baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(clickhouse): set pod security standards and k8s resources

Browse Source
This commit is contained in:
Masaki Yatsu
2025-12-01 16:45:37 +09:00
parent ea328fe517
commit 05f8489d3d
7 changed files with 161 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
clickhouse/clickhouse-installation-template.gomplate.yaml Normal file
View File

@@ -0,0 +1,60 @@
apiVersion: clickhouse.altinity.com/v1
kind: ClickHouseInstallationTemplate
metadata:
name: clickhouse-security-template
spec:
defaults:
templates:
podTemplate: clickhouse-secure-pod
configuration:
settings:
max_server_memory_usage: {{ .Env.CLICKHOUSE_MAX_SERVER_MEMORY }}
templates:
podTemplates:
- name: clickhouse-secure-pod
spec:
securityContext:
runAsUser: 101
runAsGroup: 101
fsGroup: 101
containers:
- name: clickhouse
image: {{ .Env.CLICKHOUSE_IMAGE }}
resources:
requests:
cpu: {{ .Env.CLICKHOUSE_CPU_REQUEST }}
memory: {{ .Env.CLICKHOUSE_MEMORY_REQUEST }}
limits:
cpu: "{{ .Env.CLICKHOUSE_CPU_LIMIT }}"
memory: {{ .Env.CLICKHOUSE_MEMORY_LIMIT }}
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: [ALL]
# IPC_LOCK: mlock to prevent binary from being paged out (optional, for stability under high I/O)
# SYS_NICE: os_thread_priority setting (optional, for thread priority control)
# Uncomment below if namespace allows privileged pods:
# add: [IPC_LOCK, SYS_NICE]
seccompProfile:
type: RuntimeDefault
command:
- clickhouse-server
- --config-file=/etc/clickhouse-server/config.xml
- name: clickhouse-log
image: registry.access.redhat.com/ubi8/ubi-minimal:latest
resources:
requests:
cpu: {{ .Env.CLICKHOUSE_LOG_CPU_REQUEST }}
memory: {{ .Env.CLICKHOUSE_LOG_MEMORY_REQUEST }}
limits:
cpu: {{ .Env.CLICKHOUSE_LOG_CPU_LIMIT }}
memory: {{ .Env.CLICKHOUSE_LOG_MEMORY_LIMIT }}
command:
- /bin/sh
- -c
- --
args:
- while true; do sleep 30; done;
templating:
policy: auto