add support for container args, imagePullPolicy and tolerations

Signed-off-by: rksharma95 <[email protected]>

deployments/helm/KubeArmor/templates/daemonset.yaml

@@ -20,6 +20,10 @@ spec:
       imagePullSecrets:
       {{ toYaml .Values.kubearmor.image.imagePullSecrets | indent 6 }}
       {{- end }}
+      {{- if .Values.kubearmor.tolerations }}
+      tolerations:
+      {{ toYaml .Values.kubearmor.tolerations | indent 6 }}
+      {{- end }}
       containers:
       - args:
         - -gRPC=32767

deployments/helm/KubeArmor/templates/deployment.yaml

@@ -22,6 +22,10 @@ spec:
       imagePullSecrets:
       {{ toYaml .Values.kubearmorRelay.image.imagePullSecrets | indent 6 }}
       {{- end }}
+      {{- if .Values.kubearmorRelay.tolerations }}
+      tolerations:
+      {{ toYaml .Values.kubearmorRelay.tolerations | indent 6 }}
+      {{- end }}
       containers:
       - args:
         {{printf "- -tlsEnabled=%t" .Values.tls.enabled}}
@@ -86,6 +90,10 @@ spec:
       {{- if .Values.kubearmorController.image.imagePullSecrets }}
         imagePullSecrets:
       {{ toYaml .Values.kubearmorController.image.imagePullSecrets | indent 8 }}
+      {{- end }}
+      {{- if .Values.kubearmorController.tolerations }}
+      tolerations:
+      {{ toYaml .Values.kubearmorController.tolerations | indent 6 }}
       {{- end }}
         livenessProbe:
           httpGet:

deployments/helm/KubeArmor/values.yaml

@@ -20,6 +20,7 @@ kubearmorRelay:
     imagePullSecrets: ""
   # kubearmor-init imagePullPolicy
   imagePullPolicy: Always
+  tolerations: ""
 
   # Add environment variables for STDOUT logging
   enableStdoutLogs: "false"
@@ -92,6 +93,7 @@ kubearmorController:
     tag: latest
     # Optional, but if there are a lot of image pulls required, Docker might be rate-limited. So, it's good to add pull secrets for production.
     imagePullSecrets: ""
+  tolerations: ""  
   mutation:
     # kubearmor-controller failure policy
     failurePolicy: Ignore
@@ -109,6 +111,8 @@ kubearmorConfigMap:
 
 #volume mounts and volumes
 kubearmor:
+  # https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+  tolerations: ""
   image:
     # kubearmor daemonset image repo
     repository: kubearmor/kubearmor

deployments/helm/KubeArmorOperator/templates/deployment.yaml

@@ -18,6 +18,10 @@ spec:
       imagePullSecrets:
       {{ toYaml .Values.kubearmorOperator.image.imagePullSecrets | indent 6 }}
       {{- end }}
+      {{- if .Values.kubearmorOperator.image.tolerations }}
+      tolerations:
+      {{ toYaml .Values.kubearmorOperator.tolerations | indent 6 }}
+      {{- end }}
       containers:
       - name: {{ .Values.kubearmorOperator.name }}
         env:

deployments/helm/KubeArmorOperator/values.yaml

@@ -36,6 +36,8 @@ kubearmorOperator:
     repository: kubearmor/kubearmor-operator
     tag: ""
   imagePullPolicy: IfNotPresent
+  # https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+  tolerations: ""
   initDeploy: true
   # Optional, but if there are a lot of image pulls required, Docker might be rate-limited. So, it's good to add pull secrets for production.
   imagePullSecrets: ""

pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go

@@ -1,9 +1,11 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2023 Authors of KubeArmor
 
+// +kubebuilder:validation:optional
 package v1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -12,21 +14,26 @@ import (
 
 // ImageSpec defines the image specifications
 type ImageSpec struct {
-	// +kubebuilder:validation:optional
+	Args []string `json:"args,omitempty"`
+
 	Image string `json:"image,omitempty"`
-	// +kubebuilder:validation:optional
+
 	// +kubebuilder:validation:Enum=Always;IfNotPresent;Never
 	// +kubebuilder:default:=Always
 	ImagePullPolicy string `json:"imagePullPolicy,omitempty"`
+
+	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
 
 type Tls struct {
-	// +kubebuilder:validation:optional
+
 	// +kubebuilder:default:=false
 	Enable bool `json:"enable,omitempty"`
-	// +kubebuilder:validation:optional
+
 	RelayExtraDnsNames []string `json:"extraDnsNames,omitempty"`
-	// +kubebuilder:validation:optional
+
 	RelayExtraIpAddresses []string `json:"extraIpAddresses,omitempty"`
 }
 
@@ -35,49 +42,52 @@ type KubeArmorConfigSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	// +kubebuilder:validation:optional
 	DefaultFilePosture PostureType `json:"defaultFilePosture,omitempty"`
-	// +kubebuilder:validation:optional
+
 	DefaultCapabilitiesPosture PostureType `json:"defaultCapabilitiesPosture,omitempty"`
-	// +kubebuilder:validation:optional
+
 	DefaultNetworkPosture PostureType `json:"defaultNetworkPosture,omitempty"`
-	// +kubebuilder:validation:optional
+
 	DefaultVisibility string `json:"defaultVisibility,omitempty"`
-	// +kubebuilder:validation:optional
+
+	GloabalImagePullSecrets []corev1.LocalObjectReference `json:"globalImagePullSecrets,omitempty"`
+
+	GlobalTolerations []corev1.Toleration `json:"globalTolerations,omitempty"`
+
 	KubeArmorImage ImageSpec `json:"kubearmorImage,omitempty"`
-	// +kubebuilder:validation:optional
+
 	KubeArmorInitImage ImageSpec `json:"kubearmorInitImage,omitempty"`
-	// +kubebuilder:validation:optional
+
 	KubeArmorRelayImage ImageSpec `json:"kubearmorRelayImage,omitempty"`
-	// +kubebuilder:validation:optional
+
 	KubeArmorControllerImage ImageSpec `json:"kubearmorControllerImage,omitempty"`
-	// +kubebuilder:validation:optional
+
 	KubeRbacProxyImage ImageSpec `json:"kubeRbacProxyImage,omitempty"`
-	// +kubebuilder:validation:optional
+
 	Tls Tls `json:"tls,omitempty"`
-	// +kubebuilder:validation:optional
+
 	EnableStdOutLogs bool `json:"enableStdOutLogs,omitempty"`
-	// +kubebuilder:validation:optional
+
 	EnableStdOutAlerts bool `json:"enableStdOutAlerts,omitempty"`
-	// +kubebuilder:validation:optional
+
 	EnableStdOutMsgs bool `json:"enableStdOutMsgs,omitempty"`
-	// +kubebuilder:validation:Optional
+
 	SeccompEnabled bool `json:"seccompEnabled,omitempty"`
-	// +kubebuilder:validation:Optional
+
 	AlertThrottling bool `json:"alertThrottling,omitempty"`
-	// +kubebuilder:validation:Optional
+
 	MaxAlertPerSec int `json:"maxAlertPerSec,omitempty"`
-	// +kubebuilder:validation:Optional
+
 	ThrottleSec int `json:"throttleSec,omitempty"`
 }
 
 // KubeArmorConfigStatus defines the observed state of KubeArmorConfig
 type KubeArmorConfigStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
-	// +kubebuilder:validation:optional
+
 	Phase string `json:"phase,omitempty"`
-	// +kubebuilder:validation:optional
+
 	Message string `json:"message,omitempty"`
 }
 

pkg/KubeArmorOperator/common/defaults.go

@@ -85,30 +85,49 @@ var (
 	ConfigMaxAlertPerSec             string = "maxAlertPerSec"
 	ConfigThrottleSec                string = "throttleSec"
 
