mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-07 00:48:01 +01:00
39 lines
1.1 KiB
Plaintext
39 lines
1.1 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/security_profiles_operator/spo-advanced.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="spo-memory-optimization_{context}"]
|
|
= Enabling memory optimization in the spod daemon
|
|
|
|
The controller running inside of `spod` daemon process watches all pods available in the cluster when profile recording is enabled. This can lead to very high memory usage in large clusters, resulting in the `spod` daemon running out of memory or crashing.
|
|
|
|
To prevent crashes, the `spod` daemon can be configured to only load the pods labeled for profile recording into the cache memory.
|
|
|
|
[NOTE]
|
|
====
|
|
SPO memory optimization is not enabled by default.
|
|
====
|
|
|
|
.Procedure
|
|
|
|
. Enable memory optimization by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"enableMemoryOptimization":true}}'
|
|
----
|
|
|
|
. To record a security profile for a pod, the pod must be labeled with `spo.x-k8s.io/enable-recording: "true"`:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: my-recording-pod
|
|
labels:
|
|
spo.x-k8s.io/enable-recording: "true"
|
|
# ...
|
|
----
|