{{- /*
Source: github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/charts/kvisor/templates/agent.yaml
Renders the kvisor agent DaemonSet and, when agent.serviceAccount.create is set,
its ServiceAccount plus a read-only ClusterRole and ClusterRoleBinding.
*/ -}}
{{- if .Values.agent.enabled }}
apiVersion: apps/v1
kind: DaemonSet
# Security review summary for this workload (all visible in this template):
#   - hostPID: true, so the pod shares the node's PID namespace.
#   - hostPath mounts of debugfs, the cgroup tree, the containerd task directory
#     and the containerd socket.
#   - pod and container securityContext come entirely from chart values.
# NOTE(review): the effective privilege level (privileged flag, capabilities,
# runAsUser) is set in values.yaml, which is not shown here; review it together
# with this template.
metadata:
  name: {{ include "kvisor.agent.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kvisor.agent.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "kvisor.agent.selectorLabels" . | nindent 6 }}
  {{- with .Values.agent.updateStrategy }}
  updateStrategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      annotations:
        # SHA-256 of the rendered secret.yaml template, so pods are rolled when
        # that manifest changes. The digest is readable by anyone who can read
        # pod metadata.
        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
        {{- if .Values.agent.prometheusScrape.enabled }}
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{.Values.agent.metricsHTTPListenPort}}"
        {{- end }}
        {{- if .Values.pyroscope.enabled }}
        phlare.grafana.com/scrape: "true"
        phlare.grafana.com/port: "{{ .Values.agent.metricsHTTPListenPort }}"
        profiles.grafana.com/memory.scrape: "true"
        profiles.grafana.com/memory.port: "{{ .Values.agent.metricsHTTPListenPort }}"
        profiles.grafana.com/cpu.scrape: "true"
        profiles.grafana.com/cpu.port: "{{ .Values.agent.metricsHTTPListenPort }}"
        profiles.grafana.com/goroutine.scrape: "true"
        profiles.grafana.com/goroutine.port: "{{ .Values.agent.metricsHTTPListenPort }}"
        {{- end }}
        {{- with .Values.agent.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        app.kubernetes.io/component: agent
        {{- include "kvisor.agent.selectorLabels" . | nindent 8 }}
        {{- include "kvisor.commonLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "kvisor.agent.serviceAccountName" . }}
      # Shares the node's PID namespace with the agent. As the TODO above
      # `volumes` points out, host files are then addressable through
      # /proc/1/root, so removing a hostPath volume below does not by itself
      # narrow what the agent can reach.
      # NOTE(review): whether /proc/1/root is actually readable depends on the
      # securityContext values - confirm against values.yaml.
      hostPID: true
      securityContext:
        {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}
      containers:
        - name: kvisor
          securityContext:
            {{- toYaml .Values.agent.containerSecurityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}-agent:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          resources:
            {{- toYaml .Values.agent.resources | nindent 12 }}
          command:
            - "/usr/local/bin/kvisor-agent"
          args:
            - "run"
            - "--metrics-http-listen-port={{.Values.agent.metricsHTTPListenPort}}"
            {{- if .Values.castai.enabled }}
            - "--send-logs-level=WARN"
            {{- end }}
            # Only added when the mock server is enabled.
            # NOTE(review): the flag name suggests transport security to the
            # CAST AI endpoint is relaxed - confirm in the agent source, and
            # keep mockServer.enabled out of production values.
            {{- if eq .Values.mockServer.enabled true }}
            - "--castai-server-insecure=true"
            {{- end }}
            # The ClickHouse address, database and username are passed as
            # plain arguments and are therefore visible in the pod spec.
            # NOTE(review): the password is presumably supplied through the
            # ClickHouse secretRef under envFrom - verify.
            {{- if .Values.clickhouse.enabled }}
            - "--clickhouse-addr={{ include "kvisor.clickhouse.fullname" . }}.{{ .Release.Namespace}}:9000"
            - "--clickhouse-database={{.Values.clickhouse.auth.database}}"
            - "--clickhouse-username={{.Values.clickhouse.auth.username}}"
            {{- end }}
            - "--kube-api-service-addr={{ include "kvisor.controller.fullname" .}}.{{.Release.Namespace}}:{{ .Values.controller.kubeAPIListenPort }}"
