diff --git a/Makefile b/Makefile index 10cdb183086b..220b6aeaa9f1 100644 --- a/Makefile +++ b/Makefile @@ -9,9 +9,10 @@ WITH_GOFLAGS = GOFLAGS=$(GOFLAGS) ## Extra helm options CLUSTER_NAME ?= $(shell kubectl config view --minify -o jsonpath='{.clusters[].name}' | rev | cut -d"/" -f1 | rev) CLUSTER_ENDPOINT ?= $(shell kubectl config view --minify -o jsonpath='{.clusters[].cluster.server}') -HELM_OPTS ?= --set controller.clusterName=${CLUSTER_NAME} \ - --set controller.clusterEndpoint=${CLUSTER_ENDPOINT} \ - --set aws.defaultInstanceProfile=KarpenterNodeInstanceProfile-${CLUSTER_NAME} +HELM_OPTS ?= --set serviceAccount.annotations.eks\.amazonaws\.com/role-arn=${KARPENTER_IAM_ROLE_ARN} \ + --set clusterName=${CLUSTER_NAME} \ + --set clusterEndpoint=${CLUSTER_ENDPOINT} \ + --set aws.defaultInstanceProfile=KarpenterNodeInstanceProfile-${CLUSTER_NAME} help: ## Display help @awk 'BEGIN {FS = ":.*##"; printf "Usage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) @@ -49,7 +50,7 @@ licenses: ## Verifies dependency licenses and requires GITHUB_TOKEN to be set golicense hack/license-config.hcl karpenter apply: ## Deploy the controller into your ~/.kube/config cluster - helm template --include-crds karpenter charts/karpenter --namespace karpenter \ + helm template --include-crds karpenter charts/karpenter --namespace karpenter \ $(HELM_OPTS) \ --set controller.image=ko://github.com/aws/karpenter/cmd/controller \ --set webhook.image=ko://github.com/aws/karpenter/cmd/webhook \ @@ -58,7 +59,6 @@ apply: ## Deploy the controller into your ~/.kube/config cluster delete: ## Delete the controller from your ~/.kube/config cluster helm template karpenter charts/karpenter --namespace karpenter \ $(HELM_OPTS) \ - --set serviceAccount.create=false \ | kubectl delete -f - codegen: ## Generate code. Must be run if changes are made to ./pkg/apis/... 
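Review bot: The new `HELM_OPTS` line passes `${KARPENTER_IAM_ROLE_ARN}` into the service-account annotation without checking that the variable is set, so `make apply` with it unset renders an empty `eks.amazonaws.com/role-arn` annotation and the pod would presumably run with whatever credentials the node provides instead of failing early. Because `HELM_OPTS` is recursively assigned, a guard inside it fires only when the variable is actually expanded (i.e. in `apply`/`delete`, not in `make help`): `HELM_OPTS ?= $(if $(strip $(KARPENTER_IAM_ROLE_ARN)),,$(error KARPENTER_IAM_ROLE_ARN must be set to the IRSA role ARN)) \`. The same `--set serviceAccount.annotations...` line in the README.md and README.md.gotmpl hunks of this commit is missing the trailing `\`, so the `--set clusterName`/`--set clusterEndpoint` options that follow it would be executed as a separate shell command rather than passed to helm.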
diff --git a/charts/karpenter/.helmignore b/charts/karpenter/.helmignore new file mode 100644 index 000000000000..0e8a0eb36f4c --- /dev/null +++ b/charts/karpenter/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/karpenter/Chart.yaml b/charts/karpenter/Chart.yaml index e0d62e39fb87..d6a19a98a78d 100644 --- a/charts/karpenter/Chart.yaml +++ b/charts/karpenter/Chart.yaml @@ -1,6 +1,16 @@ apiVersion: v2 -appVersion: "0.6.0" name: karpenter -description: A Helm chart for https://github.com/aws/karpenter/. +description: A Helm chart for Karpenter, an open-source node provisioning project built for Kubernetes. type: application -version: "0.6.0" +version: 0.6.0 +appVersion: 0.6.0 +keywords: + - cluster + - node + - scheduler + - autoscaling + - lifecycle +home: https://karpenter.sh/ +icon: https://repository-images.githubusercontent.com/278480393/dab059c8-caa1-4b55-aaa7-3d30e47a5616 +sources: + - https://github.com/aws/karpenter/ diff --git a/charts/karpenter/README.md b/charts/karpenter/README.md index ad9110d3c7e1..4e21924ddcec 100644 --- a/charts/karpenter/README.md +++ b/charts/karpenter/README.md 
@@ -1,21 +1,24 @@ # karpenter -A Helm chart for https://github.com/aws/karpenter/. +A Helm chart for Karpenter, an open-source node provisioning project built for Kubernetes. ![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.0](https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square) ## Installing the Chart -To install the chart with the release name `karpenter`: +Before installing the chart you will need an AWS IAM role that can be used by Karpenter; the suggested way of doing this is by creating an [IRSA role](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html) and passing the ARN into the chart. + +To install the chart with the release name `karpenter` you can run the following commands. ```console -$ helm repo add karpenter https://charts.karpenter.sh +$ helm repo add karpenter https://charts.karpenter.sh/ $ helm repo update $ helm upgrade --install karpenter karpenter/karpenter --namespace karpenter \ - --create-namespace --set serviceAccount.create=false --version 0.6.0 \ - --set controller.clusterName=${CLUSTER_NAME} \ - --set controller.clusterEndpoint=$(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint" --output json) \ - --wait # for the defaulting webhook to install before creating a Provisioner + --create-namespace --version 0.6.0 \ + --set serviceAccount.annotations.eks\.amazonaws\.com/role-arn=${KARPENTER_IAM_ROLE_ARN} + --set clusterName=${CLUSTER_NAME} \ + --set clusterEndpoint=$(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint" --output json) \ + --wait # for the defaulting webhook to install before creating a Provisioner ``` You can follow the detailed installation instruction [here](https://karpenter.sh/docs/getting-started/#install). 
@@ -24,33 +27,40 @@ You can follow the detailed installation instruction [here](https://karpenter.sh | Key | Type | Default | Description | |-----|------|---------|-------------| -| additionalLabels | object | `{}` | Additional labels to add into metadata | +| additionalLabels | object | `{}` | Additional labels to add into metadata. | +| affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"key":"karpenter.sh/provisioner-name","operator":"DoesNotExist"}]}}}` | Affinity rules for scheduling the pod. | | aws.defaultInstanceProfile | string | `""` | The default instance profile to use when launching nodes on AWS | -| controller.affinity | object | `{}` | Affinity rules for scheduling | -| controller.clusterEndpoint | string | `""` | Cluster endpoint | -| controller.clusterName | string | `""` | Cluster name | -| controller.env | list | `[]` | Additional environment variables to run with | -| controller.image | string | `"public.ecr.aws/karpenter/controller:v0.6.0@sha256:c4b55bafc91bcab268c7c80c98f4341fc23ab0adc29ba33e28a1f9df1ec96de5"` | Image to use for the Karpenter controller | -| controller.nodeSelector | object | `{}` | Node selectors to schedule to nodes with labels. | -| controller.replicas | int | `1` | | -| controller.resources.limits.cpu | int | `1` | | -| controller.resources.limits.memory | string | `"1Gi"` | | -| controller.resources.requests.cpu | int | `1` | | -| controller.resources.requests.memory | string | `"1Gi"` | | -| controller.tolerations | list | `[]` | Tolerations to schedule to nodes with taints. 
| -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account (like the ARN of the IRSA role) | -| serviceAccount.create | bool | `true` | Create a service account for the application controller | -| serviceAccount.name | string | `"karpenter"` | Service account name | -| webhook.affinity | object | `{}` | Affinity rules for scheduling | -| webhook.env | list | `[]` | List of environment items to add to the webhook | -| webhook.hostNetwork | bool | `false` | Set to true if using custom CNI on EKS | -| webhook.image | string | `"public.ecr.aws/karpenter/webhook:v0.6.0@sha256:bce76e56b8315c7f5ebe097a738ef81e9a07f84cfdc5da1e55975ba17783d0dc"` | Image to use for the webhook | -| webhook.nodeSelector | object | `{}` | Node selectors to schedule to nodes with labels. | -| webhook.port | int | `8443` | | -| webhook.replicas | int | `1` | | -| webhook.resources.limits.cpu | string | `"100m"` | | -| webhook.resources.limits.memory | string | `"50Mi"` | | -| webhook.resources.requests.cpu | string | `"100m"` | | -| webhook.resources.requests.memory | string | `"50Mi"` | | -| webhook.tolerations | list | `[]` | Tolerations to schedule to nodes with taints. | +| clusterEndpoint | string | `""` | Cluster endpoint. | +| clusterName | string | `""` | Cluster name. | +| controller.env | list | `[]` | Additional environment variables for the controller pod. | +| controller.image | string | `"public.ecr.aws/karpenter/controller:v0.6.0@sha256:c4b55bafc91bcab268c7c80c98f4341fc23ab0adc29ba33e28a1f9df1ec96de5"` | Controller image. | +| controller.resources | object | `{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":1,"memory":"1Gi"}}` | Resources for the controller pod. | +| controller.securityContext | object | `{}` | SecurityContext for the controller container. | +| fullnameOverride | string | `""` | Overrides the chart's computed fullname. | +| hostNetwork | bool | `false` | Bind the pod to the host network. 
This is required when using a custom CNI. | +| imagePullPolicy | string | `"IfNotPresent"` | Image pull policy for Docker images. | +| imagePullSecrets | list | `[]` | Image pull secrets for Docker images. | +| nameOverride | string | `""` | Overrides the chart's name. | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selectors to schedule the pod to nodes with labels. | +| podAnnotations | object | `{}` | Additional annotations for the pod. | +| podLabels | object | `{}` | Additional labels for the pod. | +| podSecurityContext | object | `{"fsGroup":1000}` | SecurityContext for the pod. | +| priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. | +| replicas | int | `1` | Number of replicas. | +| serviceAccount.annotations | object | `{}` | Additional annotations for the ServiceAccount. | +| serviceAccount.create | bool | `true` | Specifies if a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | +| serviceMonitor.additionalLabels | object | `{}` | Additional labels for the ServiceMonitor. | +| serviceMonitor.enabled | bool | `false` | Specifies whether a ServiceMonitor should be created. | +| serviceMonitor.interval | string | `"1m"` | Scrape interval for the ServiceMonitor. | +| strategy | object | `{"type":"Recreate"}` | Strategy for updating the pod. | +| terminationGracePeriodSeconds | string | `nil` | Override the default termination grace period for the pod. | +| tolerations | list | `[]` | Tolerations to allow the pod to be scheduled to nodes with taints. | +| webhook.env | list | `[]` | Additional environment variables for the webhook pod. | +| webhook.image | string | `"public.ecr.aws/karpenter/webhook:v0.6.0@sha256:bce76e56b8315c7f5ebe097a738ef81e9a07f84cfdc5da1e55975ba17783d0dc"` | Webhook image. 
| +| webhook.port | int | `8443` | The container port to use for the webhook. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"100m","memory":"50Mi"}}` | Resources for the webhook pod. | +| webhook.securityContext | object | `{}` | SecurityContext for the webhook container. | +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) diff --git a/charts/karpenter/README.md.gotmpl b/charts/karpenter/README.md.gotmpl index 89f8698d7df5..c784d63df66b 100644 --- a/charts/karpenter/README.md.gotmpl +++ b/charts/karpenter/README.md.gotmpl 
@@ -5,16 +5,19 @@ ## Installing the Chart -To install the chart with the release name `karpenter`: +Before installing the chart you will need an AWS IAM role that can be used by Karpenter; the suggested way of doing this is by creating an [IRSA role](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html) and passing the ARN into the chart. + +To install the chart with the release name `karpenter` you can run the following commands. ```console -$ helm repo add karpenter https://charts.karpenter.sh +$ helm repo add karpenter https://charts.karpenter.sh/ $ helm repo update $ helm upgrade --install karpenter karpenter/{{ template "chart.name" . }} --namespace karpenter \ - --create-namespace --set serviceAccount.create=false --version {{ template "chart.version" . }} \ - --set controller.clusterName=${CLUSTER_NAME} \ - --set controller.clusterEndpoint=$(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint" --output json) \ - --wait # for the defaulting webhook to install before creating a Provisioner + --create-namespace --version {{ template "chart.version" . }} \ + --set serviceAccount.annotations.eks\.amazonaws\.com/role-arn=${KARPENTER_IAM_ROLE_ARN} + --set clusterName=${CLUSTER_NAME} \ + --set clusterEndpoint=$(aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.endpoint" --output json) \ + --wait # for the defaulting webhook to install before creating a Provisioner ``` You can follow the detailed installation instruction [here](https://karpenter.sh/docs/getting-started/#install). @@ -23,4 +26,4 @@ You can follow the detailed installation instruction [here](https://karpenter.sh {{ template "chart.valuesSection" . }} -{{ template "helm-docs.versionFooter" . }} \ No newline at end of file +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/karpenter/templates/_helpers.tpl b/charts/karpenter/templates/_helpers.tpl index 72bff8769c7b..e6305c711dba 100644 
--- a/charts/karpenter/templates/_helpers.tpl +++ b/charts/karpenter/templates/_helpers.tpl @@ -2,8 +2,8 @@ Expand the name of the chart. */}} {{- define "karpenter.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} {{/* Create a default fully qualified app name. 
@@ -11,46 +11,44 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} {{- define "karpenter.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} {{/* Create chart name and version as used by the chart label. */}} {{- define "karpenter.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} {{/* -Generate basic labels +Common labels */}} -{{- define "karpenter.labels" }} +{{- define "karpenter.labels" -}} helm.sh/chart: {{ include "karpenter.chart" . }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/component: karpenter -app.kubernetes.io/part-of: {{ template "karpenter.name" . }} -{{- include "karpenter.selectorLabels" . }} -{{- if .Chart.Version }} -app.kubernetes.io/version: {{ .Chart.Version | quote }} +{{ include "karpenter.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.additionalLabels }} +{{ toYaml . }} {{- end }} {{- end }} {{/* Selector labels */}} -{{- define "karpenter.selectorLabels" }} +{{- define "karpenter.selectorLabels" -}} app.kubernetes.io/name: {{ include "karpenter.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} @@ -59,9 +57,9 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "karpenter.serviceAccountName" -}} -{{- if .Values.serviceAccount.enabled -}} - {{ default (include "karpenter.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "karpenter.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/karpenter/templates/clusterrole.yaml b/charts/karpenter/templates/clusterrole.yaml new file mode 100644 index 000000000000..fb6c8a2ad874 --- /dev/null +++ b/charts/karpenter/templates/clusterrole.yaml 
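Review bot: In `karpenter.serviceAccountName`, the `else` branch still falls back to the namespace's `default` ServiceAccount when `serviceAccount.create` is false and `serviceAccount.name` is empty; since clusterrolebinding.yaml and rolebinding.yaml in this commit bind to this name, such an install attaches the chart's node create/delete and pod delete/evict permissions to every pod in the namespace that uses the `default` account. Failing the render is safer than silently widening the grant: `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`. The README hunk tells users to put the IRSA annotation on a chart-created account, so the `default` fallback is unlikely to be what anyone wants.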
@@ -0,0 +1,37 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "karpenter.fullname" . }} + labels: + {{- include "karpenter.labels" . | nindent 4 }} +rules: + - apiGroups: ["karpenter.sh"] + resources: ["provisioners"] + verbs: ["get", "list", "watch"] + - apiGroups: ["karpenter.sh"] + resources: ["provisioners/status"] + verbs: ["create", "delete", "patch", "get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes", "persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes", "pods"] + verbs: ["get", "list", "watch", "patch", "delete"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["create"] + - apiGroups: [""] + resources: ["pods/binding", "pods/eviction"] + verbs: ["create"] + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "watch", "list", "update"] diff --git a/charts/karpenter/templates/clusterrolebinding.yaml b/charts/karpenter/templates/clusterrolebinding.yaml new file mode 100644 index 000000000000..ad8aede8e2f1 --- /dev/null +++ b/charts/karpenter/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "karpenter.fullname" . }} + labels: + {{- include "karpenter.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "karpenter.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "karpenter.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} 
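Review bot: The last rule grants `update` on every ValidatingWebhookConfiguration and MutatingWebhookConfiguration in the cluster, which is new relative to the deleted controller/rbac.yaml ClusterRole and, because the new single Deployment runs both containers under one ServiceAccount, is now held by the controller container as well as the webhook. Updating arbitrary admission configurations lets the holder alter admission policy cluster-wide, so if the webhook only reconciles its own configurations, scope the rule with `resourceNames: ["<chart validating webhook config name>", "<chart mutating webhook config name>"]` (the configuration names are not in this diff, so these are placeholders). If the wildcard is intentional, a comment on the rule saying why would help the next reviewer.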
diff --git a/charts/karpenter/templates/100-config-logging.yaml b/charts/karpenter/templates/configmap-logging.yaml similarity index 90% rename from charts/karpenter/templates/100-config-logging.yaml rename to charts/karpenter/templates/configmap-logging.yaml index 8361ff92c75a..d96f9af078c8 100644 --- a/charts/karpenter/templates/100-config-logging.yaml +++ b/charts/karpenter/templates/configmap-logging.yaml @@ -2,9 +2,8 @@ apiVersion: v1 kind: ConfigMap metadata: name: config-logging - namespace: {{ .Release.Namespace }} labels: - {{- include "karpenter.labels" . | indent 4 }} + {{- include "karpenter.labels" . | nindent 4 }} data: # https://github.com/uber-go/zap/blob/aa3e73ec0896f8b066ddf668597a02f89628ee50/config.go zap-logger-config: | diff --git a/charts/karpenter/templates/controller/deployment.yaml b/charts/karpenter/templates/controller/deployment.yaml deleted file mode 100644 index 19c0e239706e..000000000000 --- a/charts/karpenter/templates/controller/deployment.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: karpenter-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -spec: - ports: - - name: metrics - port: 8080 - targetPort: metrics - selector: - karpenter: controller ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: karpenter-controller - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -spec: - replicas: {{ .Values.controller.replicas }} - strategy: - type: Recreate - selector: - matchLabels: - karpenter: controller - template: - metadata: - labels: - karpenter: controller - {{- include "karpenter.labels" . | indent 8 }} - spec: - priorityClassName: system-cluster-critical - serviceAccountName: {{ template "karpenter.serviceAccountName" . }} - containers: - - name: manager - image: {{ .Values.controller.image }} - {{- if .Values.controller.resources }} - resources: {{ toYaml .Values.controller.resources | nindent 12 }} - {{- end }} - ports: - - name: metrics - containerPort: 8080 - - name: health-probe - containerPort: 8081 - livenessProbe: - httpGet: - path: /healthz - port: 8081 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - env: - - name: CLUSTER_NAME - value: {{ .Values.controller.clusterName }} - - name: CLUSTER_ENDPOINT - value: {{ .Values.controller.clusterEndpoint }} - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.aws.defaultInstanceProfile }} - - name: AWS_DEFAULT_INSTANCE_PROFILE - value: {{ .Values.aws.defaultInstanceProfile }} - {{- end }} - {{- with .Values.controller.env }} - {{- toYaml . | nindent 12 }} - {{- end }} - # https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8#issuecomment-636888074 - not needed in k8s versions 1.19+ - securityContext: - fsGroup: 1000 - {{- with .Values.controller.nodeSelector }} - nodeSelector: - {{- toYaml . 
| nindent 8 }} - {{- end }} - affinity: - {{- if .Values.controller.affinity }} - {{- toYaml .Values.controller.affinity | nindent 8 }} - {{- else }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - - key: karpenter.sh/provisioner-name - operator: DoesNotExist - {{- end }} - {{- with .Values.controller.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/karpenter/templates/controller/rbac.yaml b/charts/karpenter/templates/controller/rbac.yaml deleted file mode 100644 index 8bf04d27c02d..000000000000 --- a/charts/karpenter/templates/controller/rbac.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: karpenter-controller - labels: - {{- include "karpenter.labels" . | indent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: karpenter-controller -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: karpenter-controller - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: karpenter-controller -subjects: -- kind: ServiceAccount - name: {{ template "karpenter.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: karpenter-controller - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: [""] - resources: ["configmaps/status"] - verbs: ["get", "update", "patch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create"] -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["create", "get", "patch", "update", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: karpenter-controller - labels: - {{- include "karpenter.labels" . 
| indent 4 }} -rules: -- apiGroups: ["karpenter.sh"] - resources: ["provisioners"] - verbs: ["get", "list", "watch"] -- apiGroups: ["karpenter.sh"] - resources: ["provisioners/status"] - verbs: ["create", "delete", "patch", "get", "list", "watch"] -- apiGroups: [""] - resources: ["persistentvolumes", "persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["nodes", "pods"] - verbs: ["get", "list", "watch", "patch", "delete"] -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["create"] -- apiGroups: [""] - resources: ["pods/binding", "pods/eviction"] - verbs: ["create"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["list", "watch"] ---- diff --git a/charts/karpenter/templates/deployment.yaml b/charts/karpenter/templates/deployment.yaml new file mode 100644 index 000000000000..573f90b399d3 --- /dev/null +++ b/charts/karpenter/templates/deployment.yaml 
@@ -0,0 +1,141 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "karpenter.fullname" . }} + labels: + {{- include "karpenter.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicas }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "karpenter.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "karpenter.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "karpenter.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ . }} + {{- end }} + {{- if .Values.webhook.hostNetwork }} + hostNetwork: true + {{- end }} + containers: + - name: controller + {{- with .Values.controller.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: {{ .Values.controller.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: CLUSTER_NAME + value: {{ .Values.clusterName }} + - name: CLUSTER_ENDPOINT + value: {{ .Values.clusterEndpoint }} + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.aws.defaultInstanceProfile }} + - name: AWS_DEFAULT_INSTANCE_PROFILE + value: {{ .Values.aws.defaultInstanceProfile }} + {{- end }} + {{- with .Values.controller.env }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + ports: + - name: http-metrics + containerPort: 8080 + protocol: TCP + - name: http + containerPort: 8081 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: http + readinessProbe: + httpGet: + path: /readyz + port: http + {{- with .Values.controller.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + - name: webhook + {{- with .Values.webhook.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: {{ .Values.webhook.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: CLUSTER_NAME + value: {{ .Values.clusterName }} + - name: CLUSTER_ENDPOINT + value: {{ .Values.clusterEndpoint }} + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.aws.defaultInstanceProfile }} + - name: AWS_DEFAULT_INSTANCE_PROFILE + value: {{ .Values.aws.defaultInstanceProfile }} + {{- end }} + {{- with .Values.webhook.env }} + {{- toYaml . | nindent 12 }} + {{- end }} + args: + - -port={{ .Values.webhook.port }} + ports: + - name: https-webhook + containerPort: {{ .Values.webhook.port }} + protocol: TCP + livenessProbe: + httpGet: + port: https-webhook + scheme: HTTPS + readinessProbe: + httpGet: + port: https-webhook + scheme: HTTPS + {{- with .Values.webhook.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/karpenter/templates/role.yaml b/charts/karpenter/templates/role.yaml new file mode 100644 index 000000000000..397639f19a3e --- /dev/null +++ b/charts/karpenter/templates/role.yaml 
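Review bot: The host-network toggle reads `.Values.webhook.hostNetwork`, but the README table in this commit documents the key as top-level `hostNetwork` and removes `webhook.hostNetwork`, so unless values.yaml (not in this diff) still defines the old key the condition is never true and custom-CNI users never get host networking; it should be `{{- if .Values.hostNetwork }}`. The `CLUSTER_NAME`/`CLUSTER_ENDPOINT` env values in both containers are emitted unquoted, so a cluster name that YAML parses as a number or boolean produces an invalid `value` field — `value: {{ .Values.clusterName | quote }}` (and likewise for `clusterEndpoint`) avoids that. Both containers now share `podSecurityContext` (documented default `fsGroup: 1000`) while `controller.securityContext`/`webhook.securityContext` default to `{}`; a short comment at those `with` blocks noting that `runAsNonRoot`/`readOnlyRootFilesystem` belong there would help operators harden the pod.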
@@ -0,0 +1,32 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "karpenter.fullname" . }} + labels: + {{- include "karpenter.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["configmaps/status"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "get", "patch", "update", "watch"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["karpenter-webhook-cert"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "create", "update"] diff --git a/charts/karpenter/templates/rolebinding.yaml b/charts/karpenter/templates/rolebinding.yaml new file mode 100644 index 000000000000..c38d63dcf5da --- /dev/null +++ b/charts/karpenter/templates/rolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "karpenter.fullname" . }} + labels: + {{- include "karpenter.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "karpenter.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "karpenter.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/karpenter/templates/secret-webhook-cert.yaml b/charts/karpenter/templates/secret-webhook-cert.yaml new file mode 100644 index 000000000000..3cd69d32ee3c --- /dev/null +++ b/charts/karpenter/templates/secret-webhook-cert.yaml 
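Review bot: The `secrets` rule scoped by `resourceNames: ["karpenter-webhook-cert"]` is immediately followed by an unrestricted `secrets` get/list/watch rule, so the name restriction only constrains `update` and the account can read every Secret in the namespace; the `leases` rule also appears twice, the second being a subset of the first. The scoped name also does not match what secret-webhook-cert.yaml in this commit creates, `{{ include "karpenter.fullname" . }}-webhook--cert` (note the double hyphen and the fullname prefix), so `update` on the chart-managed secret would be denied unless the webhook creates a differently named secret itself. Deriving the name in both files from one helper and dropping the duplicate rules would make the grant match the object; if the broad read rule exists because the webhook lists or watches secrets, a comment next to it saying so would save the next reader from removing it.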
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "karpenter.fullname" . }}-webhook--cert + labels: + {{- include "karpenter.labels" . | nindent 4 }} +data: {} # Injected by karpenter-webhook diff --git a/charts/karpenter/templates/service.yaml b/charts/karpenter/templates/service.yaml new file mode 100644 index 000000000000..e452b63f3c70 --- /dev/null +++ b/charts/karpenter/templates/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "karpenter.fullname" . }} + labels: + {{- include "karpenter.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - name: http-metrics + port: 8080 + targetPort: http-metrics + protocol: TCP + - name: https-webhook + port: 443 + targetPort: https-webhook + protocol: TCP + selector: + {{- include "karpenter.selectorLabels" . | nindent 4 }} diff --git a/charts/karpenter/templates/serviceaccount.yaml b/charts/karpenter/templates/serviceaccount.yaml index aa2a1e001511..996017c21275 100644 --- a/charts/karpenter/templates/serviceaccount.yaml +++ b/charts/karpenter/templates/serviceaccount.yaml @@ -1,11 +1,10 @@ -{{- if .Values.serviceAccount.create }} +{{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "karpenter.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} labels: - {{- include "karpenter.labels" . | indent 4 }} + {{- include "karpenter.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/karpenter/templates/servicemonitor.yaml b/charts/karpenter/templates/servicemonitor.yaml new file mode 100644 index 000000000000..a075d52d66c9 --- /dev/null +++ b/charts/karpenter/templates/servicemonitor.yaml 
@@ -0,0 +1,24 @@
+{{- if.Values.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "karpenter.fullname" . }}
+ labels:
+ {{- include "karpenter.labels" . | nindent 4 }}
+ {{- with .Values.serviceMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{- include "karpenter.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: http-metrics
+ path: /metrics
+ {{- with .Values.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/karpenter/templates/webhook/deployment.yaml b/charts/karpenter/templates/webhook/deployment.yaml
deleted file mode 100644
index 9f86f66f5da9..000000000000
--- a/charts/karpenter/templates/webhook/deployment.yaml
+++ /dev/null
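Review bot: The guard on the first line is written `{{- if.Values.serviceMonitor.enabled -}}` with no space between `if` and `.Values`; Go's template lexer appears to accept it because `.` terminates a keyword, but it reads as a typo and every other template in this change writes `{{- if .Values… }}`. I'd change it to `{{- if .Values.serviceMonitor.enabled -}}` so the file matches the chart's convention and does not rely on lexer leniency. The endpoint scrapes `http-metrics` over plain HTTP inside the cluster, which is the usual ServiceMonitor pattern; a one-line comment such as `# metrics are served unauthenticated over HTTP on the http-metrics port` would make that expectation explicit for operators restricting the namespace with NetworkPolicies.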
@@ -1,109 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: karpenter-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -spec: - ports: - - port: 443 - targetPort: webhook - selector: - karpenter: webhook ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: karpenter-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -spec: - replicas: {{ .Values.webhook.replicas }} - strategy: - type: Recreate - selector: - matchLabels: - karpenter: webhook - template: - metadata: - labels: - karpenter: webhook - {{- include "karpenter.labels" . | indent 8 }} - spec: - priorityClassName: system-cluster-critical - serviceAccountName: {{ template "karpenter.serviceAccountName" . }} - containers: - - name: webhook - image: {{ .Values.webhook.image }} - args: - - -port={{ .Values.webhook.port }} - {{- if .Values.webhook.resources }} - resources: {{ toYaml .Values.webhook.resources | nindent 12 }} - {{- end }} - ports: - - name: webhook - containerPort: {{ .Values.webhook.port }} - livenessProbe: - httpGet: - scheme: HTTPS - port: {{ .Values.webhook.port }} - readinessProbe: - httpGet: - scheme: HTTPS - port: {{ .Values.webhook.port }} - env: - - name: CLUSTER_NAME - value: {{ .Values.controller.clusterName }} - - name: CLUSTER_ENDPOINT - value: {{ .Values.controller.clusterEndpoint }} - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.aws.defaultInstanceProfile }} - - name: AWS_DEFAULT_INSTANCE_PROFILE - value: {{ .Values.aws.defaultInstanceProfile }} - {{- end }} - {{- with .Values.webhook.env }} - {{- toYaml . | nindent 12 }} - {{- end }} - # https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8#issuecomment-636888074 - not needed in k8s versions 1.19+ - securityContext: - fsGroup: 1000 - {{- with .Values.webhook.nodeSelector }} - nodeSelector: - {{- toYaml . 
| nindent 8 }} - {{- end }} - affinity: - {{- if .Values.webhook.affinity }} - {{- toYaml .Values.webhook.affinity | nindent 8 }} - {{- else }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - - key: karpenter.sh/provisioner-name - operator: DoesNotExist - {{- end }} - {{- if .Values.webhook.hostNetwork }} - hostNetwork: true - {{- end }} - {{- with .Values.webhook.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: karpenter-webhook-cert - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -data: {} # Injected by karpenter-webhook diff --git a/charts/karpenter/templates/webhook/rbac.yaml b/charts/karpenter/templates/webhook/rbac.yaml deleted file mode 100644 index 20305267b4b2..000000000000 --- a/charts/karpenter/templates/webhook/rbac.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: karpenter-webhook - labels: - {{- include "karpenter.labels" . | indent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: karpenter-webhook -subjects: -- kind: ServiceAccount - name: {{ template "karpenter.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: karpenter-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: karpenter-webhook -subjects: -- kind: ServiceAccount - name: {{ template "karpenter.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: karpenter-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "karpenter.labels" . | indent 4 }} -rules: -- apiGroups: [""] - resources: ["configmaps", "namespaces"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["karpenter-webhook-cert"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: karpenter-webhook - labels: - {{- include "karpenter.labels" . | indent 4 }} -rules: -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["get", "watch", "list", "update"] ---- diff --git a/charts/karpenter/templates/webhook/webhooks.yaml b/charts/karpenter/templates/webhook/webhooks.yaml deleted file mode 100644 index dd740c59a0dc..000000000000 
--- a/charts/karpenter/templates/webhook/webhooks.yaml +++ /dev/null @@ -1,73 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: defaulting.webhook.provisioners.karpenter.sh - labels: - {{- include "karpenter.labels" . | indent 4 }} -webhooks: -- admissionReviewVersions: ["v1"] - clientConfig: - service: - name: karpenter-webhook - namespace: '{{ .Release.Namespace }}' - failurePolicy: Fail - sideEffects: None - name: defaulting.webhook.provisioners.karpenter.sh - rules: - - apiGroups: - - karpenter.sh - apiVersions: - - v1alpha5 - resources: - - provisioners - - provisioners/status - operations: - - CREATE - - UPDATE ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.provisioners.karpenter.sh - labels: - {{- include "karpenter.labels" . | indent 4 }} -webhooks: -- admissionReviewVersions: ["v1"] - clientConfig: - service: - name: karpenter-webhook - namespace: '{{ .Release.Namespace }}' - failurePolicy: Fail - sideEffects: None - name: validation.webhook.provisioners.karpenter.sh - rules: - - apiGroups: - - karpenter.sh - apiVersions: - - v1alpha5 - resources: - - provisioners - - provisioners/status - operations: - - CREATE - - UPDATE - - DELETE ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.config.karpenter.sh - labels: - {{- include "karpenter.labels" . | indent 4 }} -webhooks: -- admissionReviewVersions: ["v1"] - clientConfig: - service: - name: karpenter-webhook - namespace: '{{ .Release.Namespace }}' - failurePolicy: Fail - sideEffects: None - name: validation.webhook.config.karpenter.sh - objectSelector: - matchLabels: - app.kubernetes.io/part-of: karpenter diff --git a/charts/karpenter/templates/webhooks.yaml b/charts/karpenter/templates/webhooks.yaml new file mode 100644 index 000000000000..79018a8ec47d --- /dev/null 
+++ b/charts/karpenter/templates/webhooks.yaml
@@ -0,0 +1,73 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: defaulting.webhook.provisioners.karpenter.sh
+ labels:
+ {{- include "karpenter.labels" . | nindent 4 }}
+webhooks:
+ - name: defaulting.webhook.provisioners.karpenter.sh
+ admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: {{ include "karpenter.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ failurePolicy: Fail
+ sideEffects: None
+ rules:
+ - apiGroups:
+ - karpenter.sh
+ apiVersions:
+ - v1alpha5
+ resources:
+ - provisioners
+ - provisioners/status
+ operations:
+ - CREATE
+ - UPDATE
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validation.webhook.provisioners.karpenter.sh
+ labels:
+ {{- include "karpenter.labels" . | nindent 4 }}
+webhooks:
+ - name: validation.webhook.provisioners.karpenter.sh
+ admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: {{ include "karpenter.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ failurePolicy: Fail
+ sideEffects: None
+ rules:
+ - apiGroups:
+ - karpenter.sh
+ apiVersions:
+ - v1alpha5
+ resources:
+ - provisioners
+ - provisioners/status
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validation.webhook.config.karpenter.sh
+ labels:
+ {{- include "karpenter.labels" . | nindent 4 }}
+webhooks:
+ - name: validation.webhook.config.karpenter.sh
+ admissionReviewVersions: ["v1"]
+ clientConfig:
+ service:
+ name: {{ include "karpenter.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ failurePolicy: Fail
+ sideEffects: None
+ objectSelector:
+ matchLabels:
+ app.kubernetes.io/part-of: {{ template "karpenter.name" . }}
diff --git a/charts/karpenter/values.yaml b/charts/karpenter/values.yaml
index aa1f358a9c75..02b896167ed7 100644
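Review bot: The third configuration, `validation.webhook.config.karpenter.sh`, declares an `objectSelector` but no `rules`, so as rendered the API server has nothing to match and should never call it; the deleted template had the same shape and the deleted ClusterRole granted `update` on validating/mutating webhook configurations, which suggests the webhook process fills in `rules` (and `clientConfig.caBundle`, absent from all three entries) at runtime. That only works if the new chart still binds the ServiceAccount to a ClusterRole with those verbs — the namespaced Role added in this change has no `admissionregistration.k8s.io` rule and the ClusterRole template is not in this diff, so please confirm it is still granted, otherwise the config validation webhook silently enforces nothing while `failurePolicy: Fail` suggests it does. I'd add a comment above the third document, e.g. `# rules and clientConfig.caBundle are populated at runtime by the webhook process; it needs update on validatingwebhookconfigurations`. Note also that the selector now matches `app.kubernetes.io/part-of: {{ template "karpenter.name" . }}` instead of the literal `karpenter`, so a `nameOverride` changes which objects are selected — confirm the label the process stamps follows the same override.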
--- a/charts/karpenter/values.yaml
+++ b/charts/karpenter/values.yaml
@@ -1,30 +1,92 @@ -# -- Additional labels to add into metadata +# -- Overrides the chart's name. +nameOverride: "" + +# -- Overrides the chart's computed fullname. +fullnameOverride: "" + +# -- Additional labels to add into metadata. additionalLabels: {} # app: karpenter + +# -- Image pull policy for Docker images. +imagePullPolicy: IfNotPresent + +# -- Image pull secrets for Docker images. +imagePullSecrets: [] + serviceAccount: - # -- Create a service account for the application controller + # -- Specifies if a ServiceAccount should be created. create: true - # -- Service account name - name: karpenter - # -- Annotations to add to the service account (like the ARN of the IRSA role) + # -- The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + # -- Additional annotations for the ServiceAccount. annotations: {} + +serviceMonitor: + # -- Specifies whether a ServiceMonitor should be created. + enabled: false + # -- Additional labels for the ServiceMonitor. + additionalLabels: {} + # myLabel: myValue + # -- Scrape interval for the ServiceMonitor. + interval: 1m + +# -- Number of replicas. +replicas: 1 + +# -- Strategy for updating the pod. +strategy: + type: Recreate + +# -- Additional labels for the pod. +podLabels: {} + +# -- Additional annotations for the pod. +podAnnotations: {} + +# -- SecurityContext for the pod. +podSecurityContext: + fsGroup: 1000 + +# -- PriorityClass name for the pod. +priorityClassName: system-cluster-critical + +# -- Override the default termination grace period for the pod. +terminationGracePeriodSeconds: + +# -- Bind the pod to the host network. +# This is required when using a custom CNI. +hostNetwork: false + +# -- Node selectors to schedule the pod to nodes with labels. +nodeSelector: + kubernetes.io/os: linux + +# -- Affinity rules for scheduling the pod. 
+affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - key: karpenter.sh/provisioner-name + operator: DoesNotExist + +# -- Tolerations to allow the pod to be scheduled to nodes with taints. +tolerations: [] + controller: - # -- Additional environment variables to run with - ## - name: AWS_REGION - ## - value: eu-west-1 - env: [] - # -- Node selectors to schedule to nodes with labels. - nodeSelector: {} - # -- Tolerations to schedule to nodes with taints. - tolerations: [] - # -- Affinity rules for scheduling - affinity: {} - # -- Image to use for the Karpenter controller + # -- Controller image. image: "public.ecr.aws/karpenter/controller:v0.6.0@sha256:c4b55bafc91bcab268c7c80c98f4341fc23ab0adc29ba33e28a1f9df1ec96de5" - # -- Cluster name - clusterName: "" - # -- Cluster endpoint - clusterEndpoint: "" + + # -- SecurityContext for the controller container. + securityContext: {} + + # -- Additional environment variables for the controller pod. + env: [] + # - name: AWS_REGION + # - value: eu-west-1 + + # -- Resources for the controller pod. resources: requests: cpu: 1 
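Review bot: The default `affinity` is not a valid NodeAffinity: entries of `nodeSelectorTerms` are NodeSelectorTerm objects carrying `matchExpressions`/`matchFields`, but the new value puts `key: karpenter.sh/provisioner-name` and `operator: DoesNotExist` directly in the list item. If the deployment template renders this with `toYaml` as the deleted webhook template did for `.Values.webhook.affinity`, the API server rejects the Deployment on an unknown field; if validation is lenient the term matches nothing and the guard that keeps Karpenter off nodes it provisions itself is lost, which matters because a controller scheduled onto its own capacity can deprovision the node it runs on. The deleted template had the correct shape; restore it by nesting the expression under a `- matchExpressions:` item, i.e. `nodeSelectorTerms:` / `- matchExpressions:` / `- key: karpenter.sh/provisioner-name` with `operator: DoesNotExist` one level deeper. A comment such as `# keep the controller off nodes it provisions itself` above `affinity:` would explain why the default is not empty.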
@@ -32,29 +94,37 @@ controller: limits: cpu: 1 memory: 1Gi - replicas: 1 + webhook: - # -- List of environment items to add to the webhook - env: [] - # -- Node selectors to schedule to nodes with labels. - nodeSelector: {} - # -- Tolerations to schedule to nodes with taints. - tolerations: [] - # -- Affinity rules for scheduling - affinity: {} - # -- Image to use for the webhook + # -- Webhook image. image: "public.ecr.aws/karpenter/webhook:v0.6.0@sha256:bce76e56b8315c7f5ebe097a738ef81e9a07f84cfdc5da1e55975ba17783d0dc" - # -- Set to true if using custom CNI on EKS - hostNetwork: false + + # -- SecurityContext for the webhook container. + securityContext: {} + + # -- The container port to use for the webhook. port: 8443 + + # -- Additional environment variables for the webhook pod. + env: [] + # - name: AWS_REGION + # - value: eu-west-1 + + # -- Resources for the webhook pod. resources: - limits: + requests: cpu: 100m memory: 50Mi - requests: + limits: cpu: 100m memory: 50Mi - replicas: 1 + +# -- Cluster name. +clusterName: "" + +# -- Cluster endpoint. +clusterEndpoint: "" + aws: # -- The default instance profile to use when launching nodes on AWS defaultInstanceProfile: ""
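Review bot: `webhook.securityContext` (like `controller.securityContext` earlier in this file) defaults to `{}` and the only pod-level setting is `fsGroup: 1000`, so both containers run with whatever user the image sets, privilege escalation allowed, a writable root filesystem and the default capability set — a weak default for a component that launches nodes with an instance profile (`aws.defaultInstanceProfile`) and sits in the admission path. The `fsGroup: 1000` comment in the deleted template tied it to the identity-token projection on older clusters, which hints that the image runs as UID 1000, but that is not visible here, so confirm the image user before enabling `runAsNonRoot` and that the binary writes nothing locally before enabling `readOnlyRootFilesystem`. I'd ship restrictive defaults that operators can still override rather than an empty map, for both containers:
```yaml
  # -- SecurityContext for the webhook container.
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    capabilities:
      drop: ["ALL"]
```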