Cleaning Up Stale PKS Kubernetes LoadBalancer IP allocations in NSX-T

I was working in a proof of concept environment using NSX-T where we didn't have a lot of IPs in the Floating IP pool for k8s clusters provisioned by PKS. We had two clusters deployed and we were trying to start up a few pods with a LoadBalancer service. The problem we hit was that the pods wouldn't startup, and were failing in the "Init" status. We weren't seeing enough details via kubectl, so we found the node that was trying to start the Pod's containers, and checked the kubelet.log for more details. Interestingly, we noticed some messages about NSX-T right before the pods failed. This got us thinking that although these particular pods didn't have any special initialization, NSX-T was doing some work to try and allocate resources for the Pod to expose it via a LoadBalancer service.
On a hunch, I checked the NSX-T Manager, and went to Inventory -> Groups -> IP Pools section, and noticed that the Floating IP Pool had all the IPs allocated! Come to find out, someone had deployed another cluster without our knowledge, and we had run out of Floating IPs. We deleted this extra cluster, and that got us going again for the time being. However, I noticed that there were a bunch of IPs allocated from the pool for only two clusters. I could understand 1 IP for the masters (NSX-T gets a Load Balancer configured for the masters in the cluster), and each cluster had 1 additional LoadBalancer service provisioned, but that didn't account for all the extra IPs that had been allocated. We tried doing traceroutes to all those allocated IPs and found that many of them were unresponsive. We found out that also someone during testing had deleted some clusters with BOSH without using the PKS CLI. They had cleaned up all the objects they could find in NSX-T, but hadn't taken care of the IPs from the Floating IP Pool.
To clean those up, I simply called traceroute against each of the allocated addresses in the Floating IP Pool, and then called the NSX-T API to release the ones that weren't responding. The API call to remove IPs allocated to an IP Pool. This was the call I was able to make against NSX-T 2.3: 
curl -k -u <nsx-admin>:<nsx-admin-password> -X POST 'https://<nsx-manager-host-or-ip>/api/v1/pools/ip-pools/<uuid-of-ip-pool>?action=RELEASE' -H "X-Allow-Overwrite: true" -d '{"allocation_id":"<ip-to-release>"}' -H "Content-Type: application/json"
Replace the parts in angle brackets above with your info.

Comments

Post a Comment

Popular posts from this blog

Ghetto Cloud Foundry Home Lab

Image
Over the past few months, I've been cobbling together my own Lab to be able to gain experience with Cloud Foundry.  Sure, I could have gone the much simpler route of bosh-lite , but I wanted to get a broader set of experience with the underlying IaaS layer in conjunction with working with Cloud Foundry. My lab hardware was purchased from various places (eBay, Fry's, etc) when I could get deals on it. Rocking the Ghetto Lab At a high level, the hardware looks like this: Machine CPU Memory Storage Notes HP Proliant ML350 G5 2x Intel Xeon CPU E5420 @ 2.50GHz 32 GB (Came with some disks, but mostly unused) vSphere Host 1, Added a 4 port Intel 82571EB Network Adapter HP Proliant ML350 G5 2x Intel Xeon CPU E5420 @ 2.50GHz 32 GB (Came with some disks, but mostly unused) vSphere Host 2, Added a 4 port Intel 82571EB Network Adapter Whitebox FreeNAS server Intel Celeron CPU G1610 @ 2.60GHz 16 GB 3x 240GB MLC SSDs, in a ZFS stripe set, plus spinning d
Read more

Using Snapshot Isolation with SQL Server and Hibernate

In the course of working on some deadlock issues, I found that MS SQL Server exhibits some unexpected (to me, at least) locking behaviors that can affect performance and cause deadlocks. In the end, I found that SQL Server provides an isolation level called Snapshot isolation which removes the need for locks on rows and removes lock contention. To use this isolation level, you need to execute the following SQL on the database that you want to use the isolation level with (replacing MyDatabase with your database name, of course): ALTER DATABASE MyDatabase SET ALLOW_SNAPSHOT_ISOLATION ON ALTER DATABASE MyDatabase SET READ_COMMITTED_SNAPSHOT ON Next, you need to modify your hibernate.cfg.xml file to add a property to tell Hibernate to use the Snapshot Isolation level: <!-- The 4096 isolation level is the setting to use with the jTDS or Microsoft JDBC drivers --> < property name =”hibernate.connection.isolation”>4096</property> Snapshot isolation is not a panacea
Read more

Fedora, Ant, and Optional Tasks

I've tried to be good. I've tried a number of times to use the version of ant that Fedora packages up into an RPM from the JPackage repos rather than caving to the temptation to install it myself manually. I also like to use optional tasks like ReplaceRegExp in my scripts to do all sorts of cool things. Of course, I see most of the installation instructions that refer to ant via RPM mention that I need to yum install ant-apache-regexp to get my optional task jars installed for this very nice task. Every time I've tried this, ant yells at me saying that it can't find the taskdef class for ReplaceRegExp. Huh? But I installed the proper, RPMs...didn't I? Usually at this point, I fall back to what works and just install ant by hand. However, I've finally realized why I've had so much trouble with this. There is one additional RPM that should be installed to get the classes that define all the optional tasks for ant called ant-nodeps. Before getting int
Read more