Compare commits
2 commits
010c47b03b
...
0389eb5d20
| Author | SHA1 | Date | |
|---|---|---|---|
|
0389eb5d20 | ||
|
|
33c52be1c5 |
|
|
@ -9,7 +9,7 @@ kind: Namespace
|
|||
metadata:
|
||||
name: #@ ns
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
|
||||
#@overlay/match by=overlay.all, expects="1+"
|
||||
---
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ kind: Namespace
|
|||
metadata:
|
||||
name: #@ ns
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
|
||||
#@overlay/match by=overlay.all, expects="1+"
|
||||
---
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ kind: Namespace
|
|||
metadata:
|
||||
name: #@ ns
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
|
||||
#@overlay/match by=overlay.all, expects="1+"
|
||||
---
|
||||
|
|
|
|||
|
|
@ -62,3 +62,81 @@ dashboards:
|
|||
gnetId: 15757
|
||||
revision: 37
|
||||
datasource: VictoriaMetrics
|
||||
ocis:
|
||||
datasource: VictoriaMetrics
|
||||
json: |-
|
||||
{
|
||||
"annotations": {"list": []},
|
||||
"editable": true,
|
||||
"graphTooltip": 1,
|
||||
"links": [],
|
||||
"panels": [
|
||||
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 0}, "id": 100, "panels": [], "title": "User experience (proxy)", "type": "row"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}, "unit": "reqps"}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 0, "y": 1}, "id": 1, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(rate(ocis_proxy_requests_total[5m]))", "refId": "A"}], "title": "Proxy req/s", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}, {"color": "yellow", "value": 1}, {"color": "red", "value": 5}]}, "unit": "percent", "min": 0, "max": 100}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 6, "y": 1}, "id": 2, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "100 * sum(rate(ocis_proxy_errors_total[5m])) / clamp_min(sum(rate(ocis_proxy_requests_total[5m])), 0.001)", "refId": "A"}], "title": "Proxy error %", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 10, "lineWidth": 1, "showPoints": "never"}, "unit": "s"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 1}, "id": 3, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull"]}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.50, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p50 {{method}}", "refId": "A"}, {"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.95, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p95 {{method}}", "refId": "B"}, {"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.99, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p99 {{method}}", "refId": "C"}], "title": "Proxy latency by method", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 20, "lineWidth": 1, "stacking": {"mode": "normal"}}, "unit": "reqps"}, "overrides": []}, "gridPos": {"h": 4, "w": 12, "x": 0, "y": 5}, "id": 4, "options": {"legend": {"displayMode": "list", "placement": "bottom", "showLegend": true}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum by (method) (rate(ocis_proxy_requests_total[5m]))", "legendFormat": "{{method}}", "refId": "A"}], "title": "Proxy requests by method", "type": "timeseries"},
|
||||
|
||||
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 9}, "id": 101, "panels": [], "title": "Service health", "type": "row"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "custom": {"fillOpacity": 80, "lineWidth": 0}, "mappings": [{"type": "value", "options": {"0": {"text": "DOWN", "color": "red"}, "1": {"text": "UP", "color": "green"}}}], "thresholds": {"mode": "absolute", "steps": [{"color": "red", "value": null}, {"color": "green", "value": 1}]}}, "overrides": []}, "gridPos": {"h": 8, "w": 18, "x": 0, "y": 10}, "id": 5, "options": {"alignValue": "left", "legend": {"displayMode": "list", "placement": "bottom", "showLegend": false}, "mergeValues": true, "rowHeight": 0.9, "showValue": "never", "tooltip": {"mode": "single"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "up{job=\"ocis\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "ocis services up/down", "type": "state-timeline"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "red", "value": null}, {"color": "yellow", "value": 95}, {"color": "green", "value": 100}]}, "unit": "percent", "min": 0, "max": 100}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 18, "y": 10}, "id": 6, "options": {"colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "100 * count(up{job=\"ocis\"} == 1) / count(up{job=\"ocis\"})", "refId": "A"}], "title": "Services up", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}, {"color": "yellow", "value": 1}, {"color": "red", "value": 5}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 18, "y": 14}, "id": 7, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(changes(process_start_time_seconds{job=\"ocis\"}[1h]))", "refId": "A"}], "title": "Restarts (last 1h)", "type": "stat"},
|
||||
|
||||
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 18}, "id": 102, "panels": [], "title": "Storage activity (uploads/downloads)", "type": "row"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 0, "y": 19}, "id": 8, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(reva_upload_active{ocis_service=\"storageusers\"})", "refId": "A"}], "title": "Active uploads", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 6, "y": 19}, "id": 9, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(reva_download_active{ocis_service=\"storageusers\"})", "refId": "A"}], "title": "Active downloads", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 10, "lineWidth": 1}, "unit": "ops"}, "overrides": [{"matcher": {"id": "byName", "options": "aborted"}, "properties": [{"id": "color", "value": {"mode": "fixed", "fixedColor": "red"}}]}, {"matcher": {"id": "byName", "options": "finalized"}, "properties": [{"id": "color", "value": {"mode": "fixed", "fixedColor": "green"}}]}]}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 19}, "id": 10, "options": {"legend": {"displayMode": "table", "placement": "bottom", "showLegend": true, "calcs": ["lastNotNull", "sum"]}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_initiated{ocis_service=\"storageusers\"}[5m])", "legendFormat": "initiated", "refId": "A"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_finalized{ocis_service=\"storageusers\"}[5m])", "legendFormat": "finalized", "refId": "B"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_aborted{ocis_service=\"storageusers\"}[5m])", "legendFormat": "aborted", "refId": "C"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_restarted{ocis_service=\"storageusers\"}[5m])", "legendFormat": "restarted", "refId": "D"}], "title": "Upload sessions/s", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 20, "lineWidth": 1}, "unit": "Bps"}, "overrides": []}, "gridPos": {"h": 4, "w": 12, "x": 0, "y": 23}, "id": 11, "options": {"legend": {"displayMode": "list", "placement": "bottom", "showLegend": true}, "tooltip": {"mode": "single"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_bytes_received{ocis_service=\"storageusers\"}[5m])", "legendFormat": "bytes received", "refId": "A"}], "title": "Upload throughput", "type": "timeseries"},
|
||||
|
||||
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 27}, "id": 103, "panels": [], "title": "Resources (filtered by $ocis_service)", "type": "row"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1, "showPoints": "never"}, "unit": "bytes"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 0, "y": 28}, "id": 12, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "go_memstats_heap_inuse_bytes{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Heap in use by service", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1, "showPoints": "never"}, "unit": "short"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 28}, "id": 13, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "go_goroutines{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Goroutines by service (leak detector)", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1}, "unit": "percentunit"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 0, "y": 36}, "id": 14, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(process_cpu_seconds_total{job=\"ocis\", ocis_service=~\"$ocis_service\"}[5m])", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "CPU by service (cores)", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1}, "unit": "bytes"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 36}, "id": 15, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "process_resident_memory_bytes{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Resident memory by service", "type": "timeseries"}
|
||||
],
|
||||
"refresh": "30s",
|
||||
"schemaVersion": 39,
|
||||
"tags": ["ocis"],
|
||||
"templating": {
|
||||
"list": [
|
||||
{
|
||||
"current": {"selected": false, "text": "All", "value": "$__all"},
|
||||
"datasource": "VictoriaMetrics",
|
||||
"hide": 0,
|
||||
"includeAll": true,
|
||||
"label": "Service",
