Support DaemonSet deployment from helm #1640
tcolgate added a commit to tcolgate/cerbos that referenced this issue (Jun 21, 2023)

tcolgate added a commit to tcolgate/cerbos that referenced this issue (Jun 21, 2023):
Fixes cerbos#1640
Signed-off-by: Tristan Colgate-McFarlane <tristan@cerbos.dev>
tcolgate added a commit to tcolgate/cerbos that referenced this issue (Jul 4, 2023):
Fixes cerbos#1640
Signed-off-by: Tristan Colgate-McFarlane <tristan@cerbos.dev>
tcolgate added a commit to tcolgate/cerbos that referenced this issue (Jun 3, 2024):
Fixes cerbos#1640
Signed-off-by: Tristan Colgate-McFarlane <tristan@cerbos.dev>
tcolgate added a commit that referenced this issue (Jun 3, 2024):

#### Description

This adds support to the chart for deploying as a DaemonSet, and adds additional options that are common in that scenario. The new settings are

- `type`: defaults to deployment, but can be set to daemonset
- `priorityClassName`: allows setting the pod priorityClassName
- `service.internalTrafficPolicy`: allows forcing traffic to this service to the local pod instance.

TODO:

- Not tested at all
- should add schema validation of the fields

Fixes #1640

- [ ] The PR title has the correct prefix
- [ ] PR is linked to the corresponding issue
- [ ] All commits are signed-off (`git commit -s ...`) to provide the [DCO](https://developercertificate.org/)

---------

Signed-off-by: Tristan Colgate-McFarlane <tristan@cerbos.dev>
Signed-off-by: Tristan Colgate-McFarlane <tcolgate@gmail.com>
Co-authored-by: Charith Ellawala <charithe@users.noreply.github.com>
Feature description
The current deployment strategies discussed are:
There a couple of downsides to these:
As an alternative, the cerbos PDP can be deployed as a DaemonSet, running one pod per node, and exposing this pod as a NodePort service. Applications are then told the address of the PDP server instance to use by an environment variable set using the K8s Downward API:
The potential advantages are:
What would the ideal solution look like to you?
Anything else?
A 100% best practice deploy would use the `system-node-critical` priority class. K8s treats this class specially and integrates the readiness with the full node lifecycle. Unfortunately (last time I checked), this also requires running the pods in the `kube-system` namespace.
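The layout the issue describes (one PDP pod per node via a DaemonSet, exposed as a NodePort, with clients discovering it through the Downward API) and the three settings the linked PR adds to the chart (`type`, `priorityClassName`, `service.internalTrafficPolicy`), written out as plain manifests. This is an added example, not the Cerbos chart's own templates or any of the author's code; the namespace, image names, container port, health path and node port are placeholders chosen for illustration.

```yaml
# Added example, not from the Cerbos chart. Placeholders: namespace, images,
# port 3592, the health path and nodePort 30592 are all assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: pdp
  namespace: pdp-system            # assumption: a dedicated namespace
spec:
  selector:
    matchLabels: {app: pdp}
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1            # only one node loses its local PDP at a time during an upgrade
  template:
    metadata:
      labels: {app: pdp}
    spec:
      priorityClassName: system-node-critical   # the class the issue recommends; check the
                                                # namespace restriction the issue mentions on your cluster version
      containers:
        - name: pdp
          image: example.invalid/pdp:placeholder   # placeholder image
          ports:
            - name: http
              containerPort: 3592                  # assumption
          readinessProbe:                          # keeps the local endpoint out of the Service until the PDP is serving
            httpGet: {path: /healthz, port: http}  # assumption: adjust to the real health endpoint
---
apiVersion: v1
kind: Service
metadata:
  name: pdp
  namespace: pdp-system
spec:
  type: NodePort
  selector: {app: pdp}
  internalTrafficPolicy: Local     # ClusterIP traffic from a node is routed only to the PDP pod on that node
  externalTrafficPolicy: Local     # the node-port path is governed by this field; also keep it on-node
  ports:
    - name: http
      port: 3592
      targetPort: http
      nodePort: 30592              # assumption: fixed so every client can compute the same address
---
# A client pod: the Downward API injects the node's address, and Kubernetes
# expands $(NODE_IP) because NODE_IP is declared earlier in the same env list.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: pdp-system
spec:
  containers:
    - name: app
      image: example.invalid/app:placeholder       # placeholder image
      env:
        - name: NODE_IP
          valueFrom:
            fieldRef: {fieldPath: status.hostIP}
        - name: PDP_ADDR
          value: "http://$(NODE_IP):30592"
```

Two points a practitioner would check before relying on this. `internalTrafficPolicy: Local` only governs traffic sent to the Service's ClusterIP; a client that addresses `hostIP:nodePort`, as above, takes the node-port path, which is why `externalTrafficPolicy: Local` is set as well. And a NodePort is bound on every node's address, so it is reachable by anything that can reach the node, not only the pods on it; pair it with a NetworkPolicy that limits ingress to the PDP pods (or node-level firewalling) so that the authorization endpoint is not exposed more widely than the local-only routing suggests.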