neuvector / neuvector-helm

HELM chart to install NeuVector container cluster
Apache License 2.0

Why does the neuvector-controller run as a deployment rather than a statefulset? #457

Open HujinoKun opened 2 weeks ago

HujinoKun commented 2 weeks ago

Hello,

It's all in the title.

And why use ReadWriteMany by default on its PVC?

lindhe commented 1 week ago

Why would it need to be a StatefulSet?

Regarding the PVC, it's pretty straightforward: the rollingUpdate strategy used is configured to never have 0 replicas available:

https://github.com/neuvector/neuvector-helm/blob/94c474eb7dc7b917acdd8c21c1193bdd2d2722f2/charts/core/values.yaml#L82

In other words, it will always try to start a new replica first and then kill the old one. And if the PVC was RWO, it would not be able to spawn a new pod until the old pod was killed. Thus, it must have RWX if that strategy should work.

And additionally, clearly it must be RWX if users should be able to configure more than 1 replica for the deployment.
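A check for the combination described above, as an added example that is not part of the chart or of this thread: it walks Deployments and PVCs and flags any Deployment whose rolling update keeps `maxUnavailable` at 0 while mounting a claim that offers no shareable access mode. It assumes the chart expresses the strategy as `maxUnavailable: 0` (the linked values.yaml line is not quoted here); the object names in `sample_items()` are constructed.

```python
"""Flag Deployments whose rolling update can hang on a claim that is not ReadWriteMany.
With maxUnavailable: 0 the replacement pod must be Running before the old one is
terminated; if its PVC only allows a single writer and the pod lands on another node,
the volume cannot attach there and the rollout never completes."""

SINGLE_WRITER = {"ReadWriteOnce", "ReadWriteOncePod"}


def blocks_old_pod_termination(deploy):
    """True when the strategy never lets the available replica count drop (maxUnavailable 0)."""
    strategy = deploy["spec"].get("strategy", {})
    if strategy.get("type", "RollingUpdate") != "RollingUpdate":
        return False
    max_unavailable = strategy.get("rollingUpdate", {}).get("maxUnavailable", "25%")
    return str(max_unavailable).rstrip("%") == "0"


def find_rollout_deadlocks(items):
    """Return (deployment, claim) pairs; items is the list from `kubectl get deploy,pvc -o json`."""
    pvc_modes = {}
    for obj in items:
        if obj["kind"] == "PersistentVolumeClaim":
            key = (obj["metadata"].get("namespace", "default"), obj["metadata"]["name"])
            pvc_modes[key] = set(obj["spec"].get("accessModes", []))
    findings = []
    for dep in items:
        if dep["kind"] != "Deployment" or not blocks_old_pod_termination(dep):
            continue
        ns = dep["metadata"].get("namespace", "default")
        for vol in dep["spec"]["template"]["spec"].get("volumes", []):
            claim = vol.get("persistentVolumeClaim", {}).get("claimName")
            modes = pvc_modes.get((ns, claim)) if claim else None
            if modes and modes <= SINGLE_WRITER:  # no shareable mode on the claim
                findings.append((dep["metadata"]["name"], claim))
    return findings


def sample_items(access_modes):
    """Hand-constructed sample: one controller-style Deployment with maxUnavailable 0 and its PVC."""
    return [
        {"kind": "PersistentVolumeClaim",
         "metadata": {"name": "ctrl-pvc-sample", "namespace": "neuvector"},
         "spec": {"accessModes": access_modes}},
        {"kind": "Deployment",
         "metadata": {"name": "neuvector-controller", "namespace": "neuvector"},
         "spec": {"replicas": 1,
                  "strategy": {"type": "RollingUpdate", "rollingUpdate": {"maxSurge": 1, "maxUnavailable": 0}},
                  "template": {"spec": {"volumes": [
                      {"name": "data", "persistentVolumeClaim": {"claimName": "ctrl-pvc-sample"}}]}}}},
    ]
```

Feed it the `items` array from `kubectl get deploy,pvc -A -o json`. ReadWriteOnce is enforced per node, so a surge pod scheduled onto the same node as the old one can still start; the check reports the risky combination, not a guaranteed hang.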

lindhe commented 1 week ago

BTW, for questions like this it's probably better to ask in the Slack channel #neuvector-security on Rancher Users.