|
||||
"multi": true,
|
||||
"name": "ocis_service",
|
||||
"options": [],
|
||||
"query": {"query": "label_values(up{job=\"ocis\"}, ocis_service)", "refId": "StandardVariableQuery"},
|
||||
"refresh": 2,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"sort": 1,
|
||||
"type": "query"
|
||||
}
|
||||
]
|
||||
},
|
||||
"time": {"from": "now-3h", "to": "now"},
|
||||
"timepicker": {},
|
||||
"timezone": "browser",
|
||||
"title": "ocis Overview",
|
||||
"uid": "ocis-overview",
|
||||
"version": 1,
|
||||
"weekStart": ""
|
||||
}
|
||||
|
|
|
|||
|
|
@ -60,6 +60,12 @@ spec:
|
|||
spec:
|
||||
serviceAccountName: ocis-external-secret-precheck
|
||||
restartPolicy: OnFailure
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65532
|
||||
runAsGroup: 65532
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: precheck
|
||||
image: alpine/k8s:1.32.3
|
||||
|
|
@ -80,3 +86,9 @@ spec:
|
|||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ kind: Namespace
|
|||
metadata:
|
||||
name: #@ ns
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
|
||||
#@overlay/match by=overlay.all, expects="1+"
|
||||
---
|
||||
|
|
|
|||
62
prototypes/ocis/ytt/pss-restricted.ytt.yaml
Normal file
62
prototypes/ocis/ytt/pss-restricted.ytt.yaml
Normal file
|
|
@ -0,0 +1,62 @@
|
|||
#@ load("@ytt:overlay", "overlay")
|
||||
|
||||
#@ helm_match = overlay.subset({"metadata": {"labels": {"app.kubernetes.io/managed-by": "Helm"}}})
|
||||
|
||||
#@overlay/match by=overlay.and_op(overlay.subset({"kind": "Deployment"}), helm_match), expects="1+"
|
||||
---
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
securityContext:
|
||||
#@overlay/match missing_ok=True
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
#@overlay/match by=overlay.all, expects="1+"
|
||||
-
|
||||
securityContext:
|
||||
#@overlay/match missing_ok=True
|
||||
allowPrivilegeEscalation: false
|
||||
#@overlay/match missing_ok=True
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
||||
#! idm is the only chart Deployment with initContainers
|
||||
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "idm"}})
|
||||
---
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
initContainers:
|
||||
#@overlay/match by=overlay.all, expects="1+"
|
||||
-
|
||||
securityContext:
|
||||
#@overlay/match missing_ok=True
|
||||
allowPrivilegeEscalation: false
|
||||
#@overlay/match missing_ok=True
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
||||
#@overlay/match by=overlay.and_op(overlay.subset({"kind": "CronJob"}), helm_match), expects="1+"
|
||||
---
|
||||
spec:
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
securityContext:
|
||||
#@overlay/match missing_ok=True
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
#@overlay/match by=overlay.all, expects="1+"
|
||||
-
|
||||
securityContext:
|
||||
#@overlay/match missing_ok=True
|
||||
allowPrivilegeEscalation: false
|
||||
#@overlay/match missing_ok=True
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
|
@ -27,74 +27,76 @@ spec:
|
|||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: ocis-s3-backup
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1009
|
||||
runAsGroup: 1009
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: backup
|
||||
image: alpine:3.20
|
||||
image: rclone/rclone:1.69.0
|
||||
args:
|
||||
- sync
|
||||
- "s3:ocis-tr1ceracop"
|
||||
- "backup:"
|
||||
- --transfers=4
|
||||
- -v
|
||||
resources:
|
||||
requests:
|
||||
memory: 128Mi
|
||||
cpu: 50m
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
set -e
|
||||
apk add --no-cache rclone >/dev/null 2>&1
|
||||
|
||||
mkdir -p /tmp/rclone
|
||||
cat > /tmp/rclone/rclone.conf <<CONF
|
||||
[s3]
|
||||
type = s3
|
||||
provider = Other
|
||||
access_key_id = ${S3_ACCESS_KEY}
|
||||
secret_access_key = ${S3_SECRET_KEY}
|
||||
endpoint = https://nbg1.your-objectstorage.com
|
||||
acl = private
|
||||
|
||||
[storagebox]
|
||||
type = sftp
|
||||
host = ${STORAGEBOX_HOST}
|
||||
port = 23
|
||||
user = ${STORAGEBOX_USER}
|
||||
key_file = /etc/storagebox/ssh-key
|
||||
shell_type = none
|
||||
md5sum_command = none
|
||||
sha1sum_command = none
|
||||
|
||||
[backup]
|
||||
type = compress
|
||||
remote = storagebox:ocis-backup
|
||||
CONF
|
||||
|
||||
echo "Syncing S3 bucket to Storage Box (compressed)..."
|
||||
rclone sync s3:ocis-tr1ceracop backup: \
|
||||
--config /tmp/rclone/rclone.conf \
|
||||
--transfers 4 \
|
||||
-v
|
||||
|
||||
rm -rf /tmp/rclone
|
||||
echo "Backup complete."
|
||||
env:
|
||||
- name: S3_ACCESS_KEY
|
||||
- name: RCLONE_CONFIG_S3_TYPE
|
||||
value: s3
|
||||
- name: RCLONE_CONFIG_S3_PROVIDER
|
||||
value: Other
|
||||
- name: RCLONE_CONFIG_S3_ENDPOINT
|
||||
value: https://nbg1.your-objectstorage.com
|
||||
- name: RCLONE_CONFIG_S3_ACL
|
||||
value: private
|
||||
- name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ocis-s3-credentials
|
||||
key: accessKey
|
||||
- name: S3_SECRET_KEY
|
||||
- name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ocis-s3-credentials
|
||||
key: secretKey
|
||||
- name: STORAGEBOX_HOST
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_TYPE
|
||||
value: sftp
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_PORT
|
||||
value: "23"
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
|
||||
value: /etc/storagebox/ssh-key
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
|
||||
value: none
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
|
||||
value: none
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
|
||||
value: none
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ocis-storagebox-credentials
|
||||
key: host
|
||||
- name: STORAGEBOX_USER
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ocis-storagebox-credentials
|
||||
key: user
|
||||
- name: RCLONE_CONFIG_BACKUP_TYPE
|
||||
value: compress
|
||||
- name: RCLONE_CONFIG_BACKUP_REMOTE
|
||||
value: storagebox:ocis-backup
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
volumeMounts:
|
||||
- name: storagebox-ssh
|
||||
mountPath: /etc/storagebox
|
||||
|
|
|
|||
|
|
@ -80,3 +80,16 @@ server:
|
|||
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
|
||||
action: keep
|
||||
regex: cert-manager;cert-manager;tcp-prometheus-servicemonitor
|
||||
- job_name: ocis
|
||||
kubernetes_sd_configs:
|
||||
- role: endpoints
|
||||
namespaces:
|
||||
names: [ocis]
|
||||
relabel_configs:
|
||||
- source_labels: [__meta_kubernetes_service_label_ocis_metrics, __meta_kubernetes_endpoint_port_name]
|
||||
action: keep
|
||||
regex: enabled;metrics-debug
|
||||
- source_labels: [__meta_kubernetes_service_name]
|
||||
target_label: ocis_service
|
||||
- source_labels: [__meta_kubernetes_pod_name]
|
||||
target_label: pod
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ kind: Namespace
|
|||
metadata:
|
||||
name: #@ ns
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
|
||||
#@overlay/match by=overlay.all, expects="1+"
|
||||
---
|
||||
|
|
|
|||
|
|
@ -0,0 +1,25 @@
|
|||
#@ load("@ytt:overlay", "overlay")
|
||||
|
||||
#@overlay/match by=overlay.subset({"kind": "StatefulSet", "metadata": {"name": "victoria-metrics-single-server"}})
|
||||
---
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
#@overlay/replace
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
#@overlay/match by=overlay.subset({"name": "vmsingle"})
|
||||
-
|
||||
#@overlay/replace
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
|
|
@ -4,6 +4,6 @@ metadata:
|
|||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
name: argocd
|
||||
namespace: argocd
|
||||
|
|
|
|||
|
|
@ -4,6 +4,6 @@ metadata:
|
|||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
name: cert-manager
|
||||
namespace: cert-manager
|
||||
|
|
|
|||
|
|
@ -4,6 +4,6 @@ metadata:
|
|||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
name: cnpg-system
|
||||
namespace: cnpg-system
|
||||
|
|
|
|||
|
|
@ -1,5 +1,81 @@
|
|||
apiVersion: v1
|
||||
data: {}
|
||||
data:
|
||||
ocis.json: |-
|
||||
{
|
||||
"annotations": {"list": []},
|
||||
"editable": true,
|
||||
"graphTooltip": 1,
|
||||
"links": [],
|
||||
"panels": [
|
||||
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 0}, "id": 100, "panels": [], "title": "User experience (proxy)", "type": "row"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}, "unit": "reqps"}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 0, "y": 1}, "id": 1, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(rate(ocis_proxy_requests_total[5m]))", "refId": "A"}], "title": "Proxy req/s", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}, {"color": "yellow", "value": 1}, {"color": "red", "value": 5}]}, "unit": "percent", "min": 0, "max": 100}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 6, "y": 1}, "id": 2, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "100 * sum(rate(ocis_proxy_errors_total[5m])) / clamp_min(sum(rate(ocis_proxy_requests_total[5m])), 0.001)", "refId": "A"}], "title": "Proxy error %", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 10, "lineWidth": 1, "showPoints": "never"}, "unit": "s"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 1}, "id": 3, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull"]}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.50, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p50 {{method}}", "refId": "A"}, {"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.95, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p95 {{method}}", "refId": "B"}, {"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.99, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p99 {{method}}", "refId": "C"}], "title": "Proxy latency by method", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 20, "lineWidth": 1, "stacking": {"mode": "normal"}}, "unit": "reqps"}, "overrides": []}, "gridPos": {"h": 4, "w": 12, "x": 0, "y": 5}, "id": 4, "options": {"legend": {"displayMode": "list", "placement": "bottom", "showLegend": true}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum by (method) (rate(ocis_proxy_requests_total[5m]))", "legendFormat": "{{method}}", "refId": "A"}], "title": "Proxy requests by method", "type": "timeseries"},
|
||||
|
||||
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 9}, "id": 101, "panels": [], "title": "Service health", "type": "row"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "custom": {"fillOpacity": 80, "lineWidth": 0}, "mappings": [{"type": "value", "options": {"0": {"text": "DOWN", "color": "red"}, "1": {"text": "UP", "color": "green"}}}], "thresholds": {"mode": "absolute", "steps": [{"color": "red", "value": null}, {"color": "green", "value": 1}]}}, "overrides": []}, "gridPos": {"h": 8, "w": 18, "x": 0, "y": 10}, "id": 5, "options": {"alignValue": "left", "legend": {"displayMode": "list", "placement": "bottom", "showLegend": false}, "mergeValues": true, "rowHeight": 0.9, "showValue": "never", "tooltip": {"mode": "single"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "up{job=\"ocis\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "ocis services up/down", "type": "state-timeline"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "red", "value": null}, {"color": "yellow", "value": 95}, {"color": "green", "value": 100}]}, "unit": "percent", "min": 0, "max": 100}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 18, "y": 10}, "id": 6, "options": {"colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "100 * count(up{job=\"ocis\"} == 1) / count(up{job=\"ocis\"})", "refId": "A"}], "title": "Services up", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}, {"color": "yellow", "value": 1}, {"color": "red", "value": 5}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 18, "y": 14}, "id": 7, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(changes(process_start_time_seconds{job=\"ocis\"}[1h]))", "refId": "A"}], "title": "Restarts (last 1h)", "type": "stat"},
|
||||
|
||||
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 18}, "id": 102, "panels": [], "title": "Storage activity (uploads/downloads)", "type": "row"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 0, "y": 19}, "id": 8, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(reva_upload_active{ocis_service=\"storageusers\"})", "refId": "A"}], "title": "Active uploads", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 6, "y": 19}, "id": 9, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(reva_download_active{ocis_service=\"storageusers\"})", "refId": "A"}], "title": "Active downloads", "type": "stat"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 10, "lineWidth": 1}, "unit": "ops"}, "overrides": [{"matcher": {"id": "byName", "options": "aborted"}, "properties": [{"id": "color", "value": {"mode": "fixed", "fixedColor": "red"}}]}, {"matcher": {"id": "byName", "options": "finalized"}, "properties": [{"id": "color", "value": {"mode": "fixed", "fixedColor": "green"}}]}]}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 19}, "id": 10, "options": {"legend": {"displayMode": "table", "placement": "bottom", "showLegend": true, "calcs": ["lastNotNull", "sum"]}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_initiated{ocis_service=\"storageusers\"}[5m])", "legendFormat": "initiated", "refId": "A"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_finalized{ocis_service=\"storageusers\"}[5m])", "legendFormat": "finalized", "refId": "B"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_aborted{ocis_service=\"storageusers\"}[5m])", "legendFormat": "aborted", "refId": "C"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_restarted{ocis_service=\"storageusers\"}[5m])", "legendFormat": "restarted", "refId": "D"}], "title": "Upload sessions/s", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 20, "lineWidth": 1}, "unit": "Bps"}, "overrides": []}, "gridPos": {"h": 4, "w": 12, "x": 0, "y": 23}, "id": 11, "options": {"legend": {"displayMode": "list", "placement": "bottom", "showLegend": true}, "tooltip": {"mode": "single"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_bytes_received{ocis_service=\"storageusers\"}[5m])", "legendFormat": "bytes received", "refId": "A"}], "title": "Upload throughput", "type": "timeseries"},
