diff --git a/VARIABLES.md b/VARIABLES.md
index 3b705e0..b21aa88 100644
--- a/VARIABLES.md
+++ b/VARIABLES.md
@@ -122,7 +122,7 @@
 | datadog_key_secret_name | Name of the secret containing the DataDog API key. This needs to be created manually in AWS secrets manager. This is only applicable to ECS deployments. | string | null | no |
 | datadog_agent_version | Version of the Datadog Agent running in the ECS cluster. This is only applicable to ECS deployments. | string | 7.50.3-jmx | no |
 | datadog_agent_enabled | Whether to include the datadog-agent container. This is only applicable to ECS deployments. | string | false | no |
-| enable_tcp_keepalive_podsecurity_policy | Enable Podsecurity Policy for using setting tcp_keepalive settings on HMS pods. To use this you need to enable sysctl configuration on your kubernetes cluster. For EKS you need to allow this on your cluster (https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ check EKS version for details). Also see tcp_keepalive_* variables." You only need to use this setting up to kubernetes 1.24 as from 1.25 onwards podsecurity policies are deprecated as per https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes | bool | false | no |
+| enable_tcp_keepalive | tcp_keepalive settings on HMS pods. To use this you need to enable the ability to cahnge sysctl settings on your kubernetes cluster. For EKS you need to allow this on your cluster (https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ check EKS version for details). If your EKS version is below 1.24 you need to create a PodSecurityPolicy allowing the following sysctls "net.ipv4.tcp_keepalive_time", "net.ipv4.tcp_keepalive_intvl","net.ipv4.tcp_keepalive_probes" and a ClusterRole + Rolebinding for the service account running the HMS pods or all services accounts in the namespace where Apiary is running so that kubernetes can apply the tcp)keepalive configuration. For EKS 1.25 and above check this https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes. 
Also see tcp_keepalive_* variables. | bool | false | no |
 | tcp_keepalive_time | Sets net.ipv4.tcp_keepalive_time (seconds). | number | `200` | no |
 | tcp_keepalive_intvl | Sets net.ipv4.tcp_keepalive_intvl (seconds) | number | `30` | no |
 | tcp_keepalive_probes | Sets net.ipv4.tcp_keepalive_probes (seconds) | number | `2` | no |
diff --git a/k8s-readonly.tf b/k8s-readonly.tf
index d28ca7f..ce02997 100644
--- a/k8s-readonly.tf
+++ b/k8s-readonly.tf
@@ -46,16 +46,16 @@ resource "kubernetes_deployment_v1" "apiary_hms_readonly" {
 for_each = var.enable_tcp_keepalive ? ["enabled"] : []
 content {
 sysctl {
- name="net.ipv4.tcp_keepalive_time"
- value= var.tcp_keepalive_time
+ name = "net.ipv4.tcp_keepalive_time"
+ value = var.tcp_keepalive_time
 }
 sysctl {
- name="net.ipv4.tcp_keepalive_intvl"
- value= var.tcp_keepalive_intvl
+ name = "net.ipv4.tcp_keepalive_intvl"
+ value = var.tcp_keepalive_intvl
 }
 sysctl {
- name="net.ipv4.tcp_keepalive_probes"
- value= var.tcp_keepalive_probes
+ name = "net.ipv4.tcp_keepalive_probes"
+ value = var.tcp_keepalive_probes
 }
 }
 }
diff --git a/k8s-readwrite.tf b/k8s-readwrite.tf
index 5941ef4..3cb965c 100644
--- a/k8s-readwrite.tf
+++ b/k8s-readwrite.tf
@@ -46,16 +46,16 @@ resource "kubernetes_deployment_v1" "apiary_hms_readwrite" {
 for_each = var.enable_tcp_keepalive ? ["enabled"] : []
 content {
 sysctl {
- name="net.ipv4.tcp_keepalive_time"
- value= var.tcp_keepalive_time
+ name = "net.ipv4.tcp_keepalive_time"
+ value = var.tcp_keepalive_time
 }
 sysctl {
- name="net.ipv4.tcp_keepalive_intvl"
- value= var.tcp_keepalive_intvl
+ name = "net.ipv4.tcp_keepalive_intvl"
+ value = var.tcp_keepalive_intvl
 }
 sysctl {
- name="net.ipv4.tcp_keepalive_probes"
- value= var.tcp_keepalive_probes
+ name = "net.ipv4.tcp_keepalive_probes"
+ value = var.tcp_keepalive_probes
 }
 }
 }
diff --git a/k8s-tcp-keepalive.tf b/k8s-tcp-keepalive.tf
deleted file mode 100644
index 59759ff..0000000
--- a/k8s-tcp-keepalive.tf
+++ /dev/null
@@ -1,66 +0,0 @@
-resource "kubernetes_pod_security_policy" "tcp_keepalive" {
- count = var.hms_instance_type == "k8s" && var.enable_tcp_keepalive_podsecurity_policy ? 1 : 0
- metadata {
- name = "${local.hms_alias}-tcp-keepalive"
- }
- spec {
- privileged = false
- allow_privilege_escalation = false
-
- allowed_unsafe_sysctls = [
- "net.ipv4.tcp_keepalive_time",
- "net.ipv4.tcp_keepalive_intvl",
- "net.ipv4.tcp_keepalive_probes"
- ]
-
- volumes = ["*"]
-
- run_as_user {
- rule = "RunAsAny"
- }
-
- se_linux {
- rule = "RunAsAny"
- }
-
- supplemental_groups {
- rule = "RunAsAny"
- }
-
- fs_group {
- rule = "RunAsAny"
- }
- }
-}
-
-resource "kubernetes_cluster_role" "tcp_keepalive" {
- count = var.hms_instance_type == "k8s" && var.enable_tcp_keepalive_podsecurity_policy ? 1 : 0
- metadata {
- name = "${local.hms_alias}-tcp-keepalive"
- }
-
- rule {
- api_groups = ["policy"]
- resources = ["podsecuritypolicies"]
- resource_names = ["${local.hms_alias}-tcp-keepalive"]
- verbs = ["use"]
- }
-}
-
-resource "kubernetes_role_binding" "tcp_keepalive" {
- count = var.hms_instance_type == "k8s" && var.enable_tcp_keepalive_podsecurity_policy ? 1 : 0
- metadata {
- name = "${local.hms_alias}-tcp-keepalive"
- namespace = var.metastore_namespace
- }
- role_ref {
- api_group = "rbac.authorization.k8s.io"
- kind = "ClusterRole"
- name = "${local.hms_alias}-tcp-keepalive"
- }
- subject {
- api_group = "rbac.authorization.k8s.io"
- kind = "Group"
- name = "system:serviceaccounts:${var.metastore_namespace}"
- }
-}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index a025400..1ec9a04 100644
--- a/variables.tf
+++ b/variables.tf
@@ -788,20 +788,6 @@ variable "hms_rw_datanucleus_connection_pool_config" {
 default = {}
 }
-variable "enable_tcp_keepalive_podsecurity_policy" {
- description = <