documentation/kubernetes.md (+87 -4)
@@ -7,6 +7,10 @@ In addition to its availability as a .NET CLI tool, the `dotnet monitor` tool is
7
7
8
8
For Dockerfiles and repository information, see [Running in Docker](./docker.md)
9
9
10
+
## Non-root considerations
11
+
12
+
Starting with .NET 8.0, both the sample ASP.NET application and dotnet-monitor run as non-root. If both the application and dotnet-monitor are 8+, no additional configuration is required. Otherwise, a [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) configuration may need to be added to the application, dotnet-monitor, or both.
13
+
10
14
## Example Deployment
11
15
12
16
The following examples demonstrate a deployment of the dotnet-monitor container image monitoring an application container within the same pod.
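Review bot: The new "Non-root considerations" paragraph says a security context "may need to be added to the application, dotnet-monitor, or both" without saying which values to use or how a reader decides which side needs it. Suggest stating the rule the examples in this commit follow (`runAsUser: 1654` and `runAsGroup: 1654` on the monitor container for the `monitor:6` and `monitor:7` images, none shown for `monitor:8`) and describing the symptom when the two containers run as different users, so the reader can tell which container to change.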
@@ -37,7 +41,7 @@ spec:
37
41
imagePullPolicy: Always
38
42
env:
39
43
- name: ASPNETCORE_URLS
40
-
value: http://+:80
44
+
value: http://+:8080
41
45
- name: DOTNET_DiagnosticPorts
42
46
value: /diag/dotnet-monitor.sock
43
47
volumeMounts:
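Review bot: The `ASPNETCORE_URLS` value changes from `http://+:80` to `http://+:8080` with no comment in the manifest saying why, and the hunk does not show whether anything else in this example still refers to port 80. Suggest a one-line YAML comment linking the port to the non-root section added above, and confirming in the same commit that any container port, probe or Service in the documented examples that used 80 now uses 8080.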
@@ -49,6 +53,11 @@ spec:
49
53
memory: 512Mi
50
54
- name: monitor
51
55
image: mcr.microsoft.com/dotnet/monitor:6
56
+
securityContext:
57
+
# Default APP_UID for non-root dotnet application images
58
+
runAsUser: 1654
59
+
runAsGroup: 1654
60
+
runAsNonRoot: true
52
61
# DO NOT use the --no-auth argument for deployments in production; this argument is used for demonstration
53
62
# purposes only in this example. Please continue reading after this example for further details.
54
63
args: [ "--no-auth" ]
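Review bot: In the `securityContext` added to the `monitor:6` container, the comment "Default APP_UID for non-root dotnet application images" says where 1654 comes from but not why the monitor container is pinned to it. If the intent is that the monitor must run as the same user as the application container so both can use the socket at `/diag/dotnet-monitor.sock`, say so in the comment, and note that the value has to change when the application image runs under a different UID. Since this block exists to harden the container, `allowPrivilegeEscalation: false` would be a natural companion to `runAsNonRoot: true`.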
@@ -82,7 +91,7 @@ spec:
82
91
</details>
83
92
84
93
<details>
85
-
<summary>.NET Monitor 7+</summary>
94
+
<summary>.NET Monitor 7</summary>
86
95
87
96
```yaml
88
97
# Tell us about your experience using dotnet monitor: https://aka.ms/dotnet-monitor-survey
@@ -107,7 +116,7 @@ spec:
107
116
imagePullPolicy: Always
108
117
env:
109
118
- name: ASPNETCORE_URLS
110
-
value: http://+:80
119
+
value: http://+:8080
111
120
- name: DOTNET_DiagnosticPorts
112
121
value: /diag/dotnet-monitor.sock
113
122
volumeMounts:
@@ -118,7 +127,12 @@ spec:
118
127
cpu: 250m
119
128
memory: 512Mi
120
129
- name: monitor
121
-
image: mcr.microsoft.com/dotnet/monitor
130
+
image: mcr.microsoft.com/dotnet/monitor:7
131
+
securityContext:
132
+
# Default APP_UID for non-root dotnet application images
133
+
runAsUser: 1654
134
+
runAsGroup: 1654
135
+
runAsNonRoot: true
122
136
# DO NOT use the --no-auth argument for deployments in production; this argument is used for demonstration
123
137
# purposes only in this example. Please continue reading after this example for further details.
124
138
args: [ "collect", "--no-auth" ]
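Review bot: The image line moves from the untagged `mcr.microsoft.com/dotnet/monitor` to `mcr.microsoft.com/dotnet/monitor:7`, which changes what a reader copying this example will pull, yet nothing in the surrounding text mentions it. Suggest noting in the prose that `:7` is a major-version tag that still moves with new releases, and that production deployments should pin a specific version or digest. The `securityContext` block here is a verbatim copy of the one in the `monitor:6` example, so the same comment wording should be kept in step between the two.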
@@ -152,6 +166,75 @@ spec:
152
166
153
167
</details>
154
168
169
+
<details>
170
+
<summary>.NET Monitor 8+</summary>
171
+
172
+
```yaml
173
+
# Tell us about your experience using dotnet monitor: https://aka.ms/dotnet-monitor-survey
174
+
apiVersion: apps/v1
175
+
kind: Deployment
176
+
metadata:
177
+
name: deploy-exampleapp
178
+
spec:
179
+
replicas: 1
180
+
selector:
181
+
matchLabels:
182
+
app: exampleapp
183
+
template:
184
+
metadata:
185
+
labels:
186
+
app: exampleapp
187
+
spec:
188
+
restartPolicy: Always
189
+
containers:
190
+
- name: app
191
+
image: mcr.microsoft.com/dotnet/samples:aspnetapp
192
+
imagePullPolicy: Always
193
+
env:
194
+
- name: ASPNETCORE_URLS
195
+
value: http://+:8080
196
+
- name: DOTNET_DiagnosticPorts
197
+
value: /diag/dotnet-monitor.sock
198
+
volumeMounts:
199
+
- mountPath: /diag
200
+
name: diagvol
201
+
resources:
202
+
limits:
203
+
cpu: 250m
204
+
memory: 512Mi
205
+
- name: monitor
206
+
image: mcr.microsoft.com/dotnet/monitor:8
207
+
# DO NOT use the --no-auth argument for deployments in production; this argument is used for demonstration
208
+
# purposes only in this example. Please continue reading after this example for further details.
# ALWAYS use the HTTPS form of the URL for deployments in production; the removal of HTTPS is done for
217
+
# demonstration purposes only in this example. Please continue reading after this example for further details.
218
+
- name: DOTNETMONITOR_Urls
219
+
value: http://localhost:52323
220
+
# The metrics URL is set in the CMD instruction of the image by default. However, this deployment overrides that with the args setting; manually set the URL to the same value using configuration.
221
+
- name: DOTNETMONITOR_Metrics__Endpoints
222
+
value: http://+:52325
223
+
volumeMounts:
224
+
- mountPath: /diag
225
+
name: diagvol
226
+
resources:
227
+
requests:
228
+
cpu: 50m
229
+
memory: 32Mi
230
+
limits:
231
+
cpu: 250m
232
+
memory: 256Mi
233
+
volumes:
234
+
- name: diagvol
235
+
emptyDir: {}
236
+
```
237
+
155
238
## Example Details
156
239
157
240
* __Listen Mode__: The `dotnet monitor` tool is configured to run in `listen` mode. The tool establishes a diagnostic communication channel at the specified Unix Domain Socket path by the `DOTNETMONITOR_DiagnosticPort__EndpointName` environment variable. The application container has a `DOTNET_DiagnosticPorts` environment variable specified so that the application's runtime will communicate with the `dotnet monitor` instance at the specified Unix Domain Socket path. The application runtime will be suspended (e.g. no managed code execution) until it establishes communication with `dotnet monitor`. Application startup time will depend on how long it takes for the `dotnet monitor` container to run, but this should be quick.
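Review bot: The 8+ example shows no `securityContext` on either container in the lines visible here, so it is non-root only for as long as the image defaults stay that way. Suggest adding `runAsNonRoot: true` to both containers so the kubelet enforces what the "Non-root considerations" section states instead of relying on the image. Separately, `DOTNETMONITOR_Metrics__Endpoints` is set to `http://+:52325` while `DOTNETMONITOR_Urls` is bound to `http://localhost:52323`; the comment above the metrics variable explains the args override but not that this endpoint listens on all interfaces over plain HTTP, which deserves the same kind of production warning the HTTPS comment gives. The `app` container also sets only `limits`, whereas the `monitor` container sets both `requests` and `limits`.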