|
||||
|
||||
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 27}, "id": 103, "panels": [], "title": "Resources (filtered by $ocis_service)", "type": "row"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1, "showPoints": "never"}, "unit": "bytes"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 0, "y": 28}, "id": 12, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "go_memstats_heap_inuse_bytes{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Heap in use by service", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1, "showPoints": "never"}, "unit": "short"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 28}, "id": 13, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "go_goroutines{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Goroutines by service (leak detector)", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1}, "unit": "percentunit"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 0, "y": 36}, "id": 14, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(process_cpu_seconds_total{job=\"ocis\", ocis_service=~\"$ocis_service\"}[5m])", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "CPU by service (cores)", "type": "timeseries"},
|
||||
|
||||
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1}, "unit": "bytes"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 36}, "id": 15, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "process_resident_memory_bytes{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Resident memory by service", "type": "timeseries"}
|
||||
],
|
||||
"refresh": "30s",
|
||||
"schemaVersion": 39,
|
||||
"tags": ["ocis"],
|
||||
"templating": {
|
||||
"list": [
|
||||
{
|
||||
"current": {"selected": false, "text": "All", "value": "$__all"},
|
||||
"datasource": "VictoriaMetrics",
|
||||
"hide": 0,
|
||||
"includeAll": true,
|
||||
"label": "Service",
|
||||
"multi": true,
|
||||
"name": "ocis_service",
|
||||
"options": [],
|
||||
"query": {"query": "label_values(up{job=\"ocis\"}, ocis_service)", "refId": "StandardVariableQuery"},
|
||||
"refresh": 2,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"sort": 1,
|
||||
"type": "query"
|
||||
}
|
||||
]
|
||||
},
|
||||
"time": {"from": "now-3h", "to": "now"},
|
||||
"timepicker": {},
|
||||
"timezone": "browser",
|
||||
"title": "ocis Overview",
|
||||
"uid": "ocis-overview",
|
||||
"version": 1,
|
||||
"weekStart": ""
|
||||
}
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ spec:
|
|||
metadata:
|
||||
annotations:
|
||||
checksum/config: de8d6f16e9721409f5848bcc101e6aa9815e6455bd4fb9b59306159e705ac1cb
|
||||
checksum/dashboards-json-config: 63ff5f7bd5ab0b6c241c689c0aa4d78be9bef984e63c1089dc988905fbb61f74
|
||||
checksum/dashboards-json-config: a919cbb2747e3cee36a843a96cf75d3761b8fe53f7731cdcf106689db20d44fd
|
||||
checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
|
||||
kubectl.kubernetes.io/default-container: grafana
|
||||
labels:
|
||||
|
|
@ -113,6 +113,9 @@ spec:
|
|||
name: storage
|
||||
- mountPath: /var/lib/grafana-search
|
||||
name: search
|
||||
- mountPath: /var/lib/grafana/dashboards/default/ocis.json
|
||||
name: dashboards-default
|
||||
subPath: ocis.json
|
||||
- mountPath: /etc/grafana/provisioning/datasources/datasources.yaml
|
||||
name: config
|
||||
subPath: datasources.yaml
|
||||
|
|
|
|||
|
|
@ -13,78 +13,80 @@ spec:
|
|||
template:
|
||||
spec:
|
||||
containers:
|
||||
- command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
set -e
|
||||
apk add --no-cache rclone >/dev/null 2>&1
|
||||
|
||||
mkdir -p /tmp/rclone
|
||||
cat > /tmp/rclone/rclone.conf <<CONF
|
||||
[s3]
|
||||
type = s3
|
||||
provider = Other
|
||||
access_key_id = ${S3_ACCESS_KEY}
|
||||
secret_access_key = ${S3_SECRET_KEY}
|
||||
endpoint = https://nbg1.your-objectstorage.com
|
||||
acl = private
|
||||
|
||||
[storagebox]
|
||||
type = sftp
|
||||
host = ${STORAGEBOX_HOST}
|
||||
port = 23
|
||||
user = ${STORAGEBOX_USER}
|
||||
key_file = /etc/storagebox/ssh-key
|
||||
shell_type = none
|
||||
md5sum_command = none
|
||||
sha1sum_command = none
|
||||
|
||||
[backup]
|
||||
type = compress
|
||||
remote = storagebox:ocis-backup
|
||||
CONF
|
||||
|
||||
echo "Syncing S3 bucket to Storage Box (compressed)..."