            # Every key/value pair in agent.extraArgs is appended verbatim as a
            # command-line flag; no key or value is filtered here, so whoever
            # controls the chart values controls the agent's flags.
            {{- range $key, $value := .Values.agent.extraArgs }}
            - "--{{ $key }}={{ $value }}"
            {{- end }}
          # envFrom exposes every key of the referenced secrets as an
          # environment variable of the agent process.
          envFrom:
            {{- if .Values.castai.enabled }}
            - secretRef:
                name: {{ include "kvisor.castaiSecretName" . }}
            {{- end }}
            {{- if.Values.clickhouse.enabled }}
            - secretRef:
                name: {{ include "kvisor.clickhouse.fullname" . }}
            {{- end }}
          env:
            # Downward API: node name, node IP and pod name of this replica.
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: NODE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # Points at the in-cluster mock server on port 8443 when
            # mockServer.enabled is set, otherwise at castai.grpcAddr.
            - name: CASTAI_API_GRPC_ADDR
              value: {{ if .Values.mockServer.enabled -}}
                {{ (printf "%s:8443" (include "kvisor.castaiMockServer.service" .)) | quote }}
              {{- else -}}
                {{ .Values.castai.grpcAddr | quote }}
              {{- end }}
            - name: CASTAI_CLUSTER_ID
              value: {{ .Values.castai.clusterID | quote }}
            {{- if .Values.agent.debug.ebpf }}
            - name: KVISOR_EBPF_DEBUG
              value: "1"
            {{- end }}
          ports:
            - containerPort: {{.Values.agent.metricsHTTPListenPort}}
              name: metrics
              protocol: TCP
          # Both probes call /healthz on the metrics port.
          livenessProbe:
            httpGet:
              port: metrics
              path: /healthz
            periodSeconds: 5
          # Startup budget: 12 failures x 10 s period.
          startupProbe:
            httpGet:
              port: metrics
              path: /healthz
            failureThreshold: 12
            periodSeconds: 10
          volumeMounts:
            - name: cgroups
              mountPath: "/cgroups"
              readOnly: true
            - name: etc-os-release
              mountPath: /etc/os-release-host
              readOnly: true
            # NOTE(review): debugfs is the only mount here without
            # readOnly: true - confirm the agent needs write access to
            # /sys/kernel/debug, otherwise mount it read-only as well.
            - name: debugfs
              mountPath: /sys/kernel/debug
            - name: containerd-k8s-rootfs
              mountPath: /run/containerd/io.containerd.runtime.v2.task/k8s.io
              readOnly: true
            # readOnly on a socket mount only protects the socket file itself;
            # it does not limit the requests a process can send once it has
            # connected. Access to containerd.sock should be reviewed as
            # access to the node's container runtime API.
            - name: containerd-sock
              mountPath: /run/containerd/containerd.sock
              readOnly: true
      dnsPolicy: {{.Values.agent.dnsPolicy}}
      {{- with .Values.agent.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.agent.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.agent.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # TODO: Since we run with hostPID these volumes could be removed and accessed via `/proc/1/root` prefix.
      # Host paths handed to the agent. Only the two containerd entries pin a
      # hostPath `type` (Directory / Socket); the others are mounted without a
      # type check.
      volumes:
        - name: etc-os-release
          hostPath:
            path: /etc/os-release
        - name: debugfs
          hostPath:
            path: /sys/kernel/debug
        - name: cgroups
          hostPath:
            path: /sys/fs/cgroup
        - name: containerd-k8s-rootfs
          hostPath:
            path: /run/containerd/io.containerd.runtime.v2.task/k8s.io
            type: Directory
        - name: containerd-sock
          hostPath:
            path: /run/containerd/containerd.sock
            type: Socket
{{- end }}
---
{{- if .Values.agent.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
# The ServiceAccount, ClusterRole and ClusterRoleBinding below are all gated on
# agent.serviceAccount.create alone: they are rendered even when agent.enabled
# is false, and none of them is rendered when serviceAccount.create is false
# (a pre-existing service account then needs its own binding).
metadata:
  name: {{ include "kvisor.agent.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kvisor.labels" . | nindent 4}}
  {{- with .Values.agent.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# Cluster-wide, read-only (get/list/watch) access to pods and to the apps and
# batch workload kinds listed below. No write verbs and no access to secrets
# are granted by this role.
# NOTE(review): the name comes from the chart-wide "kvisor.fullname" helper
# rather than an agent-specific one - confirm no other template in the chart
# defines a ClusterRole with the same name.
metadata:
  name: {{ include "kvisor.fullname" . }}
  labels:
    {{- include "kvisor.labels" . | nindent 4}}
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "batch"
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
# Binds the ClusterRole above to the agent's ServiceAccount in the release
# namespace.
metadata:
  name: {{ include "kvisor.fullname" . }}
  labels:
    {{- include "kvisor.labels" . | nindent 4}}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "kvisor.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "kvisor.agent.serviceAccountName" . }}
    namespace: {{.Release.Namespace}}
{{- end }}