diff --git a/config/namespace.yaml b/config/namespace.yaml
new file mode 100644
index 0000000..73dddc4
--- /dev/null
+++ b/config/namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: resourceconsist-manager
+ app.kubernetes.io/name: namespace
+ app.kubernetes.io/instance: system
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: resourceconsist
+ app.kubernetes.io/part-of: resourceconsist
+ name: resourceconsist
\ No newline at end of file
diff --git a/config/rbac/rbac.yaml b/config/rbac/rbac.yaml
new file mode 100644
index 0000000..02d6d15
--- /dev/null
+++ b/config/rbac/rbac.yaml
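Review bot: `app.kubernetes.io/name: namespace` labels the Namespace object with its kind rather than the application's name, which is what the recommended-labels convention expects in that key; `app.kubernetes.io/name: resourceconsist` would agree with the `created-by` and `part-of` labels on the same object (this looks like generator output, so it may be deliberate). The file also lacks the `---` document-start marker and the trailing newline that rbac.yaml, service.yaml and webhook.yaml in this commit have. If the namespace is to be hardened later, it is also the natural place for Pod Security Admission labels (`pod-security.kubernetes.io/enforce`), but the StatefulSet in this commit sets no securityContext, so an enforced `restricted` level would have to wait for that.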
@@ -0,0 +1,192 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: resourceconsist-manager
+ namespace: resourceconsist
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: resourceconsist-leader-election-role
+ namespace: resourceconsist
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: resourceconsist-manager-role
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - controllerrevisions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps.kusionstack.io
+ resources:
+ - "*"
+ - "*/status"
+ - "*/finalizers"
+ verbs:
+ - "*"
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: resourceconsist-webhook-role
+rules:
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
resources:
+ - secrets/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: resourceconsist-leader-election-rolebinding
+ namespace: resourceconsist
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: resourceconsist-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: resourceconsist-manager
+ namespace: resourceconsist
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: resourceconsist-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: resourceconsist-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: resourceconsist-manager
+ namespace: resourceconsist
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: resourceconsist-webhook-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: resourceconsist-webhook-role
+subjects:
+ - kind: ServiceAccount
+ name: resourceconsist-manager
+ namespace: resourceconsist
diff --git a/config/statefulset.yaml b/config/statefulset.yaml
new file mode 100644
index 0000000..bb1bb63
--- /dev/null
+++ b/config/statefulset.yaml
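Review bot: The `resourceconsist-webhook-role` ClusterRole grants full CRUD on `secrets` and `secrets/status`, and `resourceconsist-webhook-rolebinding` binds it to the manager ServiceAccount at cluster scope, so the manager can read and rewrite every Secret in the cluster even though the only secret visible in this commit is `webhook-certs` in the `resourceconsist` namespace (statefulset.yaml). Move the two `secrets` rules into a namespaced Role/RoleBinding in `resourceconsist` and keep only the `admissionregistration.k8s.io` rule in the ClusterRole; `resourceNames` is not a substitute here because it cannot restrict `create`. The `events` create/patch rule in the leader-election Role duplicates the broader events rule in `resourceconsist-manager-role`, so one copy suffices. `creationTimestamp: null` under both ClusterRole `metadata` blocks is generator noise and can be dropped.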
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ control-plane: resourceconsist-manager
+ name: resourceconsist-manager
+ namespace: resourceconsist
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ control-plane: resourceconsist-manager
+ serviceName: resourceconsist-manager
+ template:
+ metadata:
+ labels:
+ control-plane: resourceconsist-manager
+ spec:
+ containers:
+ - args:
+ - --leader-elect=true
+ - --cert-dir=/webhook-certs
+ - --dns-name=resourceconsist-manager.resourceconsist.svc
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - -v=4
+ command:
+ - /manager
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: kusionstack/resourceconsist:v0.1.0
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ serviceAccountName: resourceconsist-manager
+ terminationGracePeriodSeconds: 0
+ volumes:
+ - name: webhook-certs
+ secret:
+ secretName: webhook-certs
+updateStrategy:
+ type: OnDelete
\ No newline at end of file
diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml
new file mode 100644
index 0000000..624805d
--- /dev/null
+++ b/config/webhook/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: resourceconsist-manager
+ namespace: resourceconsist
+spec:
+ ports:
+ - port: 443
+ targetPort: 9443
+ selector:
+ control-plane: resourceconsist-manager
\ No newline at end of file
diff --git a/config/webhook/webhook.yaml b/config/webhook/webhook.yaml
new file mode 100644
index 0000000..6aecc1e
--- /dev/null
+++ b/config/webhook/webhook.yaml
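Review bot: `updateStrategy:` / `type: OnDelete` at the end of statefulset.yaml appears at column 0 beside `spec:` rather than under it, which makes it an unknown top-level field — rejected under strict field validation and silently ignored otherwise — so it should be `spec.updateStrategy` (assuming the collapsed indentation in this view is faithful). The `webhook-certs` volume is declared but the `manager` container has no `volumeMounts`, so `--cert-dir=/webhook-certs` points at an empty directory unless the manager generates and writes its own certificates there (rbac.yaml does grant it secrets create, so it may). The container also has no `securityContext`; for a cluster-wide admission webhook that can create and delete pods it should at least drop all capabilities and forbid privilege escalation, with `runAsNonRoot: true` if the image already runs as a non-root user. `terminationGracePeriodSeconds: 0` SIGKILLs the process immediately, giving the leader no chance to shut down cleanly, so a few seconds of grace is the usual choice.
```yaml
spec:
  # … unchanged: replicas, selector, serviceName, template metadata …
  template:
    spec:
      containers:
        - name: manager
          # … unchanged: args, command, env, image, imagePullPolicy, probes, resources …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true  # requires the image to run as a non-root user
          volumeMounts:
            - name: webhook-certs
              mountPath: /webhook-certs
              readOnly: true  # drop readOnly if the manager writes its certs here itself
      # … unchanged: serviceAccountName, terminationGracePeriodSeconds, volumes …
  updateStrategy:
    type: OnDelete
```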
@@ -0,0 +1,71 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: resourceconsist-manager-mutating
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ namespace: resourceconsist
+ name: resourceconsist-manager
+ path: /mutating-generic
+ failurePolicy: Fail
+ name: mutating-pod.apps.kusionstack.io
+ objectSelector:
+ matchExpressions:
+ - key: kusionstack.io/control
+ operator: In
+ values:
+ - "true"
+ rules:
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - pods
+ - pods/status
+ scope: '*'
+ sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: resourceconsist-manager-validating
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ namespace: resourceconsist
+ name: resourceconsist-manager
+ path: /validating-generic
+ failurePolicy: Fail
+ name: validating-pod.apps.kusionstack.io
+ objectSelector:
+ matchExpressions:
+ - key: kusionstack.io/control
+ operator: In
+ values:
+ - "true"
+ rules:
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - pods
+ scope: '*'
+ sideEffects: None
\ No newline at end of file
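Review bot: Both webhooks combine `failurePolicy: Fail` with no `namespaceSelector`, so while the manager is down every pod create/update/delete carrying `kusionstack.io/control: "true"` is refused in every namespace, `kube-system` included; add a `namespaceSelector` that excludes at least `kube-system` so a webhook outage cannot block the components needed to recover from it (the manager's own pods carry only `control-plane`, so they are not self-blocked). `apiGroups: ['*']` with `resources: pods` is wider than needed since pods exist only in the core group — `- ""` states the intent exactly — and `scope: '*'` is redundant for a resource that is always namespaced. As a point of style, `'*'` is single-quoted here while rbac.yaml double-quotes `"*"`; pick one form for the config tree.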