+	GlobalImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{}
+	GlobalTolerations      []corev1.Toleration           = []corev1.Toleration{}
 	//KubearmorRelayEnvVariables
 
 	EnableStdOutAlerts string = "enableStdOutAlerts"
 	EnableStdOutLogs   string = "enableStdOutLogs"
 	EnableStdOutMsgs   string = "enableStdOutMsgs"
 
 	// Images
-	KubeArmorName                      string = "kubearmor"
-	KubeArmorImage                     string = "kubearmor/kubearmor:stable"
-	KubeArmorImagePullPolicy           string = "Always"
-	KubeArmorInitName                  string = "kubearmor-init"
-	KubeArmorInitImage                 string = "kubearmor/kubearmor-init:stable"
-	KubeArmorInitImagePullPolicy       string = "Always"
-	KubeArmorRelayName                 string = "kubearmor-relay"
-	KubeArmorRelayImage                string = "kubearmor/kubearmor-relay-server:latest"
-	KubeArmorRelayImagePullPolicy      string = "Always"
-	KubeArmorControllerName            string = "kubearmor-controller"
-	KubeArmorControllerImage           string = "kubearmor/kubearmor-controller:latest"
-	KubeArmorControllerImagePullPolicy string = "Always"
-	KubeRbacProxyName                  string = "kube-rbac-proxy"
-	KubeRbacProxyImage                 string = "gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0"
-	KubeRbacProxyImagePullPolicy       string = "Always"
-	SeccompProfile                            = "kubearmor-seccomp.json"
-	SeccompInitProfile                        = "kubearmor-init-seccomp.json"
+	KubeArmorName             string                        = "kubearmor"
+	KubeArmorArgs             []string                      = []string{}
+	KubeArmorImage            string                        = "kubearmor/kubearmor:stable"
+	KubeArmorImagePullPolicy  string                        = "Always"
+	KubeArmorImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{}
+	KubeArmorTolerations      []corev1.Toleration           = []corev1.Toleration{}
+
+	KubeArmorInitName             string                        = "kubearmor-init"
+	KubeArmorInitArgs             []string                      = []string{}
+	KubeArmorInitImage            string                        = "kubearmor/kubearmor-init:stable"
+	KubeArmorInitImagePullPolicy  string                        = "Always"
+	KubeArmorInitImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{}
+	KubeArmorInitTolerations      []corev1.Toleration           = []corev1.Toleration{}
+
+	KubeArmorRelayName             string                        = "kubearmor-relay"
+	KubeArmorRelayArgs             []string                      = []string{}
+	KubeArmorRelayImage            string                        = "kubearmor/kubearmor-relay-server:latest"
+	KubeArmorRelayImagePullPolicy  string                        = "Always"
+	KubeArmorRelayImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{}
+	KubeArmorRelayTolerations      []corev1.Toleration           = []corev1.Toleration{}
+
+	KubeArmorControllerName             string                        = "kubearmor-controller"
+	KubeArmorControllerArgs             []string                      = []string{}
+	KubeArmorControllerImage            string                        = "kubearmor/kubearmor-controller:latest"
+	KubeArmorControllerImagePullPolicy  string                        = "Always"
+	KubeArmorControllerImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{}
+	KubeArmorControllerTolerations      []corev1.Toleration           = []corev1.Toleration{}
+
+	KubeRbacProxyName            string = "kube-rbac-proxy"
+	KubeRbacProxyImage           string = "gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0"
+	KubeRbacProxyImagePullPolicy string = "Always"
+
+	SeccompProfile     = "kubearmor-seccomp.json"
+	SeccompInitProfile = "kubearmor-init-seccomp.json"
 
 	// tls
 	EnableTls                      bool     = false
@@ -469,7 +488,7 @@ func IsCertifiedOperator() bool {
 	if certified == "" {
 		return false
 	}
-	return true
+	return true // +kubebuilder:validation:optional
 }
 
 func CopyStrMap(src map[string]string) map[string]string {