Controller's improvements
Here comes a new release of Spider Controller with a bunch of improvements:
- Lists Gociphers & Sidecar Whisperers
- Allows getting logs from Controller, Attachments, Sidecars & Gociphers
- Provides Sidecar Whisperers to Gociphers to allow TLS deciphering on their captured data
- When an Ephemeral Whisperer fails twice in 5 minutes, the Controller stops restarting it to avoid overloading the POD manifest
Story
All these improvements were triggered by the fact that, when a Gossiper configuration is wrong (e.g. it has text instead of a number in a JSON field), it fails to start... And the Controller restarts it, again, and again, and again...
A few minutes later, the target POD manifest includes hundreds of ephemeral containers...
Which makes the Kubernetes API fail because the manifest is too big (10 MB)!
Which in the end tends to freeze the cluster...
I figured out I needed to implement a back-off in the Controller itself, since Kubernetes does not do it there.
But then I needed to expose logs to the user to explain WHY the Whisperer was not starting.
And that pulled in all the rest:
- Inventory
- Logs
- And finally the ability to capture TLS secrets from Sidecar Whisperers!
Controller inventory
Controllers now list all deployed agents in the cluster they are in: Listing deployed agents.
Two tabs have been added beside the Attachments one:
- Sidecars
- Gociphers
Example for Sidecars:
Getting logs
In these Whisperer or Gocipher container listings, the small black terminal icon allows you to get the latest logs of the remote agent:
This is pretty neat when troubleshooting and debugging Spider!
You may even access the complete log item if need be:
Wish you had this in all your products, don't you?
TLS deciphering for Sidecars
Previously, the new TLS deciphering feature was only available for Attached Whisperers.
Now, if your Sidecar Whisperer includes a `WHISPERER` environment variable in its manifest, it will be exposed to Gociphers, as for Attached Whisperers.
And you will see them appear in the Gocipher targets.
Backoff implementation
The final goal of all these cool new features (which are in fact quick-win side effects): the Controller backoff implementation.
When spawning a new Whisperer for an Attachment, now the Controller checks if the same Whisperer was previously attached to the target POD:
- If 2 recent attachments failed with an error code > 0 in the last 5 minutes, the Controller will delay the Whisperer attachment.
This leaves you some time to fix the error (by checking the terminated Whisperers' logs)... before killing your cluster.
It will still continue creating ephemeral containers every 5 minutes if you don't fix it!
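The check described above, sketched as an added example (this is not Spider's own code): it reads the target POD's `ephemeralContainerStatuses` and counts recent non-zero exits for one Whisperer. Matching a Whisperer's containers by a name prefix such as `whisperer-abc-` is a hypothetical convention assumed here, and the POD JSON is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Subset of the Kubernetes Pod status fields that the check reads.
type terminated struct {
	ExitCode   int       `json:"exitCode"`
	FinishedAt time.Time `json:"finishedAt"`
}
type pod struct {
	Status struct {
		Ephemeral []struct {
			Name  string                           `json:"name"`
			State struct{ Terminated *terminated } `json:"state"`
		} `json:"ephemeralContainerStatuses"`
	} `json:"status"`
}

// Constructed sample: three failed runs of one Whisperer, one clean exit of another.
const samplePod = `{"status":{"ephemeralContainerStatuses":[
 {"name":"whisperer-abc-1","state":{"terminated":{"exitCode":1,"finishedAt":"2024-01-01T12:00:00Z"}}},
 {"name":"whisperer-abc-2","state":{"terminated":{"exitCode":1,"finishedAt":"2024-01-01T12:07:00Z"}}},
 {"name":"whisperer-abc-3","state":{"terminated":{"exitCode":1,"finishedAt":"2024-01-01T12:09:00Z"}}},
 {"name":"whisperer-xyz-1","state":{"terminated":{"exitCode":0,"finishedAt":"2024-01-01T12:09:30Z"}}}]}}`

// ShouldDelay reports whether a new attachment must wait: true when at least 2
// containers named with prefix (assumed convention) exited > 0 in the last 5 minutes.
func ShouldDelay(podJSON []byte, prefix string, now time.Time) (bool, error) {
	var p pod
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return false, err
	}
	failures := 0
	for _, c := range p.Status.Ephemeral {
		t := c.State.Terminated // nil while the container is waiting or running
		if t != nil && strings.HasPrefix(c.Name, prefix) && t.ExitCode > 0 && now.Sub(t.FinishedAt) <= 5*time.Minute {
			failures++
		}
	}
	return failures >= 2, nil
}

func main() {
	fmt.Println(ShouldDelay([]byte(samplePod), "whisperer-abc-", time.Date(2024, 1, 1, 12, 10, 0, 0, time.UTC)))
}
```

Because the decision is derived from the POD status itself, it survives a Controller restart: the failure history lives in the terminated container entries, not in Controller memory.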