From 6638b47cb9d0958786b2783618857ef86ab81d9e Mon Sep 17 00:00:00 2001
From: Mark Burnett
Date: Fri, 2 Nov 2018 12:31:00 -0500
Subject: [PATCH] Share process namespaces with exec probes

This avoids leaving zombies in cases where the processes don't reap children.

Also fixes a certificate issue with the resiliency gate.

Change-Id: I8a795557b0d60338c40b360c947b81a20fd48877
---
 .../etc/_kubernetes-apiserver.yaml.tpl | 1 +
 charts/coredns/templates/deployment.yaml | 1 +
 charts/proxy/templates/daemonset.yaml | 1 +
 examples/basic/Genesis.yaml | 1 +
 examples/basic/Kubelet.yaml | 1 +
 examples/basic/PKICatalog.yaml | 5 ----
 examples/basic/armada-resources.yaml | 23 +-------------------
 7 files changed, 6 insertions(+), 27 deletions(-)

diff --git a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
index 0d2f36da..1d43331a 100644
--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -24,6 +24,7 @@ metadata:
 {{ tuple $envAll "kubernetes" "apiserver" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
 hostNetwork: true
+ shareProcessNamespace: true
 containers:
 - name: apiserver
 image: {{ .Values.images.tags.apiserver }}
diff --git a/charts/coredns/templates/deployment.yaml b/charts/coredns/templates/deployment.yaml
index e83f7611..c87d1a2f 100644
--- a/charts/coredns/templates/deployment.yaml
+++ b/charts/coredns/templates/deployment.yaml
@@ -42,6 +42,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: coredns
+ shareProcessNamespace: true
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
diff --git a/charts/proxy/templates/daemonset.yaml b/charts/proxy/templates/daemonset.yaml
index 4c991f13..f1172b44 100644
--- a/charts/proxy/templates/daemonset.yaml
+++ b/charts/proxy/templates/daemonset.yaml
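Review bot: `shareProcessNamespace: true` in the apiserver pod spec is a pod-wide setting, not one scoped to the exec probe, and it sits directly under `hostNetwork: true`: every container in this pod now sees the apiserver process and, when it runs as the same UID or holds CAP_SYS_PTRACE, may read its `/proc/<pid>/environ`, open file descriptors and `/proc/<pid>/root`, which is where the serving key and any client key material mounted into the `apiserver` container live. Only the `apiserver` container is visible in the hunk, so whether a second container exists is inferred from the commit title; the same setting is added in the coredns and proxy hunks. It also means each container's main process is no longer PID 1 (pause reaps instead), which is the intent here but is not recorded anywhere, so I would add above the new line `# Shared PID namespace: pause reaps exec-probe children; all containers in this pod can inspect each other via /proc`. If a sidecar is ever added to these pods, running it as a non-root UID without ptrace capability keeps the apiserver's key material out of its reach.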
@@ -32,6 +32,7 @@ spec:
 scheduler.alpha.kubernetes.io/critical-pod: ''
 spec:
 hostNetwork: true
+ shareProcessNamespace: true
 dnsPolicy: Default
 tolerations:
 - key: node-role.kubernetes.io/master
diff --git a/examples/basic/Genesis.yaml b/examples/basic/Genesis.yaml
index 7bade7d2..9079fa9f 100644
--- a/examples/basic/Genesis.yaml
+++ b/examples/basic/Genesis.yaml
@@ -17,6 +17,7 @@ data:
 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
 - --service-cluster-ip-range=10.96.0.0/16
 - --endpoint-reconciler-type=lease
+ - --feature-gates=PodShareProcessNamespace=true
 # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
 - --repair-malformed-updates=false
 armada:
diff --git a/examples/basic/Kubelet.yaml b/examples/basic/Kubelet.yaml
index 6464a4ec..60074cd3 100644
--- a/examples/basic/Kubelet.yaml
+++ b/examples/basic/Kubelet.yaml
@@ -16,6 +16,7 @@ data:
 - --node-status-update-frequency=5s
 - --serialize-image-pulls=false
 - --anonymous-auth=false
+ - --feature-gates=PodShareProcessNamespace=true
 - --v=3
 images:
 pause: gcr.io/google_containers/pause-amd64:3.0
diff --git a/examples/basic/PKICatalog.yaml b/examples/basic/PKICatalog.yaml
index fda5234c..b1d0a134 100644
--- a/examples/basic/PKICatalog.yaml
+++ b/examples/basic/PKICatalog.yaml
@@ -63,11 +63,6 @@ data:
 common_name: armada
 groups:
 - system:masters
- kubelet:
- description: CA for Kubernetes node interactions
- certificates:
- - document_name: apiserver-kubelet-client
- common_name: apiserver-kubelet-client
 kubernetes-etcd:
 description: Certificates for Kubernetes's etcd servers
 certificates:
diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml
index 8b49feac..f39b7a8d 100644
--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
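Review bot: The new `- --feature-gates=PodShareProcessNamespace=true` line in Genesis.yaml is inserted directly above `# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11`, a comment that belongs to `--repair-malformed-updates=false`; read top-down it now looks as though the feature gate is the flag being removed. Placing the new argument after `- --repair-malformed-updates=false` keeps the note attached to its own flag; the armada-resources.yaml hunk at `@@ -746,6 +724,7 @@` has the same placement. The gate itself also deserves a note here and in the Kubelet.yaml hunk, because explicit feature gates have a lifecycle: once the feature is on by default the gate name is eventually dropped, and an unrecognized gate name is a startup failure for the component that receives it, so `# PodShareProcessNamespace: alpha gate required for shareProcessNamespace on this release; remove once the feature is on by default` records when this line must go.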
@@ -679,28 +679,6 @@ metadata:
 dest:
 path: .values.secrets.tls.key
-
- - src:
- schema: deckhand/CertificateAuthority/v1
- name: kubelet
- path: .
- dest:
- path: .values.secrets.kubelet.tls.ca
-
- - src:
- schema: deckhand/Certificate/v1
- name: apiserver-kubelet-client
- path: .
- dest:
- path: .values.secrets.kubelet.tls.cert
-
- - src:
- schema: deckhand/CertificateKey/v1
- name: apiserver-kubelet-client
- path: .
- dest:
- path: .values.secrets.kubelet.tls.key
-
 - src:
 schema: deckhand/CertificateAuthority/v1
@@ -746,6 +724,7 @@ data:
 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
 - --service-cluster-ip-range=10.96.0.0/16
 - --endpoint-reconciler-type=lease
+ - --feature-gates=PodShareProcessNamespace=true
 # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
 - --repair-malformed-updates=false
 apiserver: