Cluster terminal access is an essential feature that enables DevOps engineers to manage clusters and troubleshoot applications on the go. The engineers at Devtron understand the need for such a component and have incorporated it into the latest open-source release of Devtron for the community to use. Devtron users can now troubleshoot a cluster right from the Devtron dashboard without direct access to the Kubernetes cluster, in line with standard security best practice.

How to launch a cluster-wide terminal?

Step 1: Go to the Clusters section by clicking the Clusters icon in the left menu, as highlighted in the image below. You’ll be able to see all your clusters on this page.

devtron-clusters-overview

Step 2: Click the terminal icon on the right side of a cluster. This opens cluster-wide terminal access. If you don't have the permissions, they can be enabled through the fine-grained access management provided by Devtron.

Click on the cluster you want to get into, and you will be able to see a list of the nodes present on that cluster. To open the terminal and access the cluster, hover over any node and click the terminal icon, as shown below.

devtron-kubernetes-nodes

Here you will also see all the node-related metrics, including status, taints, number of pods, etc. You can also customize the appearance from the drop-down menu on the right, depending on your requirements.

Step 3: Currently Devtron comes with four default images packed with utilities like kubectl, netshoot, helm, etc. We have used Ubuntu:Kubernetes utilities, as you can see in the image below.

Devtron-pod-manifest

How to use a custom image with other tools?

Apart from the default images, Devtron also gives you the flexibility to use your own custom images with your favorite tools to start debugging the cluster.

For example, in this blog we took the k9s image publicly available on Docker Hub. As you can see in the image below, we spun up the cluster terminal for debugging with our own custom image, i.e., k9s.

devtron-k9s-pod
devtron-k9s

Please note that here you’ll need to install kubectl from the package manager, as this image doesn’t ship with kubectl installed. You can download kubectl by following the instructions in the Kubernetes docs.

To harden security, terminal access to the cluster is limited to one hour of inactivity, after which the service account token will expire and you will no longer be able to communicate with the API server.

devtron-terminal-access-expiry

Use-Case 1: Troubleshoot Network

Before Devtron, checking whether a pod is connected to the internet and properly configured for networking was a long and laborious process that involved security risks.

Now you can spin up a new pod and figure it out with all the net-tools command utilities you get. Additional tasks, like verifying that the pod can resolve DNS and checking pod communication across namespaces, have become a breeze.

If you want to troubleshoot the network, choose the netshoot image while creating the pod for debugging. It ships with network debugging tools like nmap, tcpdump, iptables, tshark, etc.

If you’re unsure about debugging, refer to this task from the Kubernetes documentation.

Let us run a check and see whether the pod can resolve google.com. We can execute a curl command from inside the terminal of the pod. This will confirm that we are connected to the wider internet.

devtron-terminal-DNS-resolution

The above picture shows that you have internet access and your DNS is working fine.

Use-Case 2: How to fix an entry in DNS ConfigMap?

To triage issues related to the DNS ConfigMap, you can edit it using a kubectl command right from the terminal.

kubectl -n kube-system edit configmap coredns
devtron-editing-configmap

The terminal gives you access to the whole cluster and the flexibility to exercise a lot of control for troubleshooting and fixing issues. This allows the team to limit super admin access to only authorized personnel, and you don't have to navigate to a bastion for debugging.

Use-Case 3: Authentication to the API server

If you’re interested in knowing more about how we authenticate with the API server, you can execute the following command.

kubectl get pods -v 7
devtron authentication
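
The token behind the expiry and the API server authentication described above can also be inspected from inside the terminal. The following is an added example, not Devtron's code: it assumes the terminal pod carries a JWT service account token at the standard Kubernetes in-cluster path, and it falls back to a constructed sample token (hypothetical `demo`/`terminal` names) when run anywhere else.

```shell
#!/bin/sh
# Added example (not Devtron code): show the identity and remaining lifetime
# of the service account token a terminal pod uses against the API server.
# Assumption: the token is a JWT mounted at the standard in-cluster path.
SA_TOKEN_PATH="${SA_TOKEN_PATH:-/var/run/secrets/kubernetes.io/serviceaccount/token}"

b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Build an unsigned, constructed sample token from a JSON payload ($1).
sample_token() {
    printf '%s.%s.constructed-signature' \
        "$(printf '%s' '{"alg":"none"}' | b64url)" "$(printf '%s' "$1" | b64url)"
}

# Decode the payload (second dot-separated segment) of a JWT to JSON.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url drops padding; restore it so base64 -d accepts the input.
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print a numeric claim such as exp; prints nothing if the claim is absent.
jwt_num_claim() {
    jwt_payload "$1" | tr -d ' \n' | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Print a string claim such as sub.
jwt_str_claim() {
    jwt_payload "$1" | tr -d '\n' | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Seconds left at time $2 (epoch seconds); "none" when there is no exp claim,
# as with legacy secret-based tokens that never expire.
token_seconds_left() {
    exp=$(jwt_num_claim "$1" exp)
    if [ -z "$exp" ]; then echo none; else echo $(( exp - $2 )); fi
}

if [ -r "$SA_TOKEN_PATH" ]; then
    tok=$(cat "$SA_TOKEN_PATH")
else  # not in a pod: constructed token, valid for one hour from now
    tok=$(sample_token "{\"sub\":\"system:serviceaccount:demo:terminal\",\"exp\":$(( $(date +%s) + 3600 ))}")
fi
echo "identity: $(jwt_str_claim "$tok" sub)"
echo "seconds until expiry: $(token_seconds_left "$tok" "$(date +%s)")"
```

A result of `none` means the token has no expiry claim at all, and a negative number means it has already expired, which matches the point at which kubectl calls from the terminal start failing.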

Conclusion

In this blog, we learned how Cluster Terminal Access can make the debugging experience a lot easier and faster for DevOps professionals, all through the single-pane dashboard by Devtron. Cluster access is one of the many features that Devtron comes with, and its Kubernetes Dashboard provides an end-to-end solution for all your Kubernetes operations.

Feel free to explore Devtron. Star us if you liked the project.