Share process namespaces with exec probes

This avoids leaving zombie processes behind in cases where the processes
don't reap their children.

Also fixes a certificate issue with the resiliency gate.

Change-Id: I8a795557b0d60338c40b360c947b81a20fd48877
Mark Burnett 2018-11-02 12:31:00 -05:00
parent 6133b489d4
commit 6638b47cb9
7 changed files with 6 additions and 27 deletions


@ -24,6 +24,7 @@ metadata:
{{ tuple $envAll "kubernetes" "apiserver" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
hostNetwork: true
shareProcessNamespace: true
containers:
- name: apiserver
image: {{ .Values.images.tags.apiserver }}
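Review bot: `shareProcessNamespace: true` on the apiserver pod (and the same addition to the coredns template and the hostNetwork pod template in the third file section) makes every process in the pod visible to every container in it, so a root process in any sidecar can read `/proc/<pid>/environ` and `/proc/<pid>/root` of the apiserver process, and a container holding CAP_SYS_PTRACE can signal or trace the others; nothing in the templates records why the namespace is shared or that this exposure is accepted. Add a comment above the line, e.g. `# NOTE: share the PID namespace so the pause container reaps children orphaned by exec probes; every container in this pod can see, and as root inspect, the others' processes`. It is worth confirming that no sidecar in these pods runs as root with SYS_PTRACE, since the apiserver container holds the cluster's TLS material. The pod spec continues outside the hunk.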


@ -42,6 +42,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: coredns
shareProcessNamespace: true
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"


@ -32,6 +32,7 @@ spec:
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
hostNetwork: true
shareProcessNamespace: true
dnsPolicy: Default
tolerations:
- key: node-role.kubernetes.io/master


@ -17,6 +17,7 @@ data:
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
- --feature-gates=PodShareProcessNamespace=true
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
- --repair-malformed-updates=false
armada:
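Review bot: the new `--feature-gates=PodShareProcessNamespace=true` item is appended as a separate list entry; if this args list already carries another `--feature-gates=` entry outside the hunk, confirm the two are merged by the flag parser rather than the later one silently replacing the earlier one. The same entry is added to the kubelet args in the next file section and again to the apiserver args in the second hunk of the last section, so the three must stay in step or the field will be rejected by whichever component lacks the gate. A note in the style of the existing one on `--repair-malformed-updates` would help, e.g. `# NOTE: PodShareProcessNamespace is an alpha gate in this release; it is on by default from Kubernetes 1.12`. The args list continues outside the hunk.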


@ -16,6 +16,7 @@ data:
- --node-status-update-frequency=5s
- --serialize-image-pulls=false
- --anonymous-auth=false
- --feature-gates=PodShareProcessNamespace=true
- --v=3
images:
pause: gcr.io/google_containers/pause-amd64:3.0


@ -63,11 +63,6 @@ data:
common_name: armada
groups:
- system:masters
kubelet:
description: CA for Kubernetes node interactions
certificates:
- document_name: apiserver-kubelet-client
common_name: apiserver-kubelet-client
kubernetes-etcd:
description: Certificates for Kubernetes's etcd servers
certificates:
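Review bot: dropping the `kubelet` CA and the `apiserver-kubelet-client` certificate from this catalog (together with their four substitutions removed in the last file section) leaves nothing visible that says how the apiserver now authenticates to kubelets or verifies their serving certificates. If the apiserver chart no longer receives `.values.secrets.kubelet.tls.*`, confirm that its `--kubelet-certificate-authority`, `--kubelet-client-certificate` and `--kubelet-client-key` settings now point at the cluster CA or another issued certificate rather than falling back to unverified kubelet TLS, since without a kubelet CA the apiserver accepts any kubelet serving certificate. The commit message calls this a certificate fix; a one-line comment in this catalog naming which CA now signs the apiserver's kubelet client certificate would make the intent recoverable. The surrounding `data:` mapping continues outside the hunk.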


@ -679,28 +679,6 @@ metadata:
dest:
path: .values.secrets.tls.key
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubelet
path: .
dest:
path: .values.secrets.kubelet.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: apiserver-kubelet-client
path: .
dest:
path: .values.secrets.kubelet.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver-kubelet-client
path: .
dest:
path: .values.secrets.kubelet.tls.key
-
src:
schema: deckhand/CertificateAuthority/v1
@ -746,6 +724,7 @@ data:
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
- --feature-gates=PodShareProcessNamespace=true
# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
- --repair-malformed-updates=false
apiserver: