balancer with Kubernetes NodePort

Add a Load Balancer listener that uses Kubernetes (K8s) NodePort.

1. In the DuploCloud Portal, navigate to Kubernetes -> Services.

2. Select your Service name from the NAME column.

3. Select the Load Balancers tab.

4. Click Configure Load Balancer. The Add Load Balancer Listener pane appears.

5. In the Select Type field, select K8S Node Port.

6. Enter the Container port and External port.

7. Optionally, enable Advanced Kubernetes settings.

8. Kubernetes Health Check and Probes are enabled by default. To manually configure Health Check settings, select Additional health check configs.

9. Click Add. The Load Balancer listener is displayed under LB Listeners on the Load Balancers tab.

1. In the Select Type field, select K8S Node Port.

2. Complete the Container port and External port fields.

3. In the Health Check field, enter /.

4. Complete the other required fields in the Add Load Balancer Listener pane as needed.

5. Click Add. The Load Balancer displays in the Load Balancers tab.

Adding a Kubernetes Ingress

1. Select Kubernetes -> Ingress from the navigation pane.

2. Click Add. The Add Kubernetes Ingress page displays.

1. Enter a name in the Ingress Name field.

3. From the Visibility list box, select either Internal Only or Public.

4. From the Certificate ARN list box, select the appropriate ARN.

5. To expose your services over HTTP or HTTPS, enter the listener ports in the HTTP Listener Port and HTTPS Listener Port fields.

6. In the Target Type field, specify how you want to route traffic to Pods. You can choose between Instance (Worker Nodes) or IP (Pod IPs).

   • Instance (Worker Nodes) routes traffic to all EC2 instances within the cluster on the NodePort opened for your Service. To use the Instance target type, the Service must be NodePort or LoadBalancer type.

   • IP (Pod IPs) routes traffic directly to the Pod IP. The network plugin must use secondary IP addresses on ENI (e.g., amazon-vpc-cni-k8s) for the Pod IP to use IP mode. The Service can be of any type (e.g., ClusterIP, NodePort, or LoadBalancer). IP mode is required for sticky sessions to work with Application Load Balancers.

Defining Ingress rules

1. On the Add Kubernetes Ingress page, click Add Rule. The Add Ingress Rule pane displays.

1. Specify the Path (/ in the example above) and Path Type (Exact, Prefix, or Implementation Specific).

2. Optionally, enter a Host in the Host field.

3. Select the Service Name (the Container Port field is automatically completed), or, use the toggle switch to enable Use Container Port Name, and manually complete the Service Name and Container Port Name fields.

4. Click Add Rule. The rule will be displayed on the Add Kubernetes Ingress page. Repeat steps 1-7 to add additional rules.

Configuring Ingress redirect configurations and annotations

1. On the Add Kubernetes Ingress page, click Add Redirect Config. The Add Redirect Config pane displays.
2. In the Name field, enter a descriptive name for the Ingress redirect configuration.

3. In the Host field, specify the domain name for which this redirect rule will apply.

4. In the Path field, Define the path that should trigger the redirect.

5. Enter the Port for the backend service or redirect.

6. Enter the Protocol to enforce (e.g., HTTPS).

7. If Applicable, in the Query field, specify query parameters for the redirect.

8. In the Status Codes field, enter the HTTP status code for the redirect.

9. Optionally, in the Annotations field, enter additional configuration options specific to the Ingress controller.

10. Click Add to add the Kubernetes Ingress with defined rules and configurations. The Ingress you added displays in the K8S Ingress tab.

Viewing Ingress

Viewing Ingress details in the DuploCloud Portal

When Ingress is configured, view details by navigating to Kubernetes -> Ingress, and selecting your Ingress from the NAME column.

Viewing Ingress details using curl Commands

You can also view Ingress details using curl commands. Curl commands are configured with the DNS names and paths (as defined in your Ingress rules) in the format: curl http://<dns1>/<path1>. The responses from these requests will show how traffic is being routed according to the Ingress configuration. For example, see the following three commands and responses:

Command: curl http://ig-nev-ingress-ing-t2-1-duplopoc.net/path-x/

Response: this is service1

Command: curl http://ing-doc-ingress-ing-t2-1-duplopoc.net/path-y/

Response: this is service2

Command: curl http://ing-public-ingress-ing-t2.1.duplopoc.net/path-z/

Response: this is ING2-PUBLIC

Ingress controllers abstract the complexity of routed Kubernetes application traffic, providing a bridge between Kubernetes services and external services. They play a crucial role in managing access to the services within a Kubernetes cluster, ensuring that traffic is efficiently directed to the appropriate backend services.

Creating Tenants, Hosts, and Services

See the DuploCloud documentation on creating , , and for your cloud provider. These foundational steps are essential for deploying and managing your applications and services within a Kubernetes environment.

Once your Service is deployed, you can add and configure Kubernetes Ingress. To make services deployed via Helm charts accessible through an ingress controller, it's necessary to adjust the values.yaml file of your Helm chart. This involves enabling ingress and specifying the ingress resource attributes such as hostnames and paths, which are crucial for routing external traffic to your services. The steps to create Ingress for each cloud provider are slightly different, but the core principle of configuring ingress settings in the Helm chart remains consistent across environments. Ingress setup is a critical step in defining how external traffic is routed to your services, providing a scalable and secure entry point for your applications.

Monitoring and Troubleshooting

To ensure the smooth operation of services within a cluster, it's important to have access to and understand how to view container logs. For troubleshooting or monitoring purposes, you can easily view the logs of containers within a cluster directly from the containers' user interface. This is achieved by utilizing the context menu in the UI, offering a straightforward method to access the necessary log information. This capability is crucial for diagnosing issues, understanding service behavior, and ensuring the reliability and performance of your applications.

In summary, setting up Ingress controllers, configuring Helm charts for ingress, and understanding how to access container logs are fundamental aspects of managing and troubleshooting Kubernetes applications. By following the documented steps for creating tenants, hosts, and services, adjusting Helm chart values for ingress, and by utilizing the UI for log access, you can effectively manage traffic flow and monitor the health and performance of your services.

Kubernetes DaemonSets are controllers that manage Pod lifecycles, ensuring that one copy of a Pod runs on each node (or a selected subset of nodes) in the cluster. It is defined using a YAML or JSON configuration file, similar to other Kubernetes resources like Deployments or StatefulSets. See the for more information.

Creating a DaemonSet in DuploCloud (AWS or GCP)

1. From the DuploCloud Portal, navigate to Kubernetes -> DaemonSet, and click Add. The Add DaemonSet page displays.

2. In the Name field, specify a unique name for the DaemonSet.

3. Set the Local Tenant toggle switch. When set to true, the Daemon set deploys only on hosts in this Tenant instead of the entire cluster.

4. In the Configurations field, enter the DaemonSet configurations. See the example DaemonSet JSON below.

5. Click Create. The DaemonSet is created and the configurations applied.

DuploCloud Portal provides the ability to create Custom Resource (CR) SecretProviderClass.

This capability allows Kubernetes (K8s) to mount secrets stored in external secrets stores into the Pods as volumes. After the volumes are attached, the data is mounted into the container’s file system.

Prerequisites

An Administrator must set the Infrastructure setting Enable Secrets CSI Driver as True. This setting is available by navigating to Administrator -> Infrastructure, selecting your Infrastructure, and clicking Settings).

Creating the K8s SecretProviderClass

1. In the DuploCloud Portal, navigate to Kubernetes -> Secret Provider.

2. Click Add. The Add Kubernetes Sercet Provider Class page displays.

3. Map the AWS Secrets and SSM Parameters configured in DuploCloud Portal (Cloud Services -> App Integration) to the Parameters section of the configuration.

4. Optionally, use the Secret Objects field to define the desired state of the synced Kubernetes secret objects.

The following is an example SecretProviderClass configuration where AWS secrets and Kubernetes Secret Objects are configured:

Creating a Kubernetes Service and mounting volumes based on the configured secrets

To ensure your application is using the Secrets Store CSI driver, you need to configure your deployment to reference the SecretProviderClass resource created in the previous step.

The following is an example of configuring a Pod to mount a volume based on the SecretProviderClass created in prior steps to retrieve secrets from Secrets Manager.

1. In the DuploCloud Portal, create a Kubernetes Service by navigating to Kubernetes -> Services and clicking Add.

2. Complete the required fields and click Next to display the Advanced Options page.

3. On the Advanced Options page, in the Cloud Credentials list box, select From Kubernetes.

4. Add code to the Other Pod Config field, as in the example below.

5. Add code for VolumeMounts in the Other Container Config field, as in the example below.

6. Click Create to create the Kubernetes service.

Configure and use Kubernetes Secret Objects

Optionally, you can define secretObjects in the SecretProviderClass to define the desired state of your synced Kubernetes secret objects.

The following is an example of how to create a SecretProviderClass CR that syncs a secret from AWS Secrets Manager to a Kubernetes secret:

Configuring Secret Objects in deployments

In the Other Container Config field, specify mount details with the secretobject-name. Refer to the following example:

Configuring Secret Objects using Environment Variables

Set environment variables in your deployment to refer to your Kubernetes secrets.

In DuploCloud environments, you can pass configurations and Kubernetes using Kubernetes or through various strategies tailored to enhance security and management efficiency:

• Setting Kubernetes Secrets directly in DuploCloud: You can create secrets under Kubernetes -> Secrets in the DuploCloud Portal. These secrets are then available in the Kubernetes environment and can be utilized as either files or environment variables. This method is straightforward, incurs no additional cost, and allows for the visibility of both secret keys and values in the DuploCloud console. For detailed instructions, see .

• Settings Environment Variables (EVs) from a K8s ConfigMap or Secret: This traditional method continues to be supported, offering a familiar approach to those accustomed to Kubernetes' native secrets management.

• Mounting ConfigMaps and Secrets as files: This method seamlessly integrates configuration data directly into your application's file system.

Additionally, DuploCloud supports advanced secrets management strategies, including:

• Using AWS as the Source of Truth: By creating secrets in AWS Secrets Manager or Parameter Store and integrating them into Kubernetes secrets with SecretProviderClass, you benefit from advanced features like automatic rotation. This method displays only the secret keys in the DuploCloud console and involves a more complex setup but is ideal for centralizing secret management across DuploCloud and non-DuploCloud resources. For more on this setup, visit .

• Application Directly Reads Secrets from AWS: This approach allows the application code to fetch secrets directly from the AWS Secret Manager or Parameter Store, managed via IAM roles facilitated by DuploCloud. It provides an added layer of protection and is particularly beneficial for development environments, though it requires modifications to the application code. Implementation guidance can be found in the AWS SDK for PHP—.

By leveraging these strategies, DuploCloud offers flexible and secure options for managing Kubernetes ConfigMaps and Secrets, catering to various operational needs and security requirements.

GCP's Ingress Controller for GKE automatically manages traffic routing to Kubernetes services, integrating Kubernetes workloads with Google Cloud's load-balancing infrastructure. It simplifies external access to applications, handling SSL termination and global load distribution.

GCP offers its own Ingress Controller, specifically created for Google Kubernetes Engine (GKE), to seamlessly integrate Kubernetes services with Google Cloud's advanced load balancing features.

Container-native load balancing with GKE Ingress

Container-native load balancing on Google Cloud Platform (GCP) allows Load Balancers to directly target Kubernetes Pods instead of using a node-based proxy. This approach improves performance by enabling more efficient routing, reducing latency by eliminating extra hops, and providing better health-checking capabilities.

It leverages the network endpoint groups (NEGs) feature to ensure that traffic is directed to the appropriate container instances, enabling more granular and efficient load distribution for applications running on GKE.

Prerequisites

Creating Tenants and Services

Once your Tenant and Service are deployed, you are ready to add and configure a Load Balancer listener.

Adding a Load Balancer listener with Kubernetes ClusterIP

Add a Load Balancer listener that uses Kubernetes (K8s) ClusterIP. Kubernetes Health Check and probes are enabled by default. To specifically configure the settings for Health Check, select Additional health check configs when you add the Load Balancer.

1. In the DuploCloud Portal, navigate Kubernetes -> Services.

2. On the Services page, select the Service name from the NAME column.

3. Click the Load Balancers tab.

4. Click Configure Load Balancer. The Add Load Balancer Listener pane appears.

1. From the Select Type list box, select K8s Cluster IP.

2. Enable Advanced Kubernetes Settings and Set HealthCheck annotations for Ingress, if needed. (This will add required annotations in Kubernetes Service to be recognized by the GKE Ingress Controller)

3. Click Add. The Load Balancer listener details display in the Load Balancers tab on the Service details page.

Creating a GCP Managed Certificate (optional)

To enable SSL, create a GCP-managed certificate resource in the application namespace.

Adding a Kubernetes Ingress

Once a Service and Load Balancer are deployed, add an Ingress:

1. Select Kubernetes -> Ingress from the navigation pane.

2. Click Add. The Add Kubernetes Ingress page displays.

3. Enter an Ingress Name.

4. From the Ingress Controller list box, select GCE.

5. From the Visibility list box, select Internal Only or Public.

6. Enter your DNS prefix in the DNS Prefix field.

7. Select your ARN from the Certificate ARN list box.

1. Enter labels in the Labels field, if required.

2. Click Add to add the Ingress.

Configuring Kubernetes Ingress rules

1. In the Add Kubernetes Ingress page, click Add Rule. The Add Ingress Rule pane displays.

1. Specify the Path (/samplePath/ in the example).

3. From the Service Name list box, select the Service exposed through the K8S ClusterIP (nginx-test in the example). The Container port field is completed automatically.

4. Click Add Rule. The rule displays on the Add Kubernetes Ingress page. Repeat the preceding steps to add additional rules.

5. Click Add to add the Kubernetes Ingress. The Ingress displays on the Ingress page.

The Ingress creation will take a few minutes. Once the IP is attached to the Ingress, you are ready to use your path- or host-based routing defined via Ingress.

Viewing Ingress

You can view the Ingresses you have created by navigating to Kubernetes -> Ingress.

A Kubernetes Lifecycle Hook triggers events to run at different stages of a container's lifecycle. These hooks run scripts or commands before or after a specific event, such as a container being created, started, or stopped. Lifecycle hooks perform tasks like starting services, or initializing, configuring, or verifying containers.

Implementing Kubernetes Lifecycle Hooks

You can implement Kubernetes Lifecycle Hooks while adding a DuploCloud EKS Service by adding YAML, like the example below, to the Other Container Config field.

#lifecycle hook sample
lifecycle:
  postStart:
    exec:
      command:
        - /bin/sh
        - '-c'
        - date > /container-started.txt
  preStop:
    exec:
      command:
        - /usr/sbin/nginx
        - '-s'
        - quit

Using the Horizontal Pod Autoscalar (HPA) in AWS

See the Autoscaling in Kubernetes topic in the AWS DuploCloud documentation.

Managing Services with HPA

When working with Kubernetes Services configured with Horizontal Pod Autoscaler (HPA), it's essential to understand how to manage and troubleshoot them effectively.

Stopping a Service with HPA

To stop a Service that is hung in a Running state due to HPA, you cannot directly delete Pods, as new ones are created to maintain the set number of replicas. Instead, remove the HPA configuration and adopt a static replication strategy by setting the replica count to 0. This ensures the Service is effectively stopped without attempting to set minReplicas to 0, which is an invalid configuration for HPA.

Troubleshooting

If issues arise while stopping a Service with HPA configured, avoid setting minReplicas it to 0 and ensure the HPA configuration is removed in favor of a static replication strategy. For further troubleshooting, consult the Faults menu under the DevOps section in the DuploCloud UI, where all errors are logged, facilitating efficient diagnosis and resolution.

UI Improvements

DuploCloud is planning enhancements to the UI to improve the management of Services running with HPA configurations. These improvements include adding validation to prevent users from setting minReplicas to 0, potentially removing the Stop option for Services with HPA, and documenting the correct procedure for stopping such Services. These updates simplify the process and prevent common configuration mistakes, ensuring a smoother experience managing Kubernetes Services with HPA.

HPA and Handling High Memory Demand

The Kubernetes Horizontal Pod Autoscaler (HPA) is critical for managing resources efficiently in a Kubernetes environment. It automatically adjusts the number of Pods in a deployment based on observed CPU utilization or other selected metrics. For detailed guidance on autoscaling in Kubernetes, see the Autoscaling in Kubernetes topic in the AWS DuploCloud documentation.

Handling High Memory Demand

When a Service Pod requires more memory than is available on any single node, such as a Pod demanding 30GB on a node with a maximum of 16GB, it's essential to isolate the resource-intensive Service. By moving the script, which causes high memory demand for its service, and allocating it to a more prominent instance with a highmem allocation tag, you can ensure that your services continue to run efficiently. This approach allows for instances with up to 64GB of memory, accommodating high-demand applications without compromising the performance of other services.

Best Practices for Autoscaling

When configuring autoscaling for an EKS cluster, it's crucial to base the autoscaler on CPU/memory requests or limits to ensure optimal performance and resource utilization. This method allows for dynamic scaling that responds to the actual needs of your applications, preventing over-provisioning and resource wastage.

Custom Monitoring and Alerts

For advanced monitoring and alerting, DuploCloud supports the integration of its Prometheus endpoints with external Grafana instances. This capability enables the Pod to set up custom alerts for memory usage, allowing for proactive resource management and issue resolution. Whether using DuploCloud's Grafana instance or an external one, these integrations provide valuable insights into your Kubernetes environment's health and performance.

Considerations for Allocation Groups

Adding an allocation group to an existing node with running Services requires careful consideration regarding Service continuity and the potential need for restarts. While the specific behavior may vary, understanding the implications of such changes is crucial for maintaining uninterrupted Service availability during scaling and resource adjustments.

By following these guidelines and leveraging DuploCloud's support for HPA, teams can effectively manage Kubernetes resources, ensuring that applications remain performant and resilient under varying loads.

Configuring Kubernetes Storage

You can configure the Storage Class and Persistent Volume Claims (PVCs) from the DuploCloud Portal.

1. In the DuploCloud Portal, navigate to Kubernetes -> Storage. The Kubernetes Storage page displays. You define your Kubernetes Persistent Volume Claims and Storage Classes from this page. The Persistent Volume Claims option is selected by default.
2. Click Add. The Add Kubernetes Persistent Volume Claim page displays.

1. Define the PVC Name, Storage Class Name, Volume Name, Volume Mode, and other details such as volume Access Modes.

2. Click Add.

3. On the Kubernetes Storage page, select the Storage Class option.

4. Click Add. The Add Kubernetes Storage Class page displays.
5. Define the Storage Class Name, Provisioner, Reclaim Policy, and Volume Binding Mode. Select other options, such as whether to Allow Volume Expansion.

6. Click Add.

Creating a Storage Class

1. In the DuploCloud Portal, navigate to Kubernetes -> Storage.

2. Click Add. The Add Kubernetes Storage Class page displays.

3. Create a Storage Class, as in the example below.

Ingress controllers abstract the complexity of routed Kubernetes application traffic, providing a bridge between Kubernetes services and services that you define.

Prerequisites

Creating Services with AKS

To run the Load Balancers, you must create one or more Services. To add a service, follow the steps in the Services topic. In this example, we created two Services named s1-alb and s4-nlb.

Enabling the Ingress Controller

Before you add an Ingress rule, you need to enable the Ingress Controller for the application gateway.

1. In the DuploCloud Portal, navigate to Administrator -> Infrastructure.

2. Select the Infrastructure from the NAME column.

3. Select the Settings tab, and click Add. The Infra-Set Custom Data pane displays.

4. In the Setting Name list box, select Enable App Gateway Ingress Controller. Enable the setting and click Set. The Enable App Gateway Ingress Controller setting value is true.

Adding a Load Balancer Listener using K8S NodePort

1. In the DuploCloud Portal, navigate Kubernetes -> Services.

2. Select the Service from the NAME column.

3. Click the Load Balancers tab.

4. Click Configure Load Balancer. The Add Load Balancer Listener pane appears.
5. In the Select Type field, select K8S Node Port.

6. In the Health Check field, add the Kubernetes Health Check URL for this container.

7. Complete the other fields in the Add Load Balancer Listener and click Add.

Adding Kubernetes Ingress

1. In the DuploCloud Portal, navigate to Kubernetes -> Ingress.

2. Click Add. The Add Kubernetes Ingress page displays.

3. Supply the Ingress Name, select the Ingress Controller (in this example, azure-application-gateway), and set Visibility to Public.
4. In the DNS Prefix field, provide the DNS prefix to expose services.

5. From the Certificate ARN list box, select the certificate ARN to expose services over HTTPS.

6. Optionally, in the Port Override field, select a port to override. This field allows configuring frontend listeners to use ports other than 80/443 for HTTP/HTTPS. If you use a port other than 80, you must define an additional Security Group rule for that port. See this section for more information.

Configuring Ingress rules

1. On the Add Kubernetes Ingress page, click Add Rule. The Add Ingress Rule pane displays.
2. Enter a Path.

3. In the Path Type list box, select Exact, Prefix, or Implementation Specific.

4. In the Service Name field, select the Service (s1-alb:80 in this example).

5. Click Add Rule to add the Ingress rule.

6. Repeat steps 1-5 to add additional rules. In this example, we added a second rule for Service s4-nlb:80.

7. On the Add Kubernetes Ingress page, click Add to create the Ingress.

Adding a Security Group Rule

1. In the DuploCloud Portal, navigate to Administrator -> Infrastructure.

2. Select the Infrastructure from the NAME column.

3. Select the Security Group Rules tab.

4. Click Add. The Add Infrastructure Security pane displays.
5. Define the rule and click Add. The rule is added to the Security Group Rules list.

Viewing Ingress

Viewing Ingress details in the DuploCloud Portal

When Ingress is configured, view details by navigating to Kubernetes -> Ingress, and selecting your Ingress from the NAME column.

Viewing Ingress details using curl Commands

You can also view Ingress details using curl commands. Curl commands are configured with the DNS names and paths (as defined in your Ingress rules) in the format: curl http://<dns1>/<path1>. The responses from these requests will show how traffic is being routed according to the Ingress configuration. For example, see the following three commands and responses:

Command: curl http://ig-nev-ingress-ing-t2-1.duplopoc.net/path1/

Response: this is IG-NEV

Command: curl http://ing-doc-ingress-ing-t2-1.duplopoc.net/path2/

Response: this is ING-DOC

Command: curl http://ing-public-ingress-ing-t2.1.duplopoc.net/path3/

Response: this is ING2-PUBLIC

An Azure Application Gateway SSL policy allows you to configure the security settings for SSL/TLS connections between clients and the application gateway. By defining an SSL policy, you can specify which protocols and cipher suites to use, enhancing security, meeting compliance requirements, and optimizing performance. Configuration can be done via the Azure portal, Azure CLI, or ARM templates. See the Microsoft documentation for more information.

To use an Application Gateway SSL policy with Ingress for your ALB Load Balancer, follow these steps:

1. From the DuploCloud Portal, navigate to Administrator -> Systems Settings.

2. Select the System Config tab, and click Add. The Add Config pane displays.

3. In the Config Type list box, select AppConfig.

4. In the Key field, enter AZURE_APP_GATEWAY_SSL_POLICY.

5. In the Value field, enter your Azure Application Gateway SSL Policy (for example AppGwSslPolicy20220101).

6. Click Submit.

DuploCloud supports the customization of many Kubernetes (K8s) YAML operators, such as tolerations. If you are using a Docker container, you can specify the tolerations operator configuration in the Other Container Config field in the container definition in DuploCloud

Specifying Pod Toleration

1. In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.

2. Select the Service from the NAME column.

3. From the Actions menu, select Edit. The Edit Service page displays.

4. Click Next to proceed to the Advanced Options page.

5. In the Other Container Config field, add the tolerations operator YAML you have customized for your container.

6. Click Update. Your container has been updated with your custom specifications for the tolerations operator.

Example Code: tolerations operator YAML

In this example:

• If a Pod is running and a taint matching key1 exists on the node, then the Pod will not schedule the node (NoSchedule).

• If a Pod is running and a taint matching example-key exists on the node, then the Pod stays bound to the node for 6000 seconds and then is evicted (NoExecute). If the taint is removed before that time, the Pod will not be evicted.

tolerations:
  - key: key1
    operator: Equal
    value: value1
    effect: NoSchedule
  - key: example-key
    operator: Exists
    effect: NoExecute
    tolerationSeconds: 6000

Mounting Native Azure Built-In Storage Classes

AKS provides a few out-of-the-box StorageClass objects. To mount the built-in storage classes, configure the Volumes field as shown below when adding a Service.

- AccessMode: ReadWriteMany
  Name: data
  Path: /attachedvolume
  StorageClassName: azurefile #if empty default storage class will be used which is disk
  Size: 20Gi