Super Charging Persistence #769
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This MR is based on the my experience of running Aqua scanners in an OpenShift environment. This is back porting the fixes we have implemented in our clusters including production clusters.
Issues addressed
OpenShift security context doesn't allow for PVC for Aqua Scanner.
Due to having a separate PVC associated with the Statefulset with a fixed name, the current charts limits to only one scanner with persistence if your storage is only capable of ReadWriteOnce.
It isn't possible to add volumes and mount points potentially necessary for other tools to cooperate for the scanners.
Solutions
For the first problem, adding
persistentVolumeClaimto theSecurityContextConstraints.For the last problem, 2 additional variables have been created and mapped appropriately to both
volumesandvolumeMounts, calledadditionalVolumesandaddtionalVolumeMountsrespectively, e.g. #691For the main problem, reverted change that resulted in the removal of the
volumeMountTemplatein the case whereaccessModeisReadWriteOnceandreplicaCountis greater than 1. UsingvolumeMountTemplatein this way creates a unique pvc per scanner, getting around the limitation of storage that can only have one pod at a time have write access.