Problem description
Can SPIFFE/SPIRE Server be installed on any node of GKE?
Can the SPIFFE/SPIRE Server be installed on any node of GKE? If so, one of the nodes in the cluster will have both the server and the agent installed. Does the node running the SPIRE server also need to run an agent?
Please explain.
Reference solution
Method 1:
As per the comment received on SPIRE Slack:
On GKE (and other hosted k8s) you only get worker nodes, so there's no way to deploy to the master anyway. But in the end, there are pluses (potential security) and minuses (scalability) to running SPIRE server on the master. In practice it's probably less likely than likely, but it's a fair debate. Typically, you would deploy SPIRE server as a StatefulSet to some number of nodes consistent with scalability and availability goals, and deploy SPIRE agent as a DaemonSet where it's going to run on every node in the cluster. Unless you are doing some very specific targeted deployments via the k8s scheduler, such as separate node pools or subsets of nodes scheduled via label selectors for very specific use-cases (where you won't run any SPIFFE workloads), that's the way I'd approach it - put SPIRE agent on all nodes so it's available for all workloads.
(by Mahendra Bagul, Mahendra Bagul)
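
A coverage check for the layout described in the answer above, added here as an example and not part of the original post or of SPIRE itself: it reads `kubectl get pods -A -o json` style output and reports nodes that host SPIFFE workloads but have no running agent, including the node that runs the server. The label names `app=spire-agent` and `spiffe-workload=true` are assumptions, and the pod list is constructed sample data.

```python
import json

# Assumed label conventions (not from the original post); adjust to your cluster.
AGENT_LABEL = ("app", "spire-agent")
WORKLOAD_LABEL = ("spiffe-workload", "true")  # hypothetical marker for pods that need SVIDs

def _has_label(pod, label):
    key, value = label
    return pod["metadata"].get("labels", {}).get(key) == value

def agent_coverage(pod_list):
    """Classify nodes from `kubectl get pods -A -o json` style output.

    Returns (covered, uncovered): nodes hosting SPIFFE workloads that have a
    Running agent, and a map of nodes hosting SPIFFE workloads without one.
    Nodes with no SPIFFE workloads are ignored (dedicated node pools).
    """
    agent_nodes, workload_nodes = set(), {}
    for pod in pod_list["items"]:
        node = pod["spec"].get("nodeName")
        if not node:  # unscheduled pod, not bound to any node yet
            continue
        if _has_label(pod, AGENT_LABEL):
            if pod["status"].get("phase") == "Running":
                agent_nodes.add(node)
        elif _has_label(pod, WORKLOAD_LABEL):
            workload_nodes.setdefault(node, []).append(pod["metadata"]["name"])
    covered = sorted(n for n in workload_nodes if n in agent_nodes)
    uncovered = {n: sorted(p) for n, p in workload_nodes.items() if n not in agent_nodes}
    return covered, uncovered

def _pod(name, node, labels, phase="Running"):
    return {"metadata": {"name": name, "labels": labels},
            "spec": {"nodeName": node}, "status": {"phase": phase}}

# Constructed sample: node-a runs the server plus an agent, node-c's agent is
# not Running, node-d is a pool without SPIFFE workloads and without an agent.
SAMPLE = {"items": [
    _pod("spire-server-0", "node-a", {"app": "spire-server"}),
    _pod("spire-agent-x1", "node-a", {"app": "spire-agent"}),
    _pod("spire-agent-x2", "node-b", {"app": "spire-agent"}),
    _pod("spire-agent-x3", "node-c", {"app": "spire-agent"}, phase="Pending"),
    _pod("billing-1", "node-a", {"spiffe-workload": "true"}),
    _pod("billing-2", "node-c", {"spiffe-workload": "true"}),
    _pod("batch-1", "node-d", {"app": "batch"}),
]}

if __name__ == "__main__":
    covered, uncovered = agent_coverage(SAMPLE)
    print("covered:", covered)
    print("uncovered:", json.dumps(uncovered))
```

Any entry in the uncovered map is a node where workloads cannot reach the Workload API, which usually points at a taint, node selector or failing agent pod on that node.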