From 493e6b4a49ea35596fa16bc6b8fec46a6b5b4d7b Mon Sep 17 00:00:00 2001
From: Alex Peters
Date: Mon, 3 Feb 2020 13:41:44 +0100
Subject: [PATCH] Add evicter to helm chart (WIP)

---
 deploy/helm/templates/deployment.yaml | 205 ++++++++++++++++++++------
 1 file changed, 161 insertions(+), 44 deletions(-)

diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
index e435f1f..4f2232f 100644
--- a/deploy/helm/templates/deployment.yaml
+++ b/deploy/helm/templates/deployment.yaml
@@ -2,12 +2,12 @@
 {{- $ca := genCA "k-rail-admission-ca" 3650 -}}
 {{- $cert := genSignedCert $cn nil nil 3650 $ca -}}
 ---
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ .Release.Namespace }}
- labels:
- name: {{ .Release.Namespace }}
+#apiVersion: v1
+#kind: Namespace
+#metadata:
+# name: {{ .Release.Namespace }}
+# labels:
+# name: {{ .Release.Namespace }}
 ---
 apiVersion: v1
 kind: Secret
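Review bot: The commented-out Namespace block on the new side still contains Go template actions (`# name: {{ .Release.Namespace }}`), and Helm evaluates `{{ ... }}` regardless of a leading `#`, so these lines are not inert; the same applies to the commented-out MutatingWebhookConfiguration in the next hunk, where `{{ print .Values.config | sha256sum }}` and `{{ b64enc $ca.Cert }}` are still executed and their output is emitted into the rendered manifest as comment text. Any missing value or helper in those lines will still fail the render even though the resource is "disabled". If the intent is to switch these resources off temporarily, wrap each document in a template comment (`{{- /*` ... `*/ -}}`) or gate it with a values flag so the template engine skips it, rather than relying on YAML `#` comments.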
@@ -21,44 +21,44 @@ data:
 cert.pem: {{ b64enc $cert.Cert }}
 key.pem: {{ b64enc $cert.Key }}
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: MutatingWebhookConfiguration
-metadata:
- name: k-rail
- annotations:
- checksum/config: {{ print .Values.config | sha256sum }}
- checksum/exemptions: {{ print .Values.exemptions | sha256sum }}
-webhooks:
- - name: k-rail.cruise-automation.github.com
- clientConfig:
- service:
- namespace: k-rail
- name: {{ .Release.Namespace }}
- path: "/"
- caBundle: {{ b64enc $ca.Cert }}
- rules:
- - operations: ["CREATE","UPDATE","CONNECT"]
- apiGroups: ["*"]
- apiVersions: ["*"]
- resources:
- - pods
- - deployments
- - replicationcontrollers
- - replicasets
- - daemonsets
- - statefulsets
- - jobs
- - cronjobs
- - ingresses
- - pods/exec
- failurePolicy: {{ print .Values.failurePolicy }}
- sideEffects: None
- namespaceSelector:
- matchExpressions:
- - key: name
- operator: NotIn
- values:
- - {{ .Release.Namespace }}
+#apiVersion: admissionregistration.k8s.io/v1beta1
+#kind: MutatingWebhookConfiguration
+#metadata:
+# name: k-rail
+# annotations:
+# checksum/config: {{ print .Values.config | sha256sum }}
+# checksum/exemptions: {{ print .Values.exemptions | sha256sum }}
+#webhooks:
+# - name: k-rail.cruise-automation.github.com
+# clientConfig:
+# service:
+# namespace: k-rail
+# name: {{ .Release.Namespace }}
+# path: "/"
+# caBundle: {{ b64enc $ca.Cert }}
+# rules:
+# - operations: ["CREATE","UPDATE","CONNECT"]
+# apiGroups: ["*"]
+# apiVersions: ["*"]
+# resources:
+# - pods
+# - deployments
+# - replicationcontrollers
+# - replicasets
+# - daemonsets
+# - statefulsets
+# - jobs
+# - cronjobs
+# - ingresses
+# - pods/exec
+# failurePolicy: {{ print .Values.failurePolicy }}
+# sideEffects: None
+# namespaceSelector:
+# matchExpressions:
+# - key: name
+# operator: NotIn
+# values:
+# - {{ .Release.Namespace }}
 ---
 apiVersion: apps/v1
 kind: Deployment
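Review bot: With the MutatingWebhookConfiguration commented out, a release rendered from this chart installs the k-rail Secret and Deployment but never registers the admission webhook, so no policy is enforced and nothing in the chart or its rendered output signals that enforcement is off. `.Values.failurePolicy` and the `checksum/config` / `checksum/exemptions` annotations that forced a webhook refresh on config changes become dead wiring at the same time. If disabling the webhook is only needed while the evicter is developed, guard the document with a values flag (name to be chosen) whose default keeps the webhook installed, so an ordinary `helm install` still enforces. While this block is being touched: the commented copy keeps `namespace: k-rail` / `name: {{ .Release.Namespace }}` under `clientConfig.service`, which looks like the service name and namespace may be swapped relative to the rest of the chart; worth confirming against the Service definition before it is re-enabled.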
@@ -178,3 +178,120 @@ metadata:
 data:
 config.yml: |
 {{- toYaml .Values.exemptions | nindent 4 }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: k-rail-evicter
+ namespace: {{ .Release.Namespace }}
+ labels:
+ name: k-rail-evicter
+spec:
+ replicas: 2 # 2 required for leader lock testing
+ selector:
+ matchLabels:
+ name: k-rail-evicter
+ template:
+ metadata:
+ name: k-rail-evicter
+ labels:
+ name: k-rail-evicter
+ spec:
+ serviceAccountName: k-rail-evicter
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ fsGroup: 2000
+ containers:
+ - name: k-rail
+ command: ["/evicter"]
+# image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ image: "alpetest/k-rail-wip:manual"
+# imagePullPolicy: {{ .Values.image.pullPolicy }}
+ imagePullPolicy: Always
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ securityContext:
+ readOnlyRootFilesystem: true
+# {{- with .Values.nodeSelector }}
+# nodeSelector:
+# {{- toYaml . | nindent 8 }}
+# {{- end }}
+# {{- with .Values.affinity }}
+# affinity:
+# {{- toYaml . | nindent 8 }}
+# {{- end }}
+# {{- with .Values.tolerations }}
+# tolerations:
+# {{- toYaml . | nindent 8 }}
+# {{- end }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: k-rail-evicter
+ namespace: {{ .Release.Namespace }}
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ name: k-rail-evicter
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k-rail-evicter
+ namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: k-rail-evicter
+rules:
+ - apiGroups:
+ - "" # "" indicates the core API group
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "" # "" indicates the core API group
+ resources:
+ - pods/eviction
+ verbs:
+ - create
+ - apiGroups:
+ - "" # "" indicates the core API group
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - update
+
+# todo: anything to do about jobs and daemon-sets?
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: k-rail-evicter
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: k-rail-evicter
+subjects:
+ - kind: ServiceAccount
+ name: k-rail-evicter
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
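Review bot: The evicter container hard-codes `image: "alpetest/k-rail-wip:manual"` with `imagePullPolicy: Always`, replacing the chart's `.Values.image` wiring that sits commented out on the two lines around it; every pod restart then pulls whatever currently sits behind a mutable tag in a personal registry, and a chart user cannot point the evicter at a pinned or internally mirrored image (the CI/CD lineage of this image is unknown to the consumer). Restore `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` and `imagePullPolicy: {{ .Values.image.pullPolicy }}` before this leaves WIP, and either re-enable the commented `nodeSelector` / `affinity` / `tolerations` blocks (which the template engine still parses, see the first hunk) or drop them. Separately, the ClusterRoleBinding uses `rbac.authorization.k8s.io/v1beta1` while the ClusterRole directly above it uses `rbac.authorization.k8s.io/v1`; use `v1` for both. `replicas: 2 # 2 required for leader lock testing` bakes a test-harness requirement into the chart; it should come from values, with the PodDisruptionBudget's `minAvailable: 1` kept consistent with whatever default is chosen, and the `# todo` left at the end of the ClusterRole should be resolved or tracked so the cluster-wide `pods/eviction` grant is not widened ad hoc later.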