Deploying a "Canary" Pod to an Existing Kubernetes Cluster

Question

Deploying a "Canary" Pod to an Existing Kubernetes Cluster

Harry Whitehouse 65

I have 3 PODs running an address verification process. The PODs accept JSON requests on port 8356. As you can see, I'm encountering restarts and I don't know why.

avmscpp-897c6f4cb-4lt78 1/1 Running 1 (25d ago) 27d

avmscpp-897c6f4cb-7sgcb 1/1 Running 4 (4d3h ago) 27d

avmscpp-897c6f4cb-9ztkw 1/1 Running 0 27d

The requests come from other containers in the same cluster. Those containers control communication to and from the outside world and then communicate "internally" to other containers like avmscpp. Here are the pods that field external requests:

rbapi-649fb78844-296m2 1/1 Running 0 155m

rbapi-649fb78844-544h5 1/1 Running 0 158m

rbapi-649fb78844-58mgl 1/1 Running 0 158m

I have created an updated, "instrumented" version of the avmscpp application which I'd like to deploy as a single pod and join the existing avmscpp pods servicing address verification requests. I've also created a deployment (with Copilot's help) YAML file like this:

apiVersion: apps/v1

kind: Deployment

metadata:

spec:

replicas: 1

selector:

matchLabels:

  app: avmscpp-canary

template:

metadata:

  labels:

    app: avmscpp-canary

spec:

  containers:

  - name: avmscpp

    image: intlbridge.azurecr.io/avmscpp-0.5.7

    ports:

    - containerPort: 8356

apiVersion: v1

kind: Service

metadata:

spec:

selector:

app: avmscpp-canary

ports:

protocol: TCP port: 8356 targetPort: 8356

type: ClusterIP

My question: Is this the right approach? Once deployed, I'd like the cluster to send 1 out of every 4 requests to my Canary pod. Will this happen automatically given the deployment script? Or do I need something else so that the new pod will share in the processing? Should I be using the name "avmscpp-canary" in my script or simply "avmscpp"?

Accepted answer

0 additional answers

Your answer

Answer 1

Prrudram-MSFT 28,201 Moderator

Hello @Harry Whitehouse

Your approach is mostly correct, but there are a few additional steps and considerations to ensure that your new pod will share in the processing as intended.

First, let's address your deployment script. The deployment YAML file you provided is correctly set up to deploy a single canary pod. However, to achieve the desired traffic distribution (1 out of every 4 requests to the canary pod), you will need to configure a load balancer or an ingress controller that supports traffic splitting.

Here are some key points to consider:

Service Configuration: Ensure that your service is correctly configured to route traffic to both the stable and canary pods. You might need to update your service definition to include both sets of pods.

Traffic Splitting: To achieve the 1:4 traffic split, you can use an ingress controller like NGINX or Istio, which supports traffic splitting. You will need to define an ingress rule that specifies the traffic distribution between the stable and canary pods.

Label Selector: Ensure that your service selector matches the labels of both the stable and canary pods. This will allow the service to route traffic to both sets of pods.

Monitoring and Rollback: Monitor the performance and behavior of the canary pod closely. If any issues arise, be prepared to roll back to the stable version.

Here's an example of how you might configure an ingress rule for traffic splitting using NGINX:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: avmscpp-ingress
spec:
  rules:
  - host: avmscpp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: avmscpp-service
            port:
              number: 8356
  - host: avmscpp-canary.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: avmscpp-canary-service
            port:
              number: 8356

In this example, traffic is split between the stable and canary services based on the host header. You can adjust the configuration to achieve the desired traffic distribution.

For more detailed guidance on canary deployments in Kubernetes, you can refer to the Azure Pipelines tutorial on canary deployments

If you have any further questions or need additional assistance, feel free to ask!

If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!

Harry Whitehouse 65 Reputation points

2024-12-12T15:56:16.82+00:00

Prrudram -- thanks for your input!! I removed my canary pod as it wasn't working, but now my sandbox system no longer works at all! Let's first talk about routing requests. We have nginx on the front end, and that handles load balancing of outside requests to another primary service called RBAPI. RBAPI in turn calls the AVMSCPP service in the same cluster. The way I think things are supposed to work, is that RBAPI calls the cluster IP of AVMSCPP and the cluster then distributes those requests to the various endpoints. So if I added a new pod (like the canary) and updated the endpoint to include the IP:port of the new pod, the cluster IP would take care of dishing out the requests to the various AVMSCPP pods.

