Adding a (scientifically-useful?) workload to k3s

I’ve got a k8s cluster in my cupboard, and the plan here is to work on some debugging and monitoring posts and tools, so I need a workload.

The first workload will be folding@home, because it’s easy :) And in a break from helming, I’m going to apply the manifest here.

kubectl apply -f https://raw.githubusercontent.com/richstokes/k8s-fah/master/folding-cpu.yaml

We have a couple of things to fix, though.

Scale down to 1 replica

By default this runs two replicas, using podAntiAffinityRules to keep them separate. I only have one node, so the second replica will never start:

kubectl scale deploy -n folding --replicas=1 --all

Set runAsUser in the securityContext

Now we have a single replica that is failing to start:

$ kubectl get pod -n folding
NAME                      READY   STATUS                            RESTARTS   AGE
fah-cpu-75c8bd456-dpssd   0/1     Init:CreateContainerConfigError   0          3m51s

The CreateContainerConfigError tells us that something is wrong with the container config. We can quickly list the things that have failed recently:

$ kubectl describe pod -n folding | grep Failed
  Warning  Failed     4m14s (x8 over 5m40s)  kubelet            Error: container has runAsNonRoot and image will run as root (pod: "fah-cpu-75c8bd456-dpssd_folding(3b5149ca-6a93-47d8-b18f-0becef0f2c2d)", container: copy-config)

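The kubelet is refusing to start the copy-config container because it sets runAsNonRoot while the image would run as root. This probably means the container is missing a runAsUser (see this SO post for an explanation), because of the new pod security settings. We’ll quickly edit the deployment rather than the pod (pods are read only):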

kubectl edit deploy -n folding fah-cpu

And find the securityContext, which looks like this:

    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true

So we just need to add a runAsUser. The number can be any valid non-zero unix uid (uid 0 is root, which runAsNonRoot rejects); I tend to pick a randomish one between 1000 and 9999:

        securityContext:
          runAsUser: 9989
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true

Remember there are two, though, one for each container!
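
To check for this before the pod fails, here is an added example (not part of the k8s-fah manifest or the original post) that audits the output of kubectl get deploy -o json for containers that set runAsNonRoot without a non-zero runAsUser, and builds the JSON Patch that pins one on each. The main container name "fah" and the image names are placeholders; the securityContext is the one shown above.

```python
import json

def effective(pod_sc, ctr_sc, key):
    # A container-level securityContext field overrides the pod-level one.
    return ctr_sc.get(key, pod_sc.get(key))

def audit(deploy):
    """List (kind, index, name, problem) for containers that require
    runAsNonRoot but do not pin a non-zero numeric uid."""
    spec = deploy["spec"]["template"]["spec"]
    pod_sc = spec.get("securityContext") or {}
    found = []
    for kind in ("initContainers", "containers"):
        for i, ctr in enumerate(spec.get(kind) or []):
            sc = ctr.get("securityContext") or {}
            if not effective(pod_sc, sc, "runAsNonRoot"):
                continue
            uid = effective(pod_sc, sc, "runAsUser")
            if uid is None:
                found.append((kind, i, ctr["name"], "no runAsUser; depends on the image's user"))
            elif uid == 0:
                found.append((kind, i, ctr["name"], "runAsUser 0 contradicts runAsNonRoot"))
    return found

def json_patch(deploy, uid):
    """JSON Patch (RFC 6902) ops that pin `uid` on every flagged container."""
    spec = deploy["spec"]["template"]["spec"]
    ops = []
    for kind, i, _name, _problem in audit(deploy):
        path = f"/spec/template/spec/{kind}/{i}/securityContext"
        if spec[kind][i].get("securityContext"):
            ops.append({"op": "add", "path": path + "/runAsUser", "value": uid})
        else:  # no container-level context yet: create it
            ops.append({"op": "add", "path": path, "value": {"runAsUser": uid}})
    return ops

# Constructed sample: the securityContext is the one from the post; the main
# container's name "fah" and both image names are placeholders.
SC = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True, "runAsNonRoot": True}
SAMPLE = {"spec": {"template": {"spec": {
    "initContainers": [{"name": "copy-config", "image": "example/init", "securityContext": dict(SC)}],
    "containers": [{"name": "fah", "image": "example/fah", "securityContext": dict(SC)}],
}}}}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(json.dumps(json_patch(SAMPLE, 9989)))
```

The printed patch can be passed to kubectl patch deploy -n folding fah-cpu --type=json -p instead of editing by hand, which covers the init container and the main container in one go.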

Finished

And now it’s running and we’re hopefully helping some science:

$ kubectl get pod -n folding
NAME                      READY   STATUS    RESTARTS   AGE
fah-cpu-bb8998bc6-74v4s   1/1     Running   0          5m11s

And now we’ve got a Grafana, we can see that, useful or not, it’s doing something with the CPU!

