⛔ [DEPRECATED] Please see Kubex automation controller helm chart

Deprecation Notice

This repository is deprecated as of July 7th, 2025. Please refer to the Kubex automation controller helm chart.

Densify Container Automation - Mutating Admission Controller

This project enables Kubernetes users to automate pod resource configuration using Densify’s optimization engine via a Mutating Admission Controller.

Quick Links

• Densify Container Automation - Mutating Admission Controller
  • Quick Links
  • Purpose
  • Installation
    • 1. Update config files
    • 2. Create densify-automation namespace
    • 3. Create a Persistent Volume Claim for the Mutating Admission Controller
    • 4. Configure TLS Certificates
    • 5. Run the deployment script
    • 6. Verify resources are up and running
  • Argo CD Integration
    • Add Resource Customizations to argocd-cm
    • How to Apply
  • Troubleshooting

Purpose

Automates the optimization of Kubernetes Pods based on Densify’s recommendations, ensuring resources are effectively allocated for better performance and cost efficiency.

---

Installation

1. Update config files

For initial configuration, you need to review and update the following YAML files:

• densify-configmap.yaml: Provide your Densify URL and Kubernetes Cluster name.

• densify-api-secret.yaml: Provide your Densify base64-encoded username and password. To do this run:

  echo -n "<my_user>" | base64
  echo -n "<my_password>" | base64

• densify-automation-policy.yaml:

  • Define or refine automation policies — e.g., specify which resource values (CPU/Memory requests/limits) should be automated.
  • Set the default policy — applied when a webhook does not explicitly reference a specific policy.
  • Enable or disable automation cluster-wide — acts as a global switch to turn on/off all mutations by the controller.
  • Control whether automation can be remotely enabled/disabled via the Densify UI — adds a second layer of dynamic control over policy activation.

• densify-mutating-webhook-config.yaml:

  • Define which pods are candidates for mutation — using namespaceSelector and objectSelector, specify which workloads should be mutated and which policy route (/mutate/<policyName>) to apply.

2. Create densify-automation namespace

kubectl create namespace densify-automation

3. Create a Persistent Volume Claim for the Mutating Admission Controller

To persist recommendation state and automation outputs, the Mutating Admission Controller requires a Persistent Volume Claim (PVC) with ReadWriteOnce access.

If deploying a single replica, no additional configuration is needed — most cluster default StorageClasses will work.

If deploying multiple replicas for high availability, you must ensure your PVC uses a backend that supports ReadWriteMany, such as Azure Files, EFS, or NFS.

You can use the provided example at: deployment/base/densify-recommendations-pvc.yaml

For detailed guidance, refer to: Persistent Volume Claim Requirements

4. Configure TLS Certificates

Option 1. Use CertManager Certificate Generation and Management

Option 2. Generate Certificates Manually

Option 3. Bring Your Own Certificates (BYOC)

5. Run the deployment script

./deploy-kubex-automation.sh

6. Verify resources are up and running

kubectl get pod -n densify-automation

Argo CD Integration

If your Kubernetes cluster uses Argo CD, and you are enabling automated mutations via the Densify Mutating Admission Controller, you should configure Argo CD to ignore resource-related changes made by the controller.

This prevents:

• Applications from showing OutOfSync status unnecessarily.

• Infinite reconciliation loops when the Self-Heal flag is enabled.

Add Resource Customizations to argocd-cm

Update the argocd-cm ConfigMap to ignore differences in container resource requests and limits for common workload types:

data:
  resource.customizations: |
    apps/Deployment:
      ignoreDifferences: |
        jqPathExpressions:
          - .spec.template.spec.containers[].resources.requests
          - .spec.template.spec.containers[].resources.limits
    apps/StatefulSet:
      ignoreDifferences: |
        jqPathExpressions:
          - .spec.template.spec.containers[].resources.requests
          - .spec.template.spec.containers[].resources.limits
    apps/DaemonSet:
      ignoreDifferences: |
        jqPathExpressions:
          - .spec.template.spec.containers[].resources.requests
          - .spec.template.spec.containers[].resources.limits
    argoproj.io/Rollout:
      ignoreDifferences: |
        jqPathExpressions:
          - .spec.template.spec.containers[].resources.requests
          - .spec.template.spec.containers[].resources.limits

How to Apply

1. Edit the ConfigMap:

   kubectl edit configmap argocd-cm -n argocd

2. Add or merge the resource.customizations block under data.

3. Restart the Argo CD application controller:

   kubectl rollout restart deployment argocd-application-controller -n argocd

Once applied, Argo CD will ignore the mutations made by Densify and eliminate unnecessary sync errors and loops.

Troubleshooting

For more guidance on troubleshooting the mutating admission controller, please refer to our Troubleshooting Guide