|
||||
rclone sync s3:ocis-tr1ceracop backup: \
|
||||
--config /tmp/rclone/rclone.conf \
|
||||
--transfers 4 \
|
||||
-v
|
||||
|
||||
rm -rf /tmp/rclone
|
||||
echo "Backup complete."
|
||||
- args:
|
||||
- sync
|
||||
- s3:ocis-tr1ceracop
|
||||
- 'backup:'
|
||||
- --transfers=4
|
||||
- -v
|
||||
env:
|
||||
- name: S3_ACCESS_KEY
|
||||
- name: RCLONE_CONFIG_S3_TYPE
|
||||
value: s3
|
||||
- name: RCLONE_CONFIG_S3_PROVIDER
|
||||
value: Other
|
||||
- name: RCLONE_CONFIG_S3_ENDPOINT
|
||||
value: https://nbg1.your-objectstorage.com
|
||||
- name: RCLONE_CONFIG_S3_ACL
|
||||
value: private
|
||||
- name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: accessKey
|
||||
name: ocis-s3-credentials
|
||||
- name: S3_SECRET_KEY
|
||||
- name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: secretKey
|
||||
name: ocis-s3-credentials
|
||||
- name: STORAGEBOX_HOST
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_TYPE
|
||||
value: sftp
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_PORT
|
||||
value: "23"
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
|
||||
value: /etc/storagebox/ssh-key
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
|
||||
value: none
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
|
||||
value: none
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
|
||||
value: none
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: host
|
||||
name: ocis-storagebox-credentials
|
||||
- name: STORAGEBOX_USER
|
||||
- name: RCLONE_CONFIG_STORAGEBOX_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user
|
||||
name: ocis-storagebox-credentials
|
||||
image: alpine:3.20
|
||||
- name: RCLONE_CONFIG_BACKUP_TYPE
|
||||
value: compress
|
||||
- name: RCLONE_CONFIG_BACKUP_REMOTE
|
||||
value: storagebox:ocis-backup
|
||||
image: rclone/rclone:1.69.0
|
||||
name: backup
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
volumeMounts:
|
||||
- mountPath: /etc/storagebox
|
||||
name: storagebox-ssh
|
||||
readOnly: true
|
||||
restartPolicy: OnFailure
|
||||
securityContext:
|
||||
runAsGroup: 1009
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1009
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: ocis-s3-backup
|
||||
volumes:
|
||||
- name: storagebox-ssh
|
||||
|
|
|
|||
|
|
@ -96,6 +96,10 @@ spec:
|
|||
name: storage-users-clean-expired-uploads
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -110,6 +114,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -77,6 +77,10 @@ spec:
|
|||
name: storage-users-purge-expired-trash-bin-items
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -91,6 +95,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -79,6 +79,10 @@ spec:
|
|||
name: storage-users-restart-postprocessing
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -93,6 +97,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -37,6 +37,10 @@ spec:
|
|||
name: thumbnails-cleanup
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -51,6 +55,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- name: thumbnails-data
|
||||
persistentVolumeClaim:
|
||||
|
|
|
|||
|
|
@ -106,6 +106,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -118,6 +122,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -90,6 +90,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -103,6 +107,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -75,6 +75,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -87,6 +91,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -93,6 +93,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -104,6 +108,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -98,6 +98,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -109,6 +113,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -96,6 +96,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -108,6 +112,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -81,6 +81,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -93,6 +97,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -158,6 +158,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -171,6 +175,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -106,6 +106,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -117,6 +121,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -132,6 +132,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -147,6 +151,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -99,6 +99,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -113,6 +117,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -113,6 +113,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 256Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -136,6 +140,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 256Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -147,6 +155,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- name: ldap-cert
|
||||
secret:
|
||||
|
|
|
|||
|
|
@ -96,6 +96,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -113,6 +117,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: ocis-data-tmp
|
||||
|
|
|
|||
|
|
@ -70,6 +70,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 192Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -81,6 +85,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- name: nats-data
