Merge pull request #46 from sachingade20/nodel-level-examples

Added node level sysctl chart for elasticsearch tuning

Author: pattyhair

cloudbees-cd/node-level-sysctl/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: node-level-sysctl
+description: TODO
+version: 0.1.0
+appVersion: N/A

cloudbees-cd/node-level-sysctl/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Cloudbees Flow Public Repos
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

cloudbees-cd/node-level-sysctl/README.md

@@ -0,0 +1,19 @@
+Allows you to configure [node-level sysctls](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#setting-sysctls-for-a-pod).
+Useful for setting Linux kernel parameters which are not namespaced and so not supported by Kubernetes.
+
+A simpler version of [cluster-node-tuning-operator](https://github.com/openshift/cluster-node-tuning-operator).
+
+
+
+Example Install Command  for increasing kernet sysctl count:
+
+```
+
+  helm install \
+                --wait \
+                --namespace kube-system \
+                --set "parameters.vm\.max_map_count=262144" \
+                --set podSecurityPolicy.enabled=true \
+                tune-max-map-count ./
+
+```

cloudbees-cd/node-level-sysctl/templates/NOTES.txt

@@ -0,0 +1 @@
+Kernel parameters should now be tuned.

cloudbees-cd/node-level-sysctl/templates/_helpers.tpl

@@ -0,0 +1,3 @@
+{{/*
+TODO add any required helper functions here
+*/}}

cloudbees-cd/node-level-sysctl/templates/daemonset.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      name: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        name: {{ .Release.Name }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.podSecurityPolicy.enabled }}
+      serviceAccount: {{ .Release.Name }}
+{{- end }}
+      terminationGracePeriodSeconds: 3
+      containers:
+      - name: tune
+        image: busybox:stable
+        securityContext:
+          privileged: true
+          runAsUser: 0
+        resources:
+          requests:
+            cpu: 1m
+            memory: 1Mi
+        command:
+        - sh
+        - -c
+        - |
+          set -ex
+{{- range $k, $v := .Values.parameters }}
+          sysctl -w {{ $k }}={{ $v }}
+{{- end }}
+          sleep infinity

cloudbees-cd/node-level-sysctl/templates/psp.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: privileged-{{ .Release.Namespace }}-{{ .Release.Name }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  volumes:
+  - '*'
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+{{- end }}

cloudbees-cd/node-level-sysctl/templates/role.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - privileged-{{ .Release.Namespace }}-{{ .Release.Name }}
+{{- end -}}

cloudbees-cd/node-level-sysctl/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Release.Name }}
+{{- end -}}

cloudbees-cd/node-level-sysctl/templates/sa.yaml

@@ -0,0 +1,6 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}
+{{- end -}}