
Commit df3dd84

authored
feat(registry-scanner): add support for tolerations (#2392)
1 parent 4fa7096 commit df3dd84


5 files changed

+228
-3
lines changed


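--- a/charts/registry-scanner/Chart.yaml
+++ b/charts/registry-scanner/Chart.yaml
@@ -4,7 +4,7 @@ description: Sysdig Registry Scanner
 type: application
 home: https://www.sysdig.com/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
-version: 1.8.0
-appVersion: 0.9.0
+version: 1.9.0
+appVersion: 0.10.0
 maintainers:
 - name: sysdiglabs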

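--- a/charts/registry-scanner/README.md
+++ b/charts/registry-scanner/README.md
@@ -99,6 +99,7 @@ The following table lists the configurable parameters of the Sysdig Registry Sca
 | config.scan.jobs.resources.limits.cpu | The CPU limit for the scanner job. | <code>1</code> |
 | config.scan.jobs.temporaryVolumeSizeLimit | The size limit for the emptyDir volume used by the scanner job.<br/> This volume is used to store both the vulnerability database and the image to scan. | <code>2Gi</code> |
 | config.scan.jobs.nodeSelector | NodeSelector for child jobs. If only .Values.nodeSelector is specified, child jobs will inherit the same nodeSelector as the main pod | <code>{}</code> |
+| config.scan.jobs.tolerations | Tolerations for child jobs. If only .Values.tolerations is specified, child jobs will inherit the same tolerations as the main pod | <code>[]</code> |
 | config.scan.disablePlatformScanning | Force the scan to happen on the client component rather than relying on backend scanning | <code>false</code> |
 | config.scan.imageAnalyzer.maxFileSizeBytes | Maximum size (in bytes) of files that will be analyzed. Larger files, will be skipped during analysis. Default set to 100MB. | <code>104857600</code> |
 | config.scan.imageAnalyzer.maxFileSizeBytesInMemory | Maximum size (in bytes) of files that will be analyzed in memory. Larger files will be first written to disk as temporary files. Default set to 5MB. | <code>5242880</code> |
@@ -140,7 +141,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
 --namespace sysdig-agent \
 --create-namespace \
---version=1.8.0 \
+--version=1.9.0 \
 --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
 --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
 --set config.secureSkipTLS=true \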

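--- a/charts/registry-scanner/templates/configmap.yaml
+++ b/charts/registry-scanner/templates/configmap.yaml
@@ -109,6 +109,13 @@ data:
 nodeSelector:
 {{- toYaml .Values.nodeSelector | nindent 8 }}
 {{- end }}
+{{- if .Values.config.scan.jobs.tolerations }}
+tolerations:
+{{- toYaml .Values.config.scan.jobs.tolerations | nindent 8 }}
+{{- else if .Values.tolerations }}
+tolerations:
+{{- toYaml .Values.tolerations | nindent 8 }}
+{{- end }}
 {{- if .Values.config.scan.securityContext }}
 securityContext:
 {{- include "registry-scanner.scan.securityContext" . | nindent 8}}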
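Review bot: The `else if` on the new side gives an operator no way to opt the child scan jobs out of the main pod's tolerations: the default `config.scan.jobs.tolerations: []` is falsy in Go templates, so the branch always falls through to `.Values.tolerations`, and the scan jobs — which pull and unpack images — end up with every toleration granted to the controller pod, including one that admits it to a tainted dedicated or control-plane node pool. If that inheritance is intended, state it in the values.yaml comment added by this same commit, e.g. `# Child jobs always inherit .Values.tolerations unless this list is non-empty; they cannot be given fewer tolerations than the main pod`; if not, a separate opt-out switch is needed because an empty list cannot express "none". The existing nodeSelector branch just above presumably has the same empty-map behaviour, but its `if` line is outside this hunk. The enclosing `data:` block starts outside the hunk.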
Lines changed: 215 additions & 0 deletions
@@ -0,0 +1,215 @@
1+
suite: Registry Scanner - Tolerations
2+
templates:
3+
- templates/cronjob.yaml
4+
- templates/job.yaml
5+
- templates/configmap.yaml
6+
tests:
7+
# Main pod tolerations tests
8+
- it: applies tolerations to cronjob pod spec
9+
template: templates/cronjob.yaml
10+
set:
11+
tolerations:
12+
- key: node.kubernetes.io/not-ready
13+
operator: Exists
14+
effect: NoExecute
15+
tolerationSeconds: 300
16+
- key: registry-scanner
17+
operator: Equal
18+
value: "true"
19+
effect: NoSchedule
20+
asserts:
21+
- equal:
22+
path: spec.jobTemplate.spec.template.spec.tolerations
23+
value:
24+
- key: node.kubernetes.io/not-ready
25+
operator: Exists
26+
effect: NoExecute
27+
tolerationSeconds: 300
28+
- key: registry-scanner
29+
operator: Equal
30+
value: "true"
31+
effect: NoSchedule
32+
33+
- it: applies tolerations to scanOnStart job pod spec
34+
template: templates/job.yaml
35+
set:
36+
scanOnStart:
37+
enabled: true
38+
tolerations:
39+
- key: node.kubernetes.io/not-ready
40+
operator: Exists
41+
effect: NoExecute
42+
tolerationSeconds: 300
43+
asserts:
44+
- equal:
45+
path: spec.template.spec.tolerations
46+
value:
47+
- key: node.kubernetes.io/not-ready
48+
operator: Exists
49+
effect: NoExecute
50+
tolerationSeconds: 300
51+
52+
- it: does not set tolerations when not configured
53+
template: templates/cronjob.yaml
54+
asserts:
55+
- isNull:
56+
path: spec.jobTemplate.spec.template.spec.tolerations
57+
58+
# Child job tolerations tests via configmap
59+
- it: applies specific child job tolerations to configmap
60+
template: templates/configmap.yaml
61+
set:
62+
config:
63+
scan:
64+
jobs:
65+
tolerations:
66+
- key: scanner-node
67+
operator: Equal
68+
value: "dedicated"
69+
effect: NoSchedule
70+
- key: node.kubernetes.io/disk-pressure
71+
operator: Exists
72+
effect: NoExecute
73+
asserts:
74+
- matchRegex:
75+
path: data['config.yaml']
76+
pattern: |
77+
tolerations:
78+
- effect: NoSchedule
79+
key: scanner-node
80+
operator: Equal
81+
value: dedicated
82+
- effect: NoExecute
83+
key: node\.kubernetes\.io/disk-pressure
84+
operator: Exists
85+
86+
- it: inherits main pod tolerations for child jobs when job-specific tolerations not set
87+
template: templates/configmap.yaml
88+
set:
89+
tolerations:
90+
- key: main-pod-toleration
91+
operator: Equal
92+
value: "true"
93+
effect: NoSchedule
94+
asserts:
95+
- matchRegex:
96+
path: data['config.yaml']
97+
pattern: |
98+
tolerations:
99+
- effect: NoSchedule
100+
key: main-pod-toleration
101+
operator: Equal
102+
value: "true"
103+
104+
- it: prefers job-specific tolerations over main pod tolerations
105+
template: templates/configmap.yaml
106+
set:
107+
tolerations:
108+
- key: main-pod-toleration
109+
operator: Equal
110+
value: "true"
111+
effect: NoSchedule
112+
config:
113+
scan:
114+
jobs:
115+
tolerations:
116+
- key: job-specific-toleration
117+
operator: Equal
118+
value: "dedicated"
119+
effect: NoSchedule
120+
asserts:
121+
- matchRegex:
122+
path: data['config.yaml']
123+
pattern: |
124+
tolerations:
125+
- effect: NoSchedule
126+
key: job-specific-toleration
127+
operator: Equal
128+
value: dedicated
129+
- notMatchRegex:
130+
path: data['config.yaml']
131+
pattern: main-pod-toleration
132+
133+
- it: does not set tolerations in configmap when neither are configured
134+
template: templates/configmap.yaml
135+
asserts:
136+
- notMatchRegex:
137+
path: data['config.yaml']
138+
pattern: "tolerations:"
139+
140+
# Complex tolerations scenarios
141+
- it: handles multiple complex tolerations correctly
142+
template: templates/configmap.yaml
143+
set:
144+
config:
145+
scan:
146+
jobs:
147+
tolerations:
148+
- key: node.kubernetes.io/not-ready
149+
operator: Exists
150+
effect: NoExecute
151+
tolerationSeconds: 300
152+
- key: node.kubernetes.io/unreachable
153+
operator: Exists
154+
effect: NoExecute
155+
tolerationSeconds: 300
156+
- key: registry-scanner
157+
operator: Equal
158+
value: "true"
159+
effect: NoSchedule
160+
- key: high-memory
161+
operator: Exists
162+
effect: NoSchedule
163+
asserts:
164+
- matchRegex:
165+
path: data['config.yaml']
166+
pattern: |
167+
tolerations:
168+
- effect: NoExecute
169+
key: node\.kubernetes\.io/not-ready
170+
operator: Exists
171+
tolerationSeconds: 300
172+
- effect: NoExecute
173+
key: node\.kubernetes\.io/unreachable
174+
operator: Exists
175+
tolerationSeconds: 300
176+
- effect: NoSchedule
177+
key: registry-scanner
178+
operator: Equal
179+
value: "true"
180+
- effect: NoSchedule
181+
key: high-memory
182+
operator: Exists
183+
184+
- it: handles tolerations with various operators
185+
template: templates/cronjob.yaml
186+
set:
187+
tolerations:
188+
- key: test-key
189+
operator: Equal
190+
value: "test-value"
191+
effect: NoSchedule
192+
- key: exists-key
193+
operator: Exists
194+
effect: NoExecute
195+
- effect: NoExecute
196+
tolerationSeconds: 600
197+
asserts:
198+
- equal:
199+
path: spec.jobTemplate.spec.template.spec.tolerations[0]
200+
value:
201+
key: test-key
202+
operator: Equal
203+
value: "test-value"
204+
effect: NoSchedule
205+
- equal:
206+
path: spec.jobTemplate.spec.template.spec.tolerations[1]
207+
value:
208+
key: exists-key
209+
operator: Exists
210+
effect: NoExecute
211+
- equal:
212+
path: spec.jobTemplate.spec.template.spec.tolerations[2]
213+
value:
214+
effect: NoExecute
215+
tolerationSeconds: 600
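Review bot: The fixture on new-side lines 195–196 (`- effect: NoExecute` / `tolerationSeconds: 600`) does not look like a valid Toleration for the Kubernetes API: as I read the API validation, a toleration with an empty key must set `operator: Exists`, and with no operator the default is Equal, so a pod spec carrying it would be rejected at admission even though helm-unittest accepts whatever the template renders. Consider adding `operator: Exists` to that fixture and to the expected object on lines 213–215, so the "various operators" case actually exercises the match-all form rather than an object the cluster would refuse. The hunk covers the whole new file, so no enclosing block is cut.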

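--- a/charts/registry-scanner/values.yaml
+++ b/charts/registry-scanner/values.yaml
@@ -116,6 +116,8 @@ config:
 temporaryVolumeSizeLimit: 2Gi
 # NodeSelector for child jobs. If only .Values.nodeSelector is specified, child jobs will inherit the same nodeSelector as the main pod
 nodeSelector: {}
+# Tolerations for child jobs. If only .Values.tolerations is specified, child jobs will inherit the same tolerations as the main pod
+tolerations: []
 # Force the scan to happen on the client component rather than relying on backend scanning
 disablePlatformScanning: false
 imageAnalyzer: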
