feat(shield): pod disruption budget support for the cluster shield #2275

Open
wants to merge 1 commit into
base: main
2 changes: 1 addition & 1 deletion charts/shield/Chart.yaml
Expand Up @@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: marcovito.moscaritolo@sysdig.com
type: application
version: 1.8.0
version: 1.9.0
appVersion: "1.0.0"
2 changes: 2 additions & 0 deletions charts/shield/README.md
Expand Up @@ -246,6 +246,8 @@ The following table lists the configurable parameters of the `shield` chart and
| cluster.env | The custom environment variables for cluster shield | <code>[]</code> |
| cluster.volumes | The custom volumes for cluster shield | <code>[]</code> |
| cluster.volume_mounts | The custom volume mounts for cluster shield | <code>[]</code> |
| cluster.pod_disruption_budget.create | Create the PodDisruptionBudget for the cluster shield | <code>true</code> |
| cluster.pod_disruption_budget.min_available | The minimum number of available pods for the cluster shield | <code>1</code> |
| ssl.verify | Enable SSL verification | <code>true</code> |
| ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | <code>[]</code> |
| ssl.ca.key_name | Filename that is used when creating the secret. Required if cert is provided. | <code></code> |
12 changes: 12 additions & 0 deletions charts/shield/templates/cluster/poddisruptionbudget.yaml
@@ -0,0 +1,12 @@
{{- if dig "pod_disruption_budget" "create" true .Values.cluster }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "cluster.fullname" . | trunc 60 }}-pdb
namespace: {{ .Release.Namespace }}
spec:
minAvailable: {{ dig "pod_disruption_budget" "min_available" 1 .Values.cluster }}
selector:
matchLabels:
{{ include "cluster.selector_labels" . | nindent 6 }}
{{- end }}
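Review bot: `minAvailable` falls back to 1 and the budget renders by default (`create` falls back to true), so on any install where the cluster shield runs a single replica the budget permits zero voluntary evictions and a node drain will stall on that pod. Consider rendering the PDB only when the configured replica count is greater than `min_available`, or offering a `max_unavailable` option so a drain can always make progress. Separately, `trunc 60` followed by `-pdb` can yield a 64-character name; `trunc 59` keeps it within the 63-character bound most chart helpers hold to.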
46 changes: 46 additions & 0 deletions charts/shield/tests/cluster/poddisruptionbudget_test.yaml
@@ -0,0 +1,46 @@
suite: Cluster - PodDisruptionBudget
templates:
- templates/cluster/poddisruptionbudget.yaml
release:
name: release-name
namespace: shield-namespace
values:
- ../values/base.yaml
tests:
- it: PodDisruptionBudget is created
asserts:
- isKind:
of: PodDisruptionBudget
- isSubset:
path: metadata
content:
name: release-name-shield-cluster-pdb
namespace: shield-namespace
- equal:
path: spec.minAvailable
value: 1
- isSubset:
path: spec.selector.matchLabels
content:
app.kubernetes.io/instance: release-name
app.kubernetes.io/name: shield
sysdig/component: cluster

- it: PodDisruptionBudget is not created when disabled
set:
cluster:
pod_disruption_budget:
create: false
asserts:
- hasDocuments:
count: 0

- it: PodDisruptionBudget minAvailable is configurable
set:
cluster:
pod_disruption_budget:
min_available: 2
asserts:
- equal:
path: spec.minAvailable
value: 2
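Review bot: the `isSubset` assertion on `spec.selector.matchLabels` in the first case still passes if the template renders extra selector labels, and a PDB whose selector carries a label the pods lack protects nothing. Assert the full map with `equal` instead, and add a case with a long release name to cover the `trunc 60` path in `metadata.name`.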
18 changes: 18 additions & 0 deletions charts/shield/values.schema.json
Expand Up @@ -329,6 +329,24 @@
"env": {
"$ref": "#/$defs/EnvVars"
},
"pod_disruption_budget": {
"type": "object",
"description": "Pod disruption budget configuration for the Cluster Shield pods",
"properties": {
"create": {
"type": "boolean",
"description": "Create a Pod Disruption Budget for the Cluster Shield pods",
"default": true
},
"min_available": {
"type": ["integer"],
"description": "Minimum number of pods that must be available",
"default": 1,
"minimum": 1
}
},
"additionalProperties": false
},
"security_context": {
"type": "object"
},
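Review bot: `"type": ["integer"]` on `min_available` is a single-element array; write `"type": "integer"` to match the `"type": "boolean"` form used for `create` just above it. Integer-only also rules out the percentage form (for example `"50%"`) that the Kubernetes `minAvailable` field accepts; if that is intentional, say so in the description, otherwise allow a string here and quote the value in the template.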
7 changes: 7 additions & 0 deletions charts/shield/values.yaml
Expand Up @@ -495,6 +495,13 @@ cluster:
# The custom volume mounts for cluster shield
volume_mounts: []

# Defines the PodDisruptionBudget for the cluster shield
pod_disruption_budget:
# Create the PodDisruptionBudget for the cluster shield
create: true
# The minimum number of available pods for the cluster shield
min_available: 1

ssl:
# Enable SSL verification
verify: true
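Review bot: `create: true` as the default under `pod_disruption_budget` means every existing release gains a new PodDisruptionBudget on upgrade to this chart version, with no opt-in. Call this out in the release notes or default to `false`: an upgrade run by an identity without permission to create `poddisruptionbudgets` will fail, and operators may not expect a new eviction constraint to appear.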