New base cluster#4213

beyang · 2022-12-12T04:43:58Z

New base k8s cluster, bootstrapped from our existing non-privileged-create cluster.

Desired artifacts

a new k8s base cluster with minimal permissions requirements (no root users, no RBAC)
an easy, but flexible way to customize the cluster manifest to whatever the customer desires, while preserving a sane and tractable developer experience
a migration path from old world to new

We will keep the old legacy cluster, kustomize overlays, and Helm around for existing customers. All new customers should use the new base cluster with the new customization mechanism.

An intermediate milestone is probably to generate the existing (soon legacy) manifest using (2) from (1). That would be a good test of (2), as well. See notes section below for commentary on this.

To-do

Generate existing cluster from new
Create equivalent of existing kustomize overlays
Check with Security to see what modifications we should make to Docker containers
Odds and ends
- Set fsGroupChangePolicy to OnRootMismatch (performance)

Notes / outstanding questions

There is the question of how to customize.

Helm: templated YAML is brittle and yields a very poor dev experience
Kustomize now supports components, which makes it more composable. There are still 2 issues:
- You can't easily target multiple containers in a deployment (e.g., to add a securityContext). There is replacement: with create: true in theory, but it's a bit of a hack and I couldn't get it to work
- You can't dynamically change an env var like SRC_GIT_SERVERS, which we need to do to eliminate the need for service discovery and therefore elevated permissions to create RBAC objects.

Overview of current layout, as of `eb28273`

new/resources/sourcegraph - the proposed new base cluster. Still need to remove RBAC and convert some deployments (the ones referenced here) to statefulsets. Once RBAC is removed, we'll have to pass shard names through environment variables like SRC_GIT_SERVERS and our customization mechanism will need a way to do this automatically.
new/resources/monitoring - moved all the monitoring stuff into a separate directory
new/k8st - some customization code I copied over from the bl/better-customize branch. This isn't runnable yet, and we can remove this if we decide to move forward with Kustomize

Checklist

CHANGELOG.md updated
K8s Upgrade notes updated
Sister deploy-sourcegraph-docker change:
All images have a valid tag and SHA256 sum

Test plan

new/resources/monitoring/apps_v1_statefulset_grafana.yaml

new/resources/sourcegraph/apps_v1_statefulset_gitserver.yaml

new/resources/sourcegraph/apps_v1_statefulset_indexed-search.yaml

beyang added 2 commits December 11, 2022 20:42

k8st code

81e4fe6

new base cluster, modified from un-privileged cluster

eb28273

beyang marked this pull request as draft December 12, 2022 04:44

Add kustomize to new base cluster with minimal permissions (#4214)

23054ba

abeatrix reviewed Dec 16, 2022

View reviewed changes

new/resources/monitoring/apps_v1_statefulset_grafana.yaml Show resolved Hide resolved

abeatrix reviewed Dec 16, 2022

View reviewed changes

new/resources/sourcegraph/apps_v1_statefulset_gitserver.yaml Show resolved Hide resolved

abeatrix reviewed Dec 16, 2022

View reviewed changes

new/resources/sourcegraph/apps_v1_statefulset_indexed-search.yaml Show resolved Hide resolved

abeatrix mentioned this pull request Dec 16, 2022

feat: non-privileged base cluster with new kustomize #4215

Closed

6 tasks

abeatrix self-assigned this Dec 20, 2022

beyang closed this Jan 21, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New base cluster#4213