-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A way to create 1 instance for every n pods #482
Comments
Typically we recommend customers run the Proxy on the same pod as their workload. Otherwise, there's a risk of cross VM traffic that isn't encrypted by the Proxy. What if we added support for configuring resource limits instead? 2GB is really just a ballpark starting point and not necessarily the right value for every workload. |
You can already configure the resource limits on the proxy container. This is a snippet from docs/examples/deployment-postgres-tcp.yaml showing how to reduce the resource limits on the proxy container pod.
Alternatively, you could run the proxy as a deployment with a service. This is described in the k8s service example in the cloud-sql-proxy repo. This would allow you to scale the proxy pods independently from the application pods. Here's how you would adapt that example to let the operator apply the proxy pod to the PGBouncer deployment.
|
from my observations, it's barely using 1% of the memory and CPU allocated, but each container in the pod is connecting once to the proxy, so it's pretty light in that sense, mostly write queries |
In that case, I'd definitely try tuning the resource limits down as @hessjcg suggested. |
but for an operator point-of-view, you should be able to ask it to set it up for you and load balance between the |
We could explore adding another resource that is a proxy-as-a-service where multiple pods could all connect, provided we have proper security in place. Is that what you're suggesting here? Otherwise, we think of the Operator as an opinionated deployment of the Proxy where best practices are built-in: e.g., Proxy always as a sidecar. |
@enocom yes, exactly a |
Got it. Thanks. One of the biggest reasons we don't already do this is that it encourages an anti-pattern of having multiple applications all go through one Proxy. So we encourage people who explore this option to ensure they're using only one application (with N replicas) per Proxy service. Also, the Proxy doesn't support incoming encryption, so we instead suggest people put it behind a connection pooler (e.g., pgbouncer) and then configure some sort of authentication such that only authorized workloads can connect. Maybe we should be showing people how to use the Operator with a pgbouncer deployment for maximum extensibility. |
We are currently scaling up and down using spot instances (1000's) and the overhead of 2GB is really showing, almost defeating the purpose of using spot instances.
Ideally the operator should see how many pods are currently there and create a rule for 1 proxy pod for every n pods (that you can set), say, 40 connections per pod and distribute accordingly.
The text was updated successfully, but these errors were encountered: