Monday, 9 March 2026

Application Pod Disruption Budget (PDB) in Kubernetes



A Pod Disruption Budget (PDB) in Kubernetes:
  • It's an API object
  • Sets the minimum number of pods an application needs to function smoothly during disruptions
  • Limits the number of replicated pods that are down simultaneously during voluntary disruptions (e.g., node upgrades, maintenance, draining)
  • Ensures high availability by guaranteeing a minimum number or percentage of pods remain active. 

Key Aspects of PDBs:


In general, disruptions can be:
  • voluntary, such as maintenance operations or node scaling, or
  • involuntary, such as hardware failures or system crashes

Voluntary Focus: PDBs only protect against voluntary disruptions, such as kubectl drain or node repairs, not against involuntary, unavoidable failures.

Configuration: You define a PDB using either
  • either minAvailable 
    • minimum pods that must run
  • or maxUnavailable
    • maximum pods allowed to be down
    • PDB configuration setting defining the maximum number of pods that can be voluntarily taken down simultaneously.

Use Case: Ideal for quorum-based applications (e.g., Elasticsearch, Zookeeper) to ensure quorum is never lost during node maintenance.

Mechanism: When a cluster administrator drains a node, the system checks the PDB. If removing a pod violates the budget, the action is delayed until enough replicas are available elsewhere. 

Example PDB Configuration:


apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: web-pdb
spec:
  minAvailable: 2 # At least 2 pods must remain running
  selector:
    matchLabels:
      app: web-app


Best Practice: 


Use PDBs in conjunction with pod anti-affinity rules to ensure pods are spread across nodes.

How to check PDB in cluster?


Example:

% kubectl get pdb -A                          

NAMESPACE     NAME                        MIN AVAILABLE   MAX UNAVAILABLE   ALLOWED DISRUPTIONS   AGE
clickhouse    chi-clickhouse-ch           N/A             1                 1                     132d
kube-system   ws-cluster-autoscaler       N/A             1                 1                     133d
kube-system   coredns                     N/A             1                 1                     140d
kube-system   ebs-csi-controller          N/A             1                 1                     140d
kube-system   karpenter                   N/A             1                 1                     139d


ALLOWED DISRUPTIONS:
  • the real-time status indicator 
  • showing how many pods can currently be evicted without violating the set maxUnavailable or minAvailable constraints
  • The non-zero value means that the disruption controller has seen the pods, counted the matching pods, and updated the status of the PDB

To see the number of current and desired healthy pods (and how ALLOWED DISRUPTIONS is actually calculated):

% kubectl get poddisruptionbudgets karpenter -n kube-system -o yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  annotations:
    meta.helm.sh/release-name: karpenter
    meta.helm.sh/release-namespace: kube-system
  creationTimestamp: "2025-10-21T14:05:33Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/version: 1.3.2
    helm.sh/chart: karpenter-1.3.2
  name: karpenter
  namespace: kube-system
  resourceVersion: "2664456"
  uid: 2b58340a-fd07-4567-95a9-2a43b5dd4bca
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: karpenter
      app.kubernetes.io/name: karpenter
status:
  conditions:
  - lastTransitionTime: "2025-10-27T10:52:01Z"
    message: ""
    observedGeneration: 1
    reason: SufficientPods
    status: "True"
    type: DisruptionAllowed
  currentHealthy: 2
  desiredHealthy: 1
  disruptionsAllowed: 1
  expectedPods: 2
  observedGeneration: 1


PDB and Rolling Update of Node Group

ALLOWED DISRUPTIONS = 1 is generally the safest and most standard setting for a rolling node group update, especially for high-availability workloads. 

Key Considerations for maxUnavailable: 1


Safety First: This setting ensures only one node is updated at a time. This is ideal for maintaining quorum in stateful applications like databases (e.g., Consul or ZooKeeper) where losing multiple nodes 
simultaneously could cause data loss or service failure.

Default Behavior: In Amazon EKS managed node groups, maxUnavailable defaults to 1 if not specified.

Resource Availability: For this to work, your cluster must have enough spare capacity (CPU/Memory) on the remaining nodes to host the pods evicted from the node being updated.

Update Speed: While safe, updating one node at a time is the slowest method. For very large clusters, you might consider a higher absolute number or a percentage (e.g., 10%) to speed up the process. 

When 1 is NOT Enough


Blocking Drains: If you have a Pod Disruption Budget (PDB) where minAvailable equals your total replicas, the node drain will be blocked, and the update will stall because no pods can be legally moved.

