Feat: Adding support for priority class (#23)

* Adding support for priority class

Signed-off-by: Roey <[email protected]>

* Add PriorityClass permissions

* Add PriorityClass permissions

---------

Signed-off-by: Roey <[email protected]>
Co-authored-by: ohoffman <[email protected]>

Author: rlevartovsky

charts/konnector/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.24-rc.2
+version: 1.0.24-rc.3
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team

charts/konnector/templates/_helpers.tpl

@@ -61,6 +61,9 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.priorityClassValues.enabled }}
+      priorityClassName: {{ .Values.priorityClassValues.classes.high.name }}
+      {{- end }}
       volumes:
         - name: {{ .Values.system.secrets.backendAuth.name }}
           secret:

charts/konnector/templates/batch.yaml

@@ -37,6 +37,9 @@ spec:
     spec:
       serviceAccountName: {{ .Values.system.serviceAccount.name }}
       restartPolicy: "Never"
+      {{- if .Values.priorityClassValues.enabled }}
+      priorityClassName: {{ .Values.priorityClassValues.classes.high.name }}
+      {{- end }}
       containers:
         - name: helm-uninstall
           image: alpine/helm:3.17.2

charts/konnector/templates/priorityclass.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.priorityClassValues.enabled }}
+{{- range $priority, $class := .Values.priorityClassValues.classes }}
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: {{ $class.name }}
+  labels:
+    {{- include "common.labels" $ | nindent 4 }}
+value: {{ $class.value }}
+description: "This priority class should be used for {{ $priority }} Cortex components."
+---
+{{- end }}
+{{- end }}

charts/konnector/values.yaml

@@ -33,6 +33,17 @@ optionalValues:
 proxyValues:
   httpProxy: ""  # Optional proxy URL for external network access
   noProxy: "kubernetes,kubernetes.default.svc,.svc,.cluster.local"  # List of addresses/domains that should bypass the proxy
+
+priorityClassValues:
+  enabled: true
+  classes:
+    critical:
+      name: "cortex-critical"
+      value: 1000000
+    high:
+      name: "cortex-high" # The default value for workloads without priority class defined
+      value: 900000
+
 # ==========================
 # ### System Section ###
 # ==========================
@@ -104,6 +115,9 @@ system:
         - apiGroups: ["rbac.authorization.k8s.io"]
           resources: ["clusterroles", "roles", "rolebindings", "clusterrolebindings"]
           verbs: ["create", "patch", "delete"]
+        - apiGroups: ["scheduling.k8s.io"]
+          resources: ["priorityclasses"]
+          verbs: ["create", "patch", "delete"]
     konnector-cluster-manager:
       rules:
         - apiGroups: [""]