From 187e2d96d564e2c49bfb33f008fa4cf325cfc001 Mon Sep 17 00:00:00 2001
From: Gus Luxton
Date: Sun, 20 Oct 2024 14:25:45 -0300
Subject: [PATCH 1/2] teleport-kube-agent: Propagate resources to post-install and post-delete Jobs (#47677)
---
 .../templates/delete_hook.yaml | 3 ++
 .../teleport-kube-agent/templates/hook.yaml | 3 ++
 .../tests/__snapshot__/job_test.yaml.snap | 39 +++++++++++++------
 .../teleport-kube-agent/tests/job_test.yaml | 33 +++++++++++++++-
 4 files changed, 66 insertions(+), 12 deletions(-)
diff --git a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml
index f0a4b2edf6b06..3cf584a323896 100644
--- a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml
+++ b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml
@@ -118,3 +118,6 @@ spec:
 {{- if .Values.securityContext }}
 securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
 {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
diff --git a/examples/chart/teleport-kube-agent/templates/hook.yaml b/examples/chart/teleport-kube-agent/templates/hook.yaml
index 3a2f13e98e8f1..efd5124511dab 100644
--- a/examples/chart/teleport-kube-agent/templates/hook.yaml
+++ b/examples/chart/teleport-kube-agent/templates/hook.yaml
@@ -103,4 +103,7 @@ spec:
 {{- if .Values.securityContext }}
 securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
 {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 10 }}
+ {{- end }}
 {{- end}}
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
index f487cf98e658f..5778a68644853 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
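Review bot: The post-delete Job container now takes the same `.Values.resources` as the long-running agent, so whatever sizing an operator picks for the agent workload is also what a one-shot `teleport kube-state delete` run requests and is bounded by; a namespace ResourceQuota that admits one agent pod may then refuse the hook, and with the `restartPolicy: OnFailure` visible in the snapshots an undersized limit would turn an OOMKilled hook into a retry loop that leaves kube-state cleanup pending. Consider a hook-specific value that falls back to the shared one so existing deployments render unchanged, e.g. `{{- with (default .Values.resources .Values.hookResources) }}` / `resources: {{- toYaml . | nindent 10 }}` / `{{- end }}`. The identical block added to hook.yaml in the next hunk has the same coupling. The container spec these lines belong to starts outside the hunk.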
@@ -25,17 +25,19 @@ should create ServiceAccount for post-delete hook by default:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
+ image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
 restartPolicy: OnFailure
 serviceAccountName: lint-serviceaccount
 should not create ServiceAccount for post-delete hook if serviceAccount.create is false:
@@ -106,17 +108,19 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
+ image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
 restartPolicy: OnFailure
 serviceAccountName: lint-serviceaccount
 should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false:
@@ -134,17 +138,19 @@ should not create ServiceAccount, Role or RoleBinding for post-delete hook if se
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
+ image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
 restartPolicy: OnFailure
 serviceAccountName: lint-serviceaccount
 should set nodeSelector in post-delete hook:
@@ -162,22 +168,24 @@ should set nodeSelector in post-delete hook:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
+ image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 gravitational.io/k8s-role: node
 restartPolicy: OnFailure
 serviceAccountName: RELEASE-NAME-delete-hook
-should set securityContext in post-delete hook:
+should set resources in the Job's pod spec if resources is set in values:
 1: |
 containers:
 - args:
@@ -192,16 +200,25 @@ should set securityContext in post-delete hook:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
+ image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
 imagePullPolicy: IfNotPresent
 name: post-delete-job
+ resources:
+ limits:
+ cpu: 2
+ memory: 4Gi
+ requests:
+ cpu: 1
+ memory: 2Gi
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
 restartPolicy: OnFailure
 serviceAccountName: RELEASE-NAME-delete-hook
diff --git a/examples/chart/teleport-kube-agent/tests/job_test.yaml b/examples/chart/teleport-kube-agent/tests/job_test.yaml
index dcef975847663..20a2f6e9a9e5e 100644
--- a/examples/chart/teleport-kube-agent/tests/job_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/job_test.yaml
@@ -275,4 +275,35 @@ tests:
 value:
 app: RELEASE-NAME
 testLabel: testValue
-
+
+ - it: should set resources in the Job's pod spec if resources is set in values
+ template: delete_hook.yaml
+ # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
+ documentIndex: 3
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ set:
+ # These are just sample values to test the chart.
+ # They are not intended to be guidelines or suggestions for running teleport.
+ resources:
+ limits:
+ cpu: 2
+ memory: 4Gi
+ requests:
+ cpu: 1
+ memory: 2Gi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 2
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 4Gi
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.cpu
+ value: 1
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.memory
+ value: 2Gi
+ - matchSnapshot:
+ path: spec.template.spec
From c8c1c31b31e12f50e922b05f4c0693be990bb4bc Mon Sep 17 00:00:00 2001
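Review bot: The new test renders only `template: delete_hook.yaml`, so the identical `resources` block this commit adds to hook.yaml (the post-install Job) has no assertion at all and could silently regress. A parallel `it:` with the same `set:` and the same four `equal` asserts, differing only in `template: hook.yaml` and that template's Job `documentIndex`, would close the gap; the `0=ServiceAccount 1=Role 2=RoleBinding 3=Job` mapping in the comment is specific to delete_hook.yaml, and since the hook.yaml hunk ends in a `{{- end}}` the post-install Job appears to be rendered conditionally, so confirm the lint values enable it. Separately, `matchSnapshot: path: spec.template.spec` freezes the whole pod spec including the default image tag, which is what the second patch had to re-sync across every snapshot in this file; narrowing it to `path: spec.template.spec.containers[0].resources` keeps the test about resources only and immune to image bumps.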
From: Gus Luxton
Date: Mon, 21 Oct 2024 09:47:40 -0300
Subject: [PATCH 2/2] Update snapshots
---
 .../tests/__snapshot__/job_test.yaml.snap | 58 ++++++++++++-------
 1 file changed, 38 insertions(+), 20 deletions(-)
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
index 5778a68644853..893b00410bbf6 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
@@ -25,19 +25,17 @@ should create ServiceAccount for post-delete hook by default:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
+ image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - all
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
- seccompProfile:
- type: RuntimeDefault
 restartPolicy: OnFailure
 serviceAccountName: lint-serviceaccount
 should not create ServiceAccount for post-delete hook if serviceAccount.create is false:
@@ -108,19 +106,17 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
+ image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - all
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
- seccompProfile:
- type: RuntimeDefault
 restartPolicy: OnFailure
 serviceAccountName: lint-serviceaccount
 should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false:
@@ -138,19 +134,17 @@ should not create ServiceAccount, Role or RoleBinding for post-delete hook if se
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
+ image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - all
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
- seccompProfile:
- type: RuntimeDefault
 restartPolicy: OnFailure
 serviceAccountName: lint-serviceaccount
 should set nodeSelector in post-delete hook:
@@ -168,19 +162,17 @@ should set nodeSelector in post-delete hook:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
+ image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - all
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
- seccompProfile:
- type: RuntimeDefault
 nodeSelector:
 gravitational.io/k8s-role: node
 restartPolicy: OnFailure
@@ -200,7 +192,7 @@ should set resources in the Job's pod spec if resources is set in values:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev
+ image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
 imagePullPolicy: IfNotPresent
 name: post-delete-job
 resources:
@@ -214,11 +206,37 @@ should set resources in the Job's pod spec if resources is set in values:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ restartPolicy: OnFailure
+ serviceAccountName: RELEASE-NAME-delete-hook
+should set securityContext in post-delete hook:
+ 1: |
+ containers:
+ - args:
+ - kube-state
+ - delete
+ command:
+ - teleport
+ env:
+ - name: KUBE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RELEASE_NAME
+ value: RELEASE-NAME
+ image: public.ecr.aws/gravitational/teleport-distroless:15.4.20
+ imagePullPolicy: IfNotPresent
+ name: post-delete-job
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 9807
- seccompProfile:
- type: RuntimeDefault
 restartPolicy: OnFailure
 serviceAccountName: RELEASE-NAME-delete-hook