Timeouts: Amazon EKS has a 15-minute timeout for draining pods. If pods take too long to terminate, the update may fail unless you have configured pre-stop hooks or adjusted your PDBs.


In-Depth Explanation


In a Pod Disruption Budget (PDB), the setting ALLOWED DISRUPTIONS = 1 (which results from either maxUnavailable: 1 or a minAvailable value that leaves one "slot" free) acts as a safety valve that synchronizes infrastructure changes with application health. 

Here is exactly how it makes a rolling node group update safe:

1. It Hooks into the "Eviction API" 

When a node group update begins, the automation doesn't just "kill" pods; it calls the Kubernetes Eviction API. 

The Check: Before a pod is removed from a node being updated, the Eviction API checks your PDB.
The Logic: If ALLOWED DISRUPTIONS is 1, the API allows exactly one pod to be terminated. Once that pod is gone, the "Allowed Disruptions" counter drops to 0. 

2. It Forces a Sequential Wait 

This is the most critical safety feature. If a second pod eviction is requested while the first one is still being replaced: 
  • The Block: The API sees ALLOWED DISRUPTIONS = 0 and rejects the eviction request.
  • The Wait: The node "drain" process pauses and retries. It will stay paused until the first pod's replacement is scheduled on a different node and passes its Readiness Probe.
  • The Reset: Only when the new pod is "Ready" does the ALLOWED DISRUPTIONS count return to 1, allowing the next pod to be safely evicted. 

3. It Prevents "Brain-Dead" Automation

Without this PDB setting, a node group update might try to drain a node that holds all replicas of your app. 
  • Without PDB: The node drains, kills all pods at once, and you have a total outage.
  • With ALLOWED DISRUPTIONS = 1: The automation is physically unable to kill the second pod until the first one is safely back online elsewhere, ensuring your app always has at least some capacity. 

Summary of the "Safety Loop"


Step Action                                                                 PDB State (Allowed Disruptions)
1 Node update starts; first pod eviction requested 1 → Eviction granted
2 First pod is terminating; replacement is starting 0 → All further evictions blocked
3 Replacement pod passes Readiness Probe         0 → 1 → Block lifted
4 Next pod eviction requested                                 1 → Process repeats

Important Note: If your app only has 1 replica total, a PDB with minAvailable: 1 will block the node update forever because it can never safely evict that single pod. You generally need at least 2 replicas for this safety mechanism to work without stalling your updates.


Can pod disruption budget be defined in deployment manifest?


No, a Pod Disruption Budget (PDB) cannot be defined directly inside a Deployment manifest. In Kubernetes, a PDB is a separate API resource (Kind: PodDisruptionBudget) that exists independently of the Deployment. 

While they are separate resources, they are linked by a Label Selector. You define the PDB to target specific pods by matching the labels specified in your Deployment's pod template. 

Why they are separate?


  • Decoupled Lifecycle: You can create, update, or delete a PDB without needing to redeploy your application or trigger a rolling update of your pods.
  • Multiple Controllers: A single PDB can protect pods across multiple Deployments, ReplicaSets, or StatefulSets as long as they share the same labels.
  • Administrative Control: Cluster administrators may manage PDBs separately from application developers to ensure cluster-wide stability during maintenance like node drains.

How to link them?


To make them work together, ensure the spec.selector.matchLabels in your PDB YAML matches the spec.template.metadata.labels in your Deployment YAML. 

Deployment snippet:

metadata:
  labels:
    app: my-app
spec:
  template:
    metadata:
      labels:
        app: my-app

PDB snippet:

spec:
  selector:
    matchLabels:
      app: my-app
  minAvailable: 2


Here is an example of a complete multi-resource YAML that includes both the Deployment and the PDB:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-server
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: web-server-pdb
spec:
  # The PDB finds the pods using this selector
  selector:
    matchLabels:
      app: nginx
  # Ensures at least 2 pods stay up during voluntary disruptions
  minAvailable: 2


Key Takeaways:

  • The Link: The spec.selector.matchLabels in the PDB must exactly match the spec.template.metadata.labels in the Deployment.
  • Voluntary Disruptions: This PDB will protect your pods during actions like node drains or cluster upgrades, but it won't prevent "involuntary" issues like a hardware crash.

Using maxUnavailable is often better for autoscaling environments because it scales with your replica count. Instead of saying "I need X pods alive," you’re saying "I can afford to lose X pods."

Here is the updated manifest:


apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-server
spec:
  replicas: 5
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: web-server-pdb
spec:
  selector:
    matchLabels:
      app: nginx
  # Only 1 pod can be taken down at a time during maintenance
  maxUnavailable: 1

Pro Tips for maxUnavailable:
  • Absolute Number: Using 1 ensures that even if you have 100 replicas, Kubernetes will only drain one node at a time for this app.
  • Percentage: You can use a string like "25%" if you want the "allowed downtime" to grow or shrink as your Deployment scales.
  • The "One" Rule: You cannot use both minAvailable and maxUnavailable in the same PDB; you have to pick one strategy.

How to use a percentage to make the PDB more flexible for Horizontal Pod Autoscaling (HPA)?


Using percentages for a Pod Disruption Budget (PDB) is highly recommended when combined with a Horizontal Pod Autoscaler (HPA). This allows the disruption budget to scale dynamically as your application grows or shrinks based on traffic. 

Dynamic YAML Example (Deployment + HPA + PDB)

This configuration ensures that no matter how many replicas the HPA creates, at least 80% of them will always remain available during maintenance.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dynamic-app
spec:
  replicas: 2 # Initial count
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx
        image: nginx:latest
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: dynamic-app
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: web-pdb
spec:
  selector:
    matchLabels:
      app: web
  # Scales with HPA: if HPA scales to 10 pods, 8 must stay up.
  minAvailable: 80%

Key Behaviours to Note:

  • Rounding Logic: Kubernetes always rounds up the result of the percentage to the nearest integer. For example, if you have 7 pods and set minAvailable: 50%, Kubernetes requires 4 pods to remain available.
  • Maintenance Blockers: Be careful with 100% or 0%. Setting minAvailable: 100% or maxUnavailable: 0% will completely block node drains, preventing cluster administrators from performing upgrades or maintenance.
  • Single Replica Limitation: If your HPA scales down to 1 replica, a PDB with minAvailable: 1 or 100% will prevent that single pod from being evicted, which can stall cluster maintenance. 


How to troubleshoot a node drain that is stuck because of a PDB?


A kubectl drain typically gets stuck because the ALLOWED DISRUPTIONS for a specific PDB is 0. This means evicting even one more pod would violate your availability rules. 

1. Identify the Blocking PDB


Run this command to see which PDB is preventing the drain: 

kubectl get pdb -A

Look for any PDB where ALLOWED DISRUPTIONS is 0. If it’s 0, the eviction API will reject any attempt to move those pods, and the drain will wait indefinitely

2. Common Reasons for "Allowed Disruptions: 0"

  • Too Few Replicas: You have minAvailable: 1 but only 1 pod is currently running.
  • Unhealthy Pods: Your PDB requires 3 pods to be healthy, but one is crashing or not yet "Ready." The PDB won't allow any more to be removed until that one is fixed.
  • Misconfiguration: You set minAvailable equal to your total replicas (e.g., 3 out of 3), meaning you've effectively told Kubernetes "never take a pod down". 

3. How to Unstick the Drain

Depending on your situation, use one of these three strategies:

  • Strategy: Scale Up
    • Command:  kubectl scale deployment <name> --replicas=<current+1>
    • Best For: Safest: Adds a new pod on a different node so the PDB is satisfied.
  • Strategy: Relax PDB
    • Command: kubectl edit pdb <pdb-name>
    • Best For: Cleanest: Temporarily lower minAvailable or increase maxUnavailable.
  • Strategy: Temporary Delete
    • Command: kubectl delete pdb <pdb-name>
    • Best For: Emergency: Delete the PDB, finish the drain, then re-apply the PDB later.

Warning: The "Force" Flag

Using kubectl drain <node> --force does not bypass PDBs. It only forces the deletion of pods not managed by a controller (like standalone pods) or pods using emptyDir. To truly bypass a PDB, you must either delete the PDB or manually kubectl delete pod the blocking pods

How to find all pods on a specific node that are currently protected by a PDB?


To find pods on a specific node that are protected by a Pod Disruption Budget (PDB), you need to cross-reference the pods on that node with the label selectors defined in your PDBs. 

Option 1: The Quickest Way (Manual Check)

The most direct way to see all pods on a node and identify their labels is to use the describe node command. 

kubectl describe node <node-name>

Look for the Non-terminated Pods section. You can then check if those pods' labels match your PDB selectors. 

Option 2: Filtered Search (Best for Large Nodes)

If the node has many pods, use this command to list all pods on that node along with their labels:

kubectl get pods -A -o wide --field-selector spec.nodeName=<node-name> --show-labels

-A: Searches across all namespaces.
--field-selector spec.nodeName: Limits results to the specific node.
--show-labels: Displays the labels you need to compare against your PDB's spec.selector. 

