Commit 75b3118

[Feature] Pod Security Context (#601)
1 parent f007ab0 commit 75b3118

29 files changed

+310
-146
lines changed

CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,10 @@
1212
- Allow to customize Security Context in pods
1313
- Remove dead Coordinators in Cluster mode
1414
- Add AutoRecovery flag to recover cluster in case of deadlock
15+
- Add Operator Single mode
16+
- Improve SecurityContext settings
17+
- Update k8s dependency to 1.15.11
18+
- Add Scope parameter to Operator
1519

1620
## [1.0.3](https://github.com/arangodb/kube-arangodb/tree/1.0.3) (2020-05-25)
1721
- Prevent deletion of not known PVC's
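Review bot: the new entry "Improve SecurityContext settings" is too vague to stand next to the existing "Allow to customize Security Context in pods" entry on line 12; a reader cannot tell what changed between the two. Name the concrete change (which SecurityContext fields or defaults were altered, and whether existing deployments are affected). "Add Operator Single mode", "Update k8s dependency to 1.15.11" and "Add Scope parameter to Operator" are unrelated features bundled into a commit titled "[Feature] Pod Security Context"; if they cannot be split, the commit message should at least list them.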

Makefile

Lines changed: 9 additions & 2 deletions
@@ -226,7 +226,7 @@ endif
226226
.PHONY: update-vendor
227227
update-vendor:
228228
@rm -Rf $(VENDORDIR)/k8s.io/code-generator
229-
@git clone --branch kubernetes-1.14.1 https://github.com/kubernetes/code-generator.git $(VENDORDIR)/k8s.io/code-generator
229+
@git clone --branch kubernetes-1.15.11 https://github.com/kubernetes/code-generator.git $(VENDORDIR)/k8s.io/code-generator
230230
@rm -Rf $(VENDORDIR)/k8s.io/code-generator/.git
231231

232232

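Review bot: the code-generator checkout is fetched by ref name only (`git clone --branch kubernetes-1.15.11 ...`) with no integrity check, so the generated client code depends on whatever that ref resolves to at build time. The tag matches the k8s.io/* v0.15.11 pins in go.mod, which is consistent, but consider recording the expected commit hash and verifying it after the clone (for example comparing `git -C $(VENDORDIR)/k8s.io/code-generator rev-parse HEAD` against a pinned value) before the `.git` directory is removed on the next line.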
@@ -581,8 +581,15 @@ ifdef PUSHIMAGES
581581
endif
582582
$(ROOTDIR)/scripts/kube_run_sync_tests.sh $(DEPLOYMENTNAMESPACE) '$(ARANGODIMAGE)' '$(ARANGOSYNCIMAGE)' '$(ARANGOSYNCTESTIMAGE)' '$(ARANGOSYNCTESTCTRLIMAGE)' '$(TESTOPTIONS)'
583583

584+
.PHONY: tidy
585+
tidy:
586+
@go mod tidy
587+
588+
.PHONY: deps-reload
589+
deps-reload: tidy init
590+
584591
.PHONY: init
585-
init: tools vendor
592+
init: tools update-generated $(GHRELEASE) $(RELEASE) $(TESTBIN) $(BIN) vendor
586593

587594
.PHONY: tools
588595
tools:
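Review bot: `init` now lists `$(GHRELEASE) $(RELEASE) $(TESTBIN) $(BIN)` ahead of `vendor` on one prerequisite line; make does not treat prerequisite order as a dependency under `-j`, so if building those binaries needs the vendored tree, give them an explicit dependency on `vendor` rather than relying on position. `deps-reload: tidy init` runs `go mod tidy` and then the full `init` (including `update-generated` and `vendor`); a one-line comment above the target saying that this is the intended way to refresh go.mod, go.sum and vendor after a dependency change would help the next contributor.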

README.md

Lines changed: 45 additions & 24 deletions
@@ -28,36 +28,57 @@ state for individual new features, since we expect that new
2828
features will first be released with an "alpha" or "beta" readiness
2929
state and over time move to full "production readiness".
3030

31+
Operator will supports versions supported on providers and maintained by Kubernetes.
32+
Once version is not supported anymore it will go into "Deprecating" state and will be marked as deprecated on Minor release.
33+
3134
The following table has the general readiness state, the table below
3235
covers individual newer features separately.
3336

34-
| Platform | Kubernetes Version | ArangoDB Version | ArangoDB Operator Version | State | Remarks | Provider Remarks |
35-
|---------------------|--------------------|------------------|---------------------------|-------------|-----------------------|------------------------------------|
36-
| Google GKE | 1.14 | >= 3.3.13 | | Production | Don't use micro nodes | |
37-
| Google GKE | 1.15 | >= 3.3.13 | | Production | Don't use micro nodes | |
38-
| Azure AKS | 1.14 | >= 3.3.13 | | Production | | |
39-
| Azure AKS | 1.15 | >= 3.3.13 | | Production | | |
40-
| Amazon EKS | 1.14 | >= 3.3.13 | | Production | | [Amazon EKS](./docs/providers/eks) |
41-
| IBM Cloud | 1.14 | >= 3.4.6.1 | >= 0.3.11 | Production | | |
42-
| OpenShift | 3.11 | >= 3.3.13 | | Production | | |
43-
| OpenShift | 4.2 | >= 3.3.13 | | In Progress | | |
44-
| BareMetal (kubeadm) | 1.14 | >= 3.3.13 | | Production | | |
45-
| Minikube | 1.14 | >= 3.3.13 | | Devel Only | | |
46-
| Other | 1.14 | >= 3.3.13 | | Devel Only | | |
37+
| Platform | Kubernetes Version | ArangoDB Version | ArangoDB Operator Version | State | Remarks | Provider Remarks |
38+
|---------------------|--------------------|------------------|---------------------------|--------------------------|-----------------------|------------------------------------|
39+
| Google GKE | 1.14 | >= 3.3.13 | | Production (Deprecating) | Don't use micro nodes | |
40+
| Google GKE | 1.15 | >= 3.3.13 | | Production (Deprecating) | Don't use micro nodes | |
41+
| Google GKE | 1.16 | >= 3.3.13 | | Production | Don't use micro nodes | |
42+
| Google GKE | 1.17 | >= 3.3.13 | | Production | Don't use micro nodes | |
43+
| Azure AKS | 1.14 | >= 3.3.13 | | Production (Deprecating) | | |
44+
| Azure AKS | 1.15 | >= 3.3.13 | | Production (Deprecating) | | |
45+
| Azure AKS | 1.16 | >= 3.3.13 | | Production | | |
46+
| Azure AKS | 1.17 | >= 3.3.13 | | Production | | |
47+
| Amazon EKS | 1.14 | >= 3.3.13 | | Production (Deprecating) | | [Amazon EKS](./docs/providers/eks) |
48+
| Amazon EKS | 1.15 | >= 3.3.13 | | Production (Deprecating) | | [Amazon EKS](./docs/providers/eks) |
49+
| Amazon EKS | 1.16 | >= 3.3.13 | | Production | | [Amazon EKS](./docs/providers/eks) |
50+
| Amazon EKS | 1.17 | >= 3.3.13 | | Production | | [Amazon EKS](./docs/providers/eks) |
51+
| IBM Cloud | 1.14 | >= 3.4.6.1 | >= 0.3.11 | Production | | |
52+
| OpenShift | 3.11 | >= 3.3.13 | | Production | | |
53+
| OpenShift | 4.2 | >= 3.3.13 | | In Progress | | |
54+
| BareMetal (kubeadm) | 1.14 | >= 3.3.13 | | Production (Deprecating) | | |
55+
| BareMetal (kubeadm) | 1.15 | >= 3.3.13 | | Production (Deprecating) | | |
56+
| BareMetal (kubeadm) | 1.16 | >= 3.3.13 | | Production | | |
57+
| BareMetal (kubeadm) | 1.17 | >= 3.3.13 | | Production | | |
58+
| Minikube | 1.14+ | >= 3.3.13 | | Devel Only | | |
59+
| Other | 1.14+ | >= 3.3.13 | | Devel Only | | |
4760

4861
Feature-wise production readiness table:
4962

50-
| Feature | ArangoDB K8s Operator Version | Production Readiness | Remarks |
51-
|------------------------------|---------------------------------------|---------------------------|-------------------|
52-
| Pod Disruption Budgets | 0.3.10 | new - alpha | |
53-
| | 0.3.11 | beta | |
54-
| Volume Resizing | 0.3.10 | new - beta | |
55-
| | 0.3.11 | beta | |
56-
| Disabling of liveness probes | 0.3.10 | new - beta | |
57-
| | 0.3.11 | production ready | |
58-
| Volume Claim Templates | 0.3.11 | new - alpha | |
59-
| Prometheus Metrics export | 0.3.11 | new - alpha | needs Prometheus |
60-
| User sidecar containers | 0.3.11 | new - alpha | |
63+
| Feature | Operator Version | ArangoDB Version | ArangoDB Edition | State | Enabled | Flag | Remarks |
64+
|---------------------------------|------------------|------------------|-----------------------|------------|---------|------------------------------------------|--------------------------------------------------------------------------|
65+
| Pod Disruption Budgets | 0.3.10 | Any | Community, Enterprise | Alpha | True | N/A | N/A |
66+
| Pod Disruption Budgets | 0.3.11 | Any | Community, Enterprise | Production | True | N/A | N/A |
67+
| Volume Resizing | 0.3.10 | Any | Community, Enterprise | Alpha | True | N/A | N/A |
68+
| Volume Resizing | 0.3.11 | Any | Community, Enterprise | Production | True | N/A | N/A |
69+
| Disabling of liveness probes | 0.3.10 | Any | Community, Enterprise | Alpha | True | N/A | N/A |
70+
| Disabling of liveness probes | 0.3.11 | Any | Community, Enterprise | Production | True | N/A | N/A |
71+
| Volume Claim Templates | 0.3.11 | Any | Community, Enterprise | Alpha | True | N/A | N/A |
72+
| Volume Claim Templates | 1.0.0 | Any | Community, Enterprise | Production | True | N/A | N/A |
73+
| Prometheus Metrics Exporter | 0.3.11 | Any | Community, Enterprise | Alpha | True | N/A | Prometheus required |
74+
| Prometheus Metrics Exporter | 1.0.0 | Any | Community, Enterprise | Production | True | N/A | Prometheus required |
75+
| Sidecar Containers | 0.3.11 | Any | Community, Enterprise | Alpha | True | N/A | N/A |
76+
| Sidecar Containers | 1.0.0 | Any | Community, Enterprise | Production | True | N/A | N/A |
77+
| Operator Single Mode | 1.0.4 | Any | Community, Enterprise | Production | False | --mode.single | Only 1 instance of Operator allowed in namespace when feature is enabled |
78+
| TLS SNI Support | 1.0.3 | >= 3.7.0 | Enterprise | Production | True | --deployment.feature.tls-sni | N/A |
79+
| TLS Runtime Rotation Support | 1.0.4 | > 3.7.0 | Enterprise | Alpha | False | --deployment.feature.tls-rotation | N/A |
80+
| JWT Rotation Support | 1.0.4 | > 3.7.0 | Enterprise | Alpha | False | --deployment.feature.jwt-rotation | N/A |
81+
| Encryption Key Rotation Support | 1.0.4 | > 3.7.0 | Enterprise | Alpha | False | --deployment.feature.encryption-rotation | N/A |
6182

6283
## Release notes for 0.3.16
6384

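Review bot: the new sentence "Operator will supports versions supported on providers and maintained by Kubernetes." has a grammar error (`will supports`) and is ambiguous about which versions are meant; suggest "The Operator supports the Kubernetes versions that are still maintained upstream and offered by the listed providers." The following sentence should also say what "Deprecating" means operationally (still tested, still receiving fixes, or neither), since the platform table now relies on that label. In the feature table, "TLS SNI Support" requires `>= 3.7.0` while the three rotation rows require `> 3.7.0`; if the exclusive bound is intentional it deserves a remark, otherwise align it.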
chart/kube-arangodb/README.md

Lines changed: 9 additions & 0 deletions
@@ -67,6 +67,15 @@ List of the Image Pull Secrets for Operator images.
6767

6868
Default: `[]string`
6969

70+
### `operator.scope`
71+
72+
Scope on which Operator will be configured.
73+
74+
Default: `legacy`
75+
76+
Supported modes:
77+
- `legacy` - mode with limited cluster scope access
78+
7079
### `operator.service.type`
7180

7281
Type of the Operator service.
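Review bot: "Supported modes:" lists only `legacy`, and "mode with limited cluster scope access" does not say what is limited; state which cluster-scoped resources the Operator still touches in this mode and that any other value makes the chart fail to render (the `fail` guard in templates/deployment.yaml enforces this). The description "Scope on which Operator will be configured." reads better as "Scope in which the Operator runs." The entry also omits the value type, unlike the `[]string` default shown just above it.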

chart/kube-arangodb/templates/deployment.yaml

Lines changed: 6 additions & 0 deletions
@@ -1,3 +1,8 @@
1+
{{- if eq .Values.operator.scope "legacy" -}}
2+
# Scope "legacy" selected
3+
{{ else -}}
4+
{{ fail (printf "Operator Scope %s is not supported!" .Values.operator.scope) }}
5+
{{- end -}}
16
apiVersion: apps/v1
27
kind: Deployment
38
metadata:
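Review bot: failing the render on an unknown scope is the right fail-closed choice, but the message "Operator Scope %s is not supported!" does not tell the user which values are accepted; suggest including the allowed list, e.g. `{{ fail (printf "Operator Scope %q is not supported (supported: legacy)" .Values.operator.scope) }}`, where `%q` also keeps an unexpected value readable in the error. The rendered manifest will begin with the `# Scope "legacy" selected` comment line, which is harmless, but if it is only meant as a template-side marker a `{{/* ... */}}` comment keeps it out of the output.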
@@ -72,6 +77,7 @@ spec:
7277
imagePullPolicy: {{ .Values.operator.imagePullPolicy }}
7378
image: {{ .Values.operator.image }}
7479
args:
80+
- --scope={{ .Values.operator.scope }}
7581
{{- if .Values.operator.features.deployment }}
7682
- --operator.deployment
7783
{{- end -}}
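Review bot: `- --scope={{ .Values.operator.scope }}` interpolates the value unquoted into a YAML sequence item. Today the `fail` guard at the top of the file restricts it to `legacy`, but if that guard is ever relaxed, a value containing YAML-significant characters could break or reshape the args list; render it as a quoted scalar, e.g. `- {{ printf "--scope=%s" .Values.operator.scope | quote }}`, so the safety does not depend on the validation block staying in sync.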

chart/kube-arangodb/values.yaml

Lines changed: 2 additions & 0 deletions
@@ -5,6 +5,8 @@ operator:
55
imagePullPolicy: IfNotPresent
66
imagePullSecrets: []
77

8+
scope: legacy
9+
810
args: []
911

1012
service:
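Review bot: `scope: legacy` is added without a comment, while this file is what most chart users read first; add a short comment above it listing the accepted values (currently only `legacy`) and stating that the chart refuses to render anything else, matching the text in chart/kube-arangodb/README.md.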

go.mod

Lines changed: 14 additions & 13 deletions
@@ -8,15 +8,20 @@ replace (
88
github.com/stretchr/testify => github.com/stretchr/testify v1.5.1
99
github.com/ugorji/go => github.com/ugorji/go v0.0.0-20181209151446-772ced7fd4c2
1010

11-
k8s.io/api => k8s.io/api v0.15.9
12-
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.15.9
13-
k8s.io/apimachinery => k8s.io/apimachinery v0.15.9
14-
k8s.io/client-go => k8s.io/client-go v0.15.9
11+
k8s.io/api => k8s.io/api v0.15.11
12+
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.15.11
13+
k8s.io/apimachinery => k8s.io/apimachinery v0.15.11
14+
k8s.io/apiserver => k8s.io/apiserver v0.15.11
15+
k8s.io/client-go => k8s.io/client-go v0.15.11
16+
k8s.io/cloud-provider => k8s.io/cloud-provider v0.15.11
17+
k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.15.11
1518
k8s.io/code-generator => ./deps/k8s.io/code-generator
19+
k8s.io/component-base => k8s.io/component-base v0.15.11
20+
k8s.io/kubernetes => k8s.io/kubernetes v1.15.11
21+
k8s.io/metrics => k8s.io/metrics v0.15.11
1622
)
1723

1824
require (
19-
github.com/aktau/github-release v0.8.1 // indirect
2025
github.com/arangodb-helper/go-certificates v0.0.0-20180821055445-9fca24fc2680
2126
github.com/arangodb/arangosync-client v0.6.3
2227
github.com/arangodb/go-driver v0.0.0-20191002124627-11b6bfc64f67
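Review bot: the replace block now pins `k8s.io/kubernetes v1.15.11` plus `apiserver`, `cloud-provider`, `cluster-bootstrap`, `component-base` and `metrics`; importing k8s.io/kubernetes as a library pulls in a very large transitive tree, so the commit should state which package needs it (none of the visible hunks shows an import). If it is only there to make `go mod` resolve the other k8s.io modules consistently, a comment on that replace line saying so would stop a later cleanup from removing it and breaking the build, or from leaving it in place long after it is needed.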
@@ -30,13 +35,10 @@ require (
3035
github.com/ghodss/yaml v1.0.0
3136
github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3 // indirect
3237
github.com/gin-gonic/gin v1.3.0
33-
github.com/github-release/github-release v0.8.1 // indirect
34-
github.com/google/addlicense v0.0.0-20200422172452-68a83edd47bc // indirect
35-
github.com/inconshreveable/log15 v0.0.0-20200109203555-b30bc20e4fd1 // indirect
38+
github.com/google/addlicense v0.0.0-20200622132530-df58acafd6d5 // indirect
3639
github.com/jessevdk/go-assets v0.0.0-20160921144138-4f4301a06e15
3740
github.com/jessevdk/go-assets-builder v0.0.0-20130903091706-b8483521738f
3841
github.com/julienschmidt/httprouter v1.3.0
39-
github.com/kevinburke/rest v0.0.0-20200429221318-0d2892b400f8 // indirect
4042
github.com/magiconair/properties v1.8.0
4143
github.com/mattn/go-isatty v0.0.12 // indirect
4244
github.com/pkg/errors v0.8.1
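Review bot: removing the `// indirect` entries for `github.com/github-release/github-release`, `inconshreveable/log15` and `kevinburke/rest` means these release-tool dependencies are no longer pinned by go.mod and go.sum (the Makefile's `init` now lists `$(GHRELEASE)` as a prerequisite instead). State where their versions are pinned now; if they are fetched at build time without a version, the release tooling becomes a floating dependency. `addlicense` stays tracked through go.mod at a newer pseudo-version, which is fine, but it is inconsistent for one tool to be pinned this way and github-release not.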
@@ -46,11 +48,10 @@ require (
4648
github.com/spf13/cobra v0.0.5
4749
github.com/spf13/pflag v1.0.5
4850
github.com/stretchr/testify v1.5.1
49-
github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 // indirect
5051
github.com/ugorji/go/codec v0.0.0-20181209151446-772ced7fd4c2 // indirect
51-
github.com/voxelbrain/goptions v0.0.0-20180630082107-58cddc247ea2 // indirect
52-
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
53-
golang.org/x/sys v0.0.0-20200116001909-b77594299b42
52+
golang.org/x/net v0.0.0-20200625001655-4c5254603344
53+
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd
54+
golang.org/x/tools v0.0.0-20200721223218-6123e77877b2 // indirect
5455
gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
5556
gopkg.in/go-playground/validator.v8 v8.18.2 // indirect
5657
k8s.io/api v0.17.3
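Review bot: the context line `k8s.io/api v0.17.3` in `require` disagrees with the `replace` directive that pins `k8s.io/api` to v0.15.11; the replace wins, but readers and `go list -m` output see 0.17.3, and the same mismatch already existed against 0.15.9. Consider aligning the require line to v0.15.11 now that the dependency is being bumped. `golang.org/x/tools` is new as an indirect dependency, presumably from the tool build in `init`, and a mention in the commit message would help.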
