chore(clickhouse): set pod security standards and k8s resources

Masaki Yatsu
2025-12-01 16:45:37 +09:00
parent ea328fe517
commit 05f8489d3d
7 changed files with 161 additions and 15 deletions


@@ -26,3 +26,21 @@ An optional web-based query interface for ClickHouse is available:
```bash
just ch-ui::install
```
## Pod Security Standards
The ClickHouse namespace is configured with **baseline** enforcement:
- `pod-security.kubernetes.io/enforce=baseline`
- `pod-security.kubernetes.io/warn=baseline`
### Optional Capabilities
ClickHouse can use the following Linux capabilities for enhanced performance, but they are **not required** for normal operation:
| Capability | Purpose | Impact if disabled |
|------------|--------------------------------------------------|-----------------------------------------------|
| `IPC_LOCK` | `mlock` to prevent binary from being paged out | Slightly slower startup under memory pressure |
| `SYS_NICE` | Thread priority control via `os_thread_priority` | Setting has no effect |
These capabilities are disabled by default to comply with baseline Pod Security Standards. To enable them, the namespace must allow privileged pods, and you need to uncomment the `add` line in `clickhouse-installation-template.yaml`.
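Review bot: the closing paragraph tells the reader to make the namespace "allow privileged pods" to regain `IPC_LOCK` and `SYS_NICE`, but it should spell out what that costs. Pod Security Admission has no level between `baseline` and `privileged` (neither capability is on the baseline allow-list), so relaxing `pod-security.kubernetes.io/enforce` to `privileged` switches off every baseline check (host namespaces, hostPath, privileged containers, all other added capabilities) for every pod in the namespace, not just ClickHouse. Since the table itself rates the impact of leaving both capabilities off as negligible, state plainly that keeping them disabled is the recommended configuration, and that anyone who opts in should do so only in a namespace that contains nothing but the ClickHouse installation. Two smaller points on the label list: it shows `enforce` and `warn` but no `pod-security.kubernetes.io/audit=baseline`, so violations would not be recorded in API audit events, and pinning `enforce-version`/`warn-version` to a Kubernetes release would keep the policy from shifting on cluster upgrades. Finally, "uncomment the `add` line in `clickhouse-installation-template.yaml`" would be easier to follow if the doc quoted the `securityContext.capabilities` block it refers to.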