diff --git a/keda/README.md b/keda/README.md
index 6d983c69..cac1134a 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -84,9 +84,15 @@ their default values.
 | `logging.operator.format` | Logging format for KEDA Operator. Allowed values are 'console' & 'json'. | `console` |
 | `logging.operator.timeFormat` | Logging time format for KEDA Operator. Allowed values are 'epoch', 'millis', 'nano', or 'iso8601'. | `epoch` |
 | `logging.metricServer.level` | Logging level for Metrics Server.Policy to use to pull Docker images. Allowed values are '0' for info, '4' for debug, or an integer value greater than 0, specified as string | `0` |
-| `securityContext` | Security context of the pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` |
-| `podSecurityContext` | Pod security context of the pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` |
-| `resources` | Manage resource request & limits of KEDA workload ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` |
+| `securityContext` | Security context for all containers ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `{}` |
+| `securityContext.operator` | Security context of the operator container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `` |
+| `securityContext.metricServer` | Security context of the metricServer container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `` |
+| `podSecurityContext` | Pod security context for all pods ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` |
+| `podSecurityContext.operator` | Pod security context of the KEDA operator pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `` |
+| `podSecurityContext.metricServer` | Pod security context of the KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `` |
+| `resources` | Manage resource request & limits of all KEDA workloads ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` |
+| `resources.operator` | Manage resource request & limits of KEDA operator pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` |
+| `resources.metricServer` | Manage resource request & limits of KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` |
 | `nodeSelector` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) | `{}` |
 | `tolerations` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) | `{}` |
 | `affinity` | Affinity for pod scheduling ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)) | `{}` |
diff --git a/keda/templates/12-keda-deployment.yaml b/keda/templates/12-keda-deployment.yaml
index 1e972898..f539dca3 100644
--- a/keda/templates/12-keda-deployment.yaml
+++ b/keda/templates/12-keda-deployment.yaml
@@ -40,11 +40,19 @@ spec:
 {{- end }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
 securityContext:
+ {{- if .Values.podSecurityContext.operator }}
+ {{- toYaml .Values.podSecurityContext.operator | nindent 8 }}
+ {{- else }}
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 containers:
 - name: {{ .Values.operator.name }}
 securityContext:
+ {{- if .Values.securityContext.operator }}
+ {{- toYaml .Values.securityContext.operator | nindent 12 }}
+ {{- else }}
 {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
 image: "{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}"
 command:
 - "/keda"
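Review bot: The `else` branches still render the whole `.Values.podSecurityContext` / `.Values.securityContext` map, which can now also contain the `operator` and `metricServer` sub-keys. If only `securityContext.metricServer` is set, or shared fields are mixed with one component key, the operator container gets a `metricServer:` key inside its `securityContext`; that is not a valid field, so the manifest would presumably be rejected or the intended hardening not applied. The fallback should strip the component keys, e.g. `{{- toYaml (omit .Values.securityContext "operator" "metricServer") | nindent 12 }}`, and the same for `podSecurityContext`. The same pattern is in the `resources` hunk of this file and in all three hunks of `22-metrics-deployment.yaml`. The enclosing `spec:` block starts and ends outside the hunk.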
@@ -96,7 +104,11 @@ spec:
 {{- toYaml .Values.volumes.keda.extraVolumeMounts | nindent 12 }}
 {{- end }}
 resources:
+ {{- if .Values.resources.operator }}
+ {{- toYaml .Values.resources.operator | nindent 12 }}
+ {{- else }}
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
 volumes:
 {{- if .Values.grpcTLSCertsSecret }}
 - name: grpc-certs
diff --git a/keda/templates/22-metrics-deployment.yaml b/keda/templates/22-metrics-deployment.yaml
index 0305588f..7fd74136 100644
--- a/keda/templates/22-metrics-deployment.yaml
+++ b/keda/templates/22-metrics-deployment.yaml
@@ -43,11 +43,19 @@ spec:
 {{- end }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
 securityContext:
+ {{- if .Values.podSecurityContext.metricServer }}
+ {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }}
+ {{- else }}
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 containers:
 - name: {{ .Values.operator.name }}-metrics-apiserver
 securityContext:
+ {{- if .Values.securityContext.metricServer }}
+ {{- toYaml .Values.securityContext.metricServer | nindent 12 }}
+ {{- else }}
 {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
 image: "{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 livenessProbe:
@@ -106,7 +114,11 @@ spec:
 {{- toYaml .Values.volumes.metricsApiServer.extraVolumeMounts | nindent 12 }}
 {{- end }}
 resources:
+ {{- if .Values.resources.metricServer }}
+ {{- toYaml .Values.resources.metricServer | nindent 12 }}
+ {{- else }}
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
 volumes:
 {{- if .Values.grpcTLSCertsSecret }}
 - name: grpc-certs
diff --git a/keda/values.yaml b/keda/values.yaml
index aa2ce93e..b9c64986 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
@@ -89,15 +89,27 @@ logging:
 level: 0
 podSecurityContext: {}
- # fsGroup: 2000
+ # operator:
+ # fsGroup: 2000
+ # metricServer:
+ # fsGroup: 2000
 securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+ # operator:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # metricServer:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # runAsNonRoot: true
+ # runAsUser: 1000
 service:
 type: ClusterIP
@@ -113,13 +125,21 @@ service:
 # If you want to specify the resources (or totally remove the defaults), change or comment the following
 # lines, adjust them as necessary, or simply add the curly braces after 'operator' and/or 'metricServer'
 # and remove/comment the default values
-resources:
- limits:
- cpu: 1
- memory: 1000Mi
- requests:
- cpu: 100m
- memory: 100Mi
+resources:
+ operator:
+ limits:
+ cpu: 1
+ memory: 1000Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ metricServer:
+ limits:
+ cpu: 1
+ memory: 1000Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
 nodeSelector: {}
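Review bot: The commented `metricServer` example leaves out `readOnlyRootFilesystem: true` while the `operator` example keeps it, and nothing says whether that is deliberate. Someone copying the block cannot tell whether the metrics apiserver needs a writable root filesystem or the line was simply forgotten; a one-line comment above the `metricServer` example, such as `# readOnlyRootFilesystem is omitted for metricServer because <reason>`, would settle it. Both `podSecurityContext` and `securityContext` still default to `{}`, so none of these settings applies unless the user opts in.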
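Review bot: Moving the defaults under `resources.operator` and `resources.metricServer` makes both template conditions true with the shipped values, so an existing override written in the old shape (`resources.limits` / `resources.requests` at the top level) is merged next to the new keys and silently ignored. A release upgraded with such a values file falls back to the chart's default limits without any error. Either keep the shared defaults at the top level and leave the component keys commented out, as is done for `securityContext`, or say so in the comment above the block: `# top-level resources.limits/requests are ignored while resources.operator or resources.metricServer is set`. The README row for `resources` also still lists `{}` as the default.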