From 31b9e36adab803bd685a8e61e04b53e5009f4d1b Mon Sep 17 00:00:00 2001
From: Jacob Colvin
Date: Sun, 25 Feb 2024 00:21:23 -0500
Subject: [PATCH] Fix spread-pods policy
---
.../base/kyverno-policies/kustomization.yaml | 2 +-
.../mutating-policies/kustomization.yaml | 4 -
.../mutating-policies/spread-pods.yaml | 35 --------
.../.kyverno-test/kyverno-test.yaml | 16 ++++
.../spread-pods/.kyverno-test/patched.yaml | 18 ++++
.../spread-pods/.kyverno-test/resource.yaml | 18 ++++
.../spread-pods/spread-pods.yaml | 84 +++++++++++++++++++
7 files changed, 137 insertions(+), 40 deletions(-)
delete mode 100644 applications/base/kyverno-policies/mutating-policies/kustomization.yaml
delete mode 100644 applications/base/kyverno-policies/mutating-policies/spread-pods.yaml
create mode 100644 applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/kyverno-test.yaml
create mode 100644 applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/patched.yaml
create mode 100644 applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/resource.yaml
create mode 100644 applications/base/kyverno-policies/mutating-policies/spread-pods/spread-pods.yaml
diff --git a/applications/base/kyverno-policies/kustomization.yaml b/applications/base/kyverno-policies/kustomization.yaml
index fd7f8defc..56b15730a 100644
--- a/applications/base/kyverno-policies/kustomization.yaml
+++ b/applications/base/kyverno-policies/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - mutating-policies
+ - mutating-policies/spread-pods/spread-pods.yaml
diff --git a/applications/base/kyverno-policies/mutating-policies/kustomization.yaml b/applications/base/kyverno-policies/mutating-policies/kustomization.yaml
deleted file mode 100644
index d4fbd3d0e..000000000
--- a/applications/base/kyverno-policies/mutating-policies/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - spread-pods.yaml
diff --git a/applications/base/kyverno-policies/mutating-policies/spread-pods.yaml b/applications/base/kyverno-policies/mutating-policies/spread-pods.yaml
deleted file mode 100644
index 362399891..000000000
--- a/applications/base/kyverno-policies/mutating-policies/spread-pods.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: spread-pods
- annotations:
- policies.kyverno.io/title: Spread Pods Across Nodes
- policies.kyverno.io/category: Sample
- policies.kyverno.io/subject: Deployment, StatefulSet, Pod
- policies.kyverno.io/minversion: 1.6.0
- policies.kyverno.io/description: >-
- Deployments to a Kubernetes cluster with multiple availability zones often
- need to distribute those replicas to align with those zones to ensure
- site-level failures do not impact availability. This policy matches
- Deployments with two or more replicas and mutates them to spread Pods
- across zones.
-spec:
- rules:
- - name: spread-pods-across-nodes
- match:
- any:
- - resources:
- kinds:
- - Deployment
- - StatefulSet
- mutate:
- patchStrategicMerge:
- spec:
- <(replicas): ">=2"
- template:
- spec:
- # Adds the topologySpreadConstraints field if non-existent in the request.
- +(topologySpreadConstraints):
- - maxSkew: 1
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
diff --git a/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/kyverno-test.yaml b/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..8bc7e3700
--- /dev/null
+++ b/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: spread-pods-test
+policies:
+ - ../spread-pods.yaml
+resources:
+ - resource.yaml
+results:
+ - policy: spread-pods
+ rule: spread-statefulset-across-zones
+ kind: StatefulSet
+ resources:
+ - my-statefulset
+ patchedResource: patched.yaml
+ result: pass
diff --git a/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/patched.yaml b/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/patched.yaml
new file mode 100644
index 000000000..ae85f7e8f
--- /dev/null
+++ b/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/patched.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: my-statefulset
+spec:
+ serviceName: "my-service"
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ spec:
+ containers:
+ - name: my-app
+ image: my-app:1.0.0
diff --git a/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/resource.yaml b/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..ae85f7e8f
--- /dev/null
+++ b/applications/base/kyverno-policies/mutating-policies/spread-pods/.kyverno-test/resource.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: my-statefulset
+spec:
+ serviceName: "my-service"
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ spec:
+ containers:
+ - name: my-app
+ image: my-app:1.0.0
diff --git a/applications/base/kyverno-policies/mutating-policies/spread-pods/spread-pods.yaml b/applications/base/kyverno-policies/mutating-policies/spread-pods/spread-pods.yaml
new file mode 100644
index 000000000..2550b100d
--- /dev/null
+++ b/applications/base/kyverno-policies/mutating-policies/spread-pods/spread-pods.yaml
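Review bot: patched.yaml is byte-identical to resource.yaml (both index lines land at blob ae85f7e8f), so the expected post-mutation StatefulSet carries neither the `topology.jacobcolvin.com/managed-by: kyverno` label nor the topologySpreadConstraints that `spread-statefulset-across-zones` adds; with `replicas: 3` and no existing constraints the preconditions should be satisfied, so the test as written can only pass if the mutation is a no-op. patched.yaml should hold the object the rule is expected to produce. kyverno-test.yaml also declares a result only for the StatefulSet rule, so `spread-deployment-across-zones` has no coverage; a second resource/result pair for a Deployment would close that. Note that resource.yaml's top-level metadata has only `name`, so the `/metadata/labels/...` add patch is exercised against a missing parent, which is the common shape of real workloads and worth keeping as the test case.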
@@ -0,0 +1,84 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: spread-pods
+ annotations:
+ policies.kyverno.io/title: Spread Pods Across Nodes
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/subject: Deployment, StatefulSet, Pod
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ Deployments to a Kubernetes cluster with multiple availability zones often
+ need to distribute those replicas to align with those zones to ensure
+ site-level failures do not impact availability. This policy matches
+ Deployments with two or more replicas and mutates them to spread Pods
+ across zones.
+spec:
+ rules:
+ - name: spread-deployment-across-zones
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ preconditions: &preconditions
+ all:
+ - key: "{{request.object.spec.replicas}}"
+ operator: GreaterThanOrEquals
+ value: 2
+ any:
+ # Check if the topologySpreadConstraints field already exists. This is
+ # done in the precondition because of the "tracking" managed-by field.
+ - key: "{{request.object.spec.template.spec.topologySpreadConstraints || ''}}"
+ operator: Equals
+ value: ""
+ - key: >-
+ {{request.object.metadata.annotations."topology.jacobcolvin.com/managed-by"}}
+ operator: Equals
+ value: "kyverno"
+ - key: >-
+ {{request.object.metadata.labels."topology.jacobcolvin.com/managed-by"}}
+ operator: Equals
+ value: "kyverno"
+ mutate:
+ patchesJson6902: |-
+ - path: "/metadata/labels/topology.jacobcolvin.com~1managed-by"
+ op: add
+ value: kyverno
+ - path: "/spec/template/spec/topologySpreadConstraints"
+ op: replace
+ value:
+ - maxSkew: 1
+ minDomains: 2
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: DoNotSchedule
+
+ - name: spread-statefulset-across-zones
+ match:
+ any:
+ - resources:
+ kinds:
+ - StatefulSet
+ preconditions: *preconditions
+ mutate:
+ patchesJson6902: |-
+ - path: "/metadata/labels/topology.jacobcolvin.com~1managed-by"
+ op: add
+ value: kyverno
+ - path: "/spec/template/spec"
+ op: add
+ value:
+ topologySpreadConstraints:
+ - maxSkew: 1
+ minDomains: 2
+ topologyKey: topology.kubernetes.io/zone
+ labelSelector: {{request.object.spec.selector}}
+ matchLabelKeys:
+ - controller-revision-hash
+ whenUnsatisfiable: DoNotSchedule
+
+
+ # labelSelector:
+ # {{request.object.spec.selector}}
+ # matchLabelKeys:
+ # - pod-template-hash
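Review bot: In `spread-statefulset-across-zones` the second patch targets `path: "/spec/template/spec"` with `op: add` and a value holding only `topologySpreadConstraints`; under RFC 6902 an add on an existing object member replaces that member, so the whole pod template spec (containers and all) would be overwritten with just the constraints. The path should be `"/spec/template/spec/topologySpreadConstraints"` with the list itself as the value, matching the Deployment rule. In `spread-deployment-across-zones` the same patch uses `op: replace`, which RFC 6902 requires to target an existing location, while the `any` precondition deliberately admits the field being absent; `op: add` (which also overwrites an existing member) covers both cases, unless a lenient replace in Kyverno's JSON patch implementation is being relied upon, which should then be stated in a comment. The Deployment rule also omits the `labelSelector`/`matchLabelKeys` the StatefulSet rule sets, and the commented-out `labelSelector`/`pod-template-hash` block plus two blank lines at the end of the file look like the intended Deployment values left behind; either move them into the Deployment patch or drop them. `minDomains` and `matchLabelKeys` are newer pod-spec fields and `DoNotSchedule` with `minDomains: 2` will leave pods Pending on a single-zone cluster, so a comment on the policy stating the cluster versions and zone topology it assumes would help the next reader.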