From 5c61ad74b81b9d5fb5fa9774db478f4179610c76 Mon Sep 17 00:00:00 2001
From: TomRyan-321 <25472582+TomRyan-321@users.noreply.github.com>
Date: Wed, 16 Oct 2024 17:36:00 +1100
Subject: [PATCH] add options to support running kac using hostNetwork and fix watcherPort

---
 .../templates/deployment_webhook.yaml | 14 +++++++---
 helm-charts/falcon-kac/values.schema.json | 26 ++++++++++++++++++-
 helm-charts/falcon-kac/values.yaml | 10 +++++++
 3 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/helm-charts/falcon-kac/templates/deployment_webhook.yaml b/helm-charts/falcon-kac/templates/deployment_webhook.yaml
index c6aca550..6f05a246 100644
--- a/helm-charts/falcon-kac/templates/deployment_webhook.yaml
+++ b/helm-charts/falcon-kac/templates/deployment_webhook.yaml
@@ -108,6 +108,7 @@ spec:
 containers:
 - args:
 - client
+ - "-port={{ .Values.webhookPort }}"
 env:
 - name: __CS_POD_NAMESPACE
 valueFrom:
@@ -171,6 +172,7 @@ spec:
 - args:
 - "client"
 - "-app=watcher"
+ - "-http-port={{ .Values.watcherPort }}"
 env:
 - name: __CS_POD_NAMESPACE
 valueFrom:
@@ -197,14 +199,14 @@ spec:
 failureThreshold: 3
 httpGet:
 path: /livez
- port: 4080
+ port: {{ .Values.watcherPort }}
 scheme: HTTP
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 1
 name: falcon-watcher
 ports:
- - containerPort: 4080
+ - containerPort: {{ .Values.watcherPort }}
 name: healthcheck
 resources:
 {{- toYaml .Values.falconWatcherResources | nindent 10 }}
@@ -219,7 +221,7 @@ spec:
 failureThreshold: 30
 httpGet:
 path: /startz
- port: 4080
+ port: {{ .Values.watcherPort }}
 scheme: HTTP
 periodSeconds: 2
 successThreshold: 1
@@ -287,6 +289,12 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.hostNetwork }}
+ hostNetwork: true
+ dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.dnsPolicy }}
+ {{- else if .Values.dnsPolicy}}
+ dnsPolicy: {{ .Values.dnsPolicy }}
+ {{- end }}
 volumes:
 - name: {{ include "falcon-kac.name" . }}-tls-certs
 secret:
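Review bot: The `hostNetwork: true` branch at the end of the last hunk puts the pod in the node's network namespace, so the watcher health port and the webhook listener are bound on the node IP, two replicas presumably can no longer share a node (the watcher's `containerPort` becomes a host port), and the pod stops satisfying the PodSecurity `baseline` profile; the template records none of this, so a short comment above the `{{- if .Values.hostNetwork }}` line naming those consequences would help whoever enables it (the pod's affinity and security settings are outside this hunk). The `{{- else if .Values.dnsPolicy}}` action also drops the closing space every other action in the hunk uses; `{{- else if .Values.dnsPolicy }}` keeps the style consistent. Note too that `dnsPolicy: None`, which the new schema enum admits, is only accepted by the API server together with a `dnsConfig` block that this template does not render. The enclosing `spec:` block starts and ends outside the hunk.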
diff --git a/helm-charts/falcon-kac/values.schema.json b/helm-charts/falcon-kac/values.schema.json
index 44fe2ded..fe14411d 100644
--- a/helm-charts/falcon-kac/values.schema.json
+++ b/helm-charts/falcon-kac/values.schema.json
@@ -48,11 +48,17 @@
 "default": 1,
 "minimum": 1
 },
+ "watcherPort": {
+ "type": "integer",
+ "default": "4080",
+ "minimum": 1024,
+ "maximum": 65535
+ },
 "webhookPort": {
 "type": "integer",
 "default": "4433",
 "minimum": 1024,
- "maximum": 32767
+ "maximum": 65535
 },
 "autoCertificateUpdate": {
 "type": "boolean",
@@ -320,6 +326,24 @@
 "string"
 ]
 },
+ "hostNetwork": {
+ "type": "boolean",
+ "default": "false"
+ },
+ "dnsPolicy": {
+ "type": [
+ "null",
+ "string"
+ ],
+ "default": null,
+ "enum": [
+ null,
+ "ClusterFirst",
+ "ClusterFirstWithHostNet",
+ "Default",
+ "None"
+ ]
+ },
 "webhook": {
 "type": "object",
 "properties": {
diff --git a/helm-charts/falcon-kac/values.yaml b/helm-charts/falcon-kac/values.yaml
index 3809d6a4..8e27cdb6 100644
--- a/helm-charts/falcon-kac/values.yaml
+++ b/helm-charts/falcon-kac/values.yaml
@@ -29,6 +29,9 @@ replicas: 1
 # Configure the webhook Port
 webhookPort: 4443
+# Configure the watcher Port
+watcherPort: 4080
+
 # Auto update the certificates every time there is an update
 autoCertificateUpdate: true
@@ -147,6 +150,13 @@ webhook:
 # Comma sparated list of namespaces in which we need to disable validation e.g test1,test2
 disableNamespaces:
+# Specifies if Falcon KAC should use hostNetwork mode. This is required in some scenarios such as when a
+# custom CNI is in use where control plane nodes cannot establish network communication with pods.
+hostNetwork: false
+
+# Define Falcon KAC POD DNS Policy, follows cluster default when not set and sets "ClusterFirstWithHostNet" when hostNetwork = true unless overriden
+dnsPolicy:
+
 # Number of pods for resourceQuota object
 resourceQuota:
 pods: 2
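Review bot: `watcherPort` is declared `"type": "integer"` but its `"default"` is the string `"4080"`, and the second hunk gives `hostNetwork` (`"type": "boolean"`) the string default `"false"`; a JSON Schema `default` should itself validate against the property, and tools that read defaults (docs generators, editor completion) will present the wrong type. Change them to `"default": 4080` and `"default": false`. The neighbouring `webhookPort` context lines show the same pattern with `"default": "4433"`, which also does not match the `webhookPort: 4443` in values.yaml — pre-existing, but worth correcting in the same pass.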
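Review bot: The comment above `hostNetwork: false` in the last hunk explains when the option is needed but not what it costs: the pod joins the node's network namespace, the watcher and webhook ports are exposed on the node IP, and the pod is rejected by the PodSecurity `baseline` profile, so operators should see that before flipping it. A line such as `# Note: hostNetwork exposes the pod's listening ports on the node IP and is not allowed under the PodSecurity "baseline" profile.` would cover it. The `dnsPolicy` comment misspells "overridden" as "overriden" and could list the accepted values (`ClusterFirst`, `ClusterFirstWithHostNet`, `Default`, `None`) that the schema enforces; the bare `dnsPolicy:` matches the file's existing `disableNamespaces:` style, though an explicit `dnsPolicy: null` would make the intended empty default unambiguous.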