Process ID Limiting for Stability Improvements in Kubernetes 1.14

Hi,

How can I set the PID limit in a pod/container? According to the link below the feature seems to be there.

But nowhere could I find how to implement it. There is an option to use it with the docker run command, but I am not using docker run. Instead I have deployment files in the format:

My kubernetes yaml file starts like this:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      namespace: {{ stack }}
      name: {{ service_name }}
      labels: … .


Could you please advise on what is the syntax to apply pid limits in the deployment file?

Thank you!

This is a kubelet setting and not something you can control on a pod-by-pod basis. You can adjust it with the --pod-max-pids CLI flag or using the PodPidsLimit in the Kubelet ComponentConfig.

Thank you for getting back. I may know how to do this manually. But I prefer doing it through YAML files, as the change might not be there if the cluster redeploys. Just need to dig out how the metadata of kubeletconfig is populated to the cluster.

This is specifically with kubeadm, but here is the link to the docs: Configuring each kubelet in your cluster using kubeadm.

    apiVersion: kubelet.config.k8s.io/v1beta1
    kind: KubeletConfiguration
    podPidsLimit: 10

The default config is something similar to this:

    apiVersion: kubelet.config.k8s.io/v1beta1
    kind: KubeletConfiguration
    address: 0.0.0.0
    authentication:
      anonymous:
        enabled: false
      webhook:
        cacheTTL: 2m0s
        enabled: true
      x509:
        clientCAFile: /etc/kubernetes/pki/ca.crt
    authorization:
      mode: Webhook
      webhook:
        cacheAuthorizedTTL: 5m0s
        cacheUnauthorizedTTL: 30s
    cgroupDriver: cgroupfs
    cgroupsPerQOS: true
    clusterDNS:
    - 10.255.1.10
    clusterDomain: cluster.local
    configMapAndSecretChangeDetectionStrategy: Watch
    containerLogMaxFiles: 5
    containerLogMaxSize: 10Mi
    contentType: application/vnd.kubernetes.protobuf
    cpuCFSQuota: true
    cpuCFSQuotaPeriod: 100ms
    cpuManagerPolicy: none
    cpuManagerReconcilePeriod: 10s
    enableControllerAttachDetach: true
    enableDebuggingHandlers: true
    enforceNodeAllocatable:
    - pods
    eventBurst: 10
    eventRecordQPS: 5
    evictionHard:
      imagefs.available: 15%
      memory.available: 100Mi
      nodefs.available: 10%
      nodefs.inodesFree: 5%
    evictionPressureTransitionPeriod: 5m0s
    failSwapOn: true
    fileCheckFrequency: 20s
    hairpinMode: promiscuous-bridge
    healthzBindAddress: 127.0.0.1
    healthzPort: 10248
    httpCheckFrequency: 20s
    imageGCHighThresholdPercent: 85
    imageGCLowThresholdPercent: 80
    imageMinimumGCAge: 2m0s
    iptablesDropBit: 15
    iptablesMasqueradeBit: 14
    kubeAPIBurst: 10
    kubeAPIQPS: 5
    makeIPTablesUtilChains: true
    maxOpenFiles: 1000000
    maxPods: 110
    nodeLeaseDurationSeconds: 40
    nodeStatusReportFrequency: 10s
    nodeStatusUpdateFrequency: 10s
    oomScoreAdj: -999
    podPidsLimit: -1
    port: 10250
    registryBurst: 10
    registryPullQPS: 5
    resolvConf: /etc/resolv.conf
    rotateCertificates: true
    runtimeRequestTimeout: 2m0s
    serializeImagePulls: true
    staticPodPath: /etc/kubernetes/manifests
    streamingConnectionIdleTimeout: 4h0m0s
    syncFrequency: 1m0s
    topologyManagerPolicy: none
    volumeStatsAggPeriod: 1m0s
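
A check for the setting discussed in this thread, as an added example that is not part of the original posts: the function reports which per-pod PID limit a node's kubelet would apply, so an unset or `-1` value is caught after a redeploy. It assumes kubeadm's default file locations and that a `--pod-max-pids` flag takes precedence over `podPidsLimit` in the config file; the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper name.
# usage: effective_pod_pids_limit CONFIG_YAML [FLAGS_FILE]
#   CONFIG_YAML  kubelet config (kubeadm default: /var/lib/kubelet/config.yaml)
#   FLAGS_FILE   kubelet flags  (kubeadm default: /var/lib/kubelet/kubeadm-flags.env)
# Prints "<origin>:<value>", origin being config, flag or default.
# Returns 0 when a positive per-pod limit is set, 1 otherwise.
effective_pod_pids_limit() {
    config=$1
    flags=${2:-}
    value=""
    origin="default"

    # Top-level key only (no leading indentation); last occurrence wins.
    if [ -r "$config" ]; then
        v=$(sed -n 's/^podPidsLimit:[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*$/\1/p' \
            "$config" | tail -n 1)
        if [ -n "$v" ]; then value=$v; origin="config"; fi
    fi

    # Assumption: a --pod-max-pids flag overrides the value from the file.
    if [ -n "$flags" ] && [ -r "$flags" ]; then
        v=$(sed -n 's/.*--pod-max-pids[= ]\(-\{0,1\}[0-9][0-9]*\).*/\1/p' \
            "$flags" | tail -n 1)
        if [ -n "$v" ]; then value=$v; origin="flag"; fi
    fi

    # Nothing found: fall back to the default shown in the thread (-1).
    [ -n "$value" ] || value=-1
    echo "$origin:$value"

    # Only a positive value is reported as an enforced per-pod limit.
    [ "$value" -gt 0 ]
}
```

On a kubeadm node, `effective_pod_pids_limit /var/lib/kubelet/config.yaml /var/lib/kubelet/kubeadm-flags.env` prints `config:-1` with a non-zero exit status when the default configuration above is in place.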