Option 3: Identifying the PDB Selector

To see exactly what labels a PDB is looking for, run:

kubectl get pdb <pdb-name> -o jsonpath='{.spec.selector.matchLabels}'

Any pod on your node that has these exact labels is protected by that PDB. 

Summary of Useful Flags

Flag                 Purpose
-----------------         ----------
-o wide                 Shows the NODE column to verify where pods are running.
--field-selector Filters the list server-side by the node name.
-l or --selector         Filters pods by specific labels (e.g., kubectl get pods -l app=nginx).



---
Posted by at No comments:
Labels: ,

Thursday, 5 March 2026

How to install Clickhouse in AWS EKS cluster via Altinity Helm charts and Terraform


 
Installing ClickHouse on an AWS EKS cluster using Terraform and the Altinity Helm charts typically involves two stages:
  1. Installing the Altinity ClickHouse Operator
  2. Deploying a ClickHouse Installation (CHI)
The Altinity Helm repository is located at https://helm.altinity.com.


Prerequisites


Ensure your Terraform environment is configured with the following providers:
  • aws: To manage EKS and underlying infrastructure.
  • kubernetes: To interact with the EKS cluster.
  • helm: To install the operator.

Terraform Configuration


The following example uses the helm_release resource to install the operator and the kubernetes_manifest resource to deploy the actual ClickHouse cluster.

Step A: Install the Altinity Operator


The operator is the "brain" that manages ClickHouse instances on Kubernetes.


resource "helm_release" "clickhouse_operator" {
  name             = "clickhouse-operator"
  repository       = "https://helm.altinity.com"
  chart            = "altinity-clickhouse-operator"
  namespace        = "clickhouse-operator"
  create_namespace = true

  # Optional: Enable metrics for Prometheus
  set {
    name  = "metrics.enabled"
    value = "true"
  }
}


Step B: Deploy a ClickHouse Cluster (CHI)


Once the operator is running, you define your ClickHouse cluster using a Custom Resource (CRD). In Terraform, you use kubernetes_manifest.


resource "kubernetes_manifest" "clickhouse_cluster" {
  depends_on = [helm_release.clickhouse_operator]

  manifest = {
    apiVersion = "clickhouse.altinity.com/v1"
    kind       = "ClickHouseInstallation"
    metadata = {
      name      = "simple-clickhouse"
      namespace = "clickhouse-operator"
    }
    spec = {
      configuration = {
        clusters = [
          {
            name = "cluster1"
            layout = {
              shardsCount   = 1
              replicasCount = 1
            }
          }
        ]
      }
    }
  }
}


Production Considerations for EKS


When running ClickHouse on EKS, you should consider storage and networking:
  • Storage Class: Use AWS gp3 volumes for a good balance of price and performance. You can specify a volumeClaimTemplate in your kubernetes_manifest.
  • Node Affinity: It is recommended to run ClickHouse on specific node groups (e.g., using i3 or r5 instances) to ensure it doesn't compete with other workloads for IOPS.
  • Zookeeper/Keeper: For multi-node shards or replicas, you will need a Zookeeper cluster or the ClickHouse Keeper (also available via Altinity charts).

EKS Module


Altinity maintains a dedicated Terraform EKS ClickHouse module that automates the entire VPC, EKS, and ClickHouse setup if you prefer a pre-packaged solution.


How to view Clickhouse Installation Configuration?



