Enabling PodSharingNamespace for kubelets / Perf setup on Kubernetes

3/3/2022

I was going through a tutorial that said

Ensure you are using Kubernetes 1.10+ and the following settings are enabled: Feature-gate PodShareProcessNamespace=true is turned on for both apiserver and kubelet

I have searched online but am unable to find any way to turn on feature-gates for a kubelet. Some sites have suggested editing /etc/kubernetes/kubelet.env, but I don't seem to have that file on my cluster.

So what is the right way to enable feature gates for a kubelet?

Edit: (Adding more details as per comment)

My goal is to run perf on a cluster through sidecar injection. For the same I need to enable the kubelet and kube-apiserver feature-gate "PodShareProcessNamespace=true". This is the tutorial I tried following.

I am working on a DigitalOcean unmanaged 3 worker - 1 master cluster.

I have never used Kubernetes outside minikube before, so I may be asking a very dumb or obvious question. In addition, I am not very clear on what exactly a feature-gate is, so that may be the reason my question isn't making much sense.

-- ARandomDeveloper
kubelet
kubernetes

1 Answer

3/10/2022

I have found the answer somewhere else, but I will post it here so that other people with a similar question may find it helpful.

Unless you want to enable feature-gates in a running cluster without restarting, there was no need for all those complicated gymnastics. You simply need to edit the YAML file and redeploy the pod.

In the YAML file for the pod you want to profile with perf, you need to add ShareProcessNamespace: true under the container section. For pods like perf which need privileged system calls, you also need to set privileged: true. This is an example YAML for profiling a pod:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  shareProcessNamespace: true
  containers:
  - name: mongo
    image: mongo
  - name: perf
    image: <some dockerhubrepo>/perf
    securityContext:
      privileged: true
      capabilities:
        add:
        - SYS_PTRACE
    tty: true
    stdin: true

Note that the perf repo I used is just a simple pod with perf installed on it, which has a Python script with an infinite sleep loop running just to prevent it from being terminated. To profile, you could either

  • write the perf commands in the Python (or a shell) file and make it run perf and write data to a perf.data file continuously

OR

  • exec into the container and run the perf commands as you want, which is better if you are conscious about running out of disk space from all the perf.data
-- ARandomDeveloper
Source: StackOverflow
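
With shareProcessNamespace enabled, every container in the pod can see the other containers' processes, so a privileged sidecar like the perf container in the answer is worth tracking. The script below is an added example, not part of the original answer: it flags such pods in `kubectl get pods -o json` style output. The sample input, the image name `example.invalid/perf` and the RISKY_CAPS set are constructed assumptions.

```python
import json

# Constructed sample: the answer's pod in JSON form (shape of `kubectl get pods
# -o json`), plus a privileged pod that does NOT share its PID namespace.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "test-pod", "namespace": "default"},
   "spec": {"shareProcessNamespace": true, "containers": [
     {"name": "mongo", "image": "mongo"},
     {"name": "perf", "image": "example.invalid/perf",
      "securityContext": {"privileged": true,
                          "capabilities": {"add": ["SYS_PTRACE"]}}}]}},
  {"metadata": {"name": "web", "namespace": "default"},
   "spec": {"containers": [{"name": "nginx", "image": "nginx",
                            "securityContext": {"privileged": true}}]}}
]}
""")

# Assumption: added capabilities this audit treats as risky next to a shared PID namespace.
RISKY_CAPS = {"SYS_PTRACE", "SYS_ADMIN", "ALL"}


def audit_pod(pod):
    """One finding per container that is privileged (or adds a risky capability)
    in a pod whose containers share a single PID namespace."""
    spec = pod.get("spec", {})
    if not spec.get("shareProcessNamespace", False):
        return []  # out of scope here: processes are not shared across containers
    containers = spec.get("containers", [])
    meta = pod.get("metadata", {})
    findings = []
    for c in containers:
        sc = c.get("securityContext") or {}
        added = set((sc.get("capabilities") or {}).get("add") or [])
        risky = sorted(added & RISKY_CAPS)
        privileged = bool(sc.get("privileged", False))
        if privileged or risky:
            findings.append({
                "pod": f'{meta.get("namespace", "default")}/{meta.get("name")}',
                "container": c["name"], "privileged": privileged, "caps": risky,
                # containers whose processes this container can see
                "exposed": [o["name"] for o in containers if o is not c]})
    return findings


def audit(pod_list):
    return [f for pod in pod_list.get("items", []) for f in audit_pod(pod)]


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```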