kubernetes-sigs
diff --git a/‎docs/bootstrap-methods.md‎
Lines changed: 72 additions & 0 deletions b/‎docs/bootstrap-methods.md‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎examples/kubelet-configuration.yaml‎
Lines changed: 96 additions & 0 deletions b/‎examples/kubelet-configuration.yaml‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎pkg/apis/v1alpha1/ibmnodeclass_types.go‎
Lines changed: 80 additions & 0 deletions b/‎pkg/apis/v1alpha1/ibmnodeclass_types.go‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎pkg/apis/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 90 additions & 0 deletions b/‎pkg/apis/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 90 additions & 0 deletions
@@ -121,6 +121,78 @@ spec:
 
 ### Customization Options
 
+### Kubelet Configuration Overrides
+
+For VPC bootstrap, you can override a subset of kubelet configuration directly from the `IBMNodeClass`. These settings are rendered into the kubelet `config.yaml` on the node and validated by the CRD.
+
+```yaml
+apiVersion: karpenter-ibm.sh/v1alpha1
+kind: IBMNodeClass
+metadata:
+  name: vpc-bootstrap-kubelet
+spec:
+  region: us-south
+  zone: us-south-1
+  vpc: "r006-a8efb117-fd5e-4f63-ae16-4fb9faafa4ff"
+  image: ubuntu-24-04-amd64
+  apiServerEndpoint: "https://10.240.0.1:6443"
+  bootstrapMode: cloud-init
+  securityGroups:
+    - "r006-12345678-1234-1234-1234-123456789012"
+
+  kubelet:
+    clusterDNS:
+      - 10.96.0.10
+      - 10.96.0.11
+
+    maxPods: 150
+    podsPerCore: 10
+
+    kubeReserved:
+      cpu: "200m"
+      memory: "512Mi"
+
+    systemReserved:
+      cpu: "100m"
+      memory: "256Mi"
+
+    evictionHard:
+      memory.available: "500Mi"
+
+    evictionSoft:
+      memory.available: "1Gi"
+
+    evictionSoftGracePeriod:
+      memory.available: "1m0s"
+
+    evictionMaxPodGracePeriod: 120
+
+    imageGCHighThresholdPercent: 85
+    imageGCLowThresholdPercent: 70
+
+    cpuCFSQuota: true
+
+```
+* **Reserved resources**
+    * `systemReserved` and `kubeReserved` keys must be one of:
+      `cpu`, `memory`, `ephemeral-storage`, `pid`.
+    * Values must not be negative (strings starting with `-` are rejected).
+
+* **Eviction settings**
+    * `evictionHard`, `evictionSoft`, and `evictionSoftGracePeriod` may only use:
+      `memory.available`, `nodefs.available`, `nodefs.inodesFree`,
+      `imagefs.available`, `imagefs.inodesFree`, `pid.available`.
+    * Every key in `evictionSoft` must exist in `evictionSoftGracePeriod`.
+    * Every key in `evictionSoftGracePeriod` must exist in `evictionSoft`.
+
+* **Image garbage collection**
+    * `imageGCHighThresholdPercent` and `imageGCLowThresholdPercent` must be in
+      the range `[0, 100]`.
+    * If both are set, `imageGCLowThresholdPercent` must be **less than**
+      `imageGCHighThresholdPercent`.
+
+For a complete reference, see `examples/kubelet-configuration.yaml`.
