I have a question similar to this github issue.
But instead of using a service, can I use a daemon set instead? The idea is to share the same socket with all the pods on the same node. Will it run into the same security issue as mentioned in the answer of the same issue? I ask because the sidecar-container approach stops me spawning more pods. In fact, I have different kinds of services that use the same DB on Cloud SQL. Each pod has to reserve some CPU and memory for the proxy and it sounds redundant to me.
Yes you can do this. However, the pod for the daemonset will no longer listen on localhost. So you must configure both the cloud_sql_proxy and database connection to use the hostIP of the Node.
You must set your cloud_sql_proxy to listen on 0.0.0.0:

```yaml
- command:
  - /cloud_sql_proxy
  - -instances=project:region:db=tcp:0.0.0.0:5432
  - -credential_file=/secrets/cloudsql/credentials.json
```

You must also change your database connection to use the hostIP:

```yaml
env:
  - name: DB_HOST
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: status.hostIP
```
Using @Doug's answer, I successfully transitioned from running the cloud sql proxy as a sidecar to a daemonset. My daemonset definition is below. I added an affinity for nodes that have certain pods on them because I only needed the proxy available for the core app and not the peripheral systems, like redis.
```yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: cloudsql-proxy
  labels:
    app: cloudsql-proxy
spec:
  template:
    metadata:
      labels:
        app: cloudsql-proxy
    spec:
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - sentry-web-internal
                      - sentry-web-external
                      - sentry-worker
                      - sentry-base
                      - sentry-cron
                      - data-scrubber
              topologyKey: "kubernetes.io/hostname"
      containers:
        - name: cloudsql-proxy
          image: 'gcr.io/cloudsql-docker/gce-proxy:1.13'
          command:
            - /cloud_sql_proxy
          args:
            - --dir=/cloudsql
            - -instances=project:region:db=tcp:0.0.0.0:5432
            - -credential_file=/secrets/cloudsql/credentials.json
          ports:
            - name: cloudsql-port
              containerPort: 5432
              hostPort: 5432
          livenessProbe:
            tcpSocket:
              port: cloudsql-port
            initialDelaySeconds: 30
            timeoutSeconds: 5
          readinessProbe:
            tcpSocket:
              port: cloudsql-port
            initialDelaySeconds: 5
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 150m
              memory: 150Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
      volumes:
        - name: cloudsql-instance-credentials
          secret:
            secretName: cloudsql-instance-credentials
```
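A defender-side check for the pattern both answers rely on, added here as an example that is not from this thread or from the Cloud SQL proxy project: it walks the DaemonSet container spec (transcribed above as a dict) and flags a proxy listener bound to 0.0.0.0 that is published through hostPort or hostNetwork, which is exactly what turns the proxy from a per-pod localhost sidecar into an endpoint every pod on the node shares. The dict transcription and the optional hostNetwork field are assumptions of this example.

```python
from typing import Any, Dict, List, Tuple

# Constructed transcription of the DaemonSet container from the answer above,
# reduced to the fields the check needs so it runs offline without a YAML parser.
PROXY_DAEMONSET: Dict[str, Any] = {
    "spec": {"template": {"spec": {"containers": [{
        "name": "cloudsql-proxy",
        "command": ["/cloud_sql_proxy"],
        "args": ["--dir=/cloudsql",
                 "-instances=project:region:db=tcp:0.0.0.0:5432",
                 "-credential_file=/secrets/cloudsql/credentials.json"],
        "ports": [{"name": "cloudsql-port", "containerPort": 5432, "hostPort": 5432}],
    }]}}},
}

WILDCARD_ADDRS = {"0.0.0.0", "::", ""}

def proxy_listeners(argv: List[str]) -> List[Tuple[str, str, int]]:
    """Parse -instances=... into (instance, bind address, port) per tcp listener."""
    found = []
    for arg in argv:
        if not arg.lstrip("-").startswith("instances="):
            continue
        for entry in arg.split("=", 1)[1].split(","):
            inst, _, conn = entry.partition("=")
            parts = conn.split(":")
            if len(parts) == 3 and parts[0] == "tcp":    # tcp:ADDR:PORT
                found.append((inst, parts[1], int(parts[2])))
            elif len(parts) == 2 and parts[0] == "tcp":  # tcp:PORT binds localhost
                found.append((inst, "127.0.0.1", int(parts[1])))
    return found

def lint_node_wide_exposure(manifest: Dict[str, Any]) -> List[str]:
    """Flag proxy listeners that every pod on the node (or beyond) can reach."""
    findings = []
    pod_spec = manifest["spec"]["template"]["spec"]
    host_net = bool(pod_spec.get("hostNetwork", False))
    for c in pod_spec["containers"]:
        host_ports = {p["hostPort"] for p in c.get("ports", []) if "hostPort" in p}
        argv = list(c.get("command", [])) + list(c.get("args", []))
        for inst, addr, port in proxy_listeners(argv):
            if addr in WILDCARD_ADDRS and (host_net or port in host_ports):
                via = "hostNetwork" if host_net else "hostPort"
                findings.append(f"{c['name']}: {inst} bound to {addr}:{port} via {via}; "
                                "reachable by every pod on the node and, firewall "
                                "permitting, by anything that can reach the node IP")
        if "securityContext" not in c:
            findings.append(f"{c['name']}: no securityContext (set runAsNonRoot)")
    return findings
```

Run it against the sidecar form (`tcp:5432`, no hostPort) and it reports nothing, which is the isolation the DaemonSet trades away; the findings are the cue to pair the DaemonSet with a NetworkPolicy or node firewall rule limiting who may reach port 5432.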