From fc6605825167b96b4fa027f7c5f3df1fa6332610 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 28 May 2024 14:54:16 -0500 Subject: [PATCH] fleetlock: Deploy Zincati fleet lock manager [fleetlock] is an implementation of the Zincati FleetLock reboot coordination protocol. It only works for machines that are Kubernetes nodes, but it does enable safe rolling updates for those machines. Specifically, when a node acquires a lock (backed by a Kubernetes Lease), it cordons that node and evicts pods from it. After the node has rebooted into the new version of Fedora CoreOS, it uncordons the node and releases the lock. [fleetlock]: https://github.com/poseidon/fleetlock --- fleetlock/fleetlock.yaml | 78 ++++++++++++++++++++++++++++++ fleetlock/kustomization.yaml | 21 ++++++++ fleetlock/namespace.yaml | 7 +++ fleetlock/rbac.yaml | 92 ++++++++++++++++++++++++++++++++++++ 4 files changed, 198 insertions(+) create mode 100644 fleetlock/fleetlock.yaml create mode 100644 fleetlock/kustomization.yaml create mode 100644 fleetlock/namespace.yaml create mode 100644 fleetlock/rbac.yaml
diff --git a/fleetlock/fleetlock.yaml b/fleetlock/fleetlock.yaml
new file mode 100644
index 0000000..116e635
--- /dev/null
+++ b/fleetlock/fleetlock.yaml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: fleetlock
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ app.kubernetes.io/part-of: fleetlock
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: fleetlock
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ app.kubernetes.io/part-of: fleetlock
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ app.kubernetes.io/part-of: fleetlock
+ spec:
+ serviceAccountName: fleetlock
+ containers:
+ - name: fleetlock
+ image: quay.io/poseidon/fleetlock:v0.4.0
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe: &probe
+ httpGet:
+ port: 8080
+ path: /-/healthy
+ periodSeconds: 60
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ startupProbe:
+ <<: *probe
+ periodSeconds: 1
+ timeoutSeconds: 1
+ failureThreshold: 30
+ resources:
+ requests:
+ cpu: 30m
+ memory: 30Mi
+ limits:
+ cpu: 50m
+ memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
+ securityContext:
+ runAsUser: 842
+ runAsGroup: 842
+ runAsNonRoot: true
diff --git a/fleetlock/kustomization.yaml b/fleetlock/kustomization.yaml
new file mode 100644
index 0000000..333cffa
--- /dev/null
+++ b/fleetlock/kustomization.yaml
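Review bot: Nothing in this manifest restricts who may reach the `fleetlock` Service on port 80, and per the commit message a caller that reaches it can have the controller cordon and drain the node the request names, so any workload in the cluster can drain nodes at will; the FleetLock protocol carries no client authentication as far as I know, so the control to add next to this Deployment is a NetworkPolicy that admits ingress to the pod only from the node address range (Zincati calls from the host network) and denies everything else. The container `securityContext` stops at `readOnlyRootFilesystem: true`; to meet the restricted Pod Security profile add `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}`. The image is pinned by tag only (`quay.io/poseidon/fleetlock:v0.4.0`); a tag can be re-pushed, so pin by digest (`@sha256:<digest>` appended to the tag) if supply-chain integrity matters here. The `startupProbe` is built with a `<<: *probe` merge key; not every Kustomize version dereferences anchors and merge keys, so confirm with `kustomize build` that the rendered startup probe still carries the `httpGet` block.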
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: fleetlock
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: fleetlock
+
+resources:
+- rbac.yaml
+- fleetlock.yaml
+
+patches:
+- patch: |
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: fleetlock
+ spec:
+ clusterIP: 10.96.1.15
diff --git a/fleetlock/namespace.yaml b/fleetlock/namespace.yaml
new file mode 100644
index 0000000..5d903b2
--- /dev/null
+++ b/fleetlock/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: fleetlock
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
diff --git a/fleetlock/rbac.yaml b/fleetlock/rbac.yaml
new file mode 100644
index 0000000..2876723
--- /dev/null
+++ b/fleetlock/rbac.yaml
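Review bot: `resources` lists `rbac.yaml` and `fleetlock.yaml` but not the `namespace.yaml` this same commit adds, so `kustomize build` never emits the Namespace and, with `namespace: fleetlock` set on every object, the first `kubectl apply` fails unless the namespace already exists; add `- namespace.yaml` to the list. The fixed `clusterIP: 10.96.1.15` patch is presumably there so Zincati on the hosts can be pointed at a stable address without cluster DNS; say so in a comment above the patch (`# fixed address: Zincati on the hosts dials this IP directly`) so the next person does not drop it as clutter.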
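Review bot: The Namespace carries no Pod Security Admission labels, so if PSA is enabled (it is by default on current releases) nothing stops a later change in this namespace from running a privileged pod under the `fleetlock` ServiceAccount and its cluster-wide node rights from `rbac.yaml`; add `pod-security.kubernetes.io/enforce: baseline` now and move it to `restricted` once the container drops all capabilities, sets `allowPrivilegeEscalation: false` and a seccomp profile. This object also lacks the `app.kubernetes.io/part-of: fleetlock` label every other resource in this commit carries.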
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fleetlock
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ app.kubernetes.io/part-of: fleetlock
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fleetlock
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ app.kubernetes.io/part-of: fleetlock
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods/eviction
+ verbs:
+ - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fleetlock
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ app.kubernetes.io/part-of: fleetlock
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fleetlock
+subjects:
+- kind: ServiceAccount
+ name: fleetlock
+ namespace: default
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: fleetlock
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ app.kubernetes.io/part-of: fleetlock
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: fleetlock
+ labels:
+ app.kubernetes.io/name: fleetlock
+ app.kubernetes.io/component: fleetlock
+ app.kubernetes.io/part-of: fleetlock
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: fleetlock
+subjects:
+- kind: ServiceAccount
+ name: fleetlock
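Review bot: The ClusterRoleBinding subject reads `namespace: default` while the kustomization puts everything into `fleetlock`; as far as I recall this only works because Kustomize's namespace transformer rewrites ServiceAccount subjects whose namespace is `default`, and if this file is ever applied on its own the cluster-wide node rights land on `default/fleetlock` rather than on the account the Deployment uses. Verify with `kustomize build` that the rendered subject says `namespace: fleetlock`, and add `# rewritten to the kustomization namespace by kustomize; do not apply this file directly` above the subject so the value is not "fixed" by hand. The ClusterRole grants `patch` on `nodes` cluster-wide, which cordon/uncordon needs but which also permits rewriting any node's labels and taints, plus `create` on `pods/eviction` everywhere; RBAC cannot narrow these to "this node only", so a comment above `rules:` should state that a compromise of this pod or its token means the ability to cordon and drain every node, which is the reason the pod's own hardening and network exposure matter.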