I’ve got a k8s cluster in my cupboard, and the plan here is to work on some debugging and monitoring posts and tools, so I need a workload.
The first workload will be folding@home, because it’s easy :) And in a break from helming, I’m going to apply the manifest here.
kubectl apply -f https://raw.githubusercontent.com/richstokes/k8s-fah/master/folding-cpu.yaml
We have a couple of things to fix, though.
Scale down to 1 replica
By default this runs two replicas, using podAntiAffinityRules to keep them separate. I only have one node, so the second replica will never start:
kubectl scale deploy -n folding --replicas=1 --all
Set runAsUser in the securityContext
Now, we have a single-replica that is failing to start:
$ kubectl get pod -n folding NAME READY STATUS RESTARTS AGE fah-cpu-75c8bd456-dpssd 0/1 Init:CreateContainerConfigError 0 3m51s
CreateContainerConfigError tells us that something is wrong about the container config. We can quickly see things that have failed recently:
$ kubectl describe pod -n folding | grep Failed Warning Failed 4m14s (x8 over 5m40s) kubelet Error: container has runAsNonRoot and image will run as root (pod: "fah-cpu-75c8bd456-dpssd_folding(3b5149ca-6a93-47d8-b18f-0becef0f2c2d)", container: copy-config)
This probably means the container is missing a runAsUser (see this SO post for an explanation), because of the new podSecurity things. We’ll quickly edit the deployment (pods are read only):
kubectl edit deploy -n folding fah-cpu
And find the
securityContext which looks like this:
securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true
So we just need to add a runAsUser, the number can be any valid unix uid, I tend to pick a randomish one between 1000 and 9999:
securityContext: runAsUser: 9989 allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true
remember there’s two, though, one for each container!
And now it’s running and we’re hopefully helping some science
kubectl get pod -n folding NAME READY STATUS RESTARTS AGE fah-cpu-bb8998bc6-74v4s 1/1 Running 0 5m11s
And now we’ve got a Grafana, we can see that, useful or not, it’s doing something with the CPU!