+
 #### **Custom User Data**
 ```yaml
 spec:
 
@@ -0,0 +1,96 @@
+---
+# Example: IBMNodeClass with kubelet configuration overrides
+apiVersion: karpenter-ibm.sh/v1alpha1
+kind: IBMNodeClass
+metadata:
+  name: kubelet-config-nodeclass
+spec:
+  # Basic VPC-backed configuration
+  region: us-south
+  zone: us-south-1
+  vpc: "r006-a8efb117-fd5e-4f63-ae16-4fb9faafa4ff"
+  subnet: "0717-197e06f4-b500-426c-bc0f-900b215f996c"
+
+  apiServerEndpoint: "https://10.240.0.1:6443"
+  bootstrapMode: cloud-init
+
+  securityGroups:
+    - "r006-12345678-1234-1234-1234-123456789012"
+
+  image: "r006-dd3c20fa-71d3-4dc0-913f-2f097bf3e500"
+
+  sshKeys:
+    - "r006-82091c89-68e4-4b3f-bd2b-4e63ca2f67da"
+
+  resourceGroup: "88427352321742ef8cfac50b0ee6cc26"
+
+  # Kubelet configuration (subset of upstream KubeletConfiguration)
+  kubelet:
+    # DNS for the cluster (overrides CLUSTER_DNS from bootstrap)
+    clusterDNS:
+      - 10.96.0.10
+
+    # Pod density settings
+    maxPods: 150
+    podsPerCore: 10
+
+    # Reserved resources for Kubernetes components
+    kubeReserved:
+      cpu: "200m"
+      memory: "512Mi"
+
+    # Reserved resources for OS/system daemons
+    systemReserved:
+      cpu: "100m"
+      memory: "256Mi"
+
+    # Eviction thresholds
+    evictionHard:
+      memory.available: "500Mi"
+
+    evictionSoft:
+      memory.available: "1Gi"
+
+    evictionSoftGracePeriod:
+      memory.available: 1m0s
+
+    evictionMaxPodGracePeriod: 120
+
+    # Image garbage collection thresholds
+    # Validation enforces 0 <= low < high <= 100
+    imageGCHighThresholdPercent: 85
+    imageGCLowThresholdPercent: 70
+
+    # Enforce CPU CFS quota for pods that specify CPU limits
+    cpuCFSQuota: true
+---
+apiVersion: karpenter.sh/v1
+kind: NodePool
+metadata:
+  name: kubelet-config-nodepool
+spec:
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/managed-by: karpenter
+        example: kubelet-config
+    spec:
+      nodeClassRef:
+        apiVersion: karpenter-ibm.sh/v1alpha1
+        kind: IBMNodeClass
+        name: kubelet-config-nodeclass
+      requirements:
+        - key: "kubernetes.io/arch"
+          operator: In
+          values: ["amd64"]
+        - key: "kubernetes.io/os"
+          operator: In
+          values: ["linux"]
+        - key: "node.kubernetes.io/instance-type"
+          operator: In
+          values: ["bx2-4x16", "bx2-8x32"]
+  disruption:
+    consolidationPolicy: WhenEmpty
+    consolidateAfter: 30s
+  limits:
+    cpu: "1000"
@@ -253,6 +253,77 @@ type BlockDeviceMapping struct {
 	RootVolume bool `json:"rootVolume,omitempty"`
 }
 
+// KubeletConfiguration defines args to be used when configuring kubelet on provisioned nodes.
+type KubeletConfiguration struct {
+	// ClusterDNS is a list of IP addresses for the cluster DNS server.
+	// +optional
+	ClusterDNS []string `json:"clusterDNS,omitempty"`
+
+	// MaxPods is an override for the maximum number of pods that can run on a worker node instance.
+	// +kubebuilder:validation:Minimum:=0
+	// +optional
+	MaxPods *int32 `json:"maxPods,omitempty"`
+
+	// PodsPerCore is an override for the number of pods that can run on a worker node
+	// instance based on the number of cpu cores.
+	// +kubebuilder:validation:Minimum:=0
+	// +optional
+	PodsPerCore *int32 `json:"podsPerCore,omitempty"`
+
+	// SystemReserved contains resources reserved for OS system daemons and kernel memory.
+	// +kubebuilder:validation:XValidation:message="valid keys for systemReserved are ['cpu','memory','ephemeral-storage','pid']",rule="self.all(x, x=='cpu' || x=='memory' || x=='ephemeral-storage' || x=='pid')"
+	// +kubebuilder:validation:XValidation:message="systemReserved value cannot be a negative resource quantity",rule="self.all(x, !self[x].startsWith('-'))"
+	// +optional
+	SystemReserved map[string]string `json:"systemReserved,omitempty"`
+
+	// KubeReserved contains resources reserved for Kubernetes system components.
+	// +kubebuilder:validation:XValidation:message="valid keys for kubeReserved are ['cpu','memory','ephemeral-storage','pid']",rule="self.all(x, x=='cpu' || x=='memory' || x=='ephemeral-storage' || x=='pid')"
+	// +kubebuilder:validation:XValidation:message="kubeReserved value cannot be a negative resource quantity",rule="self.all(x, !self[x].startsWith('-'))"
+	// +optional
+	KubeReserved map[string]string `json:"kubeReserved,omitempty"`
+
+	// EvictionHard is the map of signal names to quantities that define hard eviction thresholds
+	// +kubebuilder:validation:XValidation:message="valid keys for evictionHard are ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available']",rule="self.all(x, x in ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available'])"
+	// +kubebuilder:validation:XValidation:message="evictionHard value cannot be a negative resource quantity",rule="self.all(x, !self[x].startsWith('-'))"
+	// +optional
+	EvictionHard map[string]string `json:"evictionHard,omitempty"`
+
+	// EvictionSoft is the map of signal names to quantities that define soft eviction thresholds
+	// +kubebuilder:validation:XValidation:message="valid keys for evictionSoft are ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available']",rule="self.all(x, x in ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available'])"
+	// +kubebuilder:validation:XValidation:message="evictionSoft value cannot be a negative resource quantity",rule="self.all(x, !self[x].startsWith('-'))"
+	// +optional
+	EvictionSoft map[string]string `json:"evictionSoft,omitempty"`
+
+	// EvictionSoftGracePeriod is the map of signal names to quantities that define grace periods for each eviction signal
+	// +kubebuilder:validation:XValidation:message="valid keys for evictionSoftGracePeriod are ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available']",rule="self.all(x, x in ['memory.available','nodefs.available','nodefs.inodesFree','imagefs.available','imagefs.inodesFree','pid.available'])"
+	// +optional
+	EvictionSoftGracePeriod map[string]metav1.Duration `json:"evictionSoftGracePeriod,omitempty"`
+
+	// EvictionMaxPodGracePeriod is the maximum allowed grace period (in seconds) to use when terminating pods in
+	// response to soft eviction thresholds being met.
+	// +kubebuilder:validation:Minimum:=0
+	// +optional
+	EvictionMaxPodGracePeriod *int32 `json:"evictionMaxPodGracePeriod,omitempty"`
+
+	// ImageGCHighThresholdPercent is the percent of disk usage after which image
+	// garbage collection is always run.
+	// +kubebuilder:validation:Minimum:=0
+	// +kubebuilder:validation:Maximum:=100
+	// +optional
+	ImageGCHighThresholdPercent *int32 `json:"imageGCHighThresholdPercent,omitempty"`
+
+	// ImageGCLowThresholdPercent is the percent of disk usage before which image
+	// garbage collection is never run.
+	// +kubebuilder:validation:Minimum:=0
+	// +kubebuilder:validation:Maximum:=100
+	// +optional
+	ImageGCLowThresholdPercent *int32 `json:"imageGCLowThresholdPercent,omitempty"`
+
+	// CPUCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits.
+	// +optional
+	CPUCFSQuota *bool `json:"cpuCFSQuota,omitempty"`
+}
+
 // VolumeSpec defines IBM Cloud volume configuration
 type VolumeSpec struct {
 	// Capacity is the volume size in gigabytes
@@ -507,6 +578,15 @@ type IBMNodeClassSpec struct {
 	// +optional
 	// +kubebuilder:validation:MaxItems=10
 	BlockDeviceMappings []BlockDeviceMapping `json:"blockDeviceMappings,omitempty"`
+
+	// Kubelet defines args to be used when configuring kubelet on provisioned nodes.
+	// They are a subset of the upstream types, recognizing not all options may be supported.
+	// Wherever possible, the types and names should reflect the upstream kubelet types.
+	// +optional
+	// +kubebuilder:validation:XValidation:message="imageGCHighThresholdPercent must be greater than imageGCLowThresholdPercent",rule="has(self.imageGCHighThresholdPercent) && has(self.imageGCLowThresholdPercent) ? self.imageGCHighThresholdPercent > self.imageGCLowThresholdPercent : true"
+	// +kubebuilder:validation:XValidation:message="evictionSoft key does not have a matching evictionSoftGracePeriod",rule="has(self.evictionSoft) ? self.evictionSoft.all(e, e in self.evictionSoftGracePeriod) : true"
+	// +kubebuilder:validation:XValidation:message="evictionSoftGracePeriod key does not have a matching evictionSoft",rule="has(self.evictionSoftGracePeriod) ? self.evictionSoftGracePeriod.all(e, e in self.evictionSoft) : true"
+	Kubelet *KubeletConfiguration `json:"kubelet,omitempty"`
 }
 
 // IBMNodeClassStatus defines the observed state of IBMNodeClass