|
||||
persistentVolumeClaim:
|
||||
|
|
|
|||
|
|
@ -101,6 +101,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -110,4 +114,6 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes: null
|
||||
|
|
|
|||
|
|
@ -98,6 +98,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -107,4 +111,6 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes: null
|
||||
|
|
|
|||
|
|
@ -79,6 +79,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -91,6 +95,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -123,6 +123,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 96Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -134,6 +138,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- configMap:
|
||||
name: proxy-config
|
||||
|
|
|
|||
|
|
@ -103,6 +103,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -117,6 +121,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -124,6 +124,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -133,4 +137,6 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes: null
|
||||
|
|
|
|||
|
|
@ -132,6 +132,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -148,6 +152,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -94,6 +94,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -106,6 +110,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -92,6 +92,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -103,6 +107,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -88,6 +88,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -99,6 +103,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -112,6 +112,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -125,6 +129,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -186,6 +186,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 512Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -202,6 +206,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -108,6 +108,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 96Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -119,6 +123,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- name: thumbnails-data
|
||||
persistentVolumeClaim:
|
||||
|
|
|
|||
|
|
@ -102,6 +102,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -114,6 +118,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: messaging-system-ca
|
||||
|
|
|
|||
|
|
@ -99,6 +99,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -113,6 +117,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp-volume
|
||||
|
|
|
|||
|
|
@ -110,6 +110,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -125,6 +129,8 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- configMap:
|
||||
name: web-config
|
||||
|
|
|
|||
|
|
@ -87,6 +87,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -96,4 +100,6 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes: null
|
||||
|
|
|
|||
|
|
@ -91,6 +91,10 @@ spec:
|
|||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
|
@ -100,4 +104,6 @@ spec:
|
|||
securityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes: null
|
||||
|
|
|
|||
|
|
@ -31,6 +31,18 @@ spec:
|
|||
fieldPath: metadata.namespace
|
||||
image: alpine/k8s:1.32.3
|
||||
name: precheck
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
restartPolicy: OnFailure
|
||||
securityContext:
|
||||
runAsGroup: 65532
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65532
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: ocis-external-secret-precheck
|
||||
ttlSecondsAfterFinished: 300
|
||||
|
|
|
|||
|
|
@ -4,6 +4,6 @@ metadata:
|
|||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
name: ocis
|
||||
namespace: ocis
|
||||
|
|
|
|||
|
|
@ -83,6 +83,24 @@ data:
|
|||
- __meta_kubernetes_namespace
|
||||
- __meta_kubernetes_service_name
|
||||
- __meta_kubernetes_endpoint_port_name
|
||||
- job_name: ocis
|
||||
kubernetes_sd_configs:
|
||||
- namespaces:
|
||||
names:
|
||||
- ocis
|
||||
role: endpoints
|
||||
relabel_configs:
|
||||
- action: keep
|
||||
regex: enabled;metrics-debug
|
||||
source_labels:
|
||||
- __meta_kubernetes_service_label_ocis_metrics
|
||||
- __meta_kubernetes_endpoint_port_name
|
||||
- source_labels:
|
||||
- __meta_kubernetes_service_name
|
||||
target_label: ocis_service
|
||||
- source_labels:
|
||||
- __meta_kubernetes_pod_name
|
||||
target_label: pod
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
|
|
|
|||
|
|
@ -4,6 +4,6 @@ metadata:
|
|||
annotations:
|
||||
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
name: monitoring
|
||||
namespace: monitoring
|
||||
|
|
|
|||
|
|
@ -69,13 +69,24 @@ spec:
|
|||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
securityContext: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
volumeMounts:
|
||||
- mountPath: /storage
|
||||
name: server-volume
|
||||
- mountPath: /scrapeconfig
|
||||
name: scrapeconfig
|
||||
securityContext: {}
|
||||
securityContext:
|
||||
fsGroup: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: victoria-metrics-single-server
|
||||
terminationGracePeriodSeconds: 60
|
||||
volumes:
|
||||
|
|
|
|||
Loading…
Reference in a new issue