Configure the securityContext, resources and pod annotations in helm #1909

151 changes: 142 additions & 9 deletions config/charts/knative-operator/templates/operator.yaml
Expand Up @@ -48,6 +48,10 @@ metadata:
app.kubernetes.io/component: operator-webhook
app.kubernetes.io/version: "{{ .Chart.Version }}"
app.kubernetes.io/name: knative-operator
{{- if and .Values.knative_operator.operator_webhook.annotations }}
annotations:
{{ toYaml .Values.knative_operator.operator_webhook.annotations }}
{{- end }}
spec:
selector:
matchLabels:
Expand All @@ -62,6 +66,10 @@ spec:
app.kubernetes.io/version: "{{ .Chart.Version }}"
app.kubernetes.io/name: knative-operator
sidecar.istio.io/inject: "false"
{{- if and .Values.knative_operator.operator_webhook.podAnnotations }}
annotations:
{{ toYaml .Values.knative_operator.operator_webhook.podAnnotations }}
{{- end }}
spec:
# To avoid node becoming SPOF, spread our replicas to different nodes.
affinity:
Expand All @@ -73,7 +81,10 @@ spec:
app: operator-webhook
topologyKey: kubernetes.io/hostname
weight: 100

{{- if and .Values.knative_operator.operator_webhook.securityContext }}
securityContext:
{{ toYaml .Values.knative_operator.operator_webhook.securityContext }}
{{- end }}
serviceAccountName: operator-webhook
containers:
- name: operator-webhook
Expand All @@ -83,11 +94,11 @@ spec:

resources:
requests:
cpu: 100m
memory: 100Mi
cpu: {{ .Values.knative_operator.operator_webhook.resources.requests.cpu }}
memory: {{ .Values.knative_operator.operator_webhook.resources.requests.memory }}
limits:
cpu: 500m
memory: 500Mi
cpu: {{ .Values.knative_operator.operator_webhook.resources.limits.cpu }}
memory: {{ .Values.knative_operator.operator_webhook.resources.limits.memory }}

env:
- name: POD_NAME
Expand All @@ -114,12 +125,12 @@ spec:
- name: KUBERNETES_MIN_VERSION
value: "{{ .Values.knative_operator.kubernetes_min_version }}"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
allowPrivilegeEscalation: {{ .Values.knative_operator.operator_webhook.containerSecurityContext.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.knative_operator.operator_webhook.containerSecurityContext.readOnlyRootFilesystem }}
runAsNonRoot: {{ .Values.knative_operator.operator_webhook.containerSecurityContext.runAsNonRoot }}
capabilities:
drop:
- all
- ALL

ports:
- name: metrics
Expand Down Expand Up @@ -1337,6 +1348,20 @@ spec:
type: object
type: object
type: array
namespace:
description: A field of namespace name to override the labels and annotations
type: object
properties:
labels:
additionalProperties:
type: string
description: Labels overrides labels for the namespace and its template.
type: object
annotations:
additionalProperties:
type: string
description: Annotations overrides labels for the namespace and its template.
type: object
deployments:
description: A mapping of deployment name to override
type: array
Expand Down Expand Up @@ -2396,6 +2421,12 @@ spec:
- type: string
description: An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%".
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".
x-kubernetes-int-or-string: true
source:
description: The source configuration for Knative Eventing
properties:
Expand Down Expand Up @@ -3715,6 +3746,20 @@ spec:
type: object
type: object
type: array
namespace:
description: A field of namespace name to override the labels and annotations
type: object
properties:
labels:
additionalProperties:
type: string
description: Labels overrides labels for the namespace and its template.
type: object
annotations:
additionalProperties:
type: string
description: Annotations overrides labels for the namespace and its template.
type: object
deployments:
description: A mapping of deployment name to override
type: array
Expand Down Expand Up @@ -4774,6 +4819,12 @@ spec:
- type: string
description: An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%".
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".
x-kubernetes-int-or-string: true
ingress:
description: The ingress configuration for Knative Serving
properties:
Expand Down Expand Up @@ -4823,6 +4874,17 @@ spec:
format: string
type: string
type: object
tls:
properties:
mode:
description: TLS mode can be SIMPLE, MUTUAL, ISTIO_MUTUAL.
format: string
type: string
credentialName:
description: TLS certificate name.
format: string
type: string
type: object
type: object
type: array
type: object
Expand Down Expand Up @@ -4861,6 +4923,17 @@ spec:
format: string
type: string
type: object
tls:
properties:
mode:
description: TLS mode can be SIMPLE, MUTUAL, ISTIO_MUTUAL.
format: string
type: string
credentialName:
description: TLS certificate name.
format: string
type: string
type: object
type: object
type: array
type: object
Expand All @@ -4872,8 +4945,14 @@ spec:
type: boolean
service-type:
type: string
service-load-balancer-ip:
type: string
bootstrap-configmap:
type: string
http-port:
type: integer
https-port:
type: integer
type: object
type: object
security:
Expand Down Expand Up @@ -5579,6 +5658,8 @@ rules:
- watch
- update
- patch
- create
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
Expand Down Expand Up @@ -5702,6 +5783,32 @@ rules:
verbs:
- deletecollection

# Eventing TLS
- apiGroups:
- "cert-manager.io"
resources:
- certificates
- issuers
- clusterissuers
verbs:
- create
- delete
- update
- list
- get
- watch
- apiGroups:
- "trust.cert-manager.io"
resources:
- bundles
verbs:
- create
- delete
- update
- list
- get
- watch

---
# Copyright 2020 The Knative Authors
#
Expand Down Expand Up @@ -6205,6 +6312,10 @@ metadata:
labels:
app.kubernetes.io/name: knative-operator
app.kubernetes.io/version: "{{ .Chart.Version }}"
{{- if and .Values.knative_operator.knative_operator.annotations }}
annotations:
{{ toYaml .Values.knative_operator.knative_operator.annotations }}
{{- end }}
spec:
replicas: 1
selector:
Expand All @@ -6217,11 +6328,26 @@ spec:
app.kubernetes.io/name: knative-operator
app.kubernetes.io/version: "{{ .Chart.Version }}"
sidecar.istio.io/inject: "false"
{{- if and .Values.knative_operator.knative_operator.podAnnotations }}
annotations:
{{ toYaml .Values.knative_operator.knative_operator.podAnnotations }}
{{- end }}
spec:
serviceAccountName: knative-operator
{{- if and .Values.knative_operator.knative_operator.securityContext }}
securityContext:
{{ toYaml .Values.knative_operator.knative_operator.securityContext }}
{{- end }}
containers:
- name: knative-operator
image: "{{ .Values.knative_operator.knative_operator.image }}:{{ .Values.knative_operator.knative_operator.tag }}"
resources:
requests:
cpu: {{ .Values.knative_operator.knative_operator.resources.requests.cpu }}
memory: {{ .Values.knative_operator.knative_operator.resources.requests.memory }}
limits:
cpu: {{ .Values.knative_operator.knative_operator.resources.limits.cpu }}
memory: {{ .Values.knative_operator.knative_operator.resources.limits.memory }}
imagePullPolicy: IfNotPresent
env:
- name: POD_NAME
Expand All @@ -6240,6 +6366,13 @@ spec:
value: config-observability
- name: KUBERNETES_MIN_VERSION
value: "{{ .Values.knative_operator.kubernetes_min_version }}"
securityContext:
allowPrivilegeEscalation: {{ .Values.knative_operator.knative_operator.containerSecurityContext.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.knative_operator.knative_operator.containerSecurityContext.readOnlyRootFilesystem }}
runAsNonRoot: {{ .Values.knative_operator.knative_operator.containerSecurityContext.runAsNonRoot }}
capabilities:
drop:
- ALL
ports:
- name: metrics
containerPort: 9090
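Review bot: `{{ toYaml .Values.knative_operator.operator_webhook.annotations }}` on the line after `annotations:` in the first hunk indents only the first line it emits, so any annotations map with two or more keys renders its second key at column 0 and the chart stops parsing; the same pattern is repeated for `podAnnotations` and the pod-level `securityContext` of both the webhook and the operator Deployments. The idiomatic form is `{{- toYaml .Values.knative_operator.operator_webhook.annotations | nindent 4 }}` under the Deployment metadata and `nindent 8` under the pod template (the rendered view drops indentation, so confirm each depth against the template file). The `and` in `{{- if and .Values.knative_operator.operator_webhook.annotations }}` has a single operand and is a no-op; plain `{{- if .Values.knative_operator.operator_webhook.annotations }}` reads better. On the container `securityContext` lines, a nil value renders as `allowPrivilegeEscalation:` with nothing after it, which the API server treats as unset and therefore falls back to its more permissive defaults without any render-time signal; wrapping each of the three with `required`, e.g. `allowPrivilegeEscalation: {{ required "containerSecurityContext.allowPrivilegeEscalation must be set" .Values.knative_operator.operator_webhook.containerSecurityContext.allowPrivilegeEscalation }}`, makes an accidental removal of the baseline fail loudly. Since this PR also stops hack/generate-helm.sh from regenerating this template, these fixes have to be applied here directly rather than in config/.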
22 changes: 22 additions & 0 deletions config/charts/knative-operator/values.yaml
Expand Up @@ -2,7 +2,29 @@ knative_operator:
knative_operator:
image: gcr.io/knative-releases/knative.dev/operator/cmd/operator
tag: {{ tag }}
containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 1000m
memory: 1000Mi
operator_webhook:
image: gcr.io/knative-releases/knative.dev/operator/cmd/webhook
tag: {{ tag }}
containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 500m
memory: 500Mi
kubernetes_min_version: v1.25.0
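Review bot: The keys the template now reads but this file never declares — `annotations`, `podAnnotations` and the pod-level `securityContext` under both `knative_operator` and `operator_webhook` — cannot be discovered from values.yaml, so a chart user has no hint they exist. Add an empty default with a one-line comment for each, e.g. `podAnnotations: {}` and `securityContext: {}`, so that `helm show values` lists them. A comment above each `containerSecurityContext` should say that the template renders only `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `runAsNonRoot`, so any other key placed here is silently ignored, and that these three values are the chart's hardening baseline that overrides should not loosen. The operator's new `resources.limits` (`cpu: 1000m`, `memory: 1000Mi`) appear to introduce limits where the operator container previously had none, judging by the all-addition hunk in operator.yaml; that behaviour change deserves a sentence in the PR description.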
20 changes: 0 additions & 20 deletions hack/generate-helm.sh
Expand Up @@ -36,26 +36,6 @@ readonly TARGET_DIR="${CHARTS_DIR}/${NAME}"
# Create the directory, if it does not exist.
mkdir -p ${TARGET_DIR}/templates

# Generate the template based on the yaml files under config
echo "" > ${TARGET_DIR}/templates/operator.yaml
for filename in config/*.yaml; do
if [[ $filename == *namespace.yaml ]]; then
continue
fi
cat $filename >> ${TARGET_DIR}/templates/operator.yaml
echo -e "\n---" >> ${TARGET_DIR}/templates/operator.yaml
done

# Replace the namespace and images with the helm parameters
sed -i.bak 's/namespace: knative-operator/namespace: "{{ .Release.Namespace }}"/g' ${TARGET_DIR}/templates/operator.yaml
sed -i.bak 's/image: ko:\/\/knative.dev\/operator\/cmd\/operator/image: "{{ .Values.knative_operator.knative_operator.image }}:{{ .Values.knative_operator.knative_operator.tag }}"/g' ${TARGET_DIR}/templates/operator.yaml
sed -i.bak 's/image: ko:\/\/knative.dev\/operator\/cmd\/webhook/image: "{{ .Values.knative_operator.operator_webhook.image }}:{{ .Values.knative_operator.operator_webhook.tag }}"/g' ${TARGET_DIR}/templates/operator.yaml
sed -i.bak 's/operator.knative.dev\/release: devel/operator.knative.dev\/release: "v{{ .Chart.Version }}"/g' ${TARGET_DIR}/templates/operator.yaml
sed -i.bak 's/app.kubernetes.io\/version: devel/app.kubernetes.io\/version: "{{ .Chart.Version }}"/g' ${TARGET_DIR}/templates/operator.yaml
sed -i.bak 's/value: ""/value: "{{ .Values.knative_operator.kubernetes_min_version }}"/g' ${TARGET_DIR}/templates/operator.yaml

rm ${TARGET_DIR}/templates/operator.yaml.bak

sed -i.bak "s/{{ version }}/${VERSION:1}/g" ${TARGET_DIR}/Chart.yaml
sed -i.bak "s/{{ tag }}/${VERSION}/g" ${TARGET_DIR}/values.yaml