As I struggled to get back to my original working system. I tested to see that my original pods were working. I did so by bashing into one of the RBAPI pods and performing a GET operation directly to one of the AVMSCPP pod IP's. That worked! But when I tried to direct the call to the AVMSCPP cluster IP, I received a "connection refused".

Then I noticed that my AVMSCPP service has no endpoints! So I created a YAML file to update the endpoints with the pod IP's and port 8356. Things still didn't work.

Then I restarted one of the AVMSCPP pods and noticed that the IP address changed (I realize that's normal), but the endpoints of AVMSCPP didn't seem to pick up this change. My understanding is that has something to do with the selectors.

Here's how my AVMSCPP service is described:

➜ dev k describe service avmscpp

Name: avmscpp

Namespace: default

Labels: app.kubernetes.io/instance=avmscpp

   app.kubernetes.io/managed-by=Helm

   app.kubernetes.io/name=avmscpp

   app.kubernetes.io/version=0.5.8

   helm.sh/chart=avmscpp-0.5.8

Annotations: <none>

Selector: app.kubernetes.io/instance=avmscpp,app.kubernetes.io/name=avmscpp,app=avmscpp

Type: ClusterIP

IP Family Policy: SingleStack

IP Families: IPv4

IP: 10.0.140.137

IPs: 10.0.140.137

Port: http 8356/TCP

TargetPort: http/TCP

Endpoints: 10.244.1.41:8356,10.244.1.42:8356,10.244.2.166:8356 + 3 more...

Session Affinity: None

Events: <none>

My production system (which is working fine) has a nearly identical description although it does have an annotation section which my sandbox version doesn't have.

Name: avmscpp

Namespace: default

Labels: app.kubernetes.io/instance=avmscpp

   app.kubernetes.io/managed-by=Helm

   app.kubernetes.io/name=avmscpp

   app.kubernetes.io/version=0.5.3

   helm.sh/chart=avmscpp-0.5.3

Annotations: meta.helm.sh/release-name: avmscpp

   meta.helm.sh/release-namespace: default

Selector: app.kubernetes.io/instance=avmscpp,app.kubernetes.io/name=avmscpp

Type: ClusterIP

IP Family Policy: SingleStack

IP Families: IPv4

IP: 10.0.94.68

IPs: 10.0.94.68

Port: http 8356/TCP

TargetPort: http/TCP

Endpoints: 10.244.36.80:8356,10.244.40.183:8356,10.244.40.184:8356 + 9 more...

Session Affinity: None

Events: <none>

I was tempted to apply a network policy YAML, but so far haven't done that.

If you have any ideas based on my message today, I'd greatly appreciate hearing them. I'm also wondering if I can get an Azure specialist to work with me on this via screen share.

Regards, Harry
Prrudram-MSFT 28,201 Reputation points Moderator

2024-12-13T07:23:55.7766667+00:00
Hi Harry,

You're dealing with a complex issue here, let's break it down further and see if we can get your sandbox system back on track.

Routing Requests and Load Balancing:

Your understanding is correct: NGINX handles the load balancing of external requests to RBAPI, which then calls the AVMSCPP service within the same cluster. The ClusterIP service should distribute requests to the various AVMSCPP pods.

Connection Refused Issue

The "connection refused" error when calling the AVMSCPP ClusterIP suggests that the service might not be correctly configured or that the endpoints are not properly registered. Here are a few steps to troubleshoot and resolve this issue:

Check Service Selectors: Ensure that the selectors in your AVMSCPP service match the labels on your AVMSCPP pods. This is crucial for the service to correctly identify and route traffic to the pods.

Endpoints: If your AVMSCPP service has no endpoints, it means the service is not able to find any pods that match its selectors. You mentioned manually updating the endpoints, but this should be handled automatically by Kubernetes. Double-check the labels on your pods and the selectors in your service definition.

