Add evicter to helm chart (WIP)

cruise-automation · Feb 3, 2020 · 493e6b4 · 493e6b4
1 parent 00bb537
commit 493e6b4
Showing 1 changed file with 161 additions and 44 deletions.
diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
@@ -2,12 +2,12 @@
 {{- $ca := genCA "k-rail-admission-ca" 3650 -}}
 {{- $cert := genSignedCert $cn nil nil 3650 $ca -}}
 ---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ .Release.Namespace }}
-  labels:
-    name: {{ .Release.Namespace }}
+#apiVersion: v1
+#kind: Namespace
+#metadata:
+#  name: {{ .Release.Namespace }}
+#  labels:
+#    name: {{ .Release.Namespace }}
 ---
 apiVersion: v1
 kind: Secret
@@ -21,44 +21,44 @@ data:
   cert.pem: {{ b64enc $cert.Cert }}
   key.pem: {{ b64enc $cert.Key }}
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: k-rail
-  annotations:
-    checksum/config: {{ print .Values.config | sha256sum }}
-    checksum/exemptions: {{ print .Values.exemptions | sha256sum }}
-webhooks:
-  - name: k-rail.cruise-automation.github.com
-    clientConfig:
-      service:
-        namespace: k-rail
-        name: {{ .Release.Namespace }}
-        path: "/"
-      caBundle: {{ b64enc $ca.Cert }}
-    rules:
-      - operations: ["CREATE","UPDATE","CONNECT"]
-        apiGroups: ["*"]
-        apiVersions: ["*"]
-        resources: 
-          - pods
-          - deployments
-          - replicationcontrollers
-          - replicasets
-          - daemonsets
-          - statefulsets
-          - jobs
-          - cronjobs
-          - ingresses
-          - pods/exec
-    failurePolicy: {{ print .Values.failurePolicy }}
-    sideEffects: None
-    namespaceSelector:
-      matchExpressions:
-        - key: name
-          operator: NotIn
-          values: 
-            - {{ .Release.Namespace }}
+#apiVersion: admissionregistration.k8s.io/v1beta1
+#kind: MutatingWebhookConfiguration
+#metadata:
+#  name: k-rail
+#  annotations:
+#    checksum/config: {{ print .Values.config | sha256sum }}
+#    checksum/exemptions: {{ print .Values.exemptions | sha256sum }}
+#webhooks:
+#  - name: k-rail.cruise-automation.github.com
+#    clientConfig:
+#      service:
+#        namespace: k-rail
+#        name: {{ .Release.Namespace }}
+#        path: "/"
+#      caBundle: {{ b64enc $ca.Cert }}
+#    rules:
+#      - operations: ["CREATE","UPDATE","CONNECT"]
+#        apiGroups: ["*"]
+#        apiVersions: ["*"]
+#        resources:
+#          - pods
+#          - deployments
+#          - replicationcontrollers
+#          - replicasets
+#          - daemonsets
+#          - statefulsets
+#          - jobs
+#          - cronjobs
+#          - ingresses
+#          - pods/exec
+#    failurePolicy: {{ print .Values.failurePolicy }}
+#    sideEffects: None
+#    namespaceSelector:
+#      matchExpressions:
+#        - key: name
+#          operator: NotIn
+#          values:
+#            - {{ .Release.Namespace }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -178,3 +178,120 @@ metadata:
 data:
   config.yml: |
     {{- toYaml .Values.exemptions | nindent 4 }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k-rail-evicter
+  namespace: {{ .Release.Namespace }}
+  labels:
+    name: k-rail-evicter
+spec:
+  replicas: 2 # 2 required for leader lock testing
+  selector:
+    matchLabels:
+      name: k-rail-evicter
+  template:
+    metadata:
+      name: k-rail-evicter
+      labels:
+        name: k-rail-evicter
+    spec:
+      serviceAccountName: k-rail-evicter
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 2000
+      containers:
+        - name: k-rail
+          command: ["/evicter"]
+#          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          image: "alpetest/k-rail-wip:manual"
+#          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          imagePullPolicy: Always
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
+#    {{- with .Values.nodeSelector }}
+#    nodeSelector:
+#      {{- toYaml . | nindent 8 }}
+#    {{- end }}
+#    {{- with .Values.affinity }}
+#    affinity:
+#      {{- toYaml . | nindent 8 }}
+#    {{- end }}
+#    {{- with .Values.tolerations }}
+#    tolerations:
+#      {{- toYaml . | nindent 8 }}
+#    {{- end }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: k-rail-evicter
+  namespace: {{ .Release.Namespace }}
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      name: k-rail-evicter
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k-rail-evicter
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: k-rail-evicter
+rules:
+  - apiGroups:
+      - "" # "" indicates the core API group
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "" # "" indicates the core API group
+    resources:
+      - pods/eviction
+    verbs:
+      - create
+  - apiGroups:
+      - "" # "" indicates the core API group
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - patch
+      - update
+
+# todo: anything to do about jobs and daemon-sets?
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: k-rail-evicter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k-rail-evicter
+subjects:
+  - kind: ServiceAccount
+    name: k-rail-evicter
+    namespace: {{ .Release.Namespace }}