Skip to content

Commit

Permalink
feat: policy server deployment tolerations.
Browse files Browse the repository at this point in the history
Updates the PolicyServer CRDs to allow users to define the toleration to
be used in the policy server deployment.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
  • Loading branch information
jvanz committed Jul 2, 2024
1 parent 235d006 commit 8b4790e
Show file tree
Hide file tree
Showing 6 changed files with 116 additions and 20 deletions.
5 changes: 5 additions & 0 deletions api/policies/v1/policyserver_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,11 @@ type PolicyServerSpec struct {
// otherwise to an implementation-defined value
// +optional
Requests corev1.ResourceList `json:"requests,omitempty"`

// Tolerations describes the policy server pod's tolerations. It can be
// user to ensure that the policy server pod is not scheduled onto a
// node with a taint.
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}

type ReconciliationTransitionReason string
Expand Down
11 changes: 9 additions & 2 deletions api/policies/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions api/policies/v1alpha2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

42 changes: 42 additions & 0 deletions config/crd/bases/policies.kubewarden.io_policyservers.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1580,6 +1580,48 @@ spec:
`sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden
documentation in the reference section.
type: object
tolerations:
description: |-
Tolerations describes the policy server pod's tolerations. It can be
user to ensure that the policy server pod is not scheduled onto a
node with a taint.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
verificationConfig:
description: |-
Name of VerificationConfig configmap in the same namespace, containing
Expand Down
1 change: 1 addition & 0 deletions internal/controller/policyserver_controller_deployment.go
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ func (r *PolicyServerReconciler) updatePolicyServerDeployment(policyServer *poli
SecurityContext: podSecurityContext,
Containers: []corev1.Container{admissionContainer},
ServiceAccountName: policyServer.Spec.ServiceAccountName,
Tolerations: policyServer.Spec.Tolerations,
Volumes: []corev1.Volume{
{
Name: policyStoreVolume,
Expand Down
73 changes: 57 additions & 16 deletions internal/controller/policyserver_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,46 @@ var _ = Describe("PolicyServer controller", func() {
})

When("creating a PolicyServer", func() {
It("should use the policy server tolerations configuration in the policy server deployment", func() {
tolerationSeconds := int64(10)
policyServer := policyServerFactory(policyServerName)
policyServer.Spec.Tolerations = []corev1.Toleration{{
Key: "key1",
Operator: corev1.TolerationOpEqual,
Value: "value1",
Effect: corev1.TaintEffectNoSchedule,
TolerationSeconds: nil,
}, {
Key: "key2",
Operator: corev1.TolerationOpEqual,
Value: "value2",
Effect: corev1.TaintEffectNoExecute,
TolerationSeconds: &tolerationSeconds,
}}
createPolicyServerAndWaitForItsService(policyServer)
deployment, err := getTestPolicyServerDeployment(policyServerName)
Expect(err).ToNot(HaveOccurred())
Expect(deployment.Spec.Template.Spec.Tolerations).To(MatchAllElements(func(element interface{}) string {
toleration, _ := element.(corev1.Toleration)
return toleration.Key
}, Elements{
"key1": MatchAllFields(Fields{
"Key": Equal("key1"),
"Operator": Equal(corev1.TolerationOpEqual),
"Value": Equal("value1"),
"Effect": Equal(corev1.TaintEffectNoSchedule),
"TolerationSeconds": BeNil(),
}),
"key2": MatchAllFields(Fields{
"Key": Equal("key2"),
"Operator": Equal(corev1.TolerationOpEqual),
"Value": Equal("value2"),
"Effect": Equal(corev1.TaintEffectNoExecute),
"TolerationSeconds": PointTo(Equal(tolerationSeconds)),
}),
}))
})

It("should use the policy server affinity configuration in the policy server deployment", func() {
policyServer := policyServerFactory(policyServerName)
policyServer.Spec.Affinity = corev1.Affinity{
Expand Down Expand Up @@ -311,22 +351,23 @@ var _ = Describe("PolicyServer controller", func() {
"SeccompProfile": BeNil(),
})),
})))
By("checking the deployment pod security context")
Expect(deployment.Spec.Template.Spec.SecurityContext).To(PointTo(MatchFields(IgnoreExtras, Fields{
"SELinuxOptions": BeNil(),
"WindowsOptions": BeNil(),
"RunAsUser": BeNil(),
"RunAsGroup": BeNil(),
"RunAsNonRoot": BeNil(),
"SupplementalGroups": BeNil(),
"FSGroup": BeNil(),
"Sysctls": BeNil(),
"FSGroupChangePolicy": BeNil(),
"SeccompProfile": BeNil(),
})))

By("checking the deployment affinity")
Expect(deployment.Spec.Template.Spec.Affinity).To(BeNil())
By("checking the deployment spec")
Expect(deployment.Spec.Template.Spec).To(MatchFields(IgnoreExtras, Fields{
"Tolerations": BeEmpty(),
"SecurityContext": PointTo(MatchFields(IgnoreExtras, Fields{
"SELinuxOptions": BeNil(),
"WindowsOptions": BeNil(),
"RunAsUser": BeNil(),
"RunAsGroup": BeNil(),
"RunAsNonRoot": BeNil(),
"SupplementalGroups": BeNil(),
"FSGroup": BeNil(),
"Sysctls": BeNil(),
"FSGroupChangePolicy": BeNil(),
"SeccompProfile": BeNil(),
})),
"Affinity": BeNil(),
}))
})

It("should create the policy server deployment and use the user defined security contexts", func() {
Expand Down

0 comments on commit 8b4790e

Please sign in to comment.