Skip to content

Instantly share code, notes, and snippets.

@flavio-fernandes
Last active March 24, 2023 20:22
Show Gist options
  • Save flavio-fernandes/316c4284cb039ffc32859c13ffeedc75 to your computer and use it in GitHub Desktop.
Save flavio-fernandes/316c4284cb039ffc32859c13ffeedc75 to your computer and use it in GitHub Desktop.
golang pod daemonset
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: pprof
spec:
selector:
matchLabels:
name: pprof
template:
metadata:
labels:
name: pprof
spec:
securityContext:
runAsUser: 0
tolerations:
- operator: Exists
containers:
- name: ovsdb-mon
image: quay.io/amorenoz/ovsdb-mon:latest
resources: {}
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /run/ovn/
name: run-ovn
- mountPath: /run/openvswitch/
name: run-ovs
readinessProbe:
exec:
command:
- ls
- /tmp/build_finished
initialDelaySeconds: 5
volumes:
- hostPath:
path: /run/ovn
type: ""
name: run-ovn
- hostPath:
path: /run/openvswitch
type: ""
name: run-ovs
hostNetwork: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: network.operator.openshift.io/dpu-host
operator: DoesNotExist
- key: network.operator.openshift.io/dpu
operator: DoesNotExist
@flavio-fernandes
Copy link
Author

I found it best to run this ds in its own k8 namespace. In other words:

cat gopodpprof.source

if [ "${BASH_SOURCE[0]}" -ef "$0" ]
then
    >&2 echo 'Please source this script, not execute it!'
    exit 1
fi

NS=pprof

kubectl create namespace $NS --dry-run=client -o yaml | kubectl apply -f - 2>&1 | \
    grep -v "kubectl.kubernetes.io/last-applied-configuration"
kubectl label namespace $NS --overwrite \
    pod-security.kubernetes.io/enforce=privileged \
    pod-security.kubernetes.io/audit=privileged \
    pod-security.kubernetes.io/warn=privileged \
    security.openshift.io/scc.podSecurityLabelSync=false
until [[ $(kubectl get sa default -n $NS -o=jsonpath='{.metadata.creationTimestamp}') ]]; do \
    echo "waiting for service account for $NS namespace to exist..."; sleep 3; done

# If oc scc resource exists, configure role that allows $NS to have priviledged access
ocbin=$(which oc 2>/dev/null)
[ -x "$ocbin" ] && scc=$($ocbin api-resources | grep securitycontextconstraints)
if [ -n "$scc" ] ; then
    $ocbin get rolebinding $NS --no-headers -n $NS 2>/dev/null || \
    { $ocbin create role $NS --verb=use --resource=scc --resource-name=privileged -n $NS ;
      $ocbin create rolebinding $NS --role=${NS} --group=system:serviceaccounts:${NS} -n $NS ; }
fi

kubectl apply -n $NS -f ./gopodpprof.yaml || { >&2 echo 'bad k8s?'; return; }

kubectl get ds -n $NS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment