From 6e8d9a6188e526e26eb6e42c307574ca66ab071f Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Thu, 30 May 2024 14:18:00 +0200 Subject: [PATCH] Implement DaemonSet which runs `ip monitor` on all nodes --- class/openshift4-nodes.yml | 1 + component/ip-monitor-daemonset.jsonnet | 77 ++++++++++++++++++ .../openshift4-nodes/40_ip_monitor.yaml | 81 +++++++++++++++++++ .../openshift4-nodes/40_ip_monitor.yaml | 81 +++++++++++++++++++ .../openshift4-nodes/40_ip_monitor.yaml | 81 +++++++++++++++++++ .../openshift4-nodes/40_ip_monitor.yaml | 81 +++++++++++++++++++ .../openshift4-nodes/40_ip_monitor.yaml | 81 +++++++++++++++++++ .../openshift4-nodes/40_ip_monitor.yaml | 81 +++++++++++++++++++ 8 files changed, 564 insertions(+) create mode 100644 component/ip-monitor-daemonset.jsonnet create mode 100644 tests/golden/defaults/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml create mode 100644 tests/golden/gcp/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml create mode 100644 tests/golden/machineconfig/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml create mode 100644 tests/golden/maxpods/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml create mode 100644 tests/golden/pidslimit/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml create mode 100644 tests/golden/remove-machineconfigpool/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml diff --git a/class/openshift4-nodes.yml b/class/openshift4-nodes.yml index d534f79..be43d6e 100644 --- a/class/openshift4-nodes.yml +++ b/class/openshift4-nodes.yml @@ -15,5 +15,6 @@ parameters: - openshift4-nodes/component/oc-debug-node.jsonnet - openshift4-nodes/component/aggregated-clusterroles.jsonnet - openshift4-nodes/component/egress-interfaces.jsonnet + - openshift4-nodes/component/ip-monitor-daemonset.jsonnet input_type: jsonnet output_path: openshift4-nodes/ diff --git a/component/ip-monitor-daemonset.jsonnet b/component/ip-monitor-daemonset.jsonnet new file mode 100644 index 0000000..de3d549 --- /dev/null 
+++ b/component/ip-monitor-daemonset.jsonnet @@ -0,0 +1,77 @@ +local kap = import 'lib/kapitan.libjsonnet'; +local kube = import 'lib/kube.libjsonnet'; + +local inv = kap.inventory(); +local params = inv.parameters.openshift4_nodes; + +local command = 'ip -ts monitor address link mroute netconf nexthop nsid prefix route rule'; + +// what do we need: +// namespace +// serviceaccount +// rolebinding for scc hostnetwork +// daemonset which has hostNetwork: true and which runs the comment + +local namespace = 'appuio-ip-monitor'; + +local ns = kube.Namespace('appuio-ip-monitor') { + metadata+: { + annotations+: { + 'openshift.io/node-selector': '', + }, + labels+: { + 'openshift.io/cluster-monitoring': 'true', + }, + }, +}; + +local sa = kube.ServiceAccount('ip-monitor') { + metadata+: { + namespace: namespace, + }, +}; + +local sccRoleBinding = kube.RoleBinding('ip-monitor-scc-hostnetwork') { + metadata+: { + namespace: namespace, + }, + subjects_: [ sa ], + roleRef: { + kind: 'ClusterRole', + name: 'system:openshift:scc:hostnetwork-v2', + }, +}; + +local ds = kube.DaemonSet('ip-monitor') { + metadata+: { + namespace: namespace, + }, + spec+: { + template+: { + spec+: { + containers_+: { + ipmon: kube.Container('ip-monitor') { + image: 'image-registry.openshift-image-registry.svc:5000/openshift/tools:latest', + command: [ '/bin/sh', '-c', 'trap : TERM INT; %s & wait' % command ], + }, + }, + hostNetwork: true, + priorityClassName: 'system-node-critical', + // run on all nodes + tolerations: [ + { operator: 'Exists' }, + ], + serviceAccountName: sa.metadata.name, + }, + }, + }, +}; + +{ + '40_ip_monitor': [ + ns, + sa, + sccRoleBinding, + ds, + ], +} diff --git a/tests/golden/defaults/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml b/tests/golden/defaults/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml new file mode 100644 index 0000000..acc84db --- /dev/null +++ b/tests/golden/defaults/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml 
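Review bot: The `ipmon` container runs with `hostNetwork: true` on every node (the `operator: Exists` toleration covers control-plane nodes as well) yet declares no `securityContext` and no `resources`, so its hardening depends entirely on whatever the `hostnetwork-v2` SCC defaults to; since `ip monitor` only subscribes to netlink events it should be able to run with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: { drop: [ 'ALL' ] }`, and a memory limit keeps a noisy node from letting a `system-node-critical` pod grow unbounded. Pulling `openshift/tools:latest` (rendered with `imagePullPolicy: Always`) means every restart may execute a different image; if the in-cluster imagestream is intentional, consider pinning a tag or digest or add a comment stating why `latest` is acceptable for this debugging tool. Minor: the namespace literal is duplicated (`kube.Namespace('appuio-ip-monitor')` should use the `namespace` local defined just above), and the design comment says `runs the comment` where `runs the command` is meant. The resource values below are placeholders that need sizing against real `ip monitor` output volume.
```jsonnet
      containers_+: {
        ipmon: kube.Container('ip-monitor') {
          image: 'image-registry.openshift-image-registry.svc:5000/openshift/tools:latest',
          command: [ '/bin/sh', '-c', 'trap : TERM INT; %s & wait' % command ],
          // `ip monitor` only reads netlink events from the host namespace;
          // no capabilities and no writable filesystem are required.
          securityContext: {
            allowPrivilegeEscalation: false,
            readOnlyRootFilesystem: true,
            capabilities: { drop: [ 'ALL' ] },
          },
          // Bound the pod so a chatty node cannot starve others
          // (values are placeholders, size against observed usage).
          resources: {
            requests: { cpu: '10m', memory: '32Mi' },
            limits: { memory: '64Mi' },
          },
        },
      },
      // … unchanged: hostNetwork, priorityClassName, tolerations, serviceAccountName …
```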
@@ -0,0 +1,81 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: '' + labels: + name: appuio-ip-monitor + openshift.io/cluster-monitoring: 'true' + name: appuio-ip-monitor +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: ip-monitor-scc-hostnetwork + name: ip-monitor-scc-hostnetwork + namespace: appuio-ip-monitor +roleRef: + kind: ClusterRole + name: system:openshift:scc:hostnetwork-v2 +subjects: + - kind: ServiceAccount + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +spec: + selector: + matchLabels: + name: ip-monitor + template: + metadata: + annotations: {} + labels: + name: ip-monitor + spec: + containers: + - args: [] + command: + - /bin/sh + - -c + - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop + nsid prefix route rule & wait' + env: [] + image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest + imagePullPolicy: Always + name: ip-monitor + ports: [] + stdin: false + tty: false + volumeMounts: [] + hostNetwork: true + imagePullSecrets: [] + initContainers: [] + priorityClassName: system-node-critical + serviceAccountName: ip-monitor + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: [] + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate diff --git a/tests/golden/gcp/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml b/tests/golden/gcp/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml new file mode 100644 index 0000000..acc84db --- /dev/null +++ b/tests/golden/gcp/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: '' + labels: + name: appuio-ip-monitor + openshift.io/cluster-monitoring: 'true' + name: appuio-ip-monitor +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: ip-monitor-scc-hostnetwork + name: ip-monitor-scc-hostnetwork + namespace: appuio-ip-monitor +roleRef: + kind: ClusterRole + name: system:openshift:scc:hostnetwork-v2 +subjects: + - kind: ServiceAccount + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +spec: + selector: + matchLabels: + name: ip-monitor + template: + metadata: + annotations: {} + labels: + name: ip-monitor + spec: + containers: + - args: [] + command: + - /bin/sh + - -c + - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop + nsid prefix route rule & wait' + env: [] + image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest + imagePullPolicy: Always + name: ip-monitor + ports: [] + stdin: false + tty: false + volumeMounts: [] + hostNetwork: true + imagePullSecrets: [] + initContainers: [] + priorityClassName: system-node-critical + serviceAccountName: ip-monitor + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: [] + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate diff --git a/tests/golden/machineconfig/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml b/tests/golden/machineconfig/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml new file mode 100644 index 0000000..acc84db --- /dev/null +++ b/tests/golden/machineconfig/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: '' + labels: + name: appuio-ip-monitor + openshift.io/cluster-monitoring: 'true' + name: appuio-ip-monitor +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: ip-monitor-scc-hostnetwork + name: ip-monitor-scc-hostnetwork + namespace: appuio-ip-monitor +roleRef: + kind: ClusterRole + name: system:openshift:scc:hostnetwork-v2 +subjects: + - kind: ServiceAccount + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +spec: + selector: + matchLabels: + name: ip-monitor + template: + metadata: + annotations: {} + labels: + name: ip-monitor + spec: + containers: + - args: [] + command: + - /bin/sh + - -c + - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop + nsid prefix route rule & wait' + env: [] + image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest + imagePullPolicy: Always + name: ip-monitor + ports: [] + stdin: false + tty: false + volumeMounts: [] + hostNetwork: true + imagePullSecrets: [] + initContainers: [] + priorityClassName: system-node-critical + serviceAccountName: ip-monitor + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: [] + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate diff --git a/tests/golden/maxpods/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml b/tests/golden/maxpods/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml new file mode 100644 index 0000000..acc84db --- /dev/null +++ b/tests/golden/maxpods/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: '' + labels: + name: appuio-ip-monitor + openshift.io/cluster-monitoring: 'true' + name: appuio-ip-monitor +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: ip-monitor-scc-hostnetwork + name: ip-monitor-scc-hostnetwork + namespace: appuio-ip-monitor +roleRef: + kind: ClusterRole + name: system:openshift:scc:hostnetwork-v2 +subjects: + - kind: ServiceAccount + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +spec: + selector: + matchLabels: + name: ip-monitor + template: + metadata: + annotations: {} + labels: + name: ip-monitor + spec: + containers: + - args: [] + command: + - /bin/sh + - -c + - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop + nsid prefix route rule & wait' + env: [] + image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest + imagePullPolicy: Always + name: ip-monitor + ports: [] + stdin: false + tty: false + volumeMounts: [] + hostNetwork: true + imagePullSecrets: [] + initContainers: [] + priorityClassName: system-node-critical + serviceAccountName: ip-monitor + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: [] + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate diff --git a/tests/golden/pidslimit/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml b/tests/golden/pidslimit/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml new file mode 100644 index 0000000..acc84db --- /dev/null +++ b/tests/golden/pidslimit/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: '' + labels: + name: appuio-ip-monitor + openshift.io/cluster-monitoring: 'true' + name: appuio-ip-monitor +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: ip-monitor-scc-hostnetwork + name: ip-monitor-scc-hostnetwork + namespace: appuio-ip-monitor +roleRef: + kind: ClusterRole + name: system:openshift:scc:hostnetwork-v2 +subjects: + - kind: ServiceAccount + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +spec: + selector: + matchLabels: + name: ip-monitor + template: + metadata: + annotations: {} + labels: + name: ip-monitor + spec: + containers: + - args: [] + command: + - /bin/sh + - -c + - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop + nsid prefix route rule & wait' + env: [] + image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest + imagePullPolicy: Always + name: ip-monitor + ports: [] + stdin: false + tty: false + volumeMounts: [] + hostNetwork: true + imagePullSecrets: [] + initContainers: [] + priorityClassName: system-node-critical + serviceAccountName: ip-monitor + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: [] + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate diff --git a/tests/golden/remove-machineconfigpool/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml b/tests/golden/remove-machineconfigpool/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml new file mode 100644 index 0000000..acc84db --- /dev/null 
+++ b/tests/golden/remove-machineconfigpool/openshift4-nodes/openshift4-nodes/40_ip_monitor.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: '' + labels: + name: appuio-ip-monitor + openshift.io/cluster-monitoring: 'true' + name: appuio-ip-monitor +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: {} + labels: + name: ip-monitor-scc-hostnetwork + name: ip-monitor-scc-hostnetwork + namespace: appuio-ip-monitor +roleRef: + kind: ClusterRole + name: system:openshift:scc:hostnetwork-v2 +subjects: + - kind: ServiceAccount + name: ip-monitor + namespace: appuio-ip-monitor +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: {} + labels: + name: ip-monitor + name: ip-monitor + namespace: appuio-ip-monitor +spec: + selector: + matchLabels: + name: ip-monitor + template: + metadata: + annotations: {} + labels: + name: ip-monitor + spec: + containers: + - args: [] + command: + - /bin/sh + - -c + - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop + nsid prefix route rule & wait' + env: [] + image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest + imagePullPolicy: Always + name: ip-monitor + ports: [] + stdin: false + tty: false + volumeMounts: [] + hostNetwork: true + imagePullSecrets: [] + initContainers: [] + priorityClassName: system-node-critical + serviceAccountName: ip-monitor + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: [] + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate