Share process namespaces with exec probes
This avoids leaving zombies in cases where the processes don't reap children. Also fixes a certificate issue with the resiliency gate. Change-Id: I8a795557b0d60338c40b360c947b81a20fd48877
parent
6133b489d4
commit
6638b47cb9
@ -24,6 +24,7 @@ metadata:
|
|||||||
{{ tuple $envAll "kubernetes" "apiserver" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
{{ tuple $envAll "kubernetes" "apiserver" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
|
shareProcessNamespace: true
|
||||||
containers:
|
containers:
|
||||||
- name: apiserver
|
- name: apiserver
|
||||||
image: {{ .Values.images.tags.apiserver }}
|
image: {{ .Values.images.tags.apiserver }}
|
||||||
|
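Review bot: `shareProcessNamespace: true` is added under `spec:` next to `hostNetwork: true` without a comment, and it widens what the containers in this pod can see of each other. In a shared PID namespace each container can list and signal the others' processes, read their command lines and environment through /proc, and reach their filesystems through /proc/<pid>/root, limited only by ordinary Unix permissions. For the apiserver pod that puts flags and mounted key material within reach of any sidecar added later. I would add a comment above the line, for example `# Shared PID namespace so orphaned exec-probe children get reaped; every container in this pod must be equally trusted.` The same applies to the coredns hunk (`@ -42,6 +42,7`) and the third pod-spec hunk (`@ -32,6 +32,7`); all three specs continue outside their hunks.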
@ -42,6 +42,7 @@ spec:
|
|||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: coredns
|
serviceAccountName: coredns
|
||||||
|
shareProcessNamespace: true
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: "CriticalAddonsOnly"
|
- key: "CriticalAddonsOnly"
|
||||||
operator: "Exists"
|
operator: "Exists"
|
||||||
|
@ -32,6 +32,7 @@ spec:
|
|||||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
|
shareProcessNamespace: true
|
||||||
dnsPolicy: Default
|
dnsPolicy: Default
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
- key: node-role.kubernetes.io/master
|
||||||
|
@ -17,6 +17,7 @@ data:
|
|||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --endpoint-reconciler-type=lease
|
- --endpoint-reconciler-type=lease
|
||||||
|
- --feature-gates=PodShareProcessNamespace=true
|
||||||
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
- --repair-malformed-updates=false
|
- --repair-malformed-updates=false
|
||||||
armada:
|
armada:
|
||||||
|
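Review bot: The added `--feature-gates=PodShareProcessNamespace=true` has no comment, unlike the `--repair-malformed-updates=false` entry right below it, which records when it goes away. The gate enables the field for the whole cluster, so any pod author can request a shared PID namespace, not only the three pod specs changed in this commit. If that is wider than intended, it needs a restriction at admission, which nothing in this hunk shows. I would add a line above the flag such as `# NOTE: required for shareProcessNamespace while the gate is off by default; remove once the deployed Kubernetes enables it by default.` The same flag is added without a comment in the `@ -746,6 +724,7` hunk.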
@ -16,6 +16,7 @@ data:
|
|||||||
- --node-status-update-frequency=5s
|
- --node-status-update-frequency=5s
|
||||||
- --serialize-image-pulls=false
|
- --serialize-image-pulls=false
|
||||||
- --anonymous-auth=false
|
- --anonymous-auth=false
|
||||||
|
- --feature-gates=PodShareProcessNamespace=true
|
||||||
- --v=3
|
- --v=3
|
||||||
images:
|
images:
|
||||||
pause: gcr.io/google_containers/pause-amd64:3.0
|
pause: gcr.io/google_containers/pause-amd64:3.0
|
||||||
|
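Review bot: The context lines of this hunk still pin `pause: gcr.io/google_containers/pause-amd64:3.0`, and the zombie reaping this commit relies on is done by the pause process once it is PID 1 of the shared namespace. As far as I recall, the reaping signal handler was only added in a later pause release than 3.0. If so, the gate and `shareProcessNamespace` would be enabled while orphaned probe children are still not collected. Please confirm against the image actually deployed, assuming this `pause` key is what the kubelet uses for the pod sandbox. If it does not reap, bump the tag in the same change. The `images:` mapping continues outside the hunk.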
@ -63,11 +63,6 @@ data:
|
|||||||
common_name: armada
|
common_name: armada
|
||||||
groups:
|
groups:
|
||||||
- system:masters
|
- system:masters
|
||||||
kubelet:
|
|
||||||
description: CA for Kubernetes node interactions
|
|
||||||
certificates:
|
|
||||||
- document_name: apiserver-kubelet-client
|
|
||||||
common_name: apiserver-kubelet-client
|
|
||||||
kubernetes-etcd:
|
kubernetes-etcd:
|
||||||
description: Certificates for Kubernetes's etcd servers
|
description: Certificates for Kubernetes's etcd servers
|
||||||
certificates:
|
certificates:
|
||||||
|
@ -679,28 +679,6 @@ metadata:
|
|||||||
dest:
|
dest:
|
||||||
path: .values.secrets.tls.key
|
path: .values.secrets.tls.key
|
||||||
|
|
||||||
-
|
|
||||||
src:
|
|
||||||
schema: deckhand/CertificateAuthority/v1
|
|
||||||
name: kubelet
|
|
||||||
path: .
|
|
||||||
dest:
|
|
||||||
path: .values.secrets.kubelet.tls.ca
|
|
||||||
-
|
|
||||||
src:
|
|
||||||
schema: deckhand/Certificate/v1
|
|
||||||
name: apiserver-kubelet-client
|
|
||||||
path: .
|
|
||||||
dest:
|
|
||||||
path: .values.secrets.kubelet.tls.cert
|
|
||||||
-
|
|
||||||
src:
|
|
||||||
schema: deckhand/CertificateKey/v1
|
|
||||||
name: apiserver-kubelet-client
|
|
||||||
path: .
|
|
||||||
dest:
|
|
||||||
path: .values.secrets.kubelet.tls.key
|
|
||||||
|
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/CertificateAuthority/v1
|
schema: deckhand/CertificateAuthority/v1
|
||||||
@ -746,6 +724,7 @@ data:
|
|||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
- --service-cluster-ip-range=10.96.0.0/16
|
||||||
- --endpoint-reconciler-type=lease
|
- --endpoint-reconciler-type=lease
|
||||||
|
- --feature-gates=PodShareProcessNamespace=true
|
||||||
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
|
||||||
- --repair-malformed-updates=false
|
- --repair-malformed-updates=false
|
||||||
apiserver:
|
apiserver:
|
||||||
|