baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(trino): set pod security standards and adjust resources

Browse Source
This commit is contained in:
Masaki Yatsu
2025-11-23 21:15:17 +09:00
parent 9155fcc697
commit 7fee9a2096
2 changed files with 43 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
trino/justfile
View File

@@ -8,12 +8,16 @@ export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external
export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault") export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "") export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "")
export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack") export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack")
export TRINO_COORDINATOR_MEMORY := env("TRINO_COORDINATOR_MEMORY", "4Gi") export TRINO_COORDINATOR_MEMORY_REQUEST := env("TRINO_COORDINATOR_MEMORY_REQUEST", "2Gi")
export TRINO_COORDINATOR_CPU := env("TRINO_COORDINATOR_CPU", "2") export TRINO_COORDINATOR_MEMORY_LIMIT := env("TRINO_COORDINATOR_MEMORY_LIMIT", "8Gi")
export TRINO_COORDINATOR_JVM_HEAP := env("TRINO_COORDINATOR_JVM_HEAP", "4G") export TRINO_COORDINATOR_CPU_REQUEST := env("TRINO_COORDINATOR_CPU_REQUEST", "100m")
export TRINO_WORKER_MEMORY := env("TRINO_WORKER_MEMORY", "4Gi") export TRINO_COORDINATOR_CPU_LIMIT := env("TRINO_COORDINATOR_CPU_LIMIT", "4")
export TRINO_WORKER_CPU := env("TRINO_WORKER_CPU", "2") export TRINO_COORDINATOR_JVM_HEAP := env("TRINO_COORDINATOR_JVM_HEAP", "6G")
export TRINO_WORKER_JVM_HEAP := env("TRINO_WORKER_JVM_HEAP", "4G") export TRINO_WORKER_MEMORY_REQUEST := env("TRINO_WORKER_MEMORY_REQUEST", "2Gi")
export TRINO_WORKER_MEMORY_LIMIT := env("TRINO_WORKER_MEMORY_LIMIT", "8Gi")
export TRINO_WORKER_CPU_REQUEST := env("TRINO_WORKER_CPU_REQUEST", "100m")
export TRINO_WORKER_CPU_LIMIT := env("TRINO_WORKER_CPU_LIMIT", "4")
export TRINO_WORKER_JVM_HEAP := env("TRINO_WORKER_JVM_HEAP", "6G")
export TRINO_WORKER_COUNT := env("TRINO_WORKER_COUNT", "2") export TRINO_WORKER_COUNT := env("TRINO_WORKER_COUNT", "2")
export TRINO_POSTGRES_ENABLED := env("TRINO_POSTGRES_ENABLED", "true") export TRINO_POSTGRES_ENABLED := env("TRINO_POSTGRES_ENABLED", "true")
export TRINO_ICEBERG_ENABLED := env("TRINO_ICEBERG_ENABLED", "") export TRINO_ICEBERG_ENABLED := env("TRINO_ICEBERG_ENABLED", "")
@@ -239,6 +243,10 @@ install:
done done
echo "Installing Trino..." echo "Installing Trino..."
just create-namespace just create-namespace
kubectl label namespace ${TRINO_NAMESPACE} \
pod-security.kubernetes.io/enforce=restricted --overwrite
just create-oauth-client just create-oauth-client
just create-password-secret just create-password-secret

40
trino/trino-values.gomplate.yaml
View File

@@ -80,7 +80,7 @@ accessControl:
resourceGroups: {} resourceGroups: {}
{{- if .Env.TRINO_POSTGRES_ENABLED }} {{- if eq .Env.TRINO_POSTGRES_ENABLED "true" }}
catalogs: catalogs:
postgresql: | postgresql: |
connector.name=postgresql connector.name=postgresql
@@ -92,7 +92,7 @@ catalogs:
connector.name=tpch connector.name=tpch
tpch.splits-per-node=4 tpch.splits-per-node=4
{{- if .Env.TRINO_ICEBERG_ENABLED }} {{- if eq .Env.TRINO_ICEBERG_ENABLED "true" }}
iceberg: | iceberg: |
connector.name=iceberg connector.name=iceberg
iceberg.catalog.type=rest iceberg.catalog.type=rest
@@ -164,11 +164,11 @@ coordinator:
resources: resources:
requests: requests:
memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}" memory: "{{ .Env.TRINO_COORDINATOR_MEMORY_REQUEST }}"
cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}" cpu: "{{ .Env.TRINO_COORDINATOR_CPU_REQUEST }}"
limits: limits:
memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}" memory: "{{ .Env.TRINO_COORDINATOR_MEMORY_LIMIT }}"
cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}" cpu: "{{ .Env.TRINO_COORDINATOR_CPU_LIMIT }}"
livenessProbe: livenessProbe:
initialDelaySeconds: 30 initialDelaySeconds: 30
@@ -228,11 +228,11 @@ worker:
resources: resources:
requests: requests:
memory: "{{ .Env.TRINO_WORKER_MEMORY }}" memory: "{{ .Env.TRINO_WORKER_MEMORY_REQUEST }}"
cpu: "{{ .Env.TRINO_WORKER_CPU }}" cpu: "{{ .Env.TRINO_WORKER_CPU_REQUEST }}"
limits: limits:
memory: "{{ .Env.TRINO_WORKER_MEMORY }}" memory: "{{ .Env.TRINO_WORKER_MEMORY_LIMIT }}"
cpu: "{{ .Env.TRINO_WORKER_CPU }}" cpu: "{{ .Env.TRINO_WORKER_CPU_LIMIT }}"
livenessProbe: livenessProbe:
initialDelaySeconds: 30 initialDelaySeconds: 30
@@ -276,9 +276,27 @@ initContainers: {}
sidecarContainers: {} sidecarContainers: {}
# Security context for Pod Security Standards (restricted)
securityContext: securityContext:
runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
shareProcessNamespace: shareProcessNamespace:
coordinator: false coordinator: false
@@ -298,7 +316,7 @@ env:
secretKeyRef: secretKeyRef:
name: trino-oauth-secret name: trino-oauth-secret
key: client_secret key: client_secret
{{- if .Env.TRINO_POSTGRES_ENABLED }} {{- if eq .Env.TRINO_POSTGRES_ENABLED "true" }}
- name: POSTGRES_USER - name: POSTGRES_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef: