penguin/monok8s
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refine controller template and probe listeners

Browse Source
This commit is contained in:
斟酌 鵬兄
2026-04-27 00:28:25 +08:00
parent 8fae920fc8
commit d7c2dac944
20 changed files with 780 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

111
clitools/pkg/render/controller.go
View File

@@ -14,13 +14,20 @@ import (
monov1alpha1 "example.com/monok8s/pkg/apis/monok8s/v1alpha1"
buildinfo "example.com/monok8s/pkg/buildinfo"
templates "example.com/monok8s/pkg/templates"
)
func RenderControllerDeployments(namespace string) (string, error) {
vals := templates.LoadTemplateValuesFromEnv()
type ControllerConf struct {
Namespace string
Image string
Labels map[string]string
}
labels := map[string]string{
func RenderControllerDeployments(conf ControllerConf) (string, error) {
if conf.Namespace == "" {
return "", fmt.Errorf("namespace is required")
}
conf.Labels = map[string]string{
"app.kubernetes.io/name": monov1alpha1.ControllerName,
"app.kubernetes.io/component": "controller",
"app.kubernetes.io/part-of": "monok8s",
@@ -28,10 +35,10 @@ func RenderControllerDeployments(namespace string) (string, error) {
}
objs := []runtime.Object{
buildControllerServiceAccount(namespace, labels),
buildControllerClusterRole(labels),
buildControllerClusterRoleBinding(namespace, labels),
buildControllerDeployment(vals, namespace, labels),
buildControllerServiceAccount(conf),
buildControllerClusterRole(conf),
buildControllerClusterRoleBinding(conf),
buildControllerDeployment(conf),
}
s := runtime.NewScheme()
@@ -57,7 +64,7 @@ func RenderControllerDeployments(namespace string) (string, error) {
return buf.String(), nil
}
func buildControllerServiceAccount(namespace string, labels map[string]string) *corev1.ServiceAccount {
func buildControllerServiceAccount(conf ControllerConf) *corev1.ServiceAccount {
automount := true
@@ -68,14 +75,14 @@ func buildControllerServiceAccount(namespace string, labels map[string]string) *
},
ObjectMeta: metav1.ObjectMeta{
Name: monov1alpha1.ControllerName,
Namespace: namespace,
Labels: labels,
Namespace: conf.Namespace,
Labels: conf.Labels,
},
AutomountServiceAccountToken: &automount,
}
}
func buildControllerClusterRole(labels map[string]string) *rbacv1.ClusterRole {
func buildControllerClusterRole(conf ControllerConf) *rbacv1.ClusterRole {
wantRules := []rbacv1.PolicyRule{
{
APIGroups: []string{monov1alpha1.Group},
@@ -111,19 +118,19 @@ func buildControllerClusterRole(labels map[string]string) *rbacv1.ClusterRole {
},
ObjectMeta: metav1.ObjectMeta{
Name: monov1alpha1.ControllerName,
Labels: labels,
Labels: conf.Labels,
},
Rules: wantRules,
}
}
func buildControllerClusterRoleBinding(namespace string, labels map[string]string) *rbacv1.ClusterRoleBinding {
func buildControllerClusterRoleBinding(conf ControllerConf) *rbacv1.ClusterRoleBinding {
wantSubjects := []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: monov1alpha1.ControllerName,
Namespace: namespace,
Namespace: conf.Namespace,
},
}
@@ -140,14 +147,14 @@ func buildControllerClusterRoleBinding(namespace string, labels map[string]strin
},
ObjectMeta: metav1.ObjectMeta{
Name: monov1alpha1.ControllerName,
Labels: labels,
Labels: conf.Labels,
},
Subjects: wantSubjects,
RoleRef: wantRoleRef,
}
}
func buildControllerDeployment(tVals templates.TemplateValues, namespace string, labels map[string]string) *appsv1.Deployment {
func buildControllerDeployment(conf ControllerConf) *appsv1.Deployment {
replicas := int32(1)
selectorLabels := map[string]string{
@@ -155,10 +162,13 @@ func buildControllerDeployment(tVals templates.TemplateValues, namespace string,
"app.kubernetes.io/component": "controller",
}
podLabels := mergeStringMaps(labels, selectorLabels)
podLabels := mergeStringMaps(conf.Labels, selectorLabels)
runAsNonRoot := true
allowPrivilegeEscalation := false
userGroup := int64(65532)
image, pullPolicy := controllerImage(conf)
return &appsv1.Deployment{
TypeMeta: metav1.TypeMeta{
@@ -167,8 +177,8 @@ func buildControllerDeployment(tVals templates.TemplateValues, namespace string,
},
ObjectMeta: metav1.ObjectMeta{
Name: monov1alpha1.ControllerName,
Namespace: namespace,
Labels: labels,
Namespace: conf.Namespace,
Labels: conf.Labels,
},
Spec: appsv1.DeploymentSpec{
Replicas: &replicas,
@@ -184,12 +194,12 @@ func buildControllerDeployment(tVals templates.TemplateValues, namespace string,
Containers: []corev1.Container{
{
Name: "controller",
Image: fmt.Sprintf("localhost/monok8s/node-control:%s", buildinfo.Version),
ImagePullPolicy: corev1.PullIfNotPresent,
Image: image,
ImagePullPolicy: pullPolicy,
Args: []string{
"controller",
"--namespace",
namespace,
conf.Namespace,
},
Env: []corev1.EnvVar{
{
@@ -239,6 +249,10 @@ func buildControllerDeployment(tVals templates.TemplateValues, namespace string,
Port: intstr.FromString("http"),
},
},
InitialDelaySeconds: 5,
PeriodSeconds: 60,
TimeoutSeconds: 2,
FailureThreshold: 3,
},
ReadinessProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
@@ -247,13 +261,64 @@ func buildControllerDeployment(tVals templates.TemplateValues, namespace string,
Port: intstr.FromString("http"),
},
},
InitialDelaySeconds: 2,
PeriodSeconds: 5,
TimeoutSeconds: 2,
FailureThreshold: 3,
},
SecurityContext: &corev1.SecurityContext{
RunAsNonRoot: &runAsNonRoot,
RunAsUser: &userGroup,
RunAsGroup: &userGroup,
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
},
},
},
NodeSelector: controllerNodeSelector(conf),
Affinity: controllerAffinity(conf),
},
},
},
}
}
func controllerImage(conf ControllerConf) (string, corev1.PullPolicy) {
if conf.Image != "" {
return conf.Image, corev1.PullIfNotPresent
}
return fmt.Sprintf("localhost/monok8s/node-control:%s", buildinfo.Version), corev1.PullNever
}
func controllerNodeSelector(conf ControllerConf) map[string]string {
if conf.Image != "" {
return nil
}
// Local image exists on managed nodes only.
return map[string]string{
monov1alpha1.NodeControlKey: "true",
}
}
func controllerAffinity(conf ControllerConf) *corev1.Affinity {
// Local image exists only on managed nodes, so in that mode we already use
// NodeSelector and should not fight placement with anti-affinity.
if conf.Image == "" {
return nil
}
return &corev1.Affinity{
PodAntiAffinity: &corev1.PodAntiAffinity{
PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{
{
Weight: 100,
PodAffinityTerm: corev1.PodAffinityTerm{
TopologyKey: corev1.LabelHostname,
LabelSelector: &metav1.LabelSelector{
MatchLabels: monov1alpha1.NodeAgentLabels(),
},
},
},
},
},

139
clitools/pkg/render/sshd.go
View File

@@ -160,6 +160,7 @@ func buildSSHDDeployment(
Labels: podLabels,
},
Spec: corev1.PodSpec{
HostPID: true,
NodeSelector: selectorLabels,
Containers: []corev1.Container{
{
@@ -215,60 +216,110 @@ exec /usr/sbin/sshd \
corev1.ResourceMemory: resource.MustParse("128Mi"),
},
},
VolumeMounts: []corev1.VolumeMount{
{
Name: "authorized-keys",
MountPath: "/authorized-keys",
ReadOnly: true,
},
{
Name: "host-etc",
MountPath: "/host/etc",
},
{
Name: "host-var",
MountPath: "/host/var",
},
},
},
},
Volumes: []corev1.Volume{
{
Name: "authorized-keys",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: sshdConfigName,
VolumeMounts: append(
[]corev1.VolumeMount{
{
Name: "authorized-keys",
MountPath: "/authorized-keys",
ReadOnly: true,
},
DefaultMode: ptrInt32(0600),
},
},
},
{
Name: "host-etc",
VolumeSource: corev1.VolumeSource{
HostPath: &corev1.HostPathVolumeSource{
Path: "/etc",
Type: ptrHostPathType(corev1.HostPathDirectory),
},
},
},
{
Name: "host-var",
VolumeSource: corev1.VolumeSource{
HostPath: &corev1.HostPathVolumeSource{
Path: "/var",
Type: ptrHostPathType(corev1.HostPathDirectory),
},
},
buildHostRootVolumeMounts()...,
),
},
},
Volumes: append(
[]corev1.Volume{
{
Name: "authorized-keys",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: sshdConfigName,
},
DefaultMode: ptrInt32(0600),
},
},
},
},
buildHostRootVolumes()...,
),
},
},
},
}
}
func buildHostRootVolumeMounts() []corev1.VolumeMount {
paths := []struct {
name string
mountPath string
readOnly bool
}{
{"host-bin", "/host/bin", true},
{"host-sbin", "/host/sbin", true},
{"host-lib", "/host/lib", true},
{"host-usr", "/host/usr", true},
{"host-etc", "/host/etc", false},
{"host-run", "/host/run", false},
{"host-proc", "/host/proc", false},
{"host-sys", "/host/sys", false},
{"host-dev", "/host/dev", false},
{"host-var", "/host/var", false},
}
mounts := make([]corev1.VolumeMount, 0, len(paths))
for _, p := range paths {
mounts = append(mounts, corev1.VolumeMount{
Name: p.name,
MountPath: p.mountPath,
ReadOnly: p.readOnly,
})
}
return mounts
}
func buildHostRootVolumes() []corev1.Volume {
hostPathDir := corev1.HostPathDirectory
paths := []struct {
name string
path string
}{
{"host-bin", "/bin"},
{"host-sbin", "/sbin"},
{"host-lib", "/lib"},
{"host-usr", "/usr"},
{"host-etc", "/etc"},
{"host-run", "/run"},
{"host-proc", "/proc"},
{"host-sys", "/sys"},
{"host-dev", "/dev"},
// /var is an rbind mount in monok8s and may be private.
// Mount the real backing path instead.
{"host-var", "/data/var"},
}
volumes := make([]corev1.Volume, 0, len(paths))
for _, p := range paths {
volumes = append(volumes, corev1.Volume{
Name: p.name,
VolumeSource: corev1.VolumeSource{
HostPath: &corev1.HostPathVolumeSource{
Path: p.path,
Type: &hostPathDir,
},
},
})
}
return volumes
}
func ptrInt32(v int32) *int32 {
return &v
}