diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 050b5874e6..b30fbc34e7 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -66,3 +66,14 @@
 nodeSelector: true
 {{- end }}
 {{- end }}
+
+{{- define "vpa.policyUpdateMode" -}}
+{{- $kubeVersion := .Values.global.discovery.kubernetesVersion -}}
+{{- $updateMode := "" -}}
+{{- if semverCompare ">=1.33.0" $kubeVersion -}}
+{{- $updateMode = "InPlaceOrRecreate" -}}
+{{- else -}}
+{{- $updateMode = "Recreate" -}}
+{{- end }}
+{{- $updateMode }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/cdi/cdi-apiserver/vpa.yaml b/templates/cdi/cdi-apiserver/vpa.yaml
index b7d30b5b54..4a0c3adcd3 100644
--- a/templates/cdi/cdi-apiserver/vpa.yaml
+++ b/templates/cdi/cdi-apiserver/vpa.yaml
@@ -12,7 +12,7 @@ spec:
 kind: Deployment
 name: cdi-apiserver
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
diff --git a/templates/cdi/cdi-deployment/vpa.yaml b/templates/cdi/cdi-deployment/vpa.yaml
index 98336946b6..ed1f167b88 100644
--- a/templates/cdi/cdi-deployment/vpa.yaml
+++ b/templates/cdi/cdi-deployment/vpa.yaml
@@ -12,7 +12,7 @@ spec:
 kind: Deployment
 name: cdi-deployment
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
diff --git a/templates/cdi/cdi-operator/deployment.yaml b/templates/cdi/cdi-operator/deployment.yaml
index d255dc092a..40e2dad3f3 100644
--- a/templates/cdi/cdi-operator/deployment.yaml
+++ b/templates/cdi/cdi-operator/deployment.yaml
@@ -32,7 +32,7 @@ spec:
 kind: Deployment
 name: cdi-operator
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
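Review bot: The new `vpa.policyUpdateMode` helper hands `.Values.global.discovery.kubernetesVersion` straight to `semverCompare`, which turns into a rendering error for every VPA manifest when that value is empty or not a valid semver, and should a pre-release such as `1.33.0-rc.1` ever be reported it does not satisfy `>=1.33.0` and silently falls back to `Recreate`. Failing with a clear message is preferable to an opaque template error: `{{- $kubeVersion := .Values.global.discovery.kubernetesVersion | required "global.discovery.kubernetesVersion must be set" -}}`. The gate only proves the Kubernetes version; whether the installed VPA CRD accepts `InPlaceOrRecreate` is a separate assumption worth recording in a `{{/* ... */}}` comment above the define, which currently has none. The file also now ends without a trailing newline (`\ No newline at end of file`).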
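Review bot: `updateMode: {{ include "vpa.policyUpdateMode" . }}` in cdi-apiserver/vpa.yaml drops the quoting the replaced `"Auto"` line had, leaving the field's YAML type to whatever the helper expands to; piping through `quote` keeps it a string even if the helper is later changed or expands to nothing: `updateMode: {{ include "vpa.policyUpdateMode" . | quote }}`. The same line is introduced in the cdi-deployment, cdi-operator, dvcr, virt-api, virt-controller, virt-handler, virt-operator, virtualization-api, virtualization-audit, virtualization-controller and vm-route-forge hunks and should be changed together. As far as I know upstream VPA treats `Auto` as an alias of `Recreate`, so below 1.33 this is behaviour-neutral, while on 1.33+ the updater may resize pods in place — a sentence to that effect in the commit description would help whoever reviews the DaemonSet targets (virt-handler, vm-route-forge).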
@@ -89,7 +89,7 @@ spec:
 ) }}
 {{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
 - name: cdi-operator
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
 env:
 {{- include "kube_api_rewriter.kubeconfig_env" . | nindent 8 }}
 {{- include "cdi_images" . | nindent 8 }}
diff --git a/templates/dvcr/deployment.yaml b/templates/dvcr/deployment.yaml
index ebd1f73f95..3f0dad9270 100644
--- a/templates/dvcr/deployment.yaml
+++ b/templates/dvcr/deployment.yaml
@@ -19,7 +19,7 @@ spec:
 kind: Deployment
 name: dvcr
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_rbac_proxy.vpa_container_policy" . | nindent 4 }}
@@ -66,7 +66,7 @@ spec:
 {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "dvcr")) | nindent 6 }}
 containers:
 - name: dvcr
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
 image: {{ include "helm_lib_module_image" (list . "dvcr") }}
 imagePullPolicy: IfNotPresent
 command:
diff --git a/templates/kube-rbac-proxy/_helpers.tpl b/templates/kube-rbac-proxy/_helpers.tpl
index f047402707..da53f26101 100644
--- a/templates/kube-rbac-proxy/_helpers.tpl
+++ b/templates/kube-rbac-proxy/_helpers.tpl
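Review bot: Switching the dvcr container to `helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted` in the `@@ -66,7` hunk changes its runtime privileges, not just the manifest: judging by the name, the helper drops every capability and applies the restricted Pod Security profile on top of the read-only root filesystem, and its body is not in this diff. The container's `command:`, ports and volume mounts continue outside the hunk, so confirm dvcr neither binds a port below 1024 nor writes anywhere other than a mounted volume, because such a mismatch surfaces as a crash-looping pod after deploy rather than as a render-time error. The same swap is made for cdi-operator (the first hunk on this line), kube-rbac-proxy/_helpers.tpl, virt-operator, pre-delete-hook, virtualization-api and virtualization-controller. A short `{{/* restricted PSS: all capabilities dropped, non-root, read-only root fs */}}` above each include would record the intent for the next maintainer.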
@@ -2,7 +2,7 @@
 {{- $ctx := index . 0 }}
 {{- $settings := index . 1 }}
 - name: {{ $settings.containerName | default "kube-rbac-proxy" }}
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" $ctx | nindent 2 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" $ctx | nindent 2 }}
 {{- if eq $settings.runAsUserNobody true }}
 runAsNonRoot: true
 runAsUser: 65534
diff --git a/templates/kubevirt/virt-api/vpa.yaml b/templates/kubevirt/virt-api/vpa.yaml
index 27fe48d5ca..6e5187c070 100644
--- a/templates/kubevirt/virt-api/vpa.yaml
+++ b/templates/kubevirt/virt-api/vpa.yaml
@@ -12,7 +12,7 @@ spec:
 kind: Deployment
 name: virt-api
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
diff --git a/templates/kubevirt/virt-controller/vpa.yaml b/templates/kubevirt/virt-controller/vpa.yaml
index 9e8de9f7da..4ab74ab458 100644
--- a/templates/kubevirt/virt-controller/vpa.yaml
+++ b/templates/kubevirt/virt-controller/vpa.yaml
@@ -12,7 +12,7 @@ spec:
 kind: Deployment
 name: virt-controller
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
diff --git a/templates/kubevirt/virt-handler/vpa.yaml b/templates/kubevirt/virt-handler/vpa.yaml
index 7a327c5084..1d8cf7dd64 100644
--- a/templates/kubevirt/virt-handler/vpa.yaml
+++ b/templates/kubevirt/virt-handler/vpa.yaml
@@ -12,7 +12,7 @@ spec:
 kind: DaemonSet
 name: virt-handler
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
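Review bot: In the `@@ -2,7 +2,7` hunk of kube-rbac-proxy/_helpers.tpl, the `{{- if eq $settings.runAsUserNobody true }}` block right after the new include still emits `runAsNonRoot: true`; if the `_pss_restricted` helper already sets `runAsNonRoot` (the restricted profile requires it, but the helper body is not in this diff) and those two lines land inside the `securityContext` mapping the include opens, the rendered mapping carries a duplicate key, which most YAML loaders resolve silently to the last value and strict loaders reject. Either confirm the helper leaves `runAsNonRoot` unset or reduce the conditional to `runAsUser: 65534` alone. The enclosing `define` starts before the hunk.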
diff --git a/templates/kubevirt/virt-operator/deployment.yaml b/templates/kubevirt/virt-operator/deployment.yaml
index 44d186acc7..833ef6ccf3 100644
--- a/templates/kubevirt/virt-operator/deployment.yaml
+++ b/templates/kubevirt/virt-operator/deployment.yaml
@@ -29,7 +29,7 @@ spec:
 kind: Deployment
 name: virt-operator
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
@@ -107,7 +107,7 @@ spec:
 ) }}
 {{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
 - name: virt-operator
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
 args:
 - --port
 - "8443"
diff --git a/templates/pre-delete-hook/job.yaml b/templates/pre-delete-hook/job.yaml
index 87b221b3ca..7b48030d44 100644
--- a/templates/pre-delete-hook/job.yaml
+++ b/templates/pre-delete-hook/job.yaml
@@ -17,8 +17,8 @@ spec:
 restartPolicy: Never
 serviceAccountName: virtualization-pre-delete-hook
 containers:
- - name: virtualization-pre-delete-hook
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+ - name: pre-delete-hook
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
 image: {{ include "helm_lib_module_image" (list . "preDeleteHook") }}
 env:
 - name: WAIT_TIMEOUT
diff --git a/templates/virtualization-api/deployment.yaml b/templates/virtualization-api/deployment.yaml
index 722a01b7b1..0a5567c08c 100644
--- a/templates/virtualization-api/deployment.yaml
+++ b/templates/virtualization-api/deployment.yaml
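Review bot: The pre-delete-hook/job.yaml hunk renames the container from `virtualization-pre-delete-hook` to `pre-delete-hook` while the `serviceAccountName: virtualization-pre-delete-hook` line just above keeps the old name, so the Job's naming is now inconsistent and anything keyed on the container name — log collection, alert rules, a containerPolicies entry — would silently stop matching. If the rename is intended, the commit description should say why; otherwise keep `- name: virtualization-pre-delete-hook` and change only the security-context include. The rest of the Job spec lies outside the hunk.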
@@ -22,7 +22,7 @@ spec:
 kind: Deployment
 name: virtualization-api
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 - containerName: virtualization-api
@@ -75,7 +75,7 @@ spec:
 {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "virtualization-api")) | nindent 6 }}
 containers:
 - name: virtualization-api
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
 args:
 - --kubevirt-cabundle=/etc/virt-api/certificates/ca.crt
 - --kubevirt-endpoint=virt-api.d8-{{ .Chart.Name}}.svc
diff --git a/templates/virtualization-audit/deployment.yaml b/templates/virtualization-audit/deployment.yaml
index fd19a11537..dfda5edc81 100644
--- a/templates/virtualization-audit/deployment.yaml
+++ b/templates/virtualization-audit/deployment.yaml
@@ -22,7 +22,7 @@ spec:
 kind: Deployment
 name: virtualization-audit
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 - containerName: virtualization-audit
diff --git a/templates/virtualization-controller/deployment.yaml b/templates/virtualization-controller/deployment.yaml
index d0cf32075b..1ee253d2b0 100644
--- a/templates/virtualization-controller/deployment.yaml
+++ b/templates/virtualization-controller/deployment.yaml
@@ -22,7 +22,7 @@ spec:
 kind: Deployment
 name: virtualization-controller
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 {{- include "kube_api_rewriter.vpa_container_policy" . | nindent 4 }}
@@ -78,7 +78,7 @@ spec:
 containers:
 {{- include "kube_api_rewriter.sidecar_container" . | nindent 8 }}
 - name: virtualization-controller
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
 image: {{ include "helm_lib_module_image" (list . "virtualizationController") }}
 imagePullPolicy: IfNotPresent
 {{- if (.Values.global.enabledModules | has "sdn") }}
diff --git a/templates/vm-route-forge/daemonset.yaml b/templates/vm-route-forge/daemonset.yaml
index 8b0c20cf53..68f9bbb4cf 100644
--- a/templates/vm-route-forge/daemonset.yaml
+++ b/templates/vm-route-forge/daemonset.yaml
@@ -22,7 +22,7 @@ spec:
 kind: DaemonSet
 name: vm-route-forge
 updatePolicy:
- updateMode: "Auto"
+ updateMode: {{ include "vpa.policyUpdateMode" . }}
 resourcePolicy:
 containerPolicies:
 - containerName: vm-route-forge