From 8e376097565c09046a5753f5efa26dca0fe670a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Thu, 2 Mar 2023 15:56:13 +0100 Subject: [PATCH] refactor: helm admission controller config (#6454) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- charts/kyverno/README.md | 26 ++++--- charts/kyverno/README.md.gotmpl | 8 ++ .../admission-controller/deployment.yaml | 47 +++++------ .../poddisruptionbudget.yaml | 2 +- .../cleanup-controller/deployment.yaml | 2 +- charts/kyverno/values.yaml | 78 +++++++++---------- 6 files changed, 91 insertions(+), 72 deletions(-) diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index ac38442edc..5894ee0a27 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
@@ -122,6 +122,14 @@ In `v3` chart values changed significantly, please read the instructions below t - `testResources` has been replaced with `test.resources` - `testSecurityContext` has been replaced with `test.securityContext` - `replicaCount` has been replaced with `admissionController.replicas` +- `updateStrategy` has been replaced with `admissionController.updateStrategy` +- `priorityClassName` has been replaced with `admissionController.priorityClassName` +- `hostNetwork` has been replaced with `admissionController.hostNetwork` +- `dnsPolicy` has been replaced with `admissionController.dnsPolicy` +- `nodeSelector` has been replaced with `admissionController.nodeSelector` +- `tolerations` has been replaced with `admissionController.tolerations` +- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints` +- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget` - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. 
@@ -192,17 +200,10 @@ The command removes all the Kubernetes components associated with the chart and | podAnnotations | object | `{}` | Additional annotations to add to each pod | | podSecurityContext | object | `{}` | Security context for the pod | | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| priorityClassName | string | `""` | Optional priority class to be used for kyverno pods | | antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | | podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | | podAffinity | object | `{}` | Pod affinity constraints. | | nodeAffinity | object | `{}` | Node affinity constraints. | -| podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyverno disruptions. Cannot be used if `maxUnavailable` is set. | -| podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyverno disruptions. Cannot be used if `minAvailable` is set. | -| nodeSelector | object | `{}` | Node labels for pod assignment | -| tolerations | list | `[]` | List of node taints to tolerate | -| hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | -| dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. 
For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | | envVarsInit | object | `{}` | Env variables for initContainers. | | envVars | object | `{}` | Env variables for containers. | | extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the binary. | @@ -218,12 +219,10 @@ The command removes all the Kubernetes components associated with the chart and | generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. | | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | -| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | service.port | int | `443` | Service port. | | service.type | string | `"ClusterIP"` | Service type. | | service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. | | service.annotations | object | `{}` | Service annotations. | -| topologySpreadConstraints | list | `[]` | Topology spread constraints. | | metricsService.create | bool | `true` | Create service. | | metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. | | metricsService.type | string | `"ClusterIP"` | Service type. | 
@@ -248,6 +247,15 @@ The command removes all the Kubernetes components associated with the chart and | grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | | grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. | | admissionController.replicas | int | `nil` | Desired number of pods | +| admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| admissionController.priorityClassName | string | `""` | Optional priority class | +| admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| admissionController.nodeSelector | object | `{}` | Node labels for pod assignment | +| admissionController.tolerations | list | `[]` | List of node taints to tolerate | +| admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. 
| | cleanupController.enabled | bool | `true` | Enable cleanup controller. | | cleanupController.rbac.create | bool | `true` | Create RBAC resources | | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name | diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl index 551337bc45..f7040b9016 100644 --- a/charts/kyverno/README.md.gotmpl +++ b/charts/kyverno/README.md.gotmpl @@ -122,6 +122,14 @@ In `v3` chart values changed significantly, please read the instructions below t - `testResources` has been replaced with `test.resources` - `testSecurityContext` has been replaced with `test.securityContext` - `replicaCount` has been replaced with `admissionController.replicas` +- `updateStrategy` has been replaced with `admissionController.updateStrategy` +- `priorityClassName` has been replaced with `admissionController.priorityClassName` +- `hostNetwork` has been replaced with `admissionController.hostNetwork` +- `dnsPolicy` has been replaced with `admissionController.dnsPolicy` +- `nodeSelector` has been replaced with `admissionController.nodeSelector` +- `tolerations` has been replaced with `admissionController.tolerations` +- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints` +- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget` - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml index 653f7d4e1f..9813ceb637 100644 --- a/charts/kyverno/templates/admission-controller/deployment.yaml +++ b/charts/kyverno/templates/admission-controller/deployment.yaml 
@@ -8,13 +8,13 @@ metadata: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} spec: replicas: {{ template "kyverno.deployment.replicas" .Values.admissionController.replicas }} + {{- with .Values.admissionController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} selector: matchLabels: {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} - {{- if .Values.updateStrategy }} - strategy: - {{ toYaml .Values.updateStrategy | nindent 4 | trim }} - {{- end }} template: metadata: labels: @@ -34,6 +34,27 @@ spec: securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} + {{- with .Values.admissionController.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.admissionController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.admissionController.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} {{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }} affinity: {{- if .Values.antiAffinity.enable }} 
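Review bot: In the second hunk the new string scalars are rendered inconsistently: `priorityClassName: {{ . | quote }}` is quoted while `dnsPolicy: {{ . }}` is emitted bare, so a value that YAML would retype (empty, boolean-looking, or starting with an indicator) reaches the API server unquoted. Rendering it as `dnsPolicy: {{ . | quote }}` matches the `priorityClassName` line two lines above and keeps the emitted value a string; `hostNetwork: {{ . }}` should stay unquoted since it is a boolean. The `with` guard on `hostNetwork` means the key is simply omitted when the value is `false`, which is fine but worth a one-line comment such as `{{/* hostNetwork is only emitted when enabled; the API default is false */}}`. The enclosing pod `spec:` mapping both starts before and continues after this hunk.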
@@ -51,25 +72,7 @@ spec: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - {{- if .Values.hostNetwork }} - hostNetwork: {{ .Values.hostNetwork }} - {{- end }} - {{- if .Values.dnsPolicy }} - dnsPolicy: {{ .Values.dnsPolicy }} - {{- end }} initContainers: {{- if .Values.extraInitContainers }} {{- toYaml .Values.extraInitContainers | nindent 8 }} diff --git a/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml index 91beb6d486..c9ef079da9 100644 --- a/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml +++ b/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml @@ -7,7 +7,7 @@ metadata: labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} spec: - {{- include "kyverno.pdb.spec" .Values.podDisruptionBudget | nindent 2 }} + {{- include "kyverno.pdb.spec" .Values.admissionController.podDisruptionBudget | nindent 2 }} selector: matchLabels: {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} diff --git a/charts/kyverno/templates/cleanup-controller/deployment.yaml b/charts/kyverno/templates/cleanup-controller/deployment.yaml index 363b04948f..305cec8230 100644 --- a/charts/kyverno/templates/cleanup-controller/deployment.yaml +++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml 
@@ -4,9 +4,9 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} spec: replicas: {{ template "kyverno.deployment.replicas" .Values.cleanupController.replicas }} {{- with .Values.cleanupController.updateStrategy }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 5fccdf7bfc..0c4642a14b 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -257,9 +257,6 @@ securityContext: seccompProfile: type: RuntimeDefault -# -- Optional priority class to be used for kyverno pods -priorityClassName: '' - antiAffinity: # -- Pod antiAffinities toggle. # Enabled by default but can be disabled if you want to schedule pods to the same node. 
@@ -285,30 +282,6 @@ podAffinity: {} # -- Node affinity constraints. nodeAffinity: {} -podDisruptionBudget: - # -- Configures the minimum available pods for kyverno disruptions. - # Cannot be used if `maxUnavailable` is set. - minAvailable: 1 - # -- Configures the maximum unavailable pods for kyverno disruptions. - # Cannot be used if `minAvailable` is set. - maxUnavailable: - -# -- Node labels for pod assignment -nodeSelector: {} - -# -- List of node taints to tolerate -tolerations: [] - -# -- Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace. -# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. -# Update the `dnsPolicy` accordingly as well to suit the host network mode. -hostNetwork: false - -# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. -# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. -# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. -dnsPolicy: ClusterFirst - # -- Env variables for initContainers. envVarsInit: {} @@ -408,15 +381,6 @@ excludeKyvernoNamespace: true # Namespaces to exclude from the default resourceFilters resourceFiltersExcludeNamespaces: [] -# -- Deployment update strategy. -# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy -# @default -- See [values.yaml](values.yaml) -updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - service: # -- Service port. port: 443 @@ -428,9 +392,6 @@ service: # -- Service annotations. annotations: {} -# -- Topology spread constraints. -topologySpreadConstraints: [] - metricsService: # -- Create service. create: true 
@@ -514,6 +475,45 @@ admissionController: # -- (int) Desired number of pods replicas: ~ + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + podDisruptionBudget: + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + # Cleanup controller configuration cleanupController:
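Review bot: The new `hostNetwork` comment explains when to turn it on but not what it changes: a pod with `hostNetwork: true` shares the node's network namespace, so the admission controller's listeners are exposed on node interfaces and the pod no longer satisfies the Pod Security Standards "baseline" (and therefore "restricted") profile, which clusters enforcing those profiles will reject. Suggest appending to that comment `# Enabling this moves the pod outside the Pod Security Standards baseline profile; keep false unless the CNI requires it.` Separately, `maxUnavailable:` is left as a bare empty value, while `replicas: ~` in the same stanza spells the null explicitly; `maxUnavailable: ~` would make the intent consistent with the README's documented `nil` default.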