Allow kubectl caching to work
For some utility containers that run kubectl, provide a writable home directory for the runAsUser. This allows kubectl to perform caching, using the default location of $HOME/.kube/cache. The following charts are updated: - etcdctl-utility - mysqlclient-utility - postgresql-utility This improves performance and avoids excessive messages from request.go about 'Throttling request took 1.XXXs'. Change-Id: I9dec52e163edacb0933a20f247463e9fce9105dc
parent
e73b0edb6e
commit
5f151ab264
@ -175,6 +175,9 @@ cat >> $TMP_FILE << EOF
|
||||
- name: host-etcd
|
||||
mountPath: /var/lib/etcd
|
||||
subPath: .
|
||||
{{- if .Values.pod.mounts.etcd_ondemand.container.etcd_ondemand.volumeMounts }}
|
||||
{{ .Values.pod.mounts.etcd_ondemand.container.etcd_ondemand.volumeMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -196,6 +199,9 @@ cat >> $TMP_FILE << EOF
|
||||
- name: host-etcd
|
||||
hostPath:
|
||||
path: /var/lib/etcd
|
||||
{{- if .Values.pod.mounts.etcd_ondemand.container.etcd_ondemand.volumes }}
|
||||
{{ .Values.pod.mounts.etcd_ondemand.container.etcd_ondemand.volumes | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
EOF
|
||||
|
||||
kubectl create -n $ETCD_POD_NAMESPACE -f $TMP_FILE
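Review bot: The added `{{ ... | toYaml | indent 12 }}` and `{{ ... | toYaml | indent 8 }}` lines render inside the unquoted `<< EOF` heredoc, so any `$`, backtick or `$(...)` in an operator-supplied `volumes`/`volumeMounts` override is expanded by the shell at run time, before `kubectl create` reads the manifest. Quoting the delimiter is probably not an option, since these scripts appear to rely on expansion inside the heredoc (the mariadb one uses `${TLS_SECRET}`), so the constraint should be documented where the values are defined, e.g. `# rendered into a shell heredoc: entries must not contain $ or backticks`. The same applies to the mariadb_ondemand and postgresql_ondemand script hunks further down. The heredoc opens outside the hunk; this reading relies on the `cat >> $TMP_FILE << EOF` context in the hunk header and the closing `EOF`.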
|
||||
|
@ -183,6 +183,9 @@ spec:
|
||||
mountPath: /etc/etcd/etcdctl.cfg
|
||||
subPath: etcdctl.cfg
|
||||
readOnly: true
|
||||
{{- if .Values.pod.mounts.etcd.container.etcdctl_utility.volumeMounts }}
|
||||
{{ .Values.pod.mounts.etcd.container.etcdctl_utility.volumeMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: etcdctl-utility-sudoers
|
||||
configMap:
|
||||
@ -204,4 +207,7 @@ spec:
|
||||
secret:
|
||||
secretName: etcdctl-etcd-secrets
|
||||
defaultMode: 0444
|
||||
{{- if .Values.pod.mounts.etcd.container.etcdctl_utility.volumes }}
|
||||
{{ .Values.pod.mounts.etcd.container.etcdctl_utility.volumes | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -53,6 +53,25 @@ pod:
|
||||
etcd_ondemand:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
mounts:
|
||||
etcd:
|
||||
container:
|
||||
etcdctl_utility:
|
||||
volumes:
|
||||
- name: runasuser-home
|
||||
emptyDir: {}
|
||||
volumeMounts:
|
||||
- name: runasuser-home
|
||||
mountPath: /nonexistent
|
||||
etcd_ondemand:
|
||||
container:
|
||||
etcd_ondemand:
|
||||
volumes:
|
||||
- name: runasuser-home
|
||||
emptyDir: {}
|
||||
volumeMounts:
|
||||
- name: runasuser-home
|
||||
mountPath: /root
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
etcdctl-utility:
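Review bot: `etcd_ondemand` mounts `runasuser-home` at `/root` while every other container in this commit uses `/nonexistent`, and nothing in the values ties either path to the container's `runAsUser`. If `/root` means the on-demand pod runs as UID 0 (its `runAsUser` is not visible in this hunk), that is worth confirming, given that the same pod mounts the host's `/var/lib/etcd`. Either way a comment above each default would help, e.g. `# must be $HOME of the container's runAsUser, or kubectl cannot write $HOME/.kube/cache`. The `pod:` mapping starts and ends outside the hunk.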
|
||||
|
@ -198,6 +198,9 @@ if $TLS_ENABLED; then
|
||||
mountPath: /etc/mysql/certs/ca.crt
|
||||
subPath: ca.crt
|
||||
readOnly: true
|
||||
{{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts }}
|
||||
{{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -216,6 +219,9 @@ if $TLS_ENABLED; then
|
||||
secret:
|
||||
secretName: ${TLS_SECRET}
|
||||
defaultMode: 292
|
||||
{{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumes }}
|
||||
{{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumes | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
EOF
|
||||
else
|
||||
cat >> $TMP_FILE << EOF
|
||||
@ -244,6 +250,9 @@ else
|
||||
mountPath: /etc/mysql/admin_user.cnf
|
||||
subPath: admin_user.cnf
|
||||
readOnly: true
|
||||
{{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts }}
|
||||
{{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumeMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -258,6 +267,9 @@ else
|
||||
- name: mariadb-backup-dir
|
||||
persistentVolumeClaim:
|
||||
claimName: mariadb-backup-data
|
||||
{{- if .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumes }}
|
||||
{{ .Values.pod.mounts.mariadb_ondemand.container.mariadb_ondemand.volumes | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
EOF
|
||||
fi
|
||||
|
||||
|
@ -182,6 +182,9 @@ spec:
|
||||
mountPath: /etc/mysqlclient-utility/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- if .Values.pod.mounts.mysqlclient.container.mysqlclient_utility.volumeMounts }}
|
||||
{{ .Values.pod.mounts.mysqlclient.container.mysqlclient_utility.volumeMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: mysqlclient-utility-sudoers
|
||||
configMap:
|
||||
@ -199,4 +202,7 @@ spec:
|
||||
configMap:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
|
||||
defaultMode: 0755
|
||||
{{- if .Values.pod.mounts.mysqlclient.container.mysqlclient_utility.volumes }}
|
||||
{{ .Values.pod.mounts.mysqlclient.container.mysqlclient_utility.volumes | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -53,6 +53,25 @@ pod:
|
||||
runAsUser: 65534
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
mounts:
|
||||
mysqlclient:
|
||||
container:
|
||||
mysqlclient_utility:
|
||||
volumes:
|
||||
- name: runasuser-home
|
||||
emptyDir: {}
|
||||
volumeMounts:
|
||||
- name: runasuser-home
|
||||
mountPath: /nonexistent
|
||||
mariadb_ondemand:
|
||||
container:
|
||||
mariadb_ondemand:
|
||||
volumes:
|
||||
- name: runasuser-home
|
||||
emptyDir: {}
|
||||
volumeMounts:
|
||||
- name: runasuser-home
|
||||
mountPath: /nonexistent
|
||||
dns_policy: "ClusterFirstWithHostNet"
|
||||
replicas:
|
||||
utility: 1
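Review bot: Both `runasuser-home` volumes are `emptyDir: {}` with no `sizeLimit`, so in containers that otherwise set `readOnlyRootFilesystem: true` this adds an unbounded writable path backed by node ephemeral storage. Capping it keeps the hardening intent and bounds the kubectl cache: `emptyDir:` followed by `sizeLimit: 64Mi` (example value, size it to the observed cache). The same defaults appear in the etcdctl-utility and postgresql-utility values hunks. The `pod:` mapping starts and ends outside the hunk.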
|
||||
|
@ -184,6 +184,9 @@ cat >> $TMP_FILE << EOF
|
||||
mountPath: /etc/postgresql/admin_user.conf
|
||||
subPath: admin_user.conf
|
||||
readOnly: true
|
||||
{{- if .Values.pod.mounts.postgresql_ondemand.container.postgresql_ondemand.volumeMounts }}
|
||||
{{ .Values.pod.mounts.postgresql_ondemand.container.postgresql_ondemand.volumeMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -199,6 +202,9 @@ cat >> $TMP_FILE << EOF
|
||||
- name: postgresql-backup-dir
|
||||
persistentVolumeClaim:
|
||||
claimName: postgresql-backup-data
|
||||
{{- if .Values.pod.mounts.postgresql_ondemand.container.postgresql_ondemand.volumes }}
|
||||
{{ .Values.pod.mounts.postgresql_ondemand.container.postgresql_ondemand.volumes | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
EOF
|
||||
|
||||
kubectl create -n $POSTGRESQL_POD_NAMESPACE -f $TMP_FILE
|
||||
|
@ -185,6 +185,9 @@ spec:
|
||||
mountPath: /etc/postgresql/rootwrap.conf
|
||||
subPath: rootwrap.conf
|
||||
readOnly: true
|
||||
{{- if .Values.pod.mounts.postgresql.container.postgresql_utility.volumeMounts }}
|
||||
{{ .Values.pod.mounts.postgresql.container.postgresql_utility.volumeMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: postgresql-utility-sudoers
|
||||
configMap:
|
||||
@ -206,4 +209,7 @@ spec:
|
||||
secret:
|
||||
secretName: {{ .Values.secrets.postgresql.admin | quote }}
|
||||
defaultMode: 0444
|
||||
{{- if .Values.pod.mounts.postgresql.container.postgresql_utility.volumes }}
|
||||
{{ .Values.pod.mounts.postgresql.container.postgresql_utility.volumes | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -53,6 +53,25 @@ pod:
|
||||
runAsUser: 65534
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
mounts:
|
||||
postgresql:
|
||||
container:
|
||||
postgresql_utility:
|
||||
volumes:
|
||||
- name: runasuser-home
|
||||
emptyDir: {}
|
||||
volumeMounts:
|
||||
- name: runasuser-home
|
||||
mountPath: /nonexistent
|
||||
postgresql_ondemand:
|
||||
container:
|
||||
postgresql_ondemand:
|
||||
volumes:
|
||||
- name: runasuser-home
|
||||
emptyDir: {}
|
||||
volumeMounts:
|
||||
- name: runasuser-home
|
||||
mountPath: /nonexistent
|
||||
dns_policy: "ClusterFirstWithHostNet"
|
||||
replicas:
|
||||
utility: 1
|
||||
|