% kubectl get chi -n clickhouse -o yaml                      
apiVersion: v1
items:
- apiVersion: clickhouse.altinity.com/v1
  kind: ClickHouseInstallation
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
 {"apiVersion":"clickhouse.altinity.com/v1","kind":"ClickHouseInstallation","metadata":....}
    creationTimestamp: "2025-01-28T14:35:46Z"
    finalizers:
    - finalizer.clickhouseinstallation.altinity.com
    generation: 12
    name: clickhouse
    namespace: clickhouse
    resourceVersion: "67251031"
    uid: 9fxxxx1-81e7-429b-9cf7-ffxxxxxxef
  spec:
    configuration:
      clusters:
      - layout:
          replicasCount: 1
          shardsCount: 1
        name: ch
        templates:
          dataVolumeClaimTemplate: ch-data
          podTemplate: ch-pod
          serviceTemplate: ch-svc
      users:
        admin/grants/query: GRANT ALL ON *.*
        admin/networks/ip: 0.0.0.0/0
        admin/password: my-admin-password
(or     admin/password_sha256_hex: my-admin-password-in-sha256)
        admin/profile: xxxx
        admin/quota: xxxxx
        admin/settings/enable_http_compression: 1
        default/k8s_secret_password_sha256_hex: <namespace/secretName/key>
        default/profile: default
        default/quota: default
    templates:
      podTemplates:
      - name: ch-pod
        spec:
          containers:
          - image: altinity/clickhouse-server:24.8.14.10544.altinitystable
            name: clickhouse
          - args:
            - server
            env:
            - name: LOG_LEVEL
              value: info
            - name: API_LISTEN
              value: 0.0.0.0:7171
            - name: API_CREATE_INTEGRATION_TABLES
              value: "true"
            - name: REMOTE_STORAGE
              value: s3
            - name: BACKUPS_TO_KEEP_REMOTE
              value: "2"
            - name: S3_BUCKET
              value: my-clickhouse-backups
            - name: S3_REGION
              value: us-east-1
            - name: CLICKHOUSE_HOST
              value: localhost
            - name: CLICKHOUSE_USERNAME
              value: xxxxx
            - name: CLICKHOUSE_PASSWORD
              value: xxxx
            image: altinity/clickhouse-backup:latest
            imagePullPolicy: IfNotPresent
            name: clickhouse-backup
          serviceAccountName: clickhouse-backup
          tolerations:
          - effect: NoSchedule
            key: karpenter/clickhouse
            operator: Exists
      serviceTemplates:
      - metadata:
          annotations:
            service.beta.kubernetes.io/aws-load-balancer-ip-address-type: ipv4
            service.beta.kubernetes.io/aws-load-balancer-name: my-clickhouse-nlb
            service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
            service.beta.kubernetes.io/aws-load-balancer-scheme: internal
            service.beta.kubernetes.io/aws-load-balancer-type: nlb
          name: clickhouse
        name: ch-svc
        spec:
          ports:
          - name: http
            port: 8123
            targetPort: 8123
          - name: native
            port: 9000
            targetPort: 9000
          type: LoadBalancer
      volumeClaimTemplates:
      - name: ch-data
        spec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 100Gi
  status:
    chop-commit: 9abcd12
    chop-date: 2025-01-24T08:40:12
    chop-ip: 10.x.x.x
    chop-version: 0.25.5
    clusters: 1
    endpoint: clickhouse-clickhouse.clickhouse.svc.cluster.local
    fqdns:
    - chi-clickhouse-ch-0-0.clickhouse.svc.cluster.local
    hosts: 1
    hostsWithTablesCreated:
    - chi-clickhouse-ch-0-0.clickhouse.svc.cluster.local
    pods:
    - chi-clickhouse-ch-0-0-0
    shards: 1
    status: Completed
    taskID: auto-1xxxxd2-5ba4-4c3a-9daa-baxxxxx850
    taskIDsCompleted:
    - auto-1fxxxxxd2-5ba4-4c3a-9daa-baxxxxxx50
      ...
    - auto-bbxxxx6-31e3-4a4c-b04b-e5xxxxxx91
    taskIDsStarted:
    - auto-31xxxxx37-492f-4109-b515-4axxxxxx6c8
      ... 
    - auto-b8xxxxx7-0396-41e0-b5d1-95xxxxd48
kind: List
metadata:
  resourceVersion: ""


Users section shows users config in form USER_NAME/ATTRIBUTE. In the example above we have two users: admin and default.

USER_NAME/password values is plain text password. This is very convenient for debugging (though usually a security "no-no" for production, especially if that's admin or default user!).

USER_NAME/password_sha256_hex is a SHA256 hashed password.

USER_NAME/k8s_secret_password_sha256_hex: <namespace/SECRET_NAME/KEY_NAME > shows that USER_NAME ClickHouse user is secured using a Kubernetes Secret. This maps the default user's password to a specific Kubernetes Secret. 

  • USER_NAME/k8s_secret_password_sha256_hex: Specifies that for the user named USER_NAME, the password should be read from a Kubernetes Secret as a SHA256 hex string.
  • <namespace/SECRET_NAME/KEY_NAME >: This is the reference to the secret itself, structured as namespace/SECRET_NAME/KEY_NAME.
  • Purpose: This allows for secure, GitOps-friendly password management, preventing plain-text passwords from appearing in Kubernetes manifests.
  • Implementation: The ClickHouse Operator reads this secret and places the hashed password into the users.xml file for the ClickHouse server. Operator reads the secret, hashes the password (if necessary), and writes it into a file called /etc/clickhouse-server/users.d/chop-generated-users.xml inside your ClickHouse pod. If you have External Secrets installed, this secret is likely being pulled from AWS Secrets Manager.
  • Alternative: You can also use k8s_secret_env_password_sha256_hex to load the password via an environment variable.

