From 0d5f6e7c2b9d225a16ea9b7b761bed065e8d656b Mon Sep 17 00:00:00 2001 From: AshutoshNirkhe Date: Thu, 27 Jan 2022 15:54:30 +0530 Subject: [PATCH 1/5] Separate parameters like resources, securityContext for keda-operator and metrics-apiserver, fixes #232 Signed-off-by: AshutoshNirkhe --- keda/Chart.yaml | 2 +- keda/README.md | 2 +- keda/templates/12-keda-deployment.yaml | 6 ++-- keda/templates/22-metrics-deployment.yaml | 6 ++-- keda/values.yaml | 42 +++++++++++++++-------- 5 files changed, 36 insertions(+), 22 deletions(-) diff --git a/keda/Chart.yaml b/keda/Chart.yaml index e72f69a9..afb194bf 100644 --- a/keda/Chart.yaml +++ b/keda/Chart.yaml @@ -4,7 +4,7 @@ description: Event-based autoscaler for workloads on Kubernetes # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.5.1 +version: 2.5.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/keda/README.md b/keda/README.md index 6d983c69..f6c72c4e 100644 --- a/keda/README.md +++ b/keda/README.md 
@@ -84,7 +84,7 @@ their default values. | `logging.operator.format` | Logging format for KEDA Operator. Allowed values are 'console' & 'json'. | `console` | | `logging.operator.timeFormat` | Logging time format for KEDA Operator. Allowed values are 'epoch', 'millis', 'nano', or 'iso8601'. | `epoch` | | `logging.metricServer.level` | Logging level for Metrics Server.Policy to use to pull Docker images. Allowed values are '0' for info, '4' for debug, or an integer value greater than 0, specified as string | `0` | -| `securityContext` | Security context of the pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` | +| `securityContext` | Security context of the containers within pod. ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `{}` | | `podSecurityContext` | Pod security context of the pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` | | `resources` | Manage resource request & limits of KEDA workload ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` | | `nodeSelector` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) | `{}` | diff --git a/keda/templates/12-keda-deployment.yaml b/keda/templates/12-keda-deployment.yaml index 1e972898..b7b4bab2 100644 --- a/keda/templates/12-keda-deployment.yaml +++ b/keda/templates/12-keda-deployment.yaml 
@@ -40,11 +40,11 @@ spec: {{- end }} serviceAccountName: {{ .Values.serviceAccount.name }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.podSecurityContext.operator | nindent 8 }} containers: - name: {{ .Values.operator.name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext.operator | nindent 12 }} image: "{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}" command: - "/keda" @@ -96,7 +96,7 @@ spec: {{- toYaml .Values.volumes.keda.extraVolumeMounts | nindent 12 }} {{- end }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.resources.operator | nindent 12 }} volumes: {{- if .Values.grpcTLSCertsSecret }} - name: grpc-certs diff --git a/keda/templates/22-metrics-deployment.yaml b/keda/templates/22-metrics-deployment.yaml index 0305588f..47f2a794 100644 --- a/keda/templates/22-metrics-deployment.yaml +++ b/keda/templates/22-metrics-deployment.yaml @@ -43,11 +43,11 @@ spec: {{- end }} serviceAccountName: {{ .Values.serviceAccount.name }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }} containers: - name: {{ .Values.operator.name }}-metrics-apiserver securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext.metricServer | nindent 12 }} image: "{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} livenessProbe: @@ -106,7 +106,7 @@ spec: {{- toYaml .Values.volumes.metricsApiServer.extraVolumeMounts | nindent 12 }} {{- end }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.resources.metricServer | nindent 12 }} volumes: {{- if .Values.grpcTLSCertsSecret }} - name: grpc-certs 
diff --git a/keda/values.yaml b/keda/values.yaml index aa2ce93e..3857a932 100644 --- a/keda/values.yaml +++ b/keda/values.yaml @@ -89,15 +89,21 @@ logging: level: 0 podSecurityContext: {} - # fsGroup: 2000 + # operator: + # fsGroup: 2000 + # metricServer: + # fsGroup: 2000 securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + # operator: + # allowPrivilegeEscalation: false + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + # metricServer: + # allowPrivilegeEscalation: false + # runAsNonRoot: true + # runAsUser: 1000 service: type: ClusterIP @@ -113,13 +119,21 @@ service: # If you want to specify the resources (or totally remove the defaults), change or comment the following # lines, adjust them as necessary, or simply add the curly braces after 'operator' and/or 'metricServer' # and remove/comment the default values -resources: - limits: - cpu: 1 - memory: 1000Mi - requests: - cpu: 100m - memory: 100Mi +resources: + operator: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + metricServer: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi nodeSelector: {} From 37783d1187518352a4b4acede5da6fdc785fbadb Mon Sep 17 00:00:00 2001 From: AshutoshNirkhe Date: Thu, 27 Jan 2022 17:10:28 +0530 Subject: [PATCH 2/5] Separate parameters like resources, securityContext for keda-operator and metrics-apiserver, fixes #232 Signed-off-by: AshutoshNirkhe --- keda/Chart.yaml | 2 +- keda/templates/12-keda-deployment.yaml | 12 ++++++++++++ keda/templates/22-metrics-deployment.yaml | 12 ++++++++++++ 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/keda/Chart.yaml b/keda/Chart.yaml index afb194bf..e72f69a9 100644 --- a/keda/Chart.yaml +++ b/keda/Chart.yaml 
@@ -4,7 +4,7 @@ description: Event-based autoscaler for workloads on Kubernetes # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.5.2 +version: 2.5.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/keda/templates/12-keda-deployment.yaml b/keda/templates/12-keda-deployment.yaml index b7b4bab2..f539dca3 100644 --- a/keda/templates/12-keda-deployment.yaml +++ b/keda/templates/12-keda-deployment.yaml @@ -40,11 +40,19 @@ spec: {{- end }} serviceAccountName: {{ .Values.serviceAccount.name }} securityContext: + {{- if .Values.podSecurityContext.operator }} {{- toYaml .Values.podSecurityContext.operator | nindent 8 }} + {{- else }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: {{ .Values.operator.name }} securityContext: + {{- if .Values.securityContext.operator }} {{- toYaml .Values.securityContext.operator | nindent 12 }} + {{- else }} + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} image: "{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}" command: - "/keda" @@ -96,7 +104,11 @@ spec: {{- toYaml .Values.volumes.keda.extraVolumeMounts | nindent 12 }} {{- end }} resources: + {{- if .Values.resources.operator }} {{- toYaml .Values.resources.operator | nindent 12 }} + {{- else }} + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} volumes: {{- if .Values.grpcTLSCertsSecret }} - name: grpc-certs diff --git a/keda/templates/22-metrics-deployment.yaml b/keda/templates/22-metrics-deployment.yaml index 47f2a794..7fd74136 100644 --- a/keda/templates/22-metrics-deployment.yaml +++ b/keda/templates/22-metrics-deployment.yaml 
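Review bot: The `else` branches under both `securityContext:` keys in 12-keda-deployment.yaml render the whole `.Values.podSecurityContext` / `.Values.securityContext` map, so when only the other component's sub-key is set (for example `securityContext.metricServer` alone, or alongside shared top-level fields), the operator container's securityContext is emitted with a nested `metricServer:` key. That key is not a SecurityContext field and will likely fail validation at install time. Strip the component keys in the fallback, e.g. `{{- toYaml (omit .Values.securityContext "operator" "metricServer") | nindent 12 }}`, and do the same for `podSecurityContext`. A per-component value also replaces the shared one rather than merging with it, so shared hardening such as `runAsNonRoot` is lost for a component as soon as its own key is set; that is worth stating in values.yaml next to the examples. The `@@ -43,11 +43,19 @@` hunk of 22-metrics-deployment.yaml has the same pattern with the roles reversed.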
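Review bot: The `else` branch under `resources:` (hunk `@@ -96,7 +104,11 @@`) looks unreachable for anyone upgrading with the old flat override, because patch 1/5 moved the chart defaults to `resources.operator` and `resources.metricServer` in values.yaml. Helm merges user values over the chart defaults, so `.Values.resources.operator` stays set and a user-supplied top-level `resources.limits` is silently ignored in favour of the defaults. If the flat form is meant to keep working, leave the per-component keys commented out in values.yaml as was done for `securityContext`, and render the fallback as `{{- toYaml (omit .Values.resources "operator" "metricServer") | nindent 12 }}` so component keys never leak into the container spec. The `@@ -106,7 +114,11 @@` hunk of 22-metrics-deployment.yaml has the same shape.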
@@ -43,11 +43,19 @@ spec: {{- end }} serviceAccountName: {{ .Values.serviceAccount.name }} securityContext: + {{- if .Values.podSecurityContext.metricServer }} {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }} + {{- else }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: {{ .Values.operator.name }}-metrics-apiserver securityContext: + {{- if .Values.securityContext.metricServer }} {{- toYaml .Values.securityContext.metricServer | nindent 12 }} + {{- else }} + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} image: "{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} livenessProbe: @@ -106,7 +114,11 @@ spec: {{- toYaml .Values.volumes.metricsApiServer.extraVolumeMounts | nindent 12 }} {{- end }} resources: + {{- if .Values.resources.metricServer }} {{- toYaml .Values.resources.metricServer | nindent 12 }} + {{- else }} + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} volumes: {{- if .Values.grpcTLSCertsSecret }} - name: grpc-certs From d93a50f4194ea1fe1b661dc73234d349a7a5c53d Mon Sep 17 00:00:00 2001 From: AshutoshNirkhe Date: Thu, 27 Jan 2022 18:21:51 +0530 Subject: [PATCH 3/5] Separate parameters like resources, securityContext for keda-operator and metrics-apiserver, fixes #232 Signed-off-by: AshutoshNirkhe --- keda/README.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/keda/README.md b/keda/README.md index f6c72c4e..ae41752d 100644 --- a/keda/README.md +++ b/keda/README.md 
@@ -84,9 +84,15 @@ their default values. | `logging.operator.format` | Logging format for KEDA Operator. Allowed values are 'console' & 'json'. | `console` | | `logging.operator.timeFormat` | Logging time format for KEDA Operator. Allowed values are 'epoch', 'millis', 'nano', or 'iso8601'. | `epoch` | | `logging.metricServer.level` | Logging level for Metrics Server.Policy to use to pull Docker images. Allowed values are '0' for info, '4' for debug, or an integer value greater than 0, specified as string | `0` | -| `securityContext` | Security context of the containers within pod. ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `{}` | -| `podSecurityContext` | Pod security context of the pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` | -| `resources` | Manage resource request & limits of KEDA workload ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` | +| `securityContext` | Security context of the containers (legacy option) ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `{}` | +| `securityContext.operator` | Security context of the operator container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `` | +| `securityContext.metricServer` | Security context of the metricServer container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `` | +| `podSecurityContext` | Pod security context of the pods (legacy option) ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` | +| `podSecurityContext.operator` | Pod security context of the KEDA operator pod 
([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `` | +| `podSecurityContext.metricServer` | Pod security context of the KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `` | +| `resources` | Manage resource request & limits of KEDA workload (legacy option) ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` | +| `resources.operator` | Manage resource request & limits of KEDA operator pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` | +| `resources.metricServer` | Manage resource request & limits of KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` | | `nodeSelector` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) | `{}` | | `tolerations` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) | `{}` | | `affinity` | Affinity for pod scheduling ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)) | `{}` | From 46889d5ca84940d9bbe24cebd2bfb4d4c0dc209c Mon Sep 17 00:00:00 2001 From: AshutoshNirkhe Date: Thu, 27 Jan 2022 18:25:59 +0530 Subject: [PATCH 4/5] Separate parameters like resources, securityContext for keda-operator and metrics-apiserver, fixes #232 Signed-off-by: AshutoshNirkhe --- keda/values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/keda/values.yaml b/keda/values.yaml index 3857a932..b9c64986 100644 --- a/keda/values.yaml +++ b/keda/values.yaml 
@@ -96,11 +96,17 @@ podSecurityContext: {} securityContext: {} # operator: + # capabilities: + # drop: + # - ALL # allowPrivilegeEscalation: false # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 # metricServer: + # capabilities: + # drop: + # - ALL # allowPrivilegeEscalation: false # runAsNonRoot: true # runAsUser: 1000 From d6d50aee3a124933148a7b11fcb0843939b20fa0 Mon Sep 17 00:00:00 2001 From: AshutoshNirkhe Date: Thu, 27 Jan 2022 18:38:47 +0530 Subject: [PATCH 5/5] Separate parameters like resources, securityContext for keda-operator and metrics-apiserver, fixes #232 Signed-off-by: AshutoshNirkhe --- keda/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/keda/README.md b/keda/README.md index ae41752d..cac1134a 100644 --- a/keda/README.md +++ b/keda/README.md 
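Review bot: The commented `metricServer` example still omits `readOnlyRootFilesystem: true`, which the `operator` example sets, and nothing in the file says whether that is deliberate. If the metrics apiserver needs a writable root filesystem, record that next to the example, e.g. `# readOnlyRootFilesystem is left out: the metrics apiserver writes to its root filesystem (confirm)`; otherwise add the setting so both examples show the same baseline. Users tend to copy these blocks verbatim, so an unexplained gap would carry into deployed pods.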
@@ -84,13 +84,13 @@ their default values. | `logging.operator.format` | Logging format for KEDA Operator. Allowed values are 'console' & 'json'. | `console` | | `logging.operator.timeFormat` | Logging time format for KEDA Operator. Allowed values are 'epoch', 'millis', 'nano', or 'iso8601'. | `epoch` | | `logging.metricServer.level` | Logging level for Metrics Server.Policy to use to pull Docker images. Allowed values are '0' for info, '4' for debug, or an integer value greater than 0, specified as string | `0` | -| `securityContext` | Security context of the containers (legacy option) ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `{}` | +| `securityContext` | Security context for all containers ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `{}` | | `securityContext.operator` | Security context of the operator container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `` | | `securityContext.metricServer` | Security context of the metricServer container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `` | -| `podSecurityContext` | Pod security context of the pods (legacy option) ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` | +| `podSecurityContext` | Pod security context for all pods ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` | | `podSecurityContext.operator` | Pod security context of the KEDA operator pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `` | | `podSecurityContext.metricServer` | Pod security context of the KEDA metrics apiserver pod 
([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `` | -| `resources` | Manage resource request & limits of KEDA workload (legacy option) ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` | +| `resources` | Manage resource request & limits of all KEDA workloads ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` | | `resources.operator` | Manage resource request & limits of KEDA operator pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` | | `resources.metricServer` | Manage resource request & limits of KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` | | `nodeSelector` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) | `{}` |