Pod IP Changes: When a pod restarts, its IP address changes, which is normal. Kubernetes should automatically update the endpoints for the service. If this isn't happening, there might be an issue with the service or the pod labels.

Example Service Configuration

Here's an example of how your AVMSCPP service should be configured:

apiVersion: v1 kind: Service metadata: name: avmscpp labels: app.kubernetes.io/instance: avmscpp app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: avmscpp app.kubernetes.io/version: 0.5.8 helm.sh/chart: avmscpp-0.5.8 spec: selector: app.kubernetes.io/instance: avmscpp app.kubernetes.io/name: avmscpp ports: - protocol: TCP port: 8356 targetPort: 8356 type: ClusterIP

Network Policies

Applying a network policy YAML might help if there are network restrictions causing the issue. However, ensure that your basic service and pod configurations are correct first.

Getting Help from an Azure Specialist

If you need more hands-on assistance, you can reach out to an Azure tech support. You can do this through the Azure portal by creating a support request. They can provide more detailed guidance and even assist via screen share if necessary. If you don't have a technical support plan, let me know.

Next Steps

Verify that the selectors in your AVMSCPP service match the labels on your AVMSCPP pods.

Ensure that your pods are correctly labeled and that the service is automatically updating its endpoints.

Consider applying a network policy if there are network restrictions.

Reach out to an Azure specialist for further assistance if needed.

I hope this helps! Let me know if you have any more questions or need further clarification.
Harry Whitehouse 65 Reputation points

2024-12-13T18:26:23.5533333+00:00
Prrudram -- Thanks again for your detailed analysis and clarifications!! Our sandbox is back in operation because one of my colleagues noted an out-of-place entry in the service's selector (compared to Production. The first entry was "app: avmscpp". Removing this entry solved our problem. That left "app.kubernetes.io/instance: avmscpp" and "app.kubernetes.io/name: avmscpp". The improper selector must have been inserted when I tried to add my Canary pod using this YAML:

apiVersion: apps/v1

kind: Deployment

metadata:

name: avmscpp-canary

spec:

replicas: 1

selector:

*matchLabels:* *app: avmscpp-canary*

template:

*metadata:* *labels:* *app: avmscpp-canary* *spec:* *containers:* *- name: avmscpp* *image: intlbridge.azurecr.io/avmscpp:0.5.7* *ports:* *- containerPort: 8356*

---

apiVersion: v1

kind: Service

metadata:

name: avmscpp-canary-service

spec:

selector:

***app: avmscpp-canary***

ports:

- protocol: TCP

*port: 8356* *targetPort: 8356*

type: ClusterIP

When I eventually removed this new POD, the fragment "app: avmscpp" somehow remained.

And yes, I recall looking for endpoints in the service and finding none. As you said, there were no pods with a selector "app: avmscpp" and that's the reason. Furthermore, that's for confirming and explaining the load balancing done by the avmscpp service. As painful as this event has been time-wise, I did come out with a much better understanding of how Kubernetes works.

Once again, I offer many thanks for the detailed support you have provided! A+++ effort!

Regards,

Harry
Harry Whitehouse 65 Reputation points

2024-12-13T23:41:27.2+00:00
Prrudram -- I was writing up a document recounting everything I've learned in the past few days, when I realized I had some lingering questions. First, I still don't know if there is a way to add a new pod to an existing service without creating a brand new deployment.

The new pod would have the same characteristics as the others -- save for a more recent image version. In my first failed attempt, I had a deployment "kind" and a service "kind" -- all with the label "avmscpp_canary" or "avmscpp_canary_service" in a single YAML file. Now I'm thinking I didn't need any service definition -- I already have one.

So here's my current thought to deploy this new pod to the existing service. The important update is the selector:matchLabels: section. And I also have specified my latest canary build image 0.5.7 (the rest of the cluster is running 0.5.3).

apiVersion: apps/v1

kind: Deployment

metadata:

name: avmscpp

spec:

replicas: 1

selector:

matchLabels: **app.kubernetes.io/instance: avmscpp** **app.kubernetes.io/name: avmscpp**

template:

metadata: labels: app: avmscpp spec: containers: - name: avmscpp image: intlbridge.azurecr.io/avmscpp:0.5.7 ports: - containerPort: 8356

Do you think this would do the job?

On a related front, I have become aware of the ReplicaSet object - which evidently encapsulates the characteristics of all the pods in the service. The ReplicaSet is where the match is made between the pods' selector and the service's selector. The pods themselves do not have a selector, but rather each pod points a single ReplicaSet. Given that understanding, when I deploy the new pod definition, what happens next? Does the avmscpp service recognize the new pod or is it the ReplicaSet that senses the new pod? This question might be more general -- like how and when is the ReplicaSet created for a given service.

Best regards,

Harry

Harry Whitehouse 65

I fed my most recent question into Grok2 and that suggested the following deployment:

apiVersion: apps/v1

kind: Deployment

metadata:

spec:

replicas: 1

selector:

matchLabels:

  app.kubernetes.io/instance: avmscpp

  app.kubernetes.io/name: avmscpp

template:

metadata:

  labels:

    app.kubernetes.io/instance: avmscpp

    app.kubernetes.io/name: avmscpp

spec:

  containers:

  - name: avmscpp

    image: intlbridge.azurecr.io/avmscpp:0.5.7

    ports:

    - containerPort: 8356

Prrudram-MSFT 28,201 Reputation points Moderator

2024-12-15T20:28:07.4533333+00:00
Hi Harry Whitehouse
You're very welcome! I'm glad to hear that your sandbox is back in operation and that you were able to identify and resolve the issue with the service selector. It's great that this experience has given you a deeper understanding of Kubernetes, even though it was time-consuming.

For the follow up queries, firstly great questions! Let's break down your queries and address them step-by-step.

Adding a New Pod to an Existing Service

To add a new pod with a more recent image version to an existing service without creating a new deployment, you can update the existing deployment to use the new image. Here’s how you can do it:

Update the Deployment:

You can update the image of the existing deployment using the kubectl set image command. This command updates the image for the specified container in the deployment.

kubectl set image deployment/avmscpp avmscpp=intlbridge.azurecr.io/avmscpp:0.5.7

This command updates the avmscpp container in the avmscpp deployment to use the 0.5.7 image.

Apply the Updated YAML:

Alternatively, you can update the deployment YAML file with the new image and apply it as suggested by Grok2

apiVersion: apps/v1 kind: Deployment metadata: name: avmscpp spec: replicas: 1 selector: matchLabels: app.kubernetes.io/instance: avmscpp app.kubernetes.io/name: avmscpp template: metadata: labels: app: avmscpp spec: containers: - name: avmscpp image: intlbridge.azurecr.io/avmscpp:0.5.7 ports: - containerPort: 8356

Apply the updated YAML file:

kubectl apply -f updated-deployment.yaml

Understanding ReplicaSets and Services

ReplicaSet and Pod Management:

A ReplicaSet ensures that a specified number of pod replicas are running at any given time. When you update a deployment, the ReplicaSet manages the creation and deletion of pods to match the desired state.

Service Recognition:

The service uses selectors to match labels on the pods. When you update the deployment, the ReplicaSet creates new pods with the updated image. As long as the new pods have labels that match the service's selector, the service will automatically recognize and route traffic to the new pods.

Deployment and ReplicaSet Relationship:

When you create or update a deployment, Kubernetes automatically creates or updates the associated ReplicaSet. The ReplicaSet then manages the pods based on the deployment's specifications.

Summary:

Updating the Deployment: Use kubectl set image or update the deployment YAML to change the image version.

ReplicaSet Management: The ReplicaSet ensures the desired number of pods are running and updates them as specified by the deployment.

Service Recognition: The service will automatically recognize new pods created by the ReplicaSet if they match the service's selector.

By following these steps, you should be able to update your deployment with the new image and have the service recognize the new pods without creating a new deployment.

Kubernetes ReplicaSet Documentation

If you have any more questions or need further assistance in the future, feel free to reach out. I'm here to help! 😊

Best regards,
Priyanka R

Share via

Deploying a "Canary" Pod to an Existing Kubernetes Cluster

0 additional answers

Your answer