In the Altinity Operator, the syntax USER_NAME/k8s_secret_password_sha256_hex is a pointer. It tells the operator to look into a specific secret to find the password hash for the USER_NAME user.

To get the password:

% kubectl get secret <SECRET_NAME> \
    -n <NAMESPACE> \
    -o jsonpath="{.data.<KEY_NAME>}" \
    | base64 -d

NAMESPACE is usually clickhouse.


How to check Clickhouse health?


Since ClickHouse is running in our cluster, the best way to verify it's "working fine" is to move beyond just checking the Pod status and actually query the database engine itself.

Here is a 3-step approach to verify health, connectivity, and data integrity.

1. The "Internal" Health Check


The quickest way is to execute a command directly inside the pod using the clickhouse-client. This bypasses networking issues and tells you if the engine is responsive. Run this command:

kubectl exec -it chi-clickhouse-ch-0-0 \
-n clickhouse \
-- clickhouse-client --query "SELECT version(), uptime()"

chi-clickhouse-ch-0-0 is the name of the pod, it can also be like chi-clickhouse-ch-0-0-0.

If this returns data, it means ClickHouse is successfully reading from its system tables on the EBS volume.

What to look for: It should return the version string and the number of seconds the server has been up. If this fails, the DB engine itself is hung.

If you are using default user which has a password, or, default user was disabled, the output might show the error similar to this:

% kubectl exec -it chi-clickhouse-ch-0-0-0 -n clickhouse -- clickhouse-client --query "SELECT version(), uptime()"
Defaulted container "clickhouse" out of: clickhouse, clickhouse-backup
Code: 516. DB::Exception: Received from localhost:9000. DB::Exception: default: Authentication failed: password is incorrect, or there is no user with such name.

If you have installed ClickHouse and forgot password you can reset it in the configuration file.
The password for default user is typically located at /etc/clickhouse-server/users.d/default-password.xml
and deleting this file will reset the password.
See also /etc/clickhouse-server/users.xml on the server where ClickHouse is installed.

. (AUTHENTICATION_FAILED)

command terminated with exit code 4

Seeing an AUTHENTICATION_FAILED error instead of a Connection Refused error is actually a positive result for this check:
  • Networking works: Your kubectl exec reached the pod.
  • Process is alive: The ClickHouse server is running and actively rejecting bad logins.
  • Storage is mounted: ClickHouse can't check credentials if it can't read its config files from disk.

If we know the Clickhouse credentials, we can perform the health check:

% kubectl exec -it chi-clickhouse-ch-0-0-0 -n clickhouse -- clickhouse-client --user USER --password PASS --query "SELECT version(), uptime(), name FROM system.clusters"
Defaulted container "clickhouse" out of: clickhouse, clickhouse-backup
24.8.14.10544.altinitystable 501389 all-clusters
24.8.14.10544.altinitystable 501389 all-replicated
24.8.14.10544.altinitystable 501389 all-sharded
24.8.14.10544.altinitystable 501389 ch
24.8.14.10544.altinitystable 501389 default


The output above is exactly what we wanted to see. The database is responsive, healthy, and has an uptime of ~5.8 days (501,389 seconds). The version 24.8.14.10544.altinitystable indicates we are on a very recent, stable Altinity build.


2. Check Replication and Disk Health


Since you are using the Altinity Operator, ClickHouse is likely managing data across disks. You want to ensure the "System" tables report no errors. Run this to check if the disks are mounted and have space:

% kubectl exec -it chi-clickhouse-ch-0-0-0 \
-n clickhouse \
-- clickhouse-client --user USER --password PASS \
--query "SELECT name, path, formatReadableSize(free_space) AS free, formatReadableSize(total_space) AS total FROM system.disks"

Defaulted container "clickhouse" out of: clickhouse, clickhouse-backup
default /var/lib/clickhouse/ 89.60 GiB 95.80 GiB

If you have multiple replicas (e.g., a ch-0-1 pod), check for replication lag:

% kubectl exec -it chi-clickhouse-ch-0-0-0 \
-n clickhouse \
-- clickhouse-client --user USER --password PASS \
--query "SELECT type, last_exception, num_tries FROM system.replication_queue WHERE last_exception != ''"     

Defaulted container "clickhouse" out of: clickhouse, clickhouse-backup

Result: This should ideally be empty (or as above) . If you see exceptions here, your nodes aren't syncing correctly.


3. Verify the "Operator" View


The Altinity Operator provides a "Status" field in its Custom Resource that summarizes the health of the entire installation.

