Can I run the cloudsql-proxy as a Daemon Set in Kubernetes?
Asked Answered
P

3

8

I have a question similar to this github issue.

But instead of using a service, can I use a daemon set instead of service? The idea is to share the same socket with all the pods on the same node. Will it run into the same security issue as mentioned in the answer of the same issue. I ask because the sidecar-container approach stops me spawning more pods. In fact, I have different kinds of services that use the same DB on Cloud SQL. Each pods have to reserve some CPU and memory for the proxy and it sounds redundant to me.

Pricecutting answered 11/4, 2017 at 7:59 Comment(0)
T
5

Yes you can do this. However, the pod for the daemonset will no longer listen on localhost. So you must configure both the cloud_sql_proxy and database connection to use the hostIP of the Node.

You must set your cloud_sql_proxy to listen on 0.0.0.0

  - command:
    - /cloud_sql_proxy
    - -instances=project:region:db=tcp:0.0.0.0:5432
    - -credential_file=/secrets/cloudsql/credentials.json

You must also change your database connection to use the hostIP

    env:
    - name: DB_HOST
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: status.hostIP
Traci answered 8/4, 2018 at 22:41 Comment(1)
Thx @Doug. I didn't use Cloud SQL + k8s for more than 1 year. So I can't verify the answer. I remember that the cloud sql proxy used the unix socket before. I am not sure it support tcp socket before. But my original approach is to share that unix socket. Looks like they are still supporting unix socket cloud.google.com/sql/docs/mysql/connect-compute-enginePricecutting
H
2

Using @Doug's answer, I successfully transitioned from running the cloud sql proxy as a sidecar to a daemonset. My daemonset definition is below. I added an affinity for nodes that have certain pods on them because I only needed the proxy available for the core app and not the peripheral systems, like redis.

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: cloudsql-proxy
  labels:
    app: cloudsql-proxy
spec:
  template:
    metadata:
      labels:
        app: cloudsql-proxy
    spec:
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - sentry-web-internal
                - sentry-web-external
                - sentry-worker
                - sentry-base
                - sentry-cron
                - data-scrubber
            topologyKey: "kubernetes.io/hostname"
      containers:
      - name: cloudsql-proxy
        image: 'gcr.io/cloudsql-docker/gce-proxy:1.13'
        command:
        - /cloud_sql_proxy
        args:
        - --dir=/cloudsql
        - -instances=project:region:db=tcp:0.0.0.0:5432
        - -credential_file=/secrets/cloudsql/credentials.json
        ports:
        - name: cloudsql-port
          containerPort: 5432
          hostPort: 5432
        livenessProbe:
          tcpSocket:
            port: cloudsql-port
          initialDelaySeconds: 30
          timeoutSeconds: 5
        readinessProbe:
          tcpSocket:
            port: cloudsql-port
          initialDelaySeconds: 5
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 150m
            memory: 150Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
      volumes:
      - name: cloudsql-instance-credentials
        secret:
          secretName: cloudsql-instance-credentials
Hatbox answered 14/3, 2019 at 19:2 Comment(0)
P
0

I asked the same question in the same repo. The answer from the team is positive. You can use the daemon set approach. However, I don't have any hand-on experience on the daemon set approach. So use it with caution.

Pricecutting answered 11/3, 2018 at 9:47 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.