diff --git a/.gitignore b/.gitignore
index 7f02333d..89196892 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@ Dockerfile.cross
 *.swp
 *.swo
 *~
+.DS_Store
diff --git a/charts/checkpoint-restore-operator/Chart.yaml b/charts/checkpoint-restore-operator/Chart.yaml
new file mode 100644
index 00000000..d60108f8
--- /dev/null
+++ b/charts/checkpoint-restore-operator/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: checkpoint-restore-operator
+description: Kubernetes operator for CRIU checkpoint/restore
+type: application
+version: 0.1.0
+appVersion: "0.0.0"
+
diff --git a/charts/checkpoint-restore-operator/crds/criu.org_checkpointrestoreoperators.yaml b/charts/checkpoint-restore-operator/crds/criu.org_checkpointrestoreoperators.yaml
new file mode 100644
index 00000000..a235af18
--- /dev/null
+++ b/charts/checkpoint-restore-operator/crds/criu.org_checkpointrestoreoperators.yaml
@@ -0,0 +1,129 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: checkpointrestoreoperators.criu.org +spec: + group: criu.org + names: + kind: CheckpointRestoreOperator + listKind: CheckpointRestoreOperatorList + plural: checkpointrestoreoperators + singular: checkpointrestoreoperator + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: CheckpointRestoreOperator is the Schema for the checkpointrestoreoperators + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CheckpointRestoreOperatorSpec defines the desired state of + CheckpointRestoreOperator + properties: + applyPoliciesImmediately: + type: boolean + checkpointDirectory: + description: 'Important: Run "make" to regenerate code after modifying + this file' + type: string + containerPolicies: + items: + properties: + container: + type: string + maxCheckpointSize: + type: integer + maxCheckpoints: + type: integer + maxTotalSize: + type: integer + namespace: + type: string + pod: + type: string + retainOrphan: + type: boolean + type: object + type: array + globalPolicy: + properties: + maxCheckpointSize: + type: integer + maxCheckpointsPerContainer: + type: integer + maxCheckpointsPerNamespace: + type: integer + maxCheckpointsPerPod: + type: integer + maxTotalSizePerContainer: + type: integer + maxTotalSizePerNamespace: + type: integer + maxTotalSizePerPod: + type: integer + retainOrphan: + type: boolean + type: object + namespacePolicies: + items: + properties: + maxCheckpointSize: + type: integer + maxCheckpoints: + type: integer + maxTotalSize: + type: integer + namespace: + type: string + retainOrphan: + type: boolean + type: object + type: array + podPolicies: + items: + properties: + maxCheckpointSize: + type: integer + maxCheckpoints: + type: integer + maxTotalSize: + type: integer + namespace: + type: string + pod: + type: string + retainOrphan: + type: boolean + type: object + type: array + type: object + status: + description: CheckpointRestoreOperatorStatus defines the observed state + of CheckpointRestoreOperator + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/checkpoint-restore-operator/templates/_helpers.tpl b/charts/checkpoint-restore-operator/templates/_helpers.tpl new file mode 100644 index 00000000..4a54e50a --- /dev/null 
+++ b/charts/checkpoint-restore-operator/templates/_helpers.tpl
@@ -0,0 +1,20 @@
+{{- define "cro.name" -}}
+checkpoint-restore-operator
+{{- end -}}
+
+{{- define "cro.fullname" -}}
+{{- if .Release.Name -}}
+{{- printf "%s-%s" .Release.Name (include "cro.name" .) | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- include "cro.name" . -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cro.saName" -}}
+{{- if .Values.serviceAccount.name -}}
+{{ .Values.serviceAccount.name }}
+{{- else -}}
+{{ include "cro.fullname" . }}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/checkpoint-restore-operator/templates/deployment.yaml b/charts/checkpoint-restore-operator/templates/deployment.yaml
new file mode 100644
index 00000000..57ad7bb1
--- /dev/null
+++ b/charts/checkpoint-restore-operator/templates/deployment.yaml
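Review bot: `cro.saName` falls back to `cro.fullname` whenever `.Values.serviceAccount.name` is empty, so a user who sets `serviceAccount.create: false` without naming an account gets a Deployment and RoleBindings that reference a ServiceAccount nothing creates; the usual chart idiom is to fall back to `default` in that case, e.g. `{{- if .Values.serviceAccount.create -}}{{ default (include "cro.fullname" .) .Values.serviceAccount.name }}{{- else -}}{{ default "default" .Values.serviceAccount.name }}{{- end -}}`. Separately, `trunc 63` in `cro.fullname` only bounds the prefix: deployment.yaml and service-metrics.yaml append suffixes such as `-controller-manager-metrics-service`, so a long release name still produces a Service name over the 63-character DNS-label limit; either reserve room for the longest suffix in the truncation or truncate each derived name where it is built. The `else` branch of `cro.fullname` is effectively unreachable because Helm always populates `.Release.Name`, so it could be dropped for clarity.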
@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "cro.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: checkpoint-restore-operator
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ control-plane: controller-manager
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: {{ include "cro.saName" . }}
+ terminationGracePeriodSeconds: 10
+
+ containers:
+ {{- if .Values.metrics.enabled }}
+ - name: kube-rbac-proxy
+ image: {{ .Values.proxy.image }}
+ args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=0
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources:
+{{ toYaml .Values.proxy.resources | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
+
+ - name: manager
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - /manager
+ args:
+ - --health-probe-bind-address={{ (default ":8081" .Values.manager.healthProbeBindAddress) }}
+ - --metrics-bind-address={{ (default "127.0.0.1:8080" .Values.manager.metricsBindAddress) }}
+
+ {{- if .Values.leaderElection.enabled }}
+ - --leader-elect
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ securityContext:
+ runAsNonRoot: false
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
+ capabilities:
+ drop: ["ALL"]
+ add:
+ {{- range .Values.securityContext.addCapabilities }}
+ - {{ . | quote }}
+ {{- end }}
+ volumeMounts:
+ - name: kubelet-checkpoints
+ mountPath: /var/lib/kubelet/checkpoints
+
+ volumes:
+ - name: kubelet-checkpoints
+ hostPath:
+ path: {{ .Values.checkpointDir.hostPath }}
+ type: Directory
+
diff --git a/charts/checkpoint-restore-operator/templates/rbac.yaml b/charts/checkpoint-restore-operator/templates/rbac.yaml
new file mode 100644
index 00000000..9cdd9aa7
--- /dev/null
+++ b/charts/checkpoint-restore-operator/templates/rbac.yaml
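Review bot: The manager container's securityContext sets `runAsNonRoot: false` and `runAsUser: {{ .Values.securityContext.runAsUser }}` (0 in the shipped values), which overrides the pod-level `runAsNonRoot: true` a few lines above, so that pod-level setting is misleading and the default install runs a root process with `allowPrivilegeEscalation` taken from values (true by default) and a writable hostPath mount of the kubelet checkpoint directory. If root plus `DAC_OVERRIDE`/`FOWNER` is genuinely needed to manage checkpoint files, at least hard-code `allowPrivilegeEscalation: false` (it only forbids gaining privilege across exec and does not remove capabilities already granted) and remove the contradictory pod-level `runAsNonRoot: true`, or add a comment beside the container securityContext explaining why root is required. The kube-rbac-proxy `--upstream=http://127.0.0.1:8080/` is hard-coded while the manager's `--metrics-bind-address` is taken from `.Values.manager.metricsBindAddress`; derive one from the other, e.g. `- --upstream=http://{{ default "127.0.0.1:8080" .Values.manager.metricsBindAddress }}/`, otherwise changing the value silently breaks the proxy, or, if the manager is bound to a non-loopback address, exposes metrics without going through it. `spec.selector.matchLabels` carries only `control-plane: controller-manager`, the same selector used by the metrics Service in service-metrics.yaml, so two releases in one namespace select each other's pods; include `app.kubernetes.io/instance: {{ .Release.Name }}` in both selectors.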
@@ -0,0 +1,99 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "cro.fullname" . }}-leader-election-role
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get","list","watch","create","update","patch","delete"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get","list","watch","create","update","patch","delete"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create","patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "cro.fullname" . }}-leader-election-rolebinding
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "cro.fullname" . }}-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cro.saName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cro.fullname" . }}-manager-role
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get","list","watch"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get","list","watch"]
+- apiGroups: ["criu.org"]
+ resources: ["checkpointrestoreoperators"]
+ verbs: ["create","delete","get","list","patch","update","watch"]
+- apiGroups: ["criu.org"]
+ resources: ["checkpointrestoreoperators/finalizers"]
+ verbs: ["update"]
+- apiGroups: ["criu.org"]
+ resources: ["checkpointrestoreoperators/status"]
+ verbs: ["get","patch","update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cro.fullname" . }}-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cro.fullname" . }}-manager-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cro.saName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.metrics.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cro.fullname" . }}-metrics-reader
+rules:
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cro.fullname" . }}-proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cro.fullname" . }}-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cro.fullname" . }}-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cro.saName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+
diff --git a/charts/checkpoint-restore-operator/templates/service-metrics.yaml b/charts/checkpoint-restore-operator/templates/service-metrics.yaml
new file mode 100644
index 00000000..e4829c27
--- /dev/null
+++ b/charts/checkpoint-restore-operator/templates/service-metrics.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "cro.fullname" . }}-controller-manager-metrics-service
+ namespace: {{ .Release.Namespace }}
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: checkpoint-restore-operator
+ app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+{{- end }}
+
diff --git a/charts/checkpoint-restore-operator/templates/serviceaccount.yaml b/charts/checkpoint-restore-operator/templates/serviceaccount.yaml
new file mode 100644
index 00000000..0133db72
--- /dev/null
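Review bot: The leader-election Role grants full create/update/patch/delete on `configmaps` in the release namespace in addition to `leases`; recent controller-runtime releases default to the Lease-based resource lock, so unless the manager is explicitly started with the legacy configmaps+leases lock the `configmaps` rule is surplus write access and should be dropped (confirm against the manager's leader-election resource-lock setting before removing it). The `manager-role` ClusterRole is reasonably minimal, but a comment above it such as `# cluster-wide read on pods/namespaces is required to locate checkpoint sources across namespaces` would record why the read is cluster-scoped rather than namespaced, since that is the widest grant in this file.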
+++ b/charts/checkpoint-restore-operator/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "cro.saName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: checkpoint-restore-operator
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/checkpoint-restore-operator/values.yaml b/charts/checkpoint-restore-operator/values.yaml
new file mode 100644
index 00000000..69f44564
--- /dev/null
+++ b/charts/checkpoint-restore-operator/values.yaml
@@ -0,0 +1,54 @@
+replicaCount: 1
+
+image:
+ repository: ghcr.io/checkpoint-restore/checkpoint-restore-operator
+ tag: latest
+ pullPolicy: IfNotPresent
+
+leaderElection:
+ enabled: true
+
+checkpointDir:
+ hostPath: /var/lib/kubelet/checkpoints
+
+serviceAccount:
+ create: true
+ name: ""
+
+resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+securityContext:
+ runAsUser: 0
+ allowPrivilegeEscalation: true
+ dropAllCapabilities: true
+ addCapabilities:
+ - DAC_OVERRIDE
+ - FOWNER
+
+metrics:
+ enabled: true
+
+proxy:
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+
+manager:
+ healthProbeBindAddress: ":8081"
+ metricsBindAddress: "127.0.0.1:8080"
+
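Review bot: `image.tag: latest` combined with `pullPolicy: IfNotPresent` means the chart never pins what it deploys and each node keeps whichever `latest` it pulled first, so rollouts are non-reproducible and unauditable; default the tag to the chart's appVersion instead (`image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"` in deployment.yaml, with a real version in Chart.yaml rather than `"0.0.0"`) and consider an `image.digest` value for digest pinning. `securityContext.allowPrivilegeEscalation: true` is a risky default beside `runAsUser: 0`; `false` should be the shipped value unless there is a documented reason, and a comment above the block such as `# the manager runs as root with DAC_OVERRIDE/FOWNER to manage files under checkpointDir.hostPath` would make the trade-off explicit. `securityContext.dropAllCapabilities`, `nodeSelector`, `tolerations` and `affinity` are declared here but no template in this change reads them (deployment.yaml hard-codes `drop: ["ALL"]`), so they are either dead values or the Deployment is missing the wiring. `proxy.image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1` is pinned by tag only; as far as I know the kubebuilder project has deprecated that image distribution, so confirm the image source and pin a digest before the first release.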