% kubectl get chi -n clickhouse

NAME         CLUSTERS   HOSTS   STATUS      HOSTS-COMPLETED   AGE
clickhouse   1          1       Completed                     123d

What to look for: Look for the STATUS column. It should say Completed. If it says InProgress or Error, the Operator is struggling to configure the cluster.

4. Check the Backup (Safety Net)

Since you saw clickhouse-backup pods earlier, verify that the last backup actually succeeded. This is your "point of no return" check before the upgrade.

kubectl logs -n clickhouse -l job-name=clickhouse-backup-cron-<TIMESTAMP> 

(Replace <TIMESTAMP> with one of the strings from your previous get all output, e.g., 29543400).

Look for: Done, Success, or Upload finished.

5. Check the Status of All Replicas 


To be absolutely sure the cluster is "Green" before you start the EKS upgrade, run this to check the status of all replicas in the cluster:

% kubectl exec -it chi-clickhouse-ch-0-0-0 -n clickhouse -- clickhouse-client --user USER --password PASS --query "SELECT replica_path, is_leader, is_readonly, future_parts FROM system.replicas"

is_readonly: Should be 0. If it's 1, the node can't write data (usually a Zookeeper issue).
is_leader: One of your replicas should be 1.


Summary Checklist


Test      Command Goal     Good Result
Ping      SELECT  1        1
Uptime    SELECT uptime()  >0
Storage   system.disks     Free space > 10%
Operator  kubectl get chi  Completed


Resources:



Posted by at No comments:
Labels: , , ,

Introduction to ArgoCD


ArgoCD is a tool for deploying applications in Kubernetes cluster following the GitOps principles. 

Argo CD is a declarative, GitOps-based continuous delivery (CD) tool designed specifically for Kubernetes. It acts as a controller that monitors running applications, compares their live state to the desired state defined in a Git repository, and automatically syncs them to ensure consistency. 

Key Aspects of an Argo CD Application:
  • GitOps Source of Truth: Git repositories hold the desired state (manifests, Helm charts, Kustomize configs), which Argo CD pulls to apply to clusters.
  • Automated Synchronization: It automatically detects "OutOfSync" applications—where the live cluster state differs from Git—and can automatically or manually sync them to match.
  • Continuous Monitoring: It acts as a Kubernetes controller that continuously monitors applications.
  • Visualization & Management: It provides a web UI to visualize application structure, monitor status, and manage rollbacks.
  • Key Capabilities: Supports automated deployment, drift detection, and easy rollbacks. 

Argo CD is often used to ensure that the actual state of a Kubernetes cluster matches the configuration stored in a Git repository, making the deployment process more reliable and transparent.

ArgoCD GitOps flow:
  • Commit and push infra code changes (Terraform, Helm values etc) to the main branch of your GitHub repository.
  • ArgoCD Sync:
    • Manual: Log in to our ArgoCD Dashboard and click the "Sync" or "Refresh" button on the psmdb-default-sharded application.
    • Automatic: If "Self-Heal" or "Auto-Sync" is enabled, ArgoCD will detect the Git change within ~3 minutes and apply it to the cluster automatically.
  • Monitor the Operator: Once ArgoCD syncs, infra will get changed e.g. operators will see the updated custom resources and then trigger the further actions.

Installation


Installing ArgoCD in a Kubernetes cluster is primarily done using manifests or Helm charts. The most common and recommended approach for beginners is using the Official Argo CD Manifests. 

Prerequisites:
  • A running Kubernetes cluster (v1.22 or later).
  • kubectl command-line tool installed and configured to your cluster.
  • At least 2GB of available memory in your cluster.

Applications


ArgoCD defines custom Kubernetes objects like ApplicationAppProject, settings...which can be defined declaratively using Kubernetes manifests and deployed via kubectl apply to the ArgoCD namespace which is argocd by default.

To check ArgoCD applications:

% kubectl get applications -A        
NAMESPACE   NAME                    SYNC STATUS   HEALTH STATUS
argocd      my-app                  Synced        Progressing 



Dashboard


If you don't know the url of the ArgoCD dashboard, find the IP of the ArgoCD server and port-forward it:

% kubectl get svc argocd-server -n argocd
NAME          TYPE      CLUSTER-IP    EXTERNAL-IP PORT(S)        AGE
argocd-server ClusterIP 172.21.103.127 <none>     80/TCP,443/TCP 1d


By default, ArgoCD includes a built-in admin user with full super-user access. For better security practices, it is recommended that you use the admin account only for the initial configuration, then disable it once all required users have been added.

