Merge pull request #9620 from zalando-incubator/sandbox-controller-deployment

szuecs · web-flow · commit 2f90606a9797 · 2025-07-03T12:29:41.000+02:00
feat: Add sandbox controller configuration, disabled by default.
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -1291,3 +1291,6 @@ aws_vpc_cni_network_policy_enforcing_mode: "standard"
 # aws-load-balancer-controller resource settings
 aws_load_balancer_controller_cpu: "100m"
 aws_load_balancer_controller_mem_max: "4Gi"
+
+# configure if sandbox-controller should be deployed
+sandbox_controller_enabled: "false" 
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -297,6 +297,11 @@ post_apply:
   kind : Deployment
   namespace: wiz
 {{- end }}
+{{ if ne .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+- name: sandbox-controller
+  namespace: kube-system
+  kind: Deployment
+{{ end }}
 {{- if and (ne .Cluster.ConfigItems.wiz_enable_runtime_connector_broker "true") (ne .Cluster.ConfigItems.wiz_enable_runtime_connector "true") }}
 - name: wiz-connector-connector
   kind : Secret
diff --git a/cluster/manifests/sandbox-controller/10-sandbox_crd.yaml b/cluster/manifests/sandbox-controller/10-sandbox_crd.yaml
@@ -0,0 +1,38 @@
+{{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: sandboxes.zalando.org
+spec:
+  group: zalando.org
+  names:
+    kind: Sandbox
+    plural: sandboxes
+    singular: sandbox
+    shortNames:
+      - sb
+  scope: Namespaced
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              required:
+                - testContext
+                - sourceHosts
+                - target
+              properties:
+                testContext:
+                  type: string
+                sourceHosts:
+                  type: array
+                  items:
+                    type: string
+                target:
+                  type: string
+{{ end }}
diff --git a/cluster/manifests/sandbox-controller/20-rbac.yaml b/cluster/manifests/sandbox-controller/20-rbac.yaml
@@ -0,0 +1,68 @@
+{{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sandbox-controller
+  namespace: kube-system
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sandbox-controller
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+rules:
+  - apiGroups:
+      - zalando.org
+    resources:
+      - sandboxes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - zalando.org
+    resources:
+      - routegroups
+    verbs:
+      - list
+      - watch
+      - get
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list
+      - watch
+      - get
+      - create
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: sandbox-controller
+  labels:
+    application: sandbox-controller
+    component: sandbox-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sandbox-controller
+subjects:
+  - kind: ServiceAccount
+    name: sandbox-controller
+    namespace: kube-system
+{{ end }}
diff --git a/cluster/manifests/sandbox-controller/30-deployment.yaml b/cluster/manifests/sandbox-controller/30-deployment.yaml
@@ -0,0 +1,44 @@
+# {{ $image := "container-registry.zalando.net/gwproxy/sandbox-controller:main-8" }}
+# {{ $version := index (split $image ":") 1 }}
+
+{{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sandbox-controller
+  namespace: kube-system
+  labels:
+    application: sandbox-controller
+    version: "{{ $version }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      application: sandbox-controller
+  template:
+    metadata:
+      labels:
+        application: sandbox-controller
+        version: "{{ $version }}"
+      annotations:
+        kubernetes-log-watcher/scalyr-parser: |
+          [{"container": "controller", "parser": "keyValue"}]
+        logging/destination: "{{ .Cluster.ConfigItems.log_destination_both }}"
+        # no metrics exposed so far
+        # prometheus.io/path: /metrics
+        # prometheus.io/port: "7979"
+        # prometheus.io/scrape: "true"
+    spec:
+      priorityClassName: "{{ .Cluster.ConfigItems.system_priority_class }}"
+      serviceAccountName: sandbox-controller
+      containers:
+        - name: controller
+          image: "{{ $image }}"
+          resources:
+            limits:
+              cpu: 50m
+              memory: 0.3Gi
+            requests:
+              cpu: 50m
+              memory: 0.3Gi
+{{ end }}
