Merge pull request #318 from linode/securityContextAffinity
[improvement] set securityContext and use affinity instead of nodeSelector
AshleyDumaine authored Feb 5, 2025
2 parents 1b9f2e7 + caacc51 commit 9a56e2d
Showing 3 changed files with 68 additions and 27 deletions.
18 changes: 15 additions & 3 deletions deploy/ccm-linode-template.yaml
Expand Up @@ -77,10 +77,17 @@ spec:
labels:
app: ccm-linode
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: ccm-linode
nodeSelector:
# The CCM will only run on a Node labelled as a master, you may want to change this
node-role.kubernetes.io/control-plane: ""
tolerations:
# The CCM can run on Nodes tainted as masters
- key: "node-role.kubernetes.io/control-plane"
Expand Down Expand Up @@ -122,6 +129,11 @@ spec:
secretKeyRef:
name: ccm-linode
key: region
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumes:
- name: k8s
hostPath:
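Review bot: The container securityContext added in the second hunk (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`) stops short of `runAsNonRoot: true`, which the Pod Security "restricted" profile also requires alongside the pod-level `seccompProfile: RuntimeDefault` added in the first hunk. Whether the CCM image already runs as a non-root user is not visible here, and the kubelet refuses to start a container that sets `runAsNonRoot: true` but resolves to UID 0, so confirm the image's USER before adding it; `readOnlyRootFilesystem: true` is a separate hardening step worth adding at the same time if the binary writes nothing to its own filesystem. I would extend the block to `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true` followed by the existing capabilities drop. Note that the pod still mounts a hostPath volume (`volumes: - name: k8s hostPath:` at the end of the hunk; the rest of its definition and the matching volumeMount are outside the hunk), which keeps the workload outside the restricted profile regardless of these settings, so the manifest should not be described as restricted-compliant.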
52 changes: 32 additions & 20 deletions deploy/chart/templates/daemonset.yaml
Expand Up @@ -15,13 +15,21 @@ spec:
app: ccm-linode
spec:
serviceAccountName: ccm-linode
{{- if .Values.nodeSelector }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: true
containers:
Expand All @@ -33,8 +41,8 @@ spec:
- --v=3
- --secure-port=10253
- --webhook-secure-port=0
{{- if .Values.linodegoDebug }}
- --linodego-debug={{ .Values.linodegoDebug }}
{{- with .Values.linodegoDebug }}
- --linodego-debug={{ . }}
{{- end }}
{{- if .Values.routeController }}
- --enable-route-controller=true
Expand All @@ -44,36 +52,40 @@ spec:
{{- if not (or .Values.routeController.vpcName .Values.routeController.vpcNames) }}
{{- fail "Neither vpcName nor vpcNames is set. Please set one of them." }}
{{- end }}
{{- if .Values.routeController.vpcName }}
- --vpc-name={{ .Values.routeController.vpcName }}
{{- with .Values.routeController.vpcName }}
- --vpc-name={{ . }}
{{- end }}
{{- if .Values.routeController.vpcNames }}
- --vpc-names={{ .Values.routeController.vpcNames }}
{{- with .Values.routeController.vpcNames }}
- --vpc-names={{ . }}
{{- end }}
- --configure-cloud-routes={{ default true .Values.routeController.configureCloudRoutes }}
- --cluster-cidr={{ required "A valid .Values.routeController.clusterCIDR is required" .Values.routeController.clusterCIDR }}
{{- if .Values.routeController.routeReconciliationPeriod }}
- --route-reconciliation-period={{ .Values.routeController.routeReconciliationPeriod }}
{{- with .Values.routeController.routeReconciliationPeriod }}
- --route-reconciliation-period={{ . }}
{{- end }}
{{- end }}
{{- if .Values.sharedIPLoadBalancing }}
{{- if .Values.sharedIPLoadBalancing.bgpNodeSelector }}
- --bgp-node-selector={{ .Values.sharedIPLoadBalancing.bgpNodeSelector }}
{{- with .Values.sharedIPLoadBalancing.bgpNodeSelector }}
- --bgp-node-selector={{ . }}
{{- end }}
{{- if .Values.sharedIPLoadBalancing.ipHolderSuffix }}
- --ip-holder-suffix={{ .Values.sharedIPLoadBalancing.ipHolderSuffix }}
{{- with .Values.sharedIPLoadBalancing.ipHolderSuffix }}
- --ip-holder-suffix={{ . }}
{{- end}}
- --load-balancer-type={{ required "A valid .Values.sharedIPLoadBalancing.loadBalancerType is required for shared IP load-balancing" .Values.sharedIPLoadBalancing.loadBalancerType }}
{{- end }}
{{- if .Values.tokenHealthChecker }}
- --enable-token-health-checker={{ .Values.tokenHealthChecker }}
{{- with .Values.tokenHealthChecker }}
- --enable-token-health-checker={{ . }}
{{- end }}
{{- if .Values.nodeBalancerTags }}
- --nodebalancer-tags={{ join " " .Values.nodeBalancerTags }}
{{- with .Values.nodeBalancerTags }}
- --nodebalancer-tags={{ join " " . }}
{{- end }}
{{- if .Values.allowUnauthorizedMetrics }}
- --authorization-always-allow-paths="/metrics"
{{- end }}
{{- with .Values.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /etc/kubernetes
name: k8s
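Review bot: The new `containerSecurityContext` rendering in the last hunk is correct, but it sits next to two context lines that limit what it buys: the pod keeps `hostNetwork: true` (end of the first hunk) and the `/etc/kubernetes` volumeMount from the `k8s` hostPath, so the chart still cannot be admitted under the "restricted" Pod Security Standard even with `drop: ALL` and `RuntimeDefault` applied. Dropping ALL capabilities together with hostNetwork only works because `--secure-port=10253` is above 1024 and needs no NET_BIND_SERVICE; that constraint is worth recording next to the port flag as `# port must stay >1024: the container runs with all capabilities dropped`. If the `k8s` volumeMount is not already `readOnly: true` (its remaining fields are outside the hunk), adding it would remove the one write path into the host that survives the new contexts. The `with` blocks also mean an operator override of `containerSecurityContext: {}` silently removes the hardening rather than failing, which is acceptable but should be stated in values.yaml.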
25 changes: 21 additions & 4 deletions deploy/chart/values.yaml
Expand Up @@ -10,10 +10,27 @@ region: ""
# apiTokenRef: "apiToken"
# regionRef: "region"

# node-role.kubernetes.io/master - if set true, it deploys the svc on the master node
nodeSelector:
# The CCM will only run on a Node labelled as a master, you may want to change this
node-role.kubernetes.io/control-plane: ""
# Ensures the CCM runs on control plane nodes
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists

# DEPRECATED: use affinity instead
nodeSelector: {}

securityContext:
seccompProfile:
type: RuntimeDefault

containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL

# Image repository must be 'linode/linode-cloud-controller-manager'. The tag can be changed/set to various ccm versions.
# The pullPolicy is set to Always but can be changed when it is not required to always pull the new image
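Review bot: The `# DEPRECATED: use affinity instead` comment on the new `nodeSelector: {}` default does not say what happens when a user keeps a non-empty value from an older values file: the daemonset template still renders `nodeSelector` when set, so it is applied in addition to the new `affinity` block and both constraints must match, which can leave the CCM unschedulable if the old selector targeted a different label. I would make that explicit as `# DEPRECATED: use affinity instead. Still honoured if set; a non-empty value is ANDed with the affinity rules above, so clear it when migrating.` The `affinity` default uses `operator: Exists` on `node-role.kubernetes.io/control-plane`, which matches the behaviour of the removed empty-string selector, so no migration note is needed for that part. For `containerSecurityContext`, a short comment such as `# runAsNonRoot/readOnlyRootFilesystem are not set here; add them if the image runs as a non-root user` would tell operators what is deliberately left out.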
