From 18c263e98ecec824b7520ed047642f6bcfc4b8e4 Mon Sep 17 00:00:00 2001
From: viktorbarzin
Date: Mon, 3 May 2021 01:26:42 +0100
Subject: [PATCH] add descheduler module [ci skip]
---
 modules/kubernetes/descheduler/main.tf | 147 +++++++++++++++++++++++++
 modules/kubernetes/main.tf | 4 +
 2 files changed, 151 insertions(+)
 create mode 100644 modules/kubernetes/descheduler/main.tf
diff --git a/modules/kubernetes/descheduler/main.tf b/modules/kubernetes/descheduler/main.tf
new file mode 100644
index 00000000..e3e719b6
--- /dev/null
+++ b/modules/kubernetes/descheduler/main.tf
@@ -0,0 +1,147 @@
+resource "kubernetes_namespace" "descheduler" {
+ metadata {
+ name = "descheduler"
+ }
+}
+
+resource "kubernetes_cluster_role" "descheduler" {
+ metadata {
+ name = "descheduler-cluster-role"
+ }
+ rule {
+ api_groups = [""]
+ resources = ["events"]
+ verbs = ["create", "update"]
+ }
+ rule {
+ api_groups = [""]
+ resources = ["nodes"]
+ verbs = ["get", "watch", "list"]
+ }
+ rule {
+ api_groups = [""]
+ resources = ["namespaces"]
+ verbs = ["get", "list"]
+ }
+ rule {
+ api_groups = [""]
+ resources = ["pods"]
+ verbs = ["get", "watch", "list", "delete"]
+ }
+ rule {
+ api_groups = [""]
+ resources = ["pods/eviction"]
+ verbs = ["create"]
+ }
+ rule {
+ api_groups = [""]
+ resources = ["scheduling.k8s.io"]
+ verbs = ["get", "watch", "list"]
+ }
+}
+
+resource "kubernetes_service_account" "descheduler" {
+ metadata {
+ name = "descheduler-sa"
+ namespace = "descheduler"
+ }
+}
+
+resource "kubernetes_cluster_role_binding" "descheduler" {
+ metadata {
+ name = "descheduler-cluster-role-binding"
+
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "descheduler-cluster-role"
+ }
+ subject {
+ name = "descheduler-sa"
+ kind = "ServiceAccount"
+ namespace = "descheduler"
+ }
+}
+
+resource "kubernetes_config_map" "policy" {
+ metadata {
+ namespace = "descheduler"
+ name = "policy-configmap"
+ }
+ data = {
+ "policy.yaml" = <<-EOF
+ apiVersion: "descheduler/v1alpha1"
+ kind: "DeschedulerPolicy"
+ strategies:
+ "RemoveDuplicates":
+ enabled: true
+ "RemovePodsViolatingInterPodAntiAffinity":
+ enabled: true
+ "LowNodeUtilization":
+ enabled: true
+ params:
+ nodeResourceUtilizationThresholds:
+ thresholds:
+ "cpu" : 20
+ "memory": 20
+ "pods": 20
+ targetThresholds:
+ "cpu" : 50
+ "memory": 50
+ "pods": 50
+ "PodLifeTime":
+ enabled: true
+ params:
+ maxPodLifeTimeSeconds: 86400
+ namespaces:
+ exclude:
+ - "monitoring"
+ - "kube-system"
+ EOF
+ }
+}
+
+resource "kubernetes_cron_job" "descheduler" {
+ metadata {
+ name = "descheduler"
+ namespace = "descheduler"
+ }
+ spec {
+ schedule = "0 * * * *"
+ concurrency_policy = "Forbid"
+ job_template {
+ metadata {
+ name = "descheduler"
+ }
+ spec {
+ template {
+ metadata {
+ name = "descheduler"
+ }
+ spec {
+ priority_class_name = "system-cluster-critical"
+ container {
+ name = "descheduler"
+ image = "us.gcr.io/k8s-artifacts-prod/descheduler/descheduler:v0.18.0"
+ volume_mount {
+ mount_path = "/policy-dir"
+ name = "policy-volume"
+ }
+ command = ["/bin/descheduler"]
+ args = ["--policy-config-file", "/policy-dir/policy.yaml", "--v", "4"]
+ }
+ restart_policy = "Never"
+ service_account_name = "descheduler-sa"
+ volume {
+ name = "policy-volume"
+ config_map {
+ name = "policy-configmap"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 67106510..22566880 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -54,6 +54,10 @@ module "dbaas" { tls_secret_name = var.tls_secret_name } +module "descheduler" { + source = "./descheduler" +} + module "dnscrypt" { source = "./dnscrypt" }
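Review bot: The last rule of `kubernetes_cluster_role.descheduler` lists `scheduling.k8s.io` under `resources` with `api_groups = [""]`, but that string is an API group rather than a resource, so the rule matches nothing and the service account gets no read access to priority classes. It should read `api_groups = ["scheduling.k8s.io"]` and `resources = ["priorityclasses"]`. Separately, the service account, config map and cron job give the namespace as the literal `"descheduler"`, which leaves Terraform with no dependency on `kubernetes_namespace.descheduler`; `namespace = kubernetes_namespace.descheduler.metadata[0].name` would order creation correctly. Because this job holds cluster-wide pod `delete` and `pods/eviction` rights and runs at `system-cluster-critical`, it is also worth pinning the image by digest instead of the mutable `v0.18.0` tag and adding a restrictive `security_context` and resource limits to the container.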