resource "kubernetes_namespace" "descheduler" { metadata { name = "descheduler" } } resource "kubernetes_cluster_role" "descheduler" { metadata { name = "descheduler-cluster-role" } rule { api_groups = [""] resources = ["events"] verbs = ["create", "update"] } rule { api_groups = [""] resources = ["nodes"] verbs = ["get", "watch", "list"] } rule { api_groups = [""] resources = ["namespaces"] verbs = ["get", "list", "watch"] } rule { api_groups = [""] resources = ["pods"] verbs = ["get", "watch", "list", "delete"] } rule { api_groups = [""] resources = ["pods/eviction"] verbs = ["create"] } rule { api_groups = [""] resources = ["scheduling.k8s.io"] verbs = ["get", "watch", "list"] } rule { api_groups = ["scheduling.k8s.io"] resources = ["priorityclasses"] verbs = ["get", "list", "watch"] } rule { api_groups = ["policy"] resources = ["poddisruptionbudgets"] verbs = ["get", "list", "watch"] } } resource "kubernetes_service_account" "descheduler" { metadata { name = "descheduler-sa" namespace = "descheduler" } } resource "kubernetes_cluster_role_binding" "descheduler" { metadata { name = "descheduler-cluster-role-binding" } role_ref { api_group = "rbac.authorization.k8s.io" kind = "ClusterRole" name = "descheduler-cluster-role" } subject { name = "descheduler-sa" kind = "ServiceAccount" namespace = "descheduler" } } resource "kubernetes_config_map" "policy" { metadata { namespace = "descheduler" name = "policy-configmap" } data = { # "policy.yaml" = <<-EOF # apiVersion: "descheduler/v1alpha1" # maxNoOfPodsToEvictPerNode: 20 # kind: "DeschedulerPolicy" # strategies: # "RemoveDuplicates": # enabled: true # "RemovePodsViolatingInterPodAntiAffinity": # enabled: true # "LowNodeUtilization": # enabled: true # params: # nodeResourceUtilizationThresholds: # thresholds: # "cpu" : 50 # "memory": 30 # "pods": 20 # targetThresholds: # "cpu" : 70 # "memory": 30 # "pods": 50 # "HighNodeUtilization": # enabled: true # params: # nodeResourceUtilizationThresholds: # thresholds: # "cpu" : 20 # "memory": 80 # "pods": 20 # "PodLifeTime": # enabled: true # params: # podLifeTime: # maxPodLifeTimeSeconds: 604800 # namespaces: # exclude: # - "monitoring" # - "kube-system" # EOF "policy.yaml" = <<-EOF capiVersion: "descheduler/v1alpha2" kind: "DeschedulerPolicy" profiles: - name: ProfileName pluginConfig: - name: "LowNodeUtilization" args: thresholds: "cpu" : 20 "memory": 20 "pods": 20 targetThresholds: "cpu" : 20 "memory": 20 "pods": 20 metricsUtilization: metricsServer: true plugins: balance: enabled: - "LowNodeUtilization" EOF } } resource "kubernetes_cron_job_v1" "descheduler" { metadata { name = "descheduler" namespace = "descheduler" } spec { schedule = "0 0 * * *" concurrency_policy = "Forbid" job_template { metadata { name = "descheduler" } spec { template { metadata { name = "descheduler" } spec { priority_class_name = "system-cluster-critical" container { name = "descheduler" image = "k8s.gcr.io/descheduler/descheduler:v0.28.0" volume_mount { mount_path = "/policy-dir" name = "policy-volume" } command = ["/bin/descheduler"] args = ["--policy-config-file", "/policy-dir/policy.yaml", "--v", "4"] } restart_policy = "Never" service_account_name = "descheduler-sa" volume { name = "policy-volume" config_map { name = "policy-configmap" } } } } } } } }