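{{- /*
Source: volcano.sh/volcano@v1.9.0/installer/helm/chart/volcano/templates/admission.yaml

Renders the Volcano admission webhook when custom.admission_enable is set:
a ConfigMap with the admission config file, a ServiceAccount, a ClusterRole
and ClusterRoleBinding for it, the webhook Deployment and Service, and an
init Job that runs gen-admission-secret.sh to create the TLS secret.
Affinity, tolerations, pod securityContext and nodeSelector fall back from
the admission_* value to the matching default_* value.
*/ -}}
{{- if .Values.custom.admission_enable }}
{{ $admission_affinity := or .Values.custom.admission_affinity .Values.custom.default_affinity }}
{{ $admission_tolerations := or .Values.custom.admission_tolerations .Values.custom.default_tolerations }}
{{ $admission_sc := or .Values.custom.admission_sc .Values.custom.default_sc }}
{{ $admission_ns := or .Values.custom.admission_ns .Values.custom.default_ns }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-admission-configmap
  namespace: {{ .Release.Namespace }}
data:
  {{- (.Files.Glob .Values.basic.admission_config_file).AsConfig | nindent 2}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-admission
  namespace: {{ .Release.Namespace }}
---
# Cluster-scoped permissions for the admission ServiceAccount. The same
# account is used by both the webhook Deployment and the init Job below, so
# every rule here is held by the long-running webhook pod as well.
# NOTE(review): consider a separate ServiceAccount for the one-shot init Job
# so the secret/CSR rules are not carried by the webhook at runtime.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-admission
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Write access to every webhook configuration in the cluster; the rule has
  # no resourceNames, so it is not limited to Volcano's own configurations.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "create", "update"]
  # Rules below are used to generate the admission service secret.
  # NOTE(review): create plus approval on CSRs is a sensitive combination.
  # gen-admission-secret.sh is not visible here; confirm it still uses the
  # CSR API and drop these two rules if it does not.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "create", "delete"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/approval"]
    verbs: ["create", "update"]
  # Because this is a ClusterRole bound by a ClusterRoleBinding, get/patch on
  # secrets applies in every namespace. The init Job in this file passes a
  # single --namespace/--secret pair to the script.
  # NOTE(review): if that is the only consumer, a namespaced Role in the
  # release namespace (with resourceNames on get/patch) is a tighter grant.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "patch"]
  - apiGroups: ["scheduling.incubator.k8s.io", "scheduling.volcano.sh"]
    resources: ["queues"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get"]
  - apiGroups: ["scheduling.incubator.k8s.io", "scheduling.volcano.sh"]
    resources: ["podgroups"]
    verbs: ["get", "list", "watch"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-admission-role
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-admission
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ .Release.Name }}-admission
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: volcano-admission
    {{- if .Values.custom.admission_labels }}
    {{- toYaml .Values.custom.admission_labels | nindent 4 }}
    {{- end }}
  name: {{ .Release.Name }}-admission
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{ .Values.custom.admission_replicas }}
  selector:
    matchLabels:
      app: volcano-admission
  template:
    metadata:
      labels:
        app: volcano-admission
        {{- if .Values.custom.admission_podLabels }}
        {{- toYaml .Values.custom.admission_podLabels | nindent 8 }}
        {{- end }}
    spec:
      {{- if $admission_tolerations }}
      tolerations: {{- toYaml $admission_tolerations | nindent 8 }}
      {{- end }}
      {{- if $admission_ns }}
      nodeSelector: {{- toYaml $admission_ns | nindent 8 }}
      {{- end }}
      {{- if $admission_affinity }}
      affinity:
        {{- toYaml $admission_affinity | nindent 8 }}
      {{- end }}
      # Pod-level securityContext only, and only when a value is supplied.
      # NOTE(review): no container-level securityContext is set in this
      # template (allowPrivilegeEscalation, capabilities, read-only root
      # filesystem); confirm that is covered by the values or by policy.
      {{- if $admission_sc }}
      securityContext:
        {{- toYaml $admission_sc | nindent 8 }}
      {{- end }}
      # serviceAccountName is the current field name (serviceAccount is its
      # deprecated alias); this also matches the init Job below.
      serviceAccountName: {{ .Release.Name }}-admission
      priorityClassName: system-cluster-critical
      {{- if .Values.basic.image_pull_secret }}
      imagePullSecrets:
        - name: {{ .Values.basic.image_pull_secret | quote }}
      {{- end }}
      containers:
        - args:
            - --enabled-admission={{ .Values.custom.enabled_admissions }}
            - --tls-cert-file=/admission.local.config/certificates/tls.crt
            - --tls-private-key-file=/admission.local.config/certificates/tls.key
            - --ca-cert-file=/admission.local.config/certificates/ca.crt
            - --admission-conf=/admission.local.config/configmap/{{base .Values.basic.admission_config_file}}
            - --webhook-namespace={{ .Release.Namespace }}
            - --webhook-service-name={{ .Release.Name }}-admission-service
            - --enable-healthz=true
            - --logtostderr
            - --port={{.Values.basic.admission_port}}
            - -v=4
            # NOTE(review): args are not run through a shell here, so this
            # is handed to the process as a literal argument rather than
            # redirecting stderr. Presumably harmless; confirm and drop.
            - 2>&1
          image: {{.Values.basic.admission_image_name}}:{{.Values.basic.image_tag_version}}
          imagePullPolicy: {{ .Values.basic.image_pull_policy }}
          name: admission
          {{- if .Values.custom.admission_resources }}
          resources:
          {{- toYaml .Values.custom.admission_resources | nindent 12 }}
          {{- end }}
          volumeMounts:
            - mountPath: /admission.local.config/certificates
              name: admission-certs
              readOnly: true
            - mountPath: /admission.local.config/configmap
              name: admission-config
      volumes:
        - name: admission-certs
          secret:
            # Decimal 420 is octal 0644, so tls.key is readable by any UID
            # inside the container.
            # NOTE(review): a tighter mode such as 0400 or 0440 needs the
            # container UID / fsGroup to match; confirm before changing.
            defaultMode: 420
            # Quoted so a number-like secret name still renders as a string.
            secretName: {{ .Values.basic.admission_secret_name | quote }}
        - name: admission-config
          configMap:
            name: {{ .Release.Name }}-admission-configmap

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: volcano-admission
  name: {{ .Release.Name }}-admission-service
  namespace: {{ .Release.Namespace }}
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: {{.Values.basic.admission_port}}
  selector:
    app: volcano-admission
  sessionAffinity: None

---
# One-shot Job that runs gen-admission-secret.sh with the webhook Service
# name, the release namespace and the TLS secret name. It runs under the
# same ServiceAccount as the webhook Deployment.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-admission-init
  namespace: {{ .Release.Namespace }}
  labels:
    app: volcano-admission-init
    {{- if .Values.custom.admission_labels }}
    {{- toYaml .Values.custom.admission_labels | nindent 4 }}
    {{- end }}
spec:
  backoffLimit: 3
  template:
    spec:
      {{- if $admission_tolerations }}
      tolerations: {{- toYaml $admission_tolerations | nindent 8 }}
      {{- end }}
      {{- if $admission_ns }}
      nodeSelector: {{- toYaml $admission_ns | nindent 8 }}
      {{- end }}
      {{- if $admission_affinity }}
      affinity:
        {{- toYaml $admission_affinity | nindent 8 }}
      {{- end }}
      {{- if $admission_sc }}
      securityContext:
        {{- toYaml $admission_sc | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ .Release.Name }}-admission
      priorityClassName: system-cluster-critical
      {{- if .Values.basic.image_pull_secret }}
      imagePullSecrets:
        - name: {{ .Values.basic.image_pull_secret | quote }}
      {{- end }}
      restartPolicy: Never
      containers:
        - name: main
          {{- if .Values.custom.admission_resources }}
          resources:
          {{- toYaml .Values.custom.admission_resources | nindent 12 }}
          {{- end }}
          image: {{.Values.basic.admission_image_name}}:{{.Values.basic.image_tag_version}}
          imagePullPolicy: {{ .Values.basic.image_pull_policy }}
          command: ["./gen-admission-secret.sh", "--service", "{{ .Release.Name }}-admission-service", "--namespace",
                    "{{ .Release.Namespace }}", "--secret", "{{.Values.basic.admission_secret_name}}"]
{{- end }}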