feat: support toleration config #1731

8 changes: 8 additions & 0 deletions deployments/helm/KubeArmor/templates/deployment.yaml
Original file line number Diff line number Diff line change
@@ -39,6 +39,10 @@ spec:
volumeMounts:
{{- toYaml .Values.kubearmorRelay.tls.certVolumeMount | trim | nindent 10 }}
{{- end}}
{{- if .Values.kubearmorRelay.tolerations }}
tolerations:
{{ toYaml .Values.kubearmorRelay.tolerations | indent 8 }}
{{- end }}
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: kubearmor-relay
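Review bot: the new `{{ toYaml .Values.kubearmorRelay.tolerations | indent 8 }}` line mixes styles with the `{{- toYaml ... | trim | nindent 10 }}` pipeline two lines above it, and `indent` also keeps whatever leading whitespace the template line itself has, so the first list item only renders at the right column if the template line starts in column 0. Prefer `{{- toYaml .Values.kubearmorRelay.tolerations | nindent 8 }}` and confirm with `helm template` that the items land two spaces deeper than `tolerations:`, which itself must sit at the same level as `nodeSelector:`.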
@@ -138,6 +142,10 @@ spec:
runAsNonRoot: true
serviceAccountName: {{ .Values.kubearmorController.name }}
terminationGracePeriodSeconds: 10
{{- if .Values.kubearmorController.tolerations }}
tolerations:
{{ toYaml .Values.kubearmorController.tolerations | indent 8 }}
{{- end }}
volumes:
- name: cert
secret:
10 changes: 7 additions & 3 deletions deployments/helm/KubeArmor/values.yaml
@@ -12,12 +12,14 @@ kubearmorRelay:
# to enable/disable kubearmor-relay
enabled: true
image:
# kubearmor-init image repo
# kubearmor-relay image repo
repository: kubearmor/kubearmor-relay-server
# kubearmor-init image tag
# kubearmor-relay image tag
tag: latest
# kubearmor-init imagePullPolicy
# kubearmor-relay imagePullPolicy
imagePullPolicy: Always
# kubearmor-relay tolerations
tolerations: []
# Add environment variables for STDOUT logging
enableStdoutLogs: "false"
enableStdoutAlerts: "false"
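Review bot: the `tolerations: []` default carries only a one-line comment while the value is passed straight through `toYaml`, so chart users get no hint of the expected shape; add a commented example such as `# - key: "dedicated"` / `#   operator: "Equal"` / `#   effect: "NoSchedule"` as most charts do. The comment fixes from `kubearmor-init` to `kubearmor-relay` in the same hunk are correct.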
@@ -88,6 +90,8 @@ kubearmorController:
failurePolicy: Ignore
# kubearmor-controller imagePullPolicy
imagePullPolicy: Always
# kubearmor-controller tolerations
tolerations: []

kubearmorConfigMap:
defaultFilePosture: audit
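Review bot: none of the files in this diff update the chart README or values documentation for the three new `tolerations` keys (`kubearmorRelay`, `kubearmorController` and `kubearmorOperator`); add a row for each so users find the option without reading the templates.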
Original file line number Diff line number Diff line change
@@ -92,6 +92,44 @@ spec:
- Never
type: string
type: object
kubearmorControllerToleration:
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
kubearmorImage:
description: ImageSpec defines the image specifications
properties:
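Review bot: this generated `kubearmorControllerToleration` schema appears three times in the diff (this Helm CRD, `deployments/operator/operator.yaml`, and the config/crd copy further down); make sure all three come from the same controller-gen run (v0.14.0 per the Makefile change) rather than a hand copy, since any drift between the chart CRD and the operator manifest means a CR validates differently depending on the install path.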
@@ -131,6 +169,44 @@ spec:
- Never
type: string
type: object
kubearmorRelayToleration:
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
seccompEnabled:
type: boolean
tls:
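Review bot: the schema, correctly since it mirrors core/v1 Toleration, accepts an empty `key` with `operator: Exists`, which per the embedded description matches all taint keys and all effects; for the relay, which receives the cluster's KubeArmor telemetry, a single catch-all entry lets it be scheduled onto control-plane, cordoned or otherwise dedicated nodes. Worth a sentence in the CR documentation recommending explicit keys over a wildcard toleration.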
4 changes: 4 additions & 0 deletions deployments/helm/KubeArmorOperator/templates/deployment.yaml
@@ -26,4 +26,8 @@ spec:
{{- end }}
image: {{ include "operatorImage" . }}
imagePullPolicy: {{ .Values.kubearmorOperator.imagePullPolicy }}
{{- if .Values.kubearmorOperator.tolerations }}
tolerations:
{{ toYaml .Values.kubearmorOperator.tolerations | indent 8 }}
{{- end }}
serviceAccountName: {{ .Values.kubearmorOperator.name }}
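Review bot: `tolerations` is a PodSpec field, but this hunk inserts it directly after the container-level `image:` and `imagePullPolicy:` lines and before the pod-level `serviceAccountName:`; verify that the rendered `tolerations:` key sits at the same indentation as `serviceAccountName:` and not inside the container, otherwise the API server rejects the Deployment with an unknown-field error. `helm template ... | kubectl apply --dry-run=server -f -` with a non-empty `tolerations` value is the quick check, and `indent 8` must then equal the pod-spec indentation plus two.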
1 change: 1 addition & 0 deletions deployments/helm/KubeArmorOperator/values.yaml
@@ -36,6 +36,7 @@ kubearmorOperator:
repository: kubearmor/kubearmor-operator
tag: ""
imagePullPolicy: IfNotPresent
tolerations: []

kubearmorConfig:
defaultCapabilitiesPosture: audit
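Review bot: `tolerations: []` here has no comment, unlike the matching keys in the KubeArmor chart's values.yaml (`# kubearmor-relay tolerations`, `# kubearmor-controller tolerations`); add the same one-line comment, ideally with a commented example entry, so the two charts document the option consistently.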
76 changes: 76 additions & 0 deletions deployments/operator/operator.yaml
@@ -91,6 +91,44 @@ spec:
- Never
type: string
type: object
kubearmorControllerToleration:
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
kubearmorImage:
description: ImageSpec defines the image specifications
properties:
@@ -130,6 +168,44 @@ spec:
- Never
type: string
type: object
kubearmorRelayToleration:
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
seccompEnabled:
type: boolean
tls:
2 changes: 1 addition & 1 deletion pkg/KubeArmorOperator/Makefile
@@ -137,7 +137,7 @@ generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and
CONTROLLER_GEN = $(GOBIN)/controller-gen
.PHONY: controller-gen
controller-gen: ## Download controller-gen locally if necessary.
$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.1)
$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0)

client/gen:
@echo "--> Running code-generator to generate clients"
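Review bot: bumping controller-gen from v0.4.1 to v0.14.0 changes the generated output for every existing field (description formatting, validation markers), yet the CRD hunks in this diff add only the new toleration blocks; please confirm the CRDs and deepcopy files were fully regenerated with the new version and commit that output, and consider a CI step that runs `make generate` and fails on a dirty tree so the pinned tool version and the checked-in manifests cannot drift again.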
Original file line number Diff line number Diff line change
@@ -4,6 +4,7 @@
package v1

import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
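Review bot: importing `k8s.io/api/core/v1` under the alias `v1` inside a file that is itself `package v1` compiles but reads ambiguously in every `v1.Toleration` reference; alias it `corev1`, which is what `common/defaults.go` already uses for the same package.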

@@ -50,8 +51,12 @@ type KubeArmorConfigSpec struct {
// +kubebuilder:validation:optional
KubeArmorRelayImage ImageSpec `json:"kubearmorRelayImage,omitempty"`
// +kubebuilder:validation:optional
KubeArmorRelayToleration []v1.Toleration `json:"kubearmorRelayToleration,omitempty"`
// +kubebuilder:validation:optional
KubeArmorControllerImage ImageSpec `json:"kubearmorControllerImage,omitempty"`
// +kubebuilder:validation:optional
KubeArmorControllerToleration []v1.Toleration `json:"kubearmorControllerToleration,omitempty"`
// +kubebuilder:validation:optional
KubeRbacProxyImage ImageSpec `json:"kubeRbacProxyImage,omitempty"`
// +kubebuilder:validation:optional
Tls Tls `json:"tls,omitempty"`
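Review bot: `KubeArmorRelayToleration` and `KubeArmorControllerToleration` are slices but their JSON tags are singular (`kubearmorRelayToleration`, `kubearmorControllerToleration`), which breaks with PodSpec's `tolerations` and with the `tolerations` key the Helm values use; rename to the plural form before this lands in a CRD, since renaming a served field afterwards is a breaking API change for existing CRs.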
4 changes: 4 additions & 0 deletions pkg/KubeArmorOperator/common/defaults.go
@@ -102,6 +102,10 @@ var (
SeccompProfile = "kubearmor-seccomp.json"
SeccompInitProfile = "kubearmor-init-seccomp.json"

// Tolerations
KubeArmorRelayToleration []corev1.Toleration = []corev1.Toleration{}
KubeArmorControllerToleration []corev1.Toleration = []corev1.Toleration{}

// tls
EnableTls bool = false
ExtraDnsNames []string = []string{"localhost"}
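Review bot: the two package-level defaults are declared here, but nothing in this diff reads `spec.kubearmorRelayToleration` or `spec.kubearmorControllerToleration` from the CR into them or applies them to the relay and controller Deployments the operator creates; if that wiring lives in a file outside this diff, point to it, otherwise the new CRD fields are accepted by validation and then silently ignored.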
Original file line number Diff line number Diff line change
@@ -92,6 +92,44 @@ spec:
- Never
type: string
type: object
kubearmorControllerToleration:
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
kubearmorImage:
description: ImageSpec defines the image specifications
properties:
@@ -131,6 +169,44 @@ spec:
- Never
type: string
type: object
kubearmorRelayToleration:
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
seccompEnabled:
type: boolean
tls: