Add evicter to helm chart (WIP)

cruise-automation · Aug 6, 2020 · 7bc0b34 · 7bc0b34
1 parent 1d75425
commit 7bc0b34
Showing 1 changed file with 117 additions and 0 deletions.
diff --git a/charts/k-rail/templates/deployment.yaml b/charts/k-rail/templates/deployment.yaml
@@ -214,3 +214,120 @@ kind: ServiceAccount
 metadata:
   name: k-rail
   namespace: {{ .Release.Namespace }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k-rail-evicter
+  namespace: {{ .Release.Namespace }}
+  labels:
+    name: k-rail-evicter
+spec:
+  replicas: 2 # 2 required for leader lock testing
+  selector:
+    matchLabels:
+      name: k-rail-evicter
+  template:
+    metadata:
+      name: k-rail-evicter
+      labels:
+        name: k-rail-evicter
+    spec:
+      serviceAccountName: k-rail-evicter
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 2000
+      containers:
+        - name: k-rail
+          command: ["/evicter"]
+          #          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          image: "alpetest/k-rail-wip:manual"
+          #          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          imagePullPolicy: Always
+          resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            readOnlyRootFilesystem: true
+#    {{- with .Values.nodeSelector }}
+#    nodeSelector:
+#      {{- toYaml . | nindent 8 }}
+#    {{- end }}
+#    {{- with .Values.affinity }}
+#    affinity:
+#      {{- toYaml . | nindent 8 }}
+#    {{- end }}
+#    {{- with .Values.tolerations }}
+#    tolerations:
+#      {{- toYaml . | nindent 8 }}
+#    {{- end }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: k-rail-evicter
+  namespace: {{ .Release.Namespace }}
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      name: k-rail-evicter
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k-rail-evicter
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: k-rail-evicter
+rules:
+  - apiGroups:
+      - "" # "" indicates the core API group
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "" # "" indicates the core API group
+    resources:
+      - pods/eviction
+    verbs:
+      - create
+  - apiGroups:
+      - "" # "" indicates the core API group
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - patch
+      - update
+
+# todo: anything to do about jobs and daemon-sets?
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: k-rail-evicter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k-rail-evicter
+subjects:
+  - kind: ServiceAccount
+    name: k-rail-evicter
+    namespace: {{ .Release.Namespace }}