ncsa · hdpriest-ui · Dec 10, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025
diff --git a/kubernetes/00-namespace.yaml b/kubernetes/00-namespace.yaml
@@ -0,0 +1,14 @@
+---
+# Namespace for ICRN Kernel Manager
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kernels
+  labels:
+    app: icrn-kernel-manager
+    name: kernels
+  annotations:
+    # Pod Security Standards for hardened cluster
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/warn: restricted
diff --git a/kubernetes/01-pv-pvc.yaml b/kubernetes/01-pv-pvc.yaml
@@ -0,0 +1,40 @@
+---
+# PersistentVolume for NFS mount to kernel repository
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: icrn-kernels-pv
+  labels:
+    app: icrn-kernel-manager
+spec:
+  storageClassName: nfs-static
+  capacity:
+    storage: 500Gi  # Adjust based on your kernel repository size
+  accessModes:
+    - ReadWriteMany  # ReadWriteMany allows multiple pods with read and write access
+  nfs:
+    server: harbor-cc.internal.ncsa.edu
+    path: /harbor/illinois/iccp/sw/icrn/dev/kernels
+    readOnly: false
+  persistentVolumeReclaimPolicy: Retain
+
+---
+# PersistentVolumeClaim for the kernels data
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: icrn-kernels-pvc
+  namespace: kernels  # Change to your desired namespace
+  labels:
+    app: icrn-kernel-manager
+spec:
+  storageClassName: nfs-static
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 500Gi
+  selector:
+    matchLabels:
+      app: icrn-kernel-manager
+  volumeName: icrn-kernels-pv
diff --git a/kubernetes/02-web-deployment.yaml b/kubernetes/02-web-deployment.yaml
@@ -0,0 +1,122 @@
+---
+# Deployment for ICRN Web Interface
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: icrn-web
+  namespace: kernels # Change to your desired namespace
+  labels:
+    app: icrn-web
+    component: web-interface
+spec:
+  replicas: 1 # Adjust based on your needs
+  selector:
+    matchLabels:
+      app: icrn-web
+  template:
+    metadata:
+      labels:
+        app: icrn-web
+        component: web-interface
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: web
+          image: hdpriest0uiuc/icrn-kernel-webserver:latest # Update with your registry/tag
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8000
+              name: http
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            capabilities:
+              drop:
+                - ALL
+          env:
+            - name: COLLATED_MANIFESTS_PATH
+              value: "/app/data/collated_manifests.json"
+            - name: PACKAGE_INDEX_PATH
+              value: "/app/data/package_index.json"
+            - name: WORKERS
+              value: "4"
+          volumeMounts:
+            - name: kernels-data
+              mountPath: /app/data
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8000
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8000
+            initialDelaySeconds: 20
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+      volumes:
+        - name: kernels-data
+          persistentVolumeClaim:
+            claimName: icrn-kernels-pvc
+
+---
+# Service for ICRN Web Interface
+apiVersion: v1
+kind: Service
+metadata:
+  name: icrn-web-service
+  namespace: kernels # Change to your desired namespace
+  labels:
+    app: icrn-web
+spec:
+  type: ClusterIP # Change to LoadBalancer if needed
+  selector:
+    app: icrn-web
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8000
+      name: http
+
+---
+# Ingress for ICRN Web Interface
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: icrn-web-ingress
+  namespace: kernels # Change to your desired namespace
+  labels:
+    app: icrn-web
+spec:
+  ingressClassName: traefik # Adjust based on your ingress controller
+  tls:
+    - hosts:
+        - kernels.cori-dev.ncsa.illinois.edu
+      secretName: icrn-web-tls
+  rules:
+    - host: kernels.cori-dev.ncsa.illinois.edu
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: icrn-web-service
+                port:
+                  number: 80
diff --git a/kubernetes/03-cronjob-indexer.yaml b/kubernetes/03-cronjob-indexer.yaml
@@ -0,0 +1,127 @@
+---
+# CronJob to run kernel indexer every hour
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: icrn-kernel-indexer
+  namespace: kernels # Change to your desired namespace
+  labels:
+    app: icrn-kernel-manager
+    component: kernel-indexer
+spec:
+  # Run every hour at minute 0
+  schedule: "0 * * * *"
+
+  # Keep last 3 successful and 5 failed jobs for debugging
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 5
+
+  # Deadline to complete the job (in seconds)
+  startingDeadlineSeconds: 300
+
+  jobTemplate:
+    spec:
+      # Complete job within 30 minutes
+      backoffLimit: 2
+      # Keep failed job pods for 7 days for debugging
+      ttlSecondsAfterFinished: 604800
+      template:
+        metadata:
+          labels:
+            app: icrn-kernel-manager
+            component: kernel-indexer
+        spec:
+          serviceAccountName: icrn-indexer # See RBAC below
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            fsGroup: 55311
+            supplementalGroups:
+              - 55311
+
+          containers:
+            - name: kernel-indexer
+              image: hdpriest0uiuc/icrn-kernel-indexer:latest # Update with your registry/tag
+              imagePullPolicy: IfNotPresent
+              securityContext:
+                allowPrivilegeEscalation: false
+                runAsNonRoot: true
+                runAsUser: 1000
+                capabilities:
+                  drop:
+                    - ALL
+
+              env:
+                - name: KERNEL_ROOT
+                  value: "/app/data" # Path where kernels are stored in the NFS mount
+
+              volumeMounts:
+                - name: kernels-data
+                  mountPath: /app/data
+                  readOnly: false # Needs write access to update index files
+
+              resources:
+                requests:
+                  memory: "512Mi"
+                  cpu: "500m"
+                limits:
+                  memory: "1Gi"
+                  cpu: "1000m"
+
+              # Fail the job if it takes longer than 25 minutes
+              livenessProbe:
+                exec:
+                  command:
+                    - /bin/sh
+                    - -c
+                    - test -f /tmp/indexer.running || exit 1
+                initialDelaySeconds: 60
+                periodSeconds: 300
+
+          volumes:
+            - name: kernels-data
+              persistentVolumeClaim:
+                claimName: icrn-kernels-pvc
+
+          restartPolicy: Never
+
+---
+# ServiceAccount for the kernel indexer CronJob
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: icrn-indexer
+  namespace: kernels # Change to your desired namespace
+  labels:
+    app: icrn-kernel-manager
+
+---
+# ClusterRole for kernel indexer (minimal permissions)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: icrn-indexer-role
+  labels:
+    app: icrn-kernel-manager
+rules:
+  # Minimal permissions - adjust as needed
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+
+---
+# ClusterRoleBinding for kernel indexer
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: icrn-indexer-binding
+  labels:
+    app: icrn-kernel-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: icrn-indexer-role
+subjects:
+  - kind: ServiceAccount
+    name: icrn-indexer
+    namespace: kernels # Change to your desired namespace