
Merge "Share process namespaces with exec probes"

Zuul 5 months ago
parent
commit
2b2bb68ab6

+ 1
- 0
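--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -24,6 +24,7 @@ metadata:
 {{ tuple $envAll "kubernetes" "apiserver" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
   hostNetwork: true
+  shareProcessNamespace: true
   containers:
     - name: apiserver
       image: {{ .Values.images.tags.apiserver }}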
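Review bot: `shareProcessNamespace: true` is hard-coded here with no comment and no values toggle, and the same line is added to charts/coredns/templates/deployment.yaml and charts/proxy/templates/daemonset.yaml. With a shared PID namespace every container in the pod can list and signal the processes of the others, and may reach their filesystems through `/proc/<pid>/root` where UIDs or capabilities allow it, which matters for a pod that also sets `hostNetwork: true` and presumably mounts the apiserver's key material. I would add a comment above the field such as `# Shared PID namespace is needed by the exec probes; containers in this pod are not PID-isolated from each other`, and consider gating the field behind a chart value so that operators who do not enable the feature gate can turn it off. The container list continues outside the hunk, so whether any sidecar runs next to `apiserver` cannot be told from here.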

+ 1
- 0
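--- a/charts/coredns/templates/deployment.yaml
+++ b/charts/coredns/templates/deployment.yaml
@@ -42,6 +42,7 @@ spec:
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
       serviceAccountName: coredns
+      shareProcessNamespace: true
       tolerations:
         - key: "CriticalAddonsOnly"
           operator: "Exists"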

+ 1
- 0
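--- a/charts/proxy/templates/daemonset.yaml
+++ b/charts/proxy/templates/daemonset.yaml
@@ -32,6 +32,7 @@ spec:
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
       hostNetwork: true
+      shareProcessNamespace: true
       dnsPolicy: Default
       tolerations:
         - key: node-role.kubernetes.io/master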

+ 1
- 0
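--- a/examples/basic/Genesis.yaml
+++ b/examples/basic/Genesis.yaml
@@ -17,6 +17,7 @@ data:
       - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
       - --service-cluster-ip-range=10.96.0.0/16
       - --endpoint-reconciler-type=lease
+      - --feature-gates=PodShareProcessNamespace=true
       # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
       - --repair-malformed-updates=false
   armada: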
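Review bot: The added `--feature-gates=PodShareProcessNamespace=true` turns the gate on for the whole cluster, so any workload allowed to create pods can request a shared PID namespace, not only the three charts touched in this change, and the flag carries no comment saying why it is here. The same line is added in examples/basic/Kubelet.yaml and in the second hunk of examples/basic/armada-resources.yaml. Following the NOTE style already used on the next line, I would add `# NOTE: required for shareProcessNamespace in the apiserver, coredns and proxy charts; remove once the gate is enabled by default`. If the intent is to limit which pods may use the field, that would need an admission policy, which is not visible in this hunk. The command list starts outside the hunk.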

+ 1
- 0
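--- a/examples/basic/Kubelet.yaml
+++ b/examples/basic/Kubelet.yaml
@@ -16,6 +16,7 @@ data:
     - --node-status-update-frequency=5s
     - --serialize-image-pulls=false
     - --anonymous-auth=false
+    - --feature-gates=PodShareProcessNamespace=true
     - --v=3
   images:
     pause: gcr.io/google_containers/pause-amd64:3.0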

+ 0
- 5
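--- a/examples/basic/PKICatalog.yaml
+++ b/examples/basic/PKICatalog.yaml
@@ -63,11 +63,6 @@ data:
           common_name: armada
           groups:
             - system:masters
-    kubelet:
-      description: CA for Kubernetes node interactions
-      certificates:
-        - document_name: apiserver-kubelet-client
-          common_name: apiserver-kubelet-client
     kubernetes-etcd:
       description: Certificates for Kubernetes's etcd servers
       certificates: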

+ 1
- 22
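--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -679,28 +679,6 @@ metadata:
       dest:
         path: .values.secrets.tls.key
 
-    -
-      src:
-        schema: deckhand/CertificateAuthority/v1
-        name: kubelet
-        path: .
-      dest:
-        path: .values.secrets.kubelet.tls.ca
-    -
-      src:
-        schema: deckhand/Certificate/v1
-        name: apiserver-kubelet-client
-        path: .
-      dest:
-        path: .values.secrets.kubelet.tls.cert
-    -
-      src:
-        schema: deckhand/CertificateKey/v1
-        name: apiserver-kubelet-client
-        path: .
-      dest:
-        path: .values.secrets.kubelet.tls.key
-
     -
       src:
         schema: deckhand/CertificateAuthority/v1
@@ -746,6 +724,7 @@ data:
       - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
       - --service-cluster-ip-range=10.96.0.0/16
       - --endpoint-reconciler-type=lease
+      - --feature-gates=PodShareProcessNamespace=true
       # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
       - --repair-malformed-updates=false
     apiserver: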
