Using Janitors

Kubed includes janitors for Elasticsearch and InfluxDB. These janitors can delete data older than a configured TTL. Kubernetes supports storing cluster logs in Elasticsearch and cluster metrics in InfluxDB. You use these janitors to clean up old data from Elasticsearch and InfluxDB before those fill up your node disks.

Please check your janitor configuration on test clusters before using it in production. You have been forewarned! We welcome contributions to support dryRun options for janitors.

Before You Begin

First, you need a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with it. If you do not already have a cluster, you can create one by using Minikube.

Deploy Kubed

To enable janitors, you need a cluster config like the one below.

$ cat ./docs/examples/janitors/config.yaml

janitors:
- kind: Elasticsearch
  ttl: 2160h
  elasticsearch:
    endpoint: http://elasticsearch-logging.kube-system:9200
    logIndexPrefix: logkubed-
- kind: InfluxDB
  ttl: 2160h
  influxdb:
    endpoint: https://monitoring-influxdb.kube-system:8086

kind - Required. Set this to either Elasticsearch or InfluxDB.
ttl - Required. Time-to-live for data (e.g., 5h30m30s). Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
elasticsearch.endpoint - Required for kind Elasticsearch. URL of Elasticsearch cluster.
elasticsearch.logIndexPrefix - Required for kind Elasticsearch. Prefix of log index.
elasticsearch.secretName - Optional for kind Elasticsearch. Name of secret used to pass Elasticsearch authentication.
influxdb.endpoint - Required for kind InfluxDB. URL of InfluxDB server.
influxdb.username - Optional for kind InfluxDB. InfluxDB username (default: root)
influxdb.password - Optional for kind InfluxDB. InfluxDB password (default: root)
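
Since janitors delete data and have no dryRun option, a pre-deployment check of the fields above is useful. The following is an added example, not code from Kubed or from the original page: it lints janitor entries against the documented field rules, flags non-HTTPS endpoints and the default InfluxDB credentials, and reports the cutoff before which data would be deleted. The type and function names are hypothetical, and it assumes ttl follows Go's time.ParseDuration syntax, which matches the units listed above.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Hypothetical types mirroring the documented fields; not Kubed's own structs.
type Settings struct{ Endpoint, LogIndexPrefix, SecretName, Username, Password string }
type Janitor struct {
	Kind, TTL               string
	Elasticsearch, InfluxDB *Settings
}

var Sample = []Janitor{ // constructed from this page's example config
	{Kind: "Elasticsearch", TTL: "2160h", Elasticsearch: &Settings{
		Endpoint: "http://elasticsearch-logging.kube-system:9200", LogIndexPrefix: "logkubed-"}},
	{Kind: "InfluxDB", TTL: "2160h", InfluxDB: &Settings{Endpoint: "https://monitoring-influxdb.kube-system:8086"}},
}

// Lint returns the cutoff before which data is deleted, plus findings to review.
func Lint(j Janitor, now time.Time) (cutoff time.Time, out []string) {
	ttl, err := time.ParseDuration(j.TTL) // assumption: ttl uses Go duration syntax
	if err != nil || ttl <= 0 {
		return cutoff, []string{"ttl is not a positive duration: " + j.TTL}
	}
	s := map[string]*Settings{"Elasticsearch": j.Elasticsearch, "InfluxDB": j.InfluxDB}[j.Kind]
	if s == nil {
		return now.Add(-ttl), []string{"kind must be Elasticsearch or InfluxDB, with its settings block"}
	}
	if j.Kind == "Elasticsearch" && s.LogIndexPrefix == "" {
		out = append(out, "elasticsearch.logIndexPrefix is required")
	}
	if j.Kind == "InfluxDB" && s.Password == "" {
		out = append(out, "influxdb.password unset: documented default root/root applies")
	}
	if !strings.HasPrefix(s.Endpoint, "https://") {
		out = append(out, "endpoint missing or not https: "+s.Endpoint)
	}
	return now.Add(-ttl), out
}

func main() {
	for _, j := range Sample {
		cutoff, out := Lint(j, time.Now())
		fmt.Println(j.Kind, "deletes data before", cutoff.Format(time.RFC3339), out)
	}
}
```

Run against the page's example config, it reports the plain-HTTP Elasticsearch endpoint and the InfluxDB entry that falls back to the default password.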

Now, create a Secret with the Kubed cluster config under the config.yaml key.

$ kubectl create secret generic kubed-config -n kube-system \
    --from-file=./docs/examples/janitors/config.yaml
secret "kubed-config" created

# apply app=kubed label to easily clean up later
$ kubectl label secret kubed-config app=kubed -n kube-system
secret "kubed-config" labeled

$ kubectl get secret kubed-config -n kube-system -o yaml
apiVersion: v1
data:
  config.yaml: amFuaXRvcnM6Ci0gZWxhc3RpY3NlYXJjaDoKICAgIGVuZHBvaW50OiBodHRwOi8vZWxhc3RpY3NlYXJjaC1sb2dnaW5nLmt1YmUtc3lzdGVtOjkyMDAKICAgIGxvZ0luZGV4UHJlZml4OiBsb2dzdGFzaC0KICBraW5kOiBFbGFzdGljc2VhcmNoCiAgdHRsOiAyMTYwaAotIGluZmx1eGRiOgogICAgZW5kcG9pbnQ6IGh0dHBzOi8vbW9uaXRvcmluZy1pbmZsdXhkYi5rdWJlLXN5c3RlbTo4MDg2CiAga2luZDogSW5mbHV4REIKICB0dGw6IDIxNjBoCg==
kind: Secret
metadata:
  creationTimestamp: 2017-07-27T07:43:32Z
  labels:
    app: kubed
  name: kubed-config
  namespace: kube-system
  resourceVersion: "27760846"
  selfLink: /api/v1/namespaces/kube-system/secrets/kubed-config
  uid: 4a2eb872-729f-11e7-8b69-12f236046fba
type: Opaque

Now, deploy the Kubed operator in your cluster following the steps here. Once the operator pod is running, janitor operations are applied within one hour.

Janitor Authentication

The following keys are supported for the Secret passed via elasticsearch.secretName.

CA_CERT_DATA - Optional. PEM encoded CA certificate used to connect to Elasticsearch.
CLIENT_CERT_DATA - Optional. PEM encoded Client certificate used to connect to Elasticsearch.
CLIENT_KEY_DATA - Optional. PEM encoded Client private key used to connect to Elasticsearch.
INSECURE_SKIP_VERIFY - Optional. If set to true, skip certificate verification.

Disable Janitors

If you would like to disable this feature, remove the janitors portion of your Kubed cluster config. Then update the kubed-config Secret and restart the Kubed operator pod(s).

Cleaning up

To clean up the Kubernetes resources created by this tutorial, uninstall the Kubed operator following the steps here.

