github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 21:47:07 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #54175 from tallclair/fluentd

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 54336, 54470, 54334, 54175). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Update fluentd-gcp DaemonSet

- Use a dedicated service account to run the fluentd-gcp DS
- Use the certificates in the prometheus-to-sd image rather than mounting the host certs

This PR lets us create a more targeted PodSecurityPolicy for fluentd. (See https://github.com/kubernetes/kubernetes/pull/52367#discussion_r145433354)

```release-note
- fluentd-gcp runs with a dedicated fluentd-gcp service account
- Stop mounting the host certificates into fluentd's prometheus-to-sd container
```
This commit is contained in:
Kubernetes Submit Queue 2017-10-25 15:16:15 -07:00 committed by GitHub
commit 54295026bf
1 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
cluster/addons/fluentd-gcp/fluentd-gcp-ds.yaml
View File

@ -1,3 +1,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: fluentd-gcp
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
@ -23,6 +32,7 @@ spec:
annotations: annotations:
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
spec: spec:
serviceAccountName: fluentd-gcp
dnsPolicy: Default dnsPolicy: Default
hostNetwork: true hostNetwork: true
containers: containers:
@ -90,9 +100,6 @@ spec:
- --stackdriver-prefix={{ prometheus_to_sd_prefix }}/addons - --stackdriver-prefix={{ prometheus_to_sd_prefix }}/addons
- --api-override={{ prometheus_to_sd_endpoint }} - --api-override={{ prometheus_to_sd_endpoint }}
- --whitelisted-metrics=stackdriver_successful_requests_count,stackdriver_failed_requests_count,stackdriver_ingested_entries_count,stackdriver_dropped_entries_count - --whitelisted-metrics=stackdriver_successful_requests_count,stackdriver_failed_requests_count,stackdriver_ingested_entries_count,stackdriver_dropped_entries_count
volumeMounts:
- name: ssl-certs
mountPath: /etc/ssl/certs
# END_PROMETHEUS_TO_SD # END_PROMETHEUS_TO_SD
nodeSelector: nodeSelector:
beta.kubernetes.io/fluentd-ds-ready: "true" beta.kubernetes.io/fluentd-ds-ready: "true"
@ -118,6 +125,3 @@ spec:
- name: config-volume - name: config-volume
configMap: configMap:
name: fluentd-gcp-config-v1.2.2 name: fluentd-gcp-config-v1.2.2
- name: ssl-certs
hostPath:
path: /etc/ssl/certs