FairwindsOps / charts

Fairwinds helm chart repository

Home Page:https://fairwinds.com

[stable/polaris] Support additionalExemptions for the default config

imgfrost opened this issue · comments

What happened?

I added additionExemptions to the config; however, the Dashboard still lists this as a problem.

What did you expect to happen?

I added:

additionalExemptions:
  - namespace: ""
    rules:
      - cpuLimitsMissing

to my Helm values file; however, this does not seem to apply.

How can we reproduce this?

Use additionalExemptions and confirm via dashboard that no change took place.

NOTE: the Helm values file states this as "additionExemptions", whereas the chart template looks for additionalExemptions; there seems to be a typo in configmap.yaml.

Version

5.7.6

Search

  • I did search for other open and closed issues before opening this.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

No response

Can you please share what chart this is for? I think this is Polaris, but there's not enough context here.

Additionally, can you please share the entire values file so that we can attempt to reproduce this issue? Thanks!

Good Day!

This is indeed for Polaris.

Here is the values.yaml

Note: we have two values files. This is the main values.yaml; the other one (for our test environment) follows, and both are used for installation.

polaris:
  config: null

  fullnameOverride: polaris

  nameOverride: polaris

  image:
    # image.repository -- Image repo
    repository: quay.io/fairwinds/polaris
    # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion
    tag: ""
    # image.pullPolicy -- Image pull policy
    pullPolicy: Always

  rbac:
    # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created
    enabled: true

  serviceAccount:
    # serviceAccount.create -- Specifies whether a service account should be created
    create: true
    # serviceAccount.name -- The name of the service account to use.
    name:

  # templateOnly -- Outputs Namespace names, used with `helm template`
  templateOnly: false

  dashboard:
    # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/`
    basePath: null
    # dashboard.enable -- Whether to run the dashboard.
    enable: true
    # dashboard.port -- Port that the dashboard will run from.
    port: 8080
    # dashboard.listeningAddress -- Dashboard listening address.
    listeningAddress:
    # dashboard.replicas -- Number of replicas to run.
    replicas: 1
    # dashboard.logLevel -- Set the logging level for the Dashboard command
    logLevel: Info
    # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods.
    podAdditionalLabels: {}
    # dashboard.extraContainers -- allows injecting additional containers.
    extraContainers: []
    # extraContainers:
    #   - name: oauth-proxy
    #     image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
    #     args:
    #       - --upstream=http://127.0.0.1:8080
    #       - --http-address=0.0.0.0:8081
    #     ports:
    #     - containerPort: 8081
    #       name: oauth-proxy
    #       protocol: TCP
    #     resources: {}
    service:
      # dashboard.service.type -- Service Type
      type: ClusterIP
      # dashboard.service.annotations -- Service annotations
      annotations: {}
      # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port
      targetPort:
    # dashboard.nodeSelector -- Dashboard pod nodeSelector
    nodeSelector: {}
    # dashboard.tolerations -- Dashboard pod tolerations
    tolerations: []
    # dashboard.affinity -- Dashboard pods affinity
    affinity: {}
    ingress:
      # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard
      enabled: false
      # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
      ingressClassName:
      # dashboard.ingress.hosts -- Web ingress hostnames
      hosts: []
      # dashboard.ingress.annotations -- Web ingress annotations
      annotations: {}
      # dashboard.ingress.tls -- Ingress TLS configuration
      tls: []
    # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided.
    priorityClassName:
    # dashboard.disallowExemptions -- Disallow any exemption
    disallowExemptions: false
    # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
    disallowConfigExemptions: false
    # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
    disallowAnnotationExemptions: false
    # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container
    containerSecurityContext:
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop:
          - ALL

  webhook:
    # webhook.enable -- Whether to run the webhook
    enable: false
    # webhook.validate -- Enables the Validating Webhook, to reject resources with issues
    validate: true
    # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues
    mutate: false
    # webhook.replicas -- Number of replicas
    replicas: 2
    # webhook.nodeSelector -- Webhook pod nodeSelector
    nodeSelector: {}
    # webhook.tolerations -- Webhook pod tolerations
    tolerations: []
    # webhook.affinity -- Webhook pods affinity
    affinity: {}
    # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager
    caBundle: null
    # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used.
    secretName: null
    # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration
    failurePolicy: Fail
    # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration
    matchPolicy: Exact
    # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration
    namespaceSelector:
      matchExpressions:
      - key: control-plane
        operator: DoesNotExist
    # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration
    objectSelector: {}
    # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
    rules: []
    # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
    mutatingRules: []
    # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration
    defaultRules:
    - apiGroups:
      - apps
      apiVersions:
      - v1
      - v1beta1
      - v1beta2
      operations:
      - CREATE
      - UPDATE
      resources:
      - daemonsets
      - deployments
      - statefulsets
      scope: Namespaced
    - apiGroups:
      - batch
      apiVersions:
      - v1
      - v1beta1
      operations:
      - CREATE
      - UPDATE
      resources:
      - jobs
      - cronjobs
      scope: Namespaced
    - apiGroups:
      - ""
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resources:
      - pods
      - replicationcontrollers
      scope: Namespaced
    # webhook.podAdditionalLabels -- Custom additional labels on webhook pods.
    podAdditionalLabels: {}
    # webhook.priorityClassName -- Priority Class name to be used in deployment if provided.
    priorityClassName:
    # webhook.disallowExemptions -- Disallow any exemption
    disallowExemptions: false
    # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file
    disallowConfigExemptions: false
    # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations
    disallowAnnotationExemptions: false

  audit:
    # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others.
    enable: false
    # audit.cleanup -- Whether to delete the namespace once the audit is finished.
    cleanup: false
    # audit.outputURL -- A URL which will receive a POST request with audit results.
    outputURL: ""

Values.yaml for environment

polaris:
  image:
    tag: "7.4"

  additionalExemptions:
    - namespace: "monitoring"
      # rules is a list of check names, not a bare string
      rules:
        - cpuLimitsMissing

  dashboard:
    replicas: 1
    podAdditionalLabels:
      environment: ops-dev
    resources:
      limits:
        # Do not remove the cpu limit entry if you intend to have no limit, it will set a default if it's removed
        cpu:
        memory: 128Mi
      requests:
        cpu: 10m
        memory: 128Mi
    service:
      type: ClusterIP
    nodeSelector: {}
    tolerations:
      - key: "SPOT_INSTANCE"
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: eks.amazonaws.com/capacityType
              operator: In
              values:
              - SPOT

I will add that I suspect this is because we are using the default config, which is being pulled down at runtime.

Do we need to specify the config for the additionalExemptions to trigger?

Yeah it looks like additionalExemptions only works if you specify config.

I'm changing the title of this issue to make it a feature request: support additionalExemptions for the default config.
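The behaviour the thread lands on (extra exemptions are only rendered when `config` is given, so with `config: null` they are silently dropped and the dashboard keeps flagging the check) is easy to reason about as a small merge function. The following is an added illustration written for this page in Python, not the chart's own Go template code. It assumes a minimal stand-in default config, that an exemption entry with no namespace applies cluster-wide, and that the dashboard's `disallowConfigExemptions` flag simply switches config exemptions off; the values dicts are constructed to mirror the environment values file above, including its `rules` given as a bare string.

```python
"""Model of how additionalExemptions can be lost when config is null, and
the fix requested in this issue: merge them into the default config instead.
Added example for this thread; not the chart's template code."""

from copy import deepcopy

# Constructed stand-in for the default Polaris config (assumption: the real
# default has many more checks). Only the shape matters here.
DEFAULT_CONFIG = {
    "checks": {"cpuLimitsMissing": "warning", "memoryLimitsMissing": "warning"},
    "exemptions": [],
}


def normalize_exemption(ex):
    """Accept `rules: cpuLimitsMissing` (a bare string, as in the environment
    values file) as well as a proper list of check names."""
    out = dict(ex)
    rules = out.get("rules", [])
    if isinstance(rules, str):
        rules = [rules]
    out["rules"] = list(rules)
    return out


def render_config_as_reported(values):
    """Behaviour described in the thread: exemptions are appended only when
    `config` is present. With `config: null` no config is rendered at all and
    Polaris falls back to its built-in defaults, losing the exemptions."""
    config = values.get("config")
    if config is None:
        return None
    merged = deepcopy(config)
    merged.setdefault("exemptions", [])
    merged["exemptions"].extend(
        normalize_exemption(e) for e in values.get("additionalExemptions", [])
    )
    return merged


def render_config_fixed(values, default=DEFAULT_CONFIG):
    """Feature request: when `config` is null, start from the default config
    so that additionalExemptions still take effect."""
    base = values.get("config") or default
    merged = deepcopy(base)
    merged.setdefault("exemptions", [])
    merged["exemptions"].extend(
        normalize_exemption(e) for e in values.get("additionalExemptions", [])
    )
    return merged


def is_exempt(config, namespace, rule, disallow_config_exemptions=False):
    """True if `rule` is exempted for workloads in `namespace`.
    Assumption: an entry with no/empty namespace applies to every namespace.
    `disallow_config_exemptions` models dashboard.disallowConfigExemptions,
    which lets an operator refuse every exemption coming from the config."""
    if disallow_config_exemptions:
        return False
    if config is None:
        config = DEFAULT_CONFIG
    for ex in config.get("exemptions", []):
        ns = ex.get("namespace")
        if ns in (None, "", namespace) and rule in ex.get("rules", []):
            return True
    return False


# Constructed values mirroring the environment values file in this thread.
VALUES = {
    "config": None,
    "additionalExemptions": [
        {"namespace": "monitoring", "rules": "cpuLimitsMissing"},
    ],
}

if __name__ == "__main__":
    reported = render_config_as_reported(VALUES)
    fixed = render_config_fixed(VALUES)
    print("as reported:", is_exempt(reported, "monitoring", "cpuLimitsMissing"))
    print("fixed:      ", is_exempt(fixed, "monitoring", "cpuLimitsMissing"))
```

The `is_exempt` helper is also the check worth keeping in mind from a policy standpoint: an exemption is a deliberate hole in the audit, so scope it to the narrowest namespace that needs it, and use `disallowConfigExemptions` (or `disallowExemptions`) on the dashboard and webhook when you want a run that ignores every hole.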

Has this been implemented?