From 4a99be09a14982b7cf353fa254c1dffeb60c7588 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 2 Apr 2021 14:52:10 +0000 Subject: [PATCH] Resolve "Twistlock - Add/Document Affinity" --- CHANGELOG.md | 6 + chart/Chart.yaml | 2 +- ...{twistlock_console.yaml => configmap.yaml} | 117 ------------------ chart/templates/deployment.yaml | 86 +++++++++++++ chart/templates/pvc.yaml | 11 ++ chart/templates/service.yaml | 17 +++ chart/templates/serviceaccount.yaml | 5 + chart/values.yaml | 18 ++- docs/AFFINITY.md | 33 +++++ 9 files changed, 176 insertions(+), 119 deletions(-) rename chart/templates/{twistlock_console.yaml => configmap.yaml} (60%) create mode 100644 chart/templates/deployment.yaml create mode 100644 chart/templates/pvc.yaml create mode 100644 chart/templates/service.yaml create mode 100644 chart/templates/serviceaccount.yaml create mode 100644 docs/AFFINITY.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 042e26b..93ea1ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.0.3-bb.2] - 2021-03-31 +### Added +- Values passthroughs for affinity and anti-affinity added +### Changed +- Split out resources into separate yaml files + ## [0.0.3-bb.0] - 2021-02-12 ### Added - Options under istio values to control labels, annotations, gateways and full URL modification for twistlock VirtualService. diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 7821cfc..f64111d 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: twistlock -version: 0.0.3-bb.1 +version: 0.0.3-bb.2 appVersion: 20.12.531 diff --git a/chart/templates/twistlock_console.yaml b/chart/templates/configmap.yaml similarity index 60% rename from chart/templates/twistlock_console.yaml rename to chart/templates/configmap.yaml index ca6f997..34a4680 100644 --- a/chart/templates/twistlock_console.yaml +++ b/chart/templates/configmap.yaml 
@@ -1,4 +1,3 @@ ---- apiVersion: v1 kind: ConfigMap data: 
@@ -6,119 +5,3 @@ data: metadata: name: twistlock-console namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: Service -metadata: - labels: - name: console - name: twistlock-console - namespace: {{ .Release.Namespace }} -spec: - ports: - - name: communication-port - port: 8084 - - name: management-port-https - port: 8083 - - name: mgmt-http - port: 8081 - selector: - name: twistlock-console ---- -apiVersion: v1 -kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC) -metadata: - name: twistlock-console - namespace: {{ .Release.Namespace }} ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: twistlock-console - namespace: {{ .Release.Namespace }} -spec: - accessModes: - - {{ .Values.console.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.console.persistence.size }} ---- - ---- - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: twistlock-console - namespace: {{ .Release.Namespace }} - labels: - name: twistlock-console -spec: - replicas: 1 - selector: - matchLabels: - name: twistlock-console - strategy: - type: Recreate - template: - metadata: - name: twistlock-console - namespace: {{ .Release.Namespace }} - labels: - name: twistlock-console - spec: - restartPolicy: Always - serviceAccountName: twistlock-console - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} - {{- end }} - containers: - - name: twistlock-console - image: {{ .Values.console.image.repository }}:{{ .Values.console.image.tag }} - ports: - - name: mgmt-https - containerPort: 8083 - - name: communication - containerPort: 8084 - - name: mgmt-http - containerPort: 8081 - env: - - name: HIGH_AVAILABILITY_ENABLED - value: "false" - - name: CONFIG_PATH - value: /data/config/twistlock.cfg - - name: LOG_PROD - value: "true" - - name: DATA_RECOVERY_ENABLED - value: "true" - - name: COMMUNICATION_PORT - value: "8084" - - name: MANAGEMENT_PORT_HTTPS - value: "8083" - - name: MANAGEMENT_PORT_HTTP - value: "8081" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - name: twistlock-config-volume - mountPath: "/data/config/" - - name: console-persistent-volume - mountPath: "/var/lib/twistlock" - subPath: "var/lib/twistlock" - - name: console-persistent-volume - mountPath: "/var/lib/twistlock-backup" - subPath: "var/lib/twistlock-backup" - - name: syslog-socket - mountPath: "/dev/log" - volumes: - - name: console-persistent-volume - persistentVolumeClaim: - claimName: "twistlock-console" - - name: twistlock-config-volume - configMap: - name: twistlock-console - - name: syslog-socket - hostPath: - path: "/dev/log" diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml new file mode 100644 index 0000000..d671f67 --- /dev/null +++ b/chart/templates/deployment.yaml 
@@ -0,0 +1,86 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: twistlock-console + namespace: {{ .Release.Namespace }} + labels: + name: twistlock-console +spec: + replicas: 1 + selector: + matchLabels: + name: twistlock-console + strategy: + type: Recreate + template: + metadata: + name: twistlock-console + namespace: {{ .Release.Namespace }} + labels: + name: twistlock-console + spec: + restartPolicy: Always + serviceAccountName: twistlock-console + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.antiAffinity .Values.nodeAffinity }} + affinity: + {{- with .Values.antiAffinity }} + podAntiAffinity: + {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.nodeAffinity }} + nodeAffinity: + {{ toYaml . | nindent 10 }} + {{- end }} + {{- end }} + containers: + - name: twistlock-console + image: {{ .Values.console.image.repository }}:{{ .Values.console.image.tag }} + ports: + - name: mgmt-https + containerPort: 8083 + - name: communication + containerPort: 8084 + - name: mgmt-http + containerPort: 8081 + env: + - name: HIGH_AVAILABILITY_ENABLED + value: "false" + - name: CONFIG_PATH + value: /data/config/twistlock.cfg + - name: LOG_PROD + value: "true" + - name: DATA_RECOVERY_ENABLED + value: "true" + - name: COMMUNICATION_PORT + value: "8084" + - name: MANAGEMENT_PORT_HTTPS + value: "8083" + - name: MANAGEMENT_PORT_HTTP + value: "8081" + securityContext: + readOnlyRootFilesystem: true + volumeMounts: + - name: twistlock-config-volume + mountPath: "/data/config/" + - name: console-persistent-volume + mountPath: "/var/lib/twistlock" + subPath: "var/lib/twistlock" + - name: console-persistent-volume + mountPath: "/var/lib/twistlock-backup" + subPath: "var/lib/twistlock-backup" + - name: syslog-socket + mountPath: "/dev/log" + volumes: + - name: console-persistent-volume + persistentVolumeClaim: + claimName: "twistlock-console" + - name: twistlock-config-volume + configMap: + name: 
twistlock-console + - name: syslog-socket + hostPath: + path: "/dev/log" diff --git a/chart/templates/pvc.yaml b/chart/templates/pvc.yaml new file mode 100644 index 0000000..28e7f07 --- /dev/null +++ b/chart/templates/pvc.yaml @@ -0,0 +1,11 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: twistlock-console + namespace: {{ .Release.Namespace }} +spec: + accessModes: + - {{ .Values.console.persistence.accessMode }} + resources: + requests: + storage: {{ .Values.console.persistence.size }} diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml new file mode 100644 index 0000000..2e3391b --- /dev/null +++ b/chart/templates/service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + name: console + name: twistlock-console + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: communication-port + port: 8084 + - name: management-port-https + port: 8083 + - name: mgmt-http + port: 8081 + selector: + name: twistlock-console diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml new file mode 100644 index 0000000..4b0cd77 --- /dev/null +++ b/chart/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC) +metadata: + name: twistlock-console + namespace: {{ .Release.Namespace }} diff --git a/chart/values.yaml b/chart/values.yaml index db55f16..61e8a85 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
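Review bot: The container `securityContext` in the new deployment.yaml still sets only `readOnlyRootFilesystem: true`; now that the Deployment is its own file, this is the place to also pin `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, and `runAsNonRoot: true` if the console image supports it (not determinable from the hunk). The `syslog-socket` volume is a `hostPath` to `/dev/log`, which the baseline Pod Security Standard rejects; if host syslog forwarding is not required in every install it could be made optional behind a value. Separately, the two `{{ toYaml . | nindent 10 }}` lines under `podAntiAffinity:` and `nodeAffinity:` lack the `{{-` left-trim that the `imagePullSecrets` block just above uses, which leaves a whitespace-only line before the rendered map — valid YAML but inconsistent; the hunk's indentation is collapsed in this view, so confirm against the rendered template.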
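Review bot: The new serviceaccount.yaml creates `twistlock-console` without `automountServiceAccountToken`, so every console pod gets an API token mounted alongside the host `/dev/log` mount it already has. Unless the console needs the Kubernetes API (not determinable from this hunk), add `automountServiceAccountToken: false` as a top-level field of the ServiceAccount, which also covers the SCC use case the inline comment describes since SCC binding does not depend on the token mount.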
@@ -26,4 +26,20 @@ console: persistence: size: 100Gi - accessMode: ReadWriteOnce \ No newline at end of file + accessMode: ReadWriteOnce + +antiAffinity: {} + # requiredDuringSchedulingIgnoredDuringExecution: + # - topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # dont-schedule-with: twistlock + +nodeAffinity: {} + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-type + # operator: In + # values: + # - "twistlock" diff --git a/docs/AFFINITY.md b/docs/AFFINITY.md new file mode 100644 index 0000000..f24af8d --- /dev/null +++ b/docs/AFFINITY.md 
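Review bot: The two new top-level keys `antiAffinity` and `nodeAffinity` carry no comment saying where they are rendered, and the name `antiAffinity` does not convey that it becomes `podAntiAffinity` (the deployment.yaml hunk places it under `spec.affinity.podAntiAffinity`). Add a comment above each, e.g. `# Rendered verbatim as spec.affinity.podAntiAffinity on the console Deployment; leave {} to omit` and `# Rendered verbatim as spec.affinity.nodeAffinity on the console Deployment; leave {} to omit`. The commented anti-affinity example matches pods labelled `dont-schedule-with: twistlock`, while the console pod template only carries `name: twistlock-console`, so as written it does not keep console pods apart from each other unless that label is added to the pod; the comment should say which pods it is meant to repel. The `{{- if or .Values.antiAffinity .Values.nodeAffinity }}` guard treats the `{}` defaults as falsy, so the defaults render no `affinity:` stanza, which is the intended no-op.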
@@ -0,0 +1,33 @@ +# Node Affinity & Anti-Affinity with Twistlock + +Affinity is exposed through values options for Twistlock. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeAffinity` value and as needed the `antiAffinity` value. Additional info is provided below as well to help in configuring this. + +It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walkthrough of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + +## Values for Affinity + +The `nodeAffinity` value at the top level for Twistlock should be used to specify affinity. The format to include follows what you'd specify at a pod/deployment level. See the example below for scheduling the operator pods only to nodes with the label `node-type` equal to `operator`: + +```yaml +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-type + operator: In + values: + - operator +``` + +## Values for Anti-Affinity + +The `antiAffinity` value at the top level for Twistlock can be set in the same way to schedule pods based on anti-affinity. See the below example to schedule Twistlock pods to not be present on the nodes that already have pods with the `dont-schedule-with: twistlock` label. + +```yaml +antiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: + dont-schedule-with: twistlock +``` -- GitLab