update helm charts for performance, mark it to use podPriority and other attributes; do this by first creating a sample helm-charts-hardened yaml and then comparing it with what we have. #808

Closed
v0lkan opened this issue Apr 4, 2024 · 2 comments

Comments

v0lkan commented Apr 4, 2024

Quote:
https://github.com/spiffe/helm-charts-hardened/tree/main/charts/spire#production

Quote from Kevin (Fox) (wrt helm-charts-hardened):
"I think the helm chart has a rather large feature set above the from-scratch manifests at this point. Lots and lots more testing. We should consider not recommending folks use the static manifests soon, I think, because of it. There are a lot of features such as k8s priorityClasses and pod security standards that a lot of folks don't even know exist that we support/test and that enable a better experience out of the box."

More braindump from our Slack:

"""
Best to share this in an n-way chat.
I’m discussing why we might be having the SPIFFE driver issue with the SPIRE experts, and
1.
As far as I can tell, the csi driver doesn't actually do anything but make the directory available, so it shouldn't matter what state the socket is in?
2.
Kevin Fox
3 minutes ago
I've seen weird things like that when resource contained.
long story short, it looks like a resource contention issue. It’s likely not related to SPIRE version.
Also (referring to the SPIRE helm-charts-hardened project);
are you using the chart? We tried to set things up so that it would still function properly when resource constrained. not sure the static manifests do.

it should mark the most important pods with appropriate higher priority flags to keep them alive and on the node during contention.
also from charts:

@param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names
I think the best course forward is to create a SPIRE yaml with helm-charts-hardened ; compare with what we have, and adjust accordingly.
I’m pretty sure we are not setting "any" priorityclass for example 🙂 .

2:23
ref: https://github.com/spiffe/helm-charts-hardened/blob/fafed66866533549c319713f3897a6b08875e9c8/charts/spire/values.yaml#L39

values.yaml
@param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names
https://github.com/spiffe/helm-charts-hardened|spiffe/helm-charts-hardenedspiffe/helm-charts-hardened | Added by https://vmware.slack.com/services/B01UWS06EEM

kind of having that conversation over here too: spiffe/spiffe.io#283 (comment)

4 minutes ago
spiffe/spiffe.io#290 is looking pretty close to merging too.

"""

v0lkan commented Apr 18, 2024

Try it with OpenShift support too:

global.openshift and restrictedScc.enabled.

It may create a separate list of values that we might want to templatize.
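The comparison step described in both comments above (render the hardened chart, then check the existing static manifests against it for priorityClassName and pod security attributes) can be scripted. The block below is an added example, not code from this issue or from the helm-charts-hardened project. It assumes the rendered output of `helm template` and the static YAML have already been parsed into Python dictionaries (for instance with a YAML library); the two manifest sets embedded here are constructed samples, and the attribute list and priority class names are assumptions chosen for illustration, not the chart's actual recommended values.

```python
"""Audit workload manifests for scheduling and pod-security attributes and
report which ones the static manifests lack compared with the chart output.
"""

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def pod_spec(doc):
    """Return the pod template spec of a workload document (empty if absent)."""
    return doc.get("spec", {}).get("template", {}).get("spec", {})


def workload_key(doc):
    """Stable identifier for matching a workload across the two manifest sets."""
    return f'{doc["kind"]}/{doc["metadata"]["name"]}'


def audit(doc):
    """Map each attribute we care about to whether the workload sets it.

    The attribute set is an assumption for this example: the issue names
    priorityClassName and pod security standards; resources and a read-only
    root filesystem are added as typical hardening checks.
    """
    spec = pod_spec(doc)
    containers = spec.get("containers", [])
    pod_sec = spec.get("securityContext", {})
    return {
        "priorityClassName": bool(spec.get("priorityClassName")),
        "runAsNonRoot": pod_sec.get("runAsNonRoot") is True,
        "resources": bool(containers) and all(c.get("resources") for c in containers),
        "readOnlyRootFilesystem": bool(containers) and all(
            c.get("securityContext", {}).get("readOnlyRootFilesystem") is True
            for c in containers
        ),
    }


def compare(hardened_docs, static_docs):
    """Return {workload: [attributes set in the hardened render but not in static]}."""
    hardened = {workload_key(d): audit(d) for d in hardened_docs if d.get("kind") in WORKLOAD_KINDS}
    static = {workload_key(d): audit(d) for d in static_docs if d.get("kind") in WORKLOAD_KINDS}
    gaps = {}
    for key, want in hardened.items():
        have = static.get(key)
        if have is None:
            gaps[key] = ["<workload missing from static manifests>"]
            continue
        missing = [attr for attr, is_set in want.items() if is_set and not have[attr]]
        if missing:
            gaps[key] = missing
    return gaps


def _workload(kind, name, priority=None, run_as_non_root=None, resources=True, ro_root=True):
    """Build a constructed sample workload document (not real chart output)."""
    container = {"name": name, "image": "placeholder:tag"}
    if resources:
        container["resources"] = {"requests": {"cpu": "100m", "memory": "128Mi"}}
    if ro_root:
        container["securityContext"] = {"readOnlyRootFilesystem": True}
    spec = {"containers": [container]}
    if priority:
        spec["priorityClassName"] = priority
    if run_as_non_root is not None:
        spec["securityContext"] = {"runAsNonRoot": run_as_non_root}
    return {"apiVersion": "apps/v1", "kind": kind, "metadata": {"name": name},
            "spec": {"template": {"spec": spec}}}


# Constructed stand-ins for the parsed `helm template` output of the hardened chart.
# The priority class names are Kubernetes built-ins used here as illustrative values.
HARDENED = [
    _workload("StatefulSet", "spire-server", priority="system-cluster-critical", run_as_non_root=True),
    _workload("DaemonSet", "spire-agent", priority="system-node-critical"),
]

# Constructed stand-ins for the existing static manifests being compared.
STATIC = [
    _workload("StatefulSet", "spire-server"),
    _workload("DaemonSet", "spire-agent", resources=False, ro_root=False),
]


if __name__ == "__main__":
    for workload, attrs in compare(HARDENED, STATIC).items():
        print(f"{workload}: static manifest lacks {', '.join(attrs)}")
```

Run on real input by loading both manifest sets with a YAML parser (`yaml.safe_load_all` on the `helm template` output and on the static files) and passing the resulting document lists to `compare`; each reported gap is a candidate value to templatize, which is also where a separate OpenShift value set would surface as a distinct set of gaps.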

v0lkan commented Apr 24, 2024

Done.

@v0lkan v0lkan closed this as completed Apr 24, 2024