Share process namespaces with exec probes

This avoids leaving zombies in cases where the processes don't reap children. Also fixes a certificate issue with the resiliency gate. Change-Id: I8a795557b0d60338c40b360c947b81a20fd48877
2018-11-02 12:31:00 -05:00 · 2018-11-02 12:31:00 -05:00 · 6638b47cb9
commit 6638b47cb9
parent 6133b489d4
7 changed files with 6 additions and 27 deletions
--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@ -24,6 +24,7 @@ metadata:
 {{ tuple $envAll "kubernetes" "apiserver" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
  hostNetwork: true
+  shareProcessNamespace: true
  containers:
    - name: apiserver
      image: {{ .Values.images.tags.apiserver }}
--- a/charts/coredns/templates/deployment.yaml
+++ b/charts/coredns/templates/deployment.yaml
@ -42,6 +42,7 @@ spec:
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
      serviceAccountName: coredns
+      shareProcessNamespace: true
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
--- a/charts/proxy/templates/daemonset.yaml
+++ b/charts/proxy/templates/daemonset.yaml
@ -32,6 +32,7 @@ spec:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
+      shareProcessNamespace: true
      dnsPolicy: Default
      tolerations:
        - key: node-role.kubernetes.io/master
--- a/examples/basic/Genesis.yaml
+++ b/examples/basic/Genesis.yaml
@ -17,6 +17,7 @@ data:
      - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
      - --service-cluster-ip-range=10.96.0.0/16
      - --endpoint-reconciler-type=lease
+      - --feature-gates=PodShareProcessNamespace=true
      # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
      - --repair-malformed-updates=false
  armada:
--- a/examples/basic/Kubelet.yaml
+++ b/examples/basic/Kubelet.yaml
@ -16,6 +16,7 @@ data:
    - --node-status-update-frequency=5s
    - --serialize-image-pulls=false
    - --anonymous-auth=false
+    - --feature-gates=PodShareProcessNamespace=true
    - --v=3
  images:
    pause: gcr.io/google_containers/pause-amd64:3.0
--- a/examples/basic/PKICatalog.yaml
+++ b/examples/basic/PKICatalog.yaml
@ -63,11 +63,6 @@ data:
          common_name: armada
          groups:
            - system:masters
-    kubelet:
-      description: CA for Kubernetes node interactions
-      certificates:
-        - document_name: apiserver-kubelet-client
-          common_name: apiserver-kubelet-client
    kubernetes-etcd:
      description: Certificates for Kubernetes's etcd servers
      certificates:
--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@ -679,28 +679,6 @@ metadata:
      dest:
        path: .values.secrets.tls.key

-    -
-      src:
-        schema: deckhand/CertificateAuthority/v1
-        name: kubelet
-        path: .
-      dest:
-        path: .values.secrets.kubelet.tls.ca
-    -
-      src:
-        schema: deckhand/Certificate/v1
-        name: apiserver-kubelet-client
-        path: .
-      dest:
-        path: .values.secrets.kubelet.tls.cert
-    -
-      src:
-        schema: deckhand/CertificateKey/v1
-        name: apiserver-kubelet-client
-        path: .
-      dest:
-        path: .values.secrets.kubelet.tls.key
-
    -
      src:
        schema: deckhand/CertificateAuthority/v1
@ -746,6 +724,7 @@ data:
      - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
      - --service-cluster-ip-range=10.96.0.0/16
      - --endpoint-reconciler-type=lease
+      - --feature-gates=PodShareProcessNamespace=true
      # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
      - --repair-malformed-updates=false
    apiserver: