-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7ab6ad4
commit 31b9e36
Showing
7 changed files
with
137 additions
and
40 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - mutating-policies | ||
| - mutating-policies/spread-pods/spread-pods.yaml |
4 changes: 0 additions & 4 deletions
4
applications/base/kyverno-policies/mutating-policies/kustomization.yaml
This file was deleted.
Oops, something went wrong.
35 changes: 0 additions & 35 deletions
35
applications/base/kyverno-policies/mutating-policies/spread-pods.yaml
This file was deleted.
Oops, something went wrong.
16 changes: 16 additions & 0 deletions
16
...tions/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/kyverno-test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| apiVersion: cli.kyverno.io/v1alpha1 | ||
| kind: Test | ||
| metadata: | ||
| name: spread-pods-test | ||
| policies: | ||
| - ../spread-pods.yaml | ||
| resources: | ||
| - resource.yaml | ||
| results: | ||
| - policy: spread-pods | ||
| rule: spread-statefulset-across-zones | ||
| kind: StatefulSet | ||
| resources: | ||
| - my-statefulset | ||
| patchedResource: patched.yaml | ||
| result: pass |
18 changes: 18 additions & 0 deletions
18
applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/patched.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| apiVersion: apps/v1 | ||
| kind: StatefulSet | ||
| metadata: | ||
| name: my-statefulset | ||
| spec: | ||
| serviceName: "my-service" | ||
| replicas: 3 | ||
| selector: | ||
| matchLabels: | ||
| app: my-app | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: my-app | ||
| spec: | ||
| containers: | ||
| - name: my-app | ||
| image: my-app:1.0.0 |
18 changes: 18 additions & 0 deletions
18
applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/resource.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| apiVersion: apps/v1 | ||
| kind: StatefulSet | ||
| metadata: | ||
| name: my-statefulset | ||
| spec: | ||
| serviceName: "my-service" | ||
| replicas: 3 | ||
| selector: | ||
| matchLabels: | ||
| app: my-app | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: my-app | ||
| spec: | ||
| containers: | ||
| - name: my-app | ||
| image: my-app:1.0.0 |
84 changes: 84 additions & 0 deletions
84
applications/base/kyverno-policies/mutating-policies/spread-pods/spread-pods.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| apiVersion: kyverno.io/v1 | ||
| kind: ClusterPolicy | ||
| metadata: | ||
| name: spread-pods | ||
| annotations: | ||
| policies.kyverno.io/title: Spread Pods Across Nodes | ||
| policies.kyverno.io/category: Sample | ||
| policies.kyverno.io/subject: Deployment, StatefulSet, Pod | ||
| policies.kyverno.io/minversion: 1.6.0 | ||
| policies.kyverno.io/description: >- | ||
| Deployments to a Kubernetes cluster with multiple availability zones often | ||
| need to distribute those replicas to align with those zones to ensure | ||
| site-level failures do not impact availability. This policy matches | ||
| Deployments with two or more replicas and mutates them to spread Pods | ||
| across zones. | ||
| spec: | ||
| rules: | ||
| - name: spread-deployment-across-zones | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Deployment | ||
| preconditions: &preconditions | ||
| all: | ||
| - key: "{{request.object.spec.replicas}}" | ||
| operator: GreaterThanOrEquals | ||
| value: 2 | ||
| any: | ||
| # Check if the topologySpreadConstraints field already exists. This is | ||
| # done in the precondition because of the "tracking" managed-by field. | ||
| - key: "{{request.object.spec.template.spec.topologySpreadConstraints || ''}}" | ||
| operator: Equals | ||
| value: "" | ||
| - key: >- | ||
| {{request.object.metadata.annotations."topology.jacobcolvin.com/managed-by"}} | ||
| operator: Equals | ||
| value: "kyverno" | ||
| - key: >- | ||
| {{request.object.metadata.labels."topology.jacobcolvin.com/managed-by"}} | ||
| operator: Equals | ||
| value: "kyverno" | ||
| mutate: | ||
| patchesJson6902: |- | ||
| - path: "/metadata/labels/topology.jacobcolvin.com~1managed-by" | ||
| op: add | ||
| value: kyverno | ||
| - path: "/spec/template/spec/topologySpreadConstraints" | ||
| op: replace | ||
| value: | ||
| - maxSkew: 1 | ||
| minDomains: 2 | ||
| topologyKey: topology.kubernetes.io/zone | ||
| whenUnsatisfiable: DoNotSchedule | ||
| - name: spread-statefulset-across-zones | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - StatefulSet | ||
| preconditions: *preconditions | ||
| mutate: | ||
| patchesJson6902: |- | ||
| - path: "/metadata/labels/topology.jacobcolvin.com~1managed-by" | ||
| op: add | ||
| value: kyverno | ||
| - path: "/spec/template/spec" | ||
| op: add | ||
| value: | ||
| topologySpreadConstraints: | ||
| - maxSkew: 1 | ||
| minDomains: 2 | ||
| topologyKey: topology.kubernetes.io/zone | ||
| labelSelector: {{request.object.spec.selector}} | ||
| matchLabelKeys: | ||
| - controller-revision-hash | ||
| whenUnsatisfiable: DoNotSchedule | ||
| # labelSelector: | ||
| # {{request.object.spec.selector}} | ||
| # matchLabelKeys: | ||
| # - pod-template-hash |