[stable/polaris] Support additionalExemptions for the default config
imgfrost opened this issue · comments
What happened?
Adding additionExemptions to the config; however, the Dashboard still lists this as a problem.
What did you expect to happen?
I added:
  additionalExemptions:
    - namespace: ""
      rules:
        - cpuLimitsMissing
to my Helm values file; however, this does not seem to apply.
How can we reproduce this?
Use additionalExemptions and confirm via dashboard that no change took place.
NOTE: the Helm values file states this as "additionExemptions", whereas the chart template looks for additionalExemptions; there seems to be a typo in configmap.yaml.
Version
5.7.6
Search
- I did search for other open and closed issues before opening this.
Code of Conduct
- I agree to follow this project's Code of Conduct
Additional context
No response
Can you please share what chart this is for? I think this is Polaris, but there's not enough context here.
Additionally, can you please share the entire values file so that we can attempt to reproduce this issue? Thanks!
Good Day!
This is indeed for Polaris.
Here is the values.yaml.
Note: we have two; this is the main values.yaml, and the other one (for our test environment) follows. Both are used for installation.
polaris:
  config: null
  fullnameOverride: polaris
  nameOverride: polaris
  image:
    # image.repository -- Image repo
    repository: quay.io/fairwinds/polaris
    # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion
    tag: ""
    # image.pullPolicy -- Image pull policy
    pullPolicy: Always
  rbac:
    # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created
    enabled: true
  serviceAccount:
    # serviceAccount.create -- Specifies whether a service account should be created
    create: true
    # serviceAccount.name -- The name of the service account to use.
    name:
  # templateOnly -- Outputs Namespace names, used with `helm template`
  templateOnly: false
  dashboard:
    # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/`
    basePath: null
    # dashboard.enable -- Whether to run the dashboard.
    enable: true
    # dashboard.port -- Port that the dashboard will run from.
    port: 8080
    # dashboard.listeningAddress -- Dashboard listening address.
    listeningAddress:
    # dashboard.replicas -- Number of replicas to run.
    replicas: 1
    # dashboard.logLevel -- Set the logging level for the Dashboard command
    logLevel: Info
    # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods.
    # dashboard.extraContainers -- allows injecting additional containers.
    extraContainers: []
    # extraContainers:
    #   - name: oauth-proxy
    #     image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
    #     args:
    #       - --upstream=http://127.0.0.1:8080
    #       - --http-address=0.0.0.0:8081
    #     ports:
    #       - containerPort: 8081
    #         name: oauth-proxy
    #         protocol: TCP
    #     resources: {}
    service:
      # dashboard.service.type -- Service Type
      type: ClusterIP
      # dashboard.service.annotations -- Service annotations
      annotations: {}
      # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port
      targetPort:
    # dashboard.nodeSelector -- Dashboard pod nodeSelector
    nodeSelector: {}
    # dashboard.tolerations -- Dashboard pod tolerations
    tolerations: []
    # dashboard.affinity -- Dashboard pods affinity
    affinity: {}
    ingress:
      # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard
      enabled: false
      # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
      ingressClassName:
      # dashboard.ingress.hosts -- Web ingress hostnames
      hosts: []
      # dashboard.ingress.annotations -- Web ingress annotations
      annotations: {}
      # dashboard.ingress.tls -- Ingress TLS configuration
      tls: []
    # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided.
    priorityClassName:
    # dashboard.disallowExemptions -- Disallow any exemption
    disallowExemptions: false
    # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
    disallowConfigExemptions: false
    # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
    disallowAnnotationExemptions: false
    # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container
    containerSecurityContext:
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop:
          - ALL
  webhook:
    # webhook.enable -- Whether to run the webhook
    enable: false
    # webhook.validate -- Enables the Validating Webhook, to reject resources with issues
    validate: true
    # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues
    mutate: false
    # webhook.replicas -- Number of replicas
    replicas: 2
    # webhook.nodeSelector -- Webhook pod nodeSelector
    nodeSelector: {}
    # webhook.tolerations -- Webhook pod tolerations
    tolerations: []
    # webhook.affinity -- Webhook pods affinity
    affinity: {}
    # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager
    caBundle: null
    # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used.
    secretName: null
    # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration
    failurePolicy: Fail
    # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration
    matchPolicy: Exact
    # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration
    namespaceSelector:
      matchExpressions:
        - key: control-plane
          operator: DoesNotExist
    # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration
    objectSelector: {}
    # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
    rules: []
    # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
    mutatingRules: []
    # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration
    defaultRules:
      - apiGroups:
          - apps
        apiVersions:
          - v1
          - v1beta1
          - v1beta2
        operations:
          - CREATE
          - UPDATE
        resources:
          - daemonsets
          - deployments
          - statefulsets
        scope: Namespaced
      - apiGroups:
          - batch
        apiVersions:
          - v1
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - jobs
          - cronjobs
        scope: Namespaced
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - pods
          - replicationcontrollers
        scope: Namespaced
    # webhook.podAdditionalLabels -- Custom additional labels on webhook pods.
    podAdditionalLabels: {}
    # webhook.priorityClassName -- Priority Class name to be used in deployment if provided.
    priorityClassName:
    # webhook.disallowExemptions -- Disallow any exemption
    disallowExemptions: false
    # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
    disallowConfigExemptions: false
    # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
    disallowAnnotationExemptions: false
  audit:
    # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others.
    enable: false
    # audit.cleanup -- Whether to delete the namespace once the audit is finished.
    cleanup: false
    # audit.outputURL -- A URL which will receive a POST request with audit results.
    outputURL: ""
Values.yaml for the environment:
polaris:
  image:
    tag: "7.4"
  additionalExemptions:
    - namespace: "monitoring"
      rules: "cpuLimitsMissing"
  dashboard:
    replicas: 1
    podAdditionalLabels:
      environment: ops-dev
    resources:
      limits:
        # Do not remove the cpu limit entry if you intend to have no limit, it will set a default if it's removed
        cpu:
        memory: 128Mi
      requests:
        cpu: 10m
        memory: 128Mi
    service:
      type: ClusterIP
    nodeSelector: {}
    tolerations:
      - key: "SPOT_INSTANCE"
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: eks.amazonaws.com/capacityType
                  operator: In
                  values:
                    - SPOT
I will add that I suspect this is because we are using the default config, which is being pulled down at runtime.
Do we need to specify the config for the additionalExemptions to trigger?
Yeah, it looks like additionalExemptions only works if you specify config.
I'm changing the title of this issue to make it a feature request: support additionalExemptions for the default config.
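A values-file lint for the silent failure discussed in this thread, written as an added example; it is not code from the Polaris chart or from anyone in this issue. It works on the dict that `yaml.safe_load` would return for a values file (so it needs no third-party package), layers two files the way Helm layers repeated `-f` flags (mappings merged recursively, scalars and lists replaced by the later file), and then reports three conditions taken from the comments above: `additionalExemptions` set while `config` is null (the maintainer's diagnosis), the `additionExemptions` spelling noted in the report, and a `rules` entry given as a string rather than a list. `MAIN_VALUES` and `ENV_VALUES` are constructed samples trimmed from the two files posted above; `merge_values`, `lint_exemptions` and `lint_installation` are names chosen here.

```python
"""Lint Polaris Helm values for exemption settings that silently do nothing.

Added example; not code from the Polaris chart or this issue. It operates on
the dict that yaml.safe_load() returns for a values file, so it has no
third-party dependency.
"""
from typing import Any, Dict, List

EXPECTED_KEY = "additionalExemptions"
TYPO_KEY = "additionExemptions"  # misspelling noted in the bug report


def merge_values(base: Dict[str, Any], override: Dict[str, Any]) -> Dict[str, Any]:
    """Layer `override` on top of `base` the way `helm -f a.yaml -f b.yaml` does:
    mappings are merged recursively, while scalars and lists are replaced."""
    merged: Dict[str, Any] = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_values(merged[key], value)
        else:
            merged[key] = value
    return merged


def lint_exemptions(values: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one (merged) values document.

    Accepts the chart's own values or values nested under a `polaris:` key,
    as in the reporter's umbrella-chart layout.
    """
    findings: List[str] = []
    chart = values.get("polaris", values)

    if TYPO_KEY in chart:
        findings.append(f"key '{TYPO_KEY}' is not read by the chart; rename it to '{EXPECTED_KEY}'")

    exemptions = chart.get(EXPECTED_KEY)
    if exemptions is None:
        return findings

    # Per the maintainer's comment, exemptions only take effect when `config` is specified.
    if chart.get("config") is None:
        findings.append(f"'{EXPECTED_KEY}' is set but 'config' is null; the exemptions will not be applied")

    if not isinstance(exemptions, list):
        findings.append(f"'{EXPECTED_KEY}' must be a list of entries, got {type(exemptions).__name__}")
        return findings

    for i, entry in enumerate(exemptions):
        if not isinstance(entry, dict):
            findings.append(f"{EXPECTED_KEY}[{i}] must be a mapping with 'namespace' and 'rules'")
            continue
        rules = entry.get("rules")
        if isinstance(rules, str):
            findings.append(f"{EXPECTED_KEY}[{i}].rules is the string '{rules}'; use a list of rule names")
        elif not isinstance(rules, list) or not rules:
            findings.append(f"{EXPECTED_KEY}[{i}].rules must be a non-empty list")
    return findings


# Constructed sample values, trimmed from the two files posted in this issue.
MAIN_VALUES: Dict[str, Any] = {"polaris": {"config": None, "dashboard": {"enable": True}}}
ENV_VALUES: Dict[str, Any] = {
    "polaris": {
        "image": {"tag": "7.4"},
        "additionalExemptions": [{"namespace": "monitoring", "rules": "cpuLimitsMissing"}],
        "dashboard": {"replicas": 1},
    }
}


def lint_installation(*files: Dict[str, Any]) -> List[str]:
    """Merge the values files in the order Helm would, then lint the result."""
    merged: Dict[str, Any] = {}
    for values_file in files:
        merged = merge_values(merged, values_file)
    return lint_exemptions(merged)


if __name__ == "__main__":
    for finding in lint_installation(MAIN_VALUES, ENV_VALUES):
        print("WARNING:", finding)
```

Run against the two constructed files it prints two warnings: the null `config`, and `rules` being a string. The merge step matters because the `config: null` that disables the exemptions lives in the main file while the exemptions live in the environment file; linting either file alone would miss the combination that is actually installed.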
Has this been implemented?