mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

feat: add API server priority and fairness configuration for kyverno ()

* feat: add API server priority and fairness configuration for kyverno

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix: move priority level config specification to values.yaml

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* feat: support all versions of flowcontrol resources

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix: use namespaces instead of clusterscope in rules for the namespaced resources

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

---------

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
This commit is contained in:
Mariam Fahmy 2023-06-14 16:19:36 +03:00 committed by GitHub
parent 692d419aa4
commit a9cd47e0eb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 394 additions and 0 deletions

@ -324,6 +324,8 @@ The chart values are organised per component.
| admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| admissionController.priorityClassName | string | `""` | Optional priority class |
| admissionController.apiPriorityAndFairness | bool | `false` | Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ |
| admissionController.priorityLevelConfigurationSpec | object | See [values.yaml](values.yaml) | Priority level configuration. The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration |
| admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| admissionController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
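Review bot: the `admissionController.priorityLevelConfigurationSpec` description says the block is forwarded verbatim, but it does not say that the field names must match whichever `flowcontrol.apiserver.k8s.io` version the chart renders, nor that the object is only created when `apiPriorityAndFairness` is `true`; both belong in the description. Since this cell carries the same text as the `# --` comment in values.yaml (the `See [values.yaml](values.yaml)` default comes from the `# @default --` marker), the wording fix should go into values.yaml and the README be regenerated. Minor: `Ref:` and `ref:` are mixed between the two new rows.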
@ -540,6 +542,8 @@ The chart values are organised per component.
| reportsController.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| reportsController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| reportsController.priorityClassName | string | `""` | Optional priority class |
| reportsController.apiPriorityAndFairness | bool | `false` | Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ |
| reportsController.priorityLevelConfigurationSpec | object | See [values.yaml](values.yaml) | Priority level configuration. The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration |
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| reportsController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line |

@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.flowcontrol.apiVersion" -}}
{{- if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta3" -}}
flowcontrol.apiserver.k8s.io/v1beta3
{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta2" -}}
flowcontrol.apiserver.k8s.io/v1beta2
{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta1" -}}
flowcontrol.apiserver.k8s.io/v1beta1
{{- else -}}
flowcontrol.apiserver.k8s.io/v1alpha1
{{- end -}}
{{- end -}}
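Review bot: the final `else` branch returns `flowcontrol.apiserver.k8s.io/v1alpha1` whenever none of the three beta versions is discovered, which is also what happens in `helm template` or a client-side `--dry-run` without `--api-versions`, because `.Capabilities.APIVersions` is empty there; the rendered manifests are then rejected by any server that does not serve the alpha version. Consider checking the alpha version with `.Capabilities.APIVersions.Has` as well and calling `fail` (or skipping the flowcontrol resources) when no version is served, and leave a comment that the list needs extending when a newer version of the API ships.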

@ -0,0 +1,195 @@
{{- if .Values.admissionController.apiPriorityAndFairness }}
apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }}
kind: FlowSchema
metadata:
name: {{ template "kyverno.admission-controller.name" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
spec:
priorityLevelConfiguration:
name: {{ template "kyverno.admission-controller.name" . }}
rules:
- resourceRules:
- apiGroups:
- admissionregistration.k8s.io
clusterScope: true
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- rbac.authorization.k8s.io
clusterScope: true
resources:
- clusterroles
- clusterrolebindings
verbs:
- watch
- list
- apiGroups:
- rbac.authorization.k8s.io
namespaces:
- '*'
resources:
- roles
- rolebindings
verbs:
- watch
- list
- apiGroups:
- kyverno.io
clusterScope: true
resources:
- clusterpolicies
- clusterpolicies/status
- clusteradmissionreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- kyverno.io
namespaces:
- '*'
resources:
- policies
- policies/status
- updaterequests
- updaterequests/status
- admissionreports
- backgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
clusterScope: true
resources:
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
namespaces:
- '*'
resources:
- policyreports
- policyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- ""
- events.k8s.io
namespaces:
- '*'
resources:
- events
verbs:
- create
- update
- patch
- apiGroups:
- authorization.k8s.io
clusterScope: true
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- '*'
namespaces:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- ''
namespaces:
- {{ template "kyverno.namespace" . }}
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
namespaces:
- {{ template "kyverno.namespace" . }}
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
namespaces:
- {{ template "kyverno.namespace" . }}
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- apps
namespaces:
- {{ template "kyverno.namespace" . }}
resources:
- deployments
- deployments/scale
verbs:
- get
- list
- watch
- patch
- update
subjects:
- kind: ServiceAccount
serviceAccount:
name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
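Review bot: no `matchingPrecedence` is set on this FlowSchema, so the API server default applies; because the lowest value wins among matching schemas, set it explicitly (and document it) so the schema is guaranteed to be chosen over the built-in service-account schemas instead of relying on the default. Also worth a comment that `rules` only classify requests from the listed `subjects` and grant no access: the per-resource `get`/`list`/`watch` entries are already covered by the wildcard rule at `apiGroups: '*'`, so only the write verbs and the `subjectaccessreviews` rule add anything, and a request that matches none of the rules is not denied but falls through to the cluster's default schemas and is simply not insulated.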

@ -0,0 +1,12 @@
{{- if .Values.admissionController.apiPriorityAndFairness }}
apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }}
kind: PriorityLevelConfiguration
metadata:
name: {{ template "kyverno.admission-controller.name" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
{{- with .Values.admissionController.priorityLevelConfigurationSpec }}
spec:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- end }}
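Review bot: the whole `spec` is wrapped in `with .Values.admissionController.priorityLevelConfigurationSpec`, so if a user clears that value the PriorityLevelConfiguration is not rendered at all, while the FlowSchema in the sibling template still references `kyverno.admission-controller.name` and ends up pointing at an object that does not exist. Either drop the `with` and use `required` on the value, or guard the FlowSchema with the same condition so the two objects are created and removed together.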

@ -0,0 +1,122 @@
{{- if .Values.reportsController.apiPriorityAndFairness }}
apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }}
kind: FlowSchema
metadata:
name: {{ template "kyverno.reports-controller.name" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
spec:
priorityLevelConfiguration:
name: {{ template "kyverno.reports-controller.name" . }}
rules:
- resourceRules:
- apiGroups:
- '*'
namespaces:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- kyverno.io
clusterScope: true
resources:
- clusteradmissionreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- kyverno.io
namespaces:
- '*'
resources:
- admissionreports
- backgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
clusterScope: true
resources:
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
namespaces:
- '*'
resources:
- policyreports
- policyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- ''
- events.k8s.io
namespaces:
- '*'
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ''
namespaces:
- {{ template "kyverno.namespace" . }}
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
namespaces:
- {{ template "kyverno.namespace" . }}
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
subjects:
- kind: ServiceAccount
serviceAccount:
name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
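Review bot: the `events` rule here lists only `create` and `patch`, while the admission-controller FlowSchema lists `create`, `update` and `patch` for the same resource; if the difference is intentional it deserves a comment, otherwise align the two. Since FlowSchema rules only classify, a verb missing here does not break the controller, it just means those requests fall to the default schemas and are not handled at this priority level.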

@ -0,0 +1,12 @@
{{- if .Values.reportsController.apiPriorityAndFairness }}
apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }}
kind: PriorityLevelConfiguration
metadata:
name: {{ template "kyverno.reports-controller.name" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
{{- with .Values.reportsController.priorityLevelConfigurationSpec }}
spec:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- end }}
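Review bot: `nindent 8` under a top-level `spec:` produces an eight-space indent for the spec fields, which is valid YAML but inconsistent with the two-space indentation used everywhere else in these templates (the admission-controller PriorityLevelConfiguration has the same `nindent 8`); `nindent 2` matches the rest of the chart and makes `helm template` output easier to diff against hand-written manifests.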

@ -546,6 +546,24 @@ admissionController:
# -- Optional priority class
priorityClassName: ''
# -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities.
# This will help ensure Kyverno stability in busy clusters.
# Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
apiPriorityAndFairness: false
# -- Priority level configuration.
# The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
# ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
# @default -- See [values.yaml](values.yaml)
priorityLevelConfigurationSpec:
type: Limited
limited:
nominalConcurrencyShares: 10
limitResponse:
queuing:
queueLengthLimit: 50
type: Queue
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
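Review bot: the default `priorityLevelConfigurationSpec` uses `nominalConcurrencyShares`, which is the field name introduced in `flowcontrol.apiserver.k8s.io/v1beta3`; in v1beta1 and v1beta2 the same field is `assuredConcurrencyShares`, so on a cluster where the version helper falls back to one of those versions this default spec is rejected as an unknown field (or silently dropped, depending on the server's field validation). Either document that the defaults assume v1beta3 or newer, or render the field name based on the selected API version.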
@ -1369,6 +1387,24 @@ reportsController:
# -- Optional priority class
priorityClassName: ''
# -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities.
# This will help ensure Kyverno reports stability in busy clusters.
# Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
apiPriorityAndFairness: false
# -- Priority level configuration.
# The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want.
# ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration
# @default -- See [values.yaml](values.yaml)
priorityLevelConfigurationSpec:
type: Limited
limited:
nominalConcurrencyShares: 10
limitResponse:
queuing:
queueLengthLimit: 50
type: Queue
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
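Review bot: the comment should explain what these numbers mean relative to the rest of the cluster: `nominalConcurrencyShares: 10` is a share of the API server's total concurrency in proportion to the shares of every other Limited priority level, including the built-in ones, so its effect depends on what else is configured, and `queueLengthLimit: 50` is the maximum number of waiting requests per queue, with the number of queues and `handSize` left at their defaults. A sentence to that effect, plus a pointer to the `apiserver_flowcontrol_*` metrics for observing queuing and rejections, would help operators tune this for the reports controller.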