feat: Add sandbox controller

ponimas · ponimas · commit fabf6247d461 · 2025-06-30T17:44:59.000+02:00
Added the deployment manifest for the sandbox-controller component.

A new cluster configuration item, sandbox_controller_enabled, has been introduced to control its deployment. The controller is disabled by default, and setting this config item to "true" is required to enable its deployment in the cluster.

A conditional deletion rule was added to ensure the deployment is removed when the configuration item is not set to "true".
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -1287,3 +1287,6 @@ aws_vpc_cni_network_policy_enforcing_mode: "standard"
 # aws-load-balancer-controller resource settings
 aws_load_balancer_controller_cpu: "100m"
 aws_load_balancer_controller_mem_max: "4Gi"
+
+# configure if sandbox-controller should be deployed
+sandbox_controller_enabled: "false" 
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -297,6 +297,11 @@ post_apply:
   kind : Deployment
   namespace: wiz
 {{- end }}
+{{ if ne .Cluster.ConfigItems.sandbox_controller_enabled "true" }}
+- name: sandbox-controller
+  namespace: kube-system
+  kind: Deployment
+{{ end }}
 {{- if and (ne .Cluster.ConfigItems.wiz_enable_runtime_connector_broker "true") (ne .Cluster.ConfigItems.wiz_enable_runtime_connector "true") }}
 - name: wiz-connector-connector
   kind : Secret
diff --git a/cluster/manifests/sandbox-controller/deployment.yaml b/cluster/manifests/sandbox-controller/deployment.yaml
@@ -0,0 +1,42 @@
+# {{ $image := "container-registry.zalando.net/gwproxy/sandbox-controller:main-8" }}
+# {{ $version := index (split $image ":") 1 }}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sandbox-controller
+  namespace: kube-system
+  labels:
+    application: sandbox-controller
+    version: "{{ $version }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      application: sandbox-controller
+  template:
+    metadata:
+      labels:
+        application: sandbox-controller
+        version: "{{ $version }}"
+      annotations:
+        kubernetes-log-watcher/scalyr-parser: |
+          [{"container": "controller", "parser": "keyValue"}]
+        logging/destination: "{{ .Cluster.ConfigItems.log_destination_both }}"
+        # no metrics exposed so far
+        # prometheus.io/path: /metrics
+        # prometheus.io/port: "7979"
+        # prometheus.io/scrape: "true"
+    spec:
+      priorityClassName: "{{ .Cluster.ConfigItems.system_priority_class }}"
+      serviceAccountName: sandbox-controller
+      containers:
+        - name: controller
+          image: "{{ $image }}"
+          resources:
+            limits:
+              cpu: 50m
+              memory: 0.3Gi
+            requests:
+              cpu: 50m
+              memory: 0.3Gi
