Helm Chart: Move vulnerability processing to be a cronjob by default #25488

Open · wants to merge 6 commits into base: main
Conversation

pboushy
Contributor

@pboushy pboushy commented Jan 16, 2025

The existing helm chart is designed to run vulnerability processing on every container, which requires 4Gi/container.
However, the default for the helm chart is for each container to have a maximum of 1Gi.

This change switches the default so that vulnerability processing is disabled in the deployment, and moves vulnerability processing to a dedicated cronjob that runs 1/day at 1am. (I didn't make that configurable...)

A few items I think are important to call out:

  1. I have commented out a lot of environment variables in the cronjob that existed in the migration and deployment because I don't think they're required, but I wanted one of you to review and actually say that they're not necessary.
  2. I did not include anything related to osquery or exposing the server to clients in this since it's not meant to handle clients, just vulnerability processing.
  3. I believe I did everything to make sure cloudSQL will work, but it should be tested.

Checklist for submitter

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.
  • Added/updated automated tests
  • A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it)
  • Manual QA for all new/changed functionality

- vuln processing requires 4Gi RAM. Fleet can run fine with less for
  most items
- Add "dedicated" flag and default to true
- Allow user to customize vulnProcessing resources independently from
  main resources var
- ensure that FLEET_VULNERABILITIES_DISABLE_SCHEDULE=true when using
  dedicated
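To make the shape of the change concrete, here is an added illustration of the two pieces the description and commit message refer to: the server Deployment with scheduled vulnerability processing switched off, and a separate CronJob that runs processing once a day at 01:00 with the 4Gi memory budget it needs. This is example manifest text written for this page, not the Fleet chart's templates or anything from the PR. The image tag, Secret name, the `fleet vuln_processing` subcommand and the MySQL/Redis environment variable names are assumptions; substitute whatever the chart actually renders.

```yaml
# Added example (not the Fleet chart). Assumptions: image tag, Secret name,
# `fleet vuln_processing` subcommand and MySQL/Redis env var names.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fleet
spec:
  replicas: 1
  selector:
    matchLabels: { app: fleet }
  template:
    metadata:
      labels: { app: fleet }
    spec:
      containers:
        - name: fleet
          image: fleetdm/fleet:v4.62.0      # assumed tag
          args: ["fleet", "serve"]
          env:
            # The server keeps serving osquery clients and the UI, but no longer
            # runs the 4Gi vulnerability job inside the 1Gi-limited pod.
            - name: FLEET_VULNERABILITIES_DISABLE_SCHEDULE
              value: "true"
          resources:
            requests: { cpu: 100m, memory: 512Mi }
            limits:   { cpu: 500m, memory: 1Gi }   # chart default ceiling
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: fleet-vuln-processing
spec:
  schedule: "0 1 * * *"          # 01:00 daily, as in the PR (not configurable there)
  concurrencyPolicy: Forbid      # never let two processing runs overlap
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: fleet-vuln-processing
              image: fleetdm/fleet:v4.62.0      # same image as the server
              args: ["fleet", "vuln_processing"] # assumed dedicated subcommand
              env:
                # Only what the job needs to reach the database and cache.
                # No osquery/TLS-serving settings: this pod serves no clients.
                - name: FLEET_MYSQL_ADDRESS
                  value: fleet-mysql:3306
                - name: FLEET_MYSQL_USERNAME
                  valueFrom:
                    secretKeyRef: { name: fleet-secrets, key: mysql-username } # assumed Secret
                - name: FLEET_MYSQL_PASSWORD
                  valueFrom:
                    secretKeyRef: { name: fleet-secrets, key: mysql-password }
                - name: FLEET_REDIS_ADDRESS
                  value: fleet-redis:6379
              resources:
                requests: { cpu: 500m, memory: 4Gi }
                limits:   { cpu: "2",  memory: 4Gi }   # the 4Gi the job actually needs
```

`concurrencyPolicy: Forbid` is the setting worth keeping even if you shorten the schedule: if one run exceeds the interval, a second copy starting alongside it would double the memory pressure the PR is trying to remove. The CronJob pod carries only database and cache credentials, so the Secret it mounts can be scoped more narrowly than the server's, which still holds the serving certificates and osquery settings.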
@pboushy pboushy force-pushed the make-vuln-processing-a-cron branch from 7aa3ccf to 3b535d8 Compare January 16, 2025 01:10