@chrischdi
Created December 7, 2018 12:57
kubernetes-policy-agent memory

Here is how I start the policy-controller (args from the container spec of a k8s pod):

    args:
      - --addr=https://127.0.0.1:7925
      - --tls-cert-file=/etc/kubernetes/ssl/policy-controller/policy-controller-cert.pem
      - --tls-private-key-file=/etc/kubernetes/ssl/policy-controller/policy-controller-key.key
      - --opa-url=https://localhost:8181/v1
      - --opa-ca-file=/etc/kubernetes/ssl/policy-controller/opa-ca.ca
      - --opa-auth-token-file=/etc/kubernetes/ssl/policy-controller/policy-controller.authorization.token
      - --log-level=info

And here is how I start opa (args from the container spec of a k8s pod):

    args:
    - run
    - --server
    - --addr=https://127.0.0.1:8181
    - --tls-cert-file=/etc/kubernetes/ssl/policy-controller/opa-cert.pem
    - --tls-private-key-file=/etc/kubernetes/ssl/policy-controller/opa-key.key
    - /policy
    - /etc/kubernetes/ssl/policy-controller/policy-controller.authorization.rego
    - -l=info
    - -w

And the resulting memory usage when executing x.go: opa-and-policy-controller-tls

When I drop the https configuration between opa and policy agent, I'm not able to get this behaviour.

x.go:

    package main

    import (
    	"bytes"
    	"crypto/tls"
    	"fmt"
    	"log"
    	"net/http"
    )

    // Authorization endpoint of the policy-controller started above.
    var url = "https://127.0.0.1:7925/v1/authorize"

    // One SubjectAccessReview, posted over and over to generate load.
    var query = `{"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"verb":"list","group":"extensions","version":"v1beta1","resource":"replicasets"},"user":"system:kube-scheduler","group":["system:authenticated"]},"status":{"allowed":false}}`

    func postQuery() error {
    	var buf bytes.Buffer
    	buf.WriteString(query)
    	req, err := http.NewRequest("POST", url, &buf)
    	if err != nil {
    		// check the error before touching req; a failed NewRequest returns a nil request
    		return fmt.Errorf("http.NewRequest: %v", err)
    	}
    	req.Header.Set("Content-Type", "application/json")
    	// The policy-controller serves a self-signed cert in this setup, so the
    	// reproduction skips verification. Only acceptable for a local test client.
    	tr := &http.Transport{
    		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    	}
    	client := &http.Client{Transport: tr}
    	resp, err := client.Do(req)
    	if err != nil {
    		return fmt.Errorf("client.Do: %v", err)
    	}
    	defer resp.Body.Close()
    	if resp.StatusCode != http.StatusOK {
    		return fmt.Errorf("resp.StatusCode != http.StatusOK: %v", resp)
    	}
    	// var x interface{}
    	// if err := json.NewDecoder(resp.Body).Decode(&x); err != nil {
    	// 	return fmt.Errorf("json.Decode: %v", err)
    	// }
    	// fmt.Println(x)
    	return nil
    }

    func main() {
    	log.Printf("query: %s", query)
    	log.Printf("url: %s", url)
    	// Hammer the authorizer until killed; errors are logged but do not stop the loop.
    	for {
    		if err := postQuery(); err != nil {
    			log.Printf("postQuery: %v", err)
    		}
    	}
    }