For this example, we can stick to this default admin user. Its password can be obtain via this command:

% kubectl get secret \
argocd-initial-admin-secret \
-n argocd \
-o jsonpath="{.data.password}" \
| base64 -d

Port forwarding:

% kubectl port-forward svc/argocd-server -n argocd 8080:443
Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080
Handling connection for 8080
Handling connection for 8080
Handling connection for 8080
Handling connection for 8080
Handling connection for 8080
Handling connection for 8080
...

We can now open the address http://localhost:8080/ in the browser to get the ArgoCD dashboard and log in with credentials above.

If there are no application registered with ArgoCD, we will see something like this:



---

Resources:


Posted by at No comments:
Labels: , , ,

Thursday, 26 February 2026

Introduction to KubePug (Kubernetes tool)



What is KubePug?


KubePug (Kubernetes PreUpGrade Checker) is an open-source kubectl plugin and CLI tool designed to identify deprecated or deleted APIs in your Kubernetes cluster or manifest files before you perform an upgrade. 

Key Features


  • Deprecation Detection: Scans your live cluster or static YAML manifests to find resources using APIs that are slated for removal in future Kubernetes versions.
  • Replacement Guidance: Not only flags outdated APIs but also suggests the recommended replacement API and specifies the exact version where the deprecation or deletion occurs.
  • Version Targeting: Allows you to specify a target Kubernetes version (e.g., v1.31) to validate your current resources against that specific future release.
  • Flexible Data Source: It automatically downloads a frequently updated API definition file (every 30 minutes) to stay current with the latest Kubernetes releases. 

Why Use It?


As Kubernetes evolves, APIs are moved from alpha/beta to stable (GA), and older versions are eventually removed. If you upgrade your cluster without updating your manifests, those resources will fail to deploy or operate. KubePug provides a "pre-flight" check to prevent these breaking changes from reaching production.


Installation & Usage


You can install KubePug via Krew (where it is listed under the name deprecations) or as a standalone binary. 

Method                  Command
---------                    -------------
Install via Krew kubectl krew install deprecations
Scan Live Cluster kubectl deprecations --k8s-version=v1.30
Scan Manifest File kubepug --input-file=./my-manifest.yaml

Installation via Krew


% kubectl krew install deprecations
Updated the local copy of plugin index.
Installing plugin: deprecations
Installed plugin: deprecations
\
 | Use this plugin:
 | kubectl deprecations
 | Documentation:
 | https://github.com/rikatz/kubepug
 | Caveats:
 | \
 |  | * By default, deprecations finds deprecated object relative to the current kubernetes
 |  | master branch. To target a different kubernetes release, use the --k8s-version
 |  | argument.
 |  | 
 |  | * Deprecations needs permission to GET all objects in the Cluster
 | /
/
WARNING: You installed plugin "deprecations" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.


Execution



Once installed, the plugin is invoked using kubectl deprecations.

Scan Current Cluster


Check your live cluster for deprecated APIs against a specific target Kubernetes version:

kubectl deprecations --k8s-version=v1.33
                    
Error: failed to get apiservices: apiservices.apiregistration.k8s.io is forbidden: User "sso:user" cannot list resource "apiservices" in API group "apiregistration.k8s.io" at the cluster scope
time="2026-02-26T14:20:19Z" level=error msg="An error has occurred: failed to get apiservices: apiservices.apiregistration.k8s.io is forbidden: User \"sso:user\" cannot list resource \"apiservices\" in API group \"apiregistration.k8s.io\" at the cluster scope"


KubePug requires running user to have "list" permissions on resource "apiservices" in API group "apiregistration.k8s.io" at the cluster scope as otherwise the above error will appear.

If required permissions are in place:

% kubectl deprecations --k8s-version=v1.33

No deprecated or deleted APIs found

Kubepug validates the APIs using Kubernetes markers. To know what are the deprecated and deleted APIS it checks, please go to https://kubepug.xyz/status/


Scan Local Manifest Files


Validate static YAML files before applying them to a cluster:

kubectl deprecations --input-file=./my-manifests/


View Results in Different Formats


Output the findings in json or yaml for automated processing:

kubectl deprecations --format=json


Check for Help and Flags


See all available configuration options, such as using a custom database file or setting error codes:

kubectl deprecations --help


Key Parameters


--k8s-version: The Kubernetes release you intend to upgrade to (defaults to the latest stable).
--error-on-deprecated: Forces the command to exit with an error code if deprecated APIs are found, which is useful for CI/CD pipelines. 


---

Posted by at No comments:
Labels: , , ,
Subscribe to: Comments (Atom)