public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Config option to allow Spilo container to run non-privileged. (#525) 

* Config option to allow Spilo container to run non-privileged.

Runs non-privileged by default.

Fixes #395

* add spilo_privileged to manifests/configmap.yaml

* add spilo_privileged to helm chart's values.yaml
This commit is contained in:
Aaron Miller 2019-04-03 11:13:39 -04:00 committed by Felix Kunde
parent 313db7d10b
commit 15ec6a920d
8 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
charts/postgres-operator/values.yaml
View File

@ -25,6 +25,7 @@ config:
secret_name_template: '{username}.{cluster}.credentials' secret_name_template: '{username}.{cluster}.credentials'
super_username: postgres super_username: postgres
enable_teams_api: "false" enable_teams_api: "false"
spilo_privileged: "false"
# set_memory_request_to_limit: "true" # set_memory_request_to_limit: "true"
# postgres_superuser_teams: "postgres_superusers" # postgres_superuser_teams: "postgres_superusers"
# enable_team_superuser: "false" # enable_team_superuser: "false"

3
docs/reference/operator_parameters.md
View File

@ -213,6 +213,9 @@ configuration they are grouped under the `kubernetes` key.
that should be assigned to the Postgres pods. The priority class itself must be defined in advance. that should be assigned to the Postgres pods. The priority class itself must be defined in advance.
Default is empty (use the default priority class). Default is empty (use the default priority class).
* **spilo_privileged**
whether the Spilo container should run in privileged mode. Privileged mode is used for AWS volume resizing and not required if you don't need that capability. The default is `false`.
* **master_pod_move_timeout** * **master_pod_move_timeout**
The period of time to wait for the success of migration of master pods from an unschedulable node. The period of time to wait for the success of migration of master pods from an unschedulable node.
The migration includes Patroni switchovers to respective replicas on healthy nodes. The situation where master pods still exist on the old node after this timeout expires has to be fixed manually. The default is 20 minutes. The migration includes Patroni switchovers to respective replicas on healthy nodes. The situation where master pods still exist on the old node after this timeout expires has to be fixed manually. The default is 20 minutes.

1
manifests/configmap.yaml
View File

@ -15,6 +15,7 @@ data:
secret_name_template: '{username}.{cluster}.credentials' secret_name_template: '{username}.{cluster}.credentials'
super_username: postgres super_username: postgres
enable_teams_api: "false" enable_teams_api: "false"
spilo_privileged: "false"
# custom_service_annotations: # custom_service_annotations:
# "keyx:valuez,keya:valuea" # "keyx:valuez,keya:valuea"
# set_memory_request_to_limit: "true" # set_memory_request_to_limit: "true"

1
manifests/postgresql-operator-default-configuration.yaml
View File

@ -23,6 +23,7 @@ configuration:
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}" secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
oauth_token_secret_name: postgresql-operator oauth_token_secret_name: postgresql-operator
pod_role_label: spilo-role pod_role_label: spilo-role
spilo_privileged: false
cluster_labels: cluster_labels:
application: spilo application: spilo
# inherited_labels: # inherited_labels:

1
pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
View File

@ -45,6 +45,7 @@ type KubernetesMetaConfiguration struct {
PodServiceAccountDefinition string `json:"pod_service_account_definition,omitempty"` PodServiceAccountDefinition string `json:"pod_service_account_definition,omitempty"`
PodServiceAccountRoleBindingDefinition string `json:"pod_service_account_role_binding_definition,omitempty"` PodServiceAccountRoleBindingDefinition string `json:"pod_service_account_role_binding_definition,omitempty"`
PodTerminateGracePeriod Duration `json:"pod_terminate_grace_period,omitempty"` PodTerminateGracePeriod Duration `json:"pod_terminate_grace_period,omitempty"`
SpiloPrivileged bool `json:"spilo_privileged,omitemty"`
WatchedNamespace string `json:"watched_namespace,omitempty"` WatchedNamespace string `json:"watched_namespace,omitempty"`
PDBNameFormat config.StringTemplate `json:"pdb_name_format,omitempty"` PDBNameFormat config.StringTemplate `json:"pdb_name_format,omitempty"`
SecretNameTemplate config.StringTemplate `json:"secret_name_template,omitempty"` SecretNameTemplate config.StringTemplate `json:"secret_name_template,omitempty"`

3
pkg/cluster/k8sres.go
View File

@ -358,8 +358,8 @@ func generateSpiloContainer(
resourceRequirements *v1.ResourceRequirements, resourceRequirements *v1.ResourceRequirements,
envVars []v1.EnvVar, envVars []v1.EnvVar,
volumeMounts []v1.VolumeMount, volumeMounts []v1.VolumeMount,
privilegedMode bool,
) *v1.Container { ) *v1.Container {
privilegedMode := true
return &v1.Container{ return &v1.Container{
Name: name, Name: name,
Image: *dockerImage, Image: *dockerImage,
@ -797,6 +797,7 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*v1beta1.State
resourceRequirements, resourceRequirements,
spiloEnvVars, spiloEnvVars,
volumeMounts, volumeMounts,
c.OpConfig.Resources.SpiloPrivileged,
) )
// resolve conflicts between operator-global and per-cluster sidecars // resolve conflicts between operator-global and per-cluster sidecars

1
pkg/controller/operator_config.go
View File

@ -41,6 +41,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
result.PodServiceAccountRoleBindingDefinition = fromCRD.Kubernetes.PodServiceAccountRoleBindingDefinition result.PodServiceAccountRoleBindingDefinition = fromCRD.Kubernetes.PodServiceAccountRoleBindingDefinition
result.PodEnvironmentConfigMap = fromCRD.Kubernetes.PodEnvironmentConfigMap result.PodEnvironmentConfigMap = fromCRD.Kubernetes.PodEnvironmentConfigMap
result.PodTerminateGracePeriod = time.Duration(fromCRD.Kubernetes.PodTerminateGracePeriod) result.PodTerminateGracePeriod = time.Duration(fromCRD.Kubernetes.PodTerminateGracePeriod)
result.SpiloPrivileged = fromCRD.Kubernetes.SpiloPrivileged
result.WatchedNamespace = fromCRD.Kubernetes.WatchedNamespace result.WatchedNamespace = fromCRD.Kubernetes.WatchedNamespace
result.PDBNameFormat = fromCRD.Kubernetes.PDBNameFormat result.PDBNameFormat = fromCRD.Kubernetes.PDBNameFormat
result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate

1
pkg/util/config/config.go
View File

@ -26,6 +26,7 @@ type Resources struct {
PodDeletionWaitTimeout time.Duration `name:"pod_deletion_wait_timeout" default:"10m"` PodDeletionWaitTimeout time.Duration `name:"pod_deletion_wait_timeout" default:"10m"`
PodTerminateGracePeriod time.Duration `name:"pod_terminate_grace_period" default:"5m"` PodTerminateGracePeriod time.Duration `name:"pod_terminate_grace_period" default:"5m"`
PodPriorityClassName string `name:"pod_priority_class_name"` PodPriorityClassName string `name:"pod_priority_class_name"`
SpiloPrivileged bool `name:"spilo_privileged" default:"false"`
ClusterLabels map[string]string `name:"cluster_labels" default:"application:spilo"` ClusterLabels map[string]string `name:"cluster_labels" default:"application:spilo"`
InheritedLabels []string `name:"inherited_labels" default:""` InheritedLabels []string `name:"inherited_labels" default:""`
ClusterNameLabel string `name:"cluster_name_label" default:"cluster-name"` ClusterNameLabel string `name:"cluster_name_label" default:"cluster-name"`