en, zh: add docs of topology spread constraints and security context (#…
1 parent 37597d7, commit 185d28f
Showing 12 changed files with 290 additions and 2 deletions.
@@ -0,0 +1,56 @@ | ||
--- | ||
title: Run TiDB Operator and TiDB Clusters as a Non-root User | ||
summary: Make TiDB Operator related containers run as a non-root user | ||
--- | ||
|
||
# Run TiDB Operator and TiDB Clusters as a Non-root User | ||
|
||
In some Kubernetes environments, containers cannot be run as the root user. In this case, you can set [`securityContext`](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) to run containers as a non-root user. | ||
|
||
## Configure TiDB Operator containers | ||
|
||
For TiDB Operator containers, you can configure security context in the helm `values.yaml` file. All TiDB Operator components (at `<controllerManager/scheduler/advancedStatefulset/admissionWebhook>.securityContext`) support this configuration. | ||
|
||
The following is an example configuration: | ||
|
||
```yaml | ||
controllerManager: | ||
securityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 2000 | ||
fsGroup: 2000 | ||
``` | ||
## Configure containers controlled by CR | ||
For the containers controlled by CR, you can configure security context in any CRs (TidbCluster/DMCluster/TiInitializer/TiMonitor/Backup/BackupSchedule/Restore) to make the containers run as a non-root user. | ||
You can either configure `podSecurityContext` at a cluster level (`spec.podSecurityContext`) for all components or at a component level (such as `spec.tidb.podSecurityContext` for TidbCluster and `spec.master.podSecurityContext` for DMCluster) for a specific component. | ||
|
||
The following is an example configuration at a cluster level: | ||
|
||
```yaml | ||
spec: | ||
podSecurityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 2000 | ||
fsGroup: 2000 | ||
``` | ||
|
||
The following is an example configuration at a component level: | ||
|
||
```yaml | ||
spec: | ||
pd: | ||
podSecurityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 2000 | ||
fsGroup: 2000 | ||
tidb: | ||
podSecurityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 2000 | ||
fsGroup: 2000 | ||
``` | ||
|
||
For a component, if both the cluster level and the component level are configured, only the configuration of the component level takes effect. |
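Review bot: the heading `## Configure containers controlled by CR` and the two paragraphs after it are missing the blank lines that every other section in this file has (none after the closing ``` fence of the `controllerManager` example, and none between "For the containers controlled by CR ..." and "You can either configure `podSecurityContext` ..."), so Markdown will run the two paragraphs together and linters will flag the heading; add a blank line after the fence and one between the paragraphs. The closing sentence "only the configuration of the component level takes effect" should also say whether the component-level `podSecurityContext` replaces the cluster-level block as a whole or is merged field by field: a reader who sets only `fsGroup` under `spec.tidb.podSecurityContext` cannot tell from this text whether the cluster-level `runAsUser` still applies. Finally, the `values.yaml` example shows only `controllerManager` while the paragraph above lists four components; one sentence noting that the same `securityContext` block applies to `scheduler`, `advancedStatefulset` and `admissionWebhook` would keep readers from hardening only the controller manager.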
@@ -0,0 +1,56 @@ | ||
--- | ||
title: 以非 root 用户运行 TiDB Operator 和 TiDB 集群 | ||
summary: 以非 root 用户运行所有 TiDB Operator 相关的容器 | ||
--- | ||
|
||
# 以非 root 用户运行 TiDB Operator 和 TiDB 集群 | ||
|
||
在某些 Kubernetes 环境中,无法用 root 用户运行容器。你可以通过配置 [`securityContext`](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 来以非 root 用户运行容器。 | ||
|
||
## 配置 TiDB Operator 相关的容器 | ||
|
||
对于 TiDB Operator 相关的容器,你可以在 helm 的 `values.yaml` 文件中配置安全上下文 (security context) 。所有 operator 的相关组件都支持该配置 (`<controllerManager/scheduler/advancedStatefulset/admissionWebhook>.securityContext`)。 | ||
|
||
以下是一个配置示例: | ||
|
||
```yaml | ||
controllerManager: | ||
securityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 2000 | ||
fsGroup: 2000 | ||
``` | ||
## 配置按照 CR 生成的容器 | ||
对于按照 CR 生成的容器,你同样可以在任意一种 CR (TidbCluster/DMCluster/TiInitializer/TiMonitor/Backup/BackupSchedule/Restore) 中配置安全上下文 (security context) 。 | ||
`podSecurityContext` 可以配置在集群级别 (`spec.podSecurityContext`) 对所有组件生效或者配置在组件级别 (例如,配置 TidbCluster 的 `spec.tidb.podSecurityContext`,配置 DMCluster 的 `spec.master.podSecurityContext`) 仅对该组件生效。 | ||
|
||
以下是一个集群级别的配置示例: | ||
|
||
```yaml | ||
spec: | ||
podSecurityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 2000 | ||
fsGroup: 2000 | ||
``` | ||
|
||
以下是一个组件级别的配置示例: | ||
|
||
```yaml | ||
spec: | ||
pd: | ||
podSecurityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 2000 | ||
fsGroup: 2000 | ||
tidb: | ||
podSecurityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 2000 | ||
fsGroup: 2000 | ||
``` | ||
|
||
如果同时配置了集群级别和组件级别,则该组件以组件级别的配置为准。 |
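Review bot: same blank-line omissions as the English file: no blank line between the closing ``` fence of the `controllerManager` example and `## 配置按照 CR 生成的容器`, and none between the two paragraphs that follow, so they render as one paragraph. The first of those paragraphs also drops the purpose clause the English version has ("to make the containers run as a non-root user"); adding the equivalent clause keeps the two languages in step. The closing line 如果同时配置了集群级别和组件级别，则该组件以组件级别的配置为准 carries the same ambiguity as the English about whole-block replacement versus field-by-field merge and should be resolved the same way in both files.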