use pod_nanny to set storage resources

Signed-off-by: Matthias Bertschy <[email protected]>

charts/kubescape-operator/templates/storage/clusterrole.yaml

@@ -8,7 +8,7 @@ metadata:
     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
 rules:
 - apiGroups: [""]
-  resources: ["namespaces", "pods", "services"]
+  resources: ["namespaces", "nodes", "pods", "services"]
   verbs: [ "get", "watch", "list" ]
 - apiGroups: [ "admissionregistration.k8s.io" ]
   resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ]

charts/kubescape-operator/templates/storage/deployment.yaml

@@ -83,8 +83,38 @@ spec:
           - name: {{ .Values.global.cloudConfig }}
             mountPath: /etc/config
             readOnly: true
+      - name: pod-nanny
+        image: registry.k8s.io/autoscaling/addon-resizer:1.8.14
+        imagePullPolicy: IfNotPresent
         resources:
-{{ toYaml .Values.storage.resources | indent 12 }}
+          limits:
+            cpu: 40m
+            memory: 25Mi
+          requests:
+            cpu: 40m
+            memory: 25Mi
+        env:
+          - name: MY_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: MY_POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        command:
+          - /pod_nanny
+          - --cpu=300m
+          - --extra-cpu=20m
+          - --memory=200Mi
+          - --extra-memory=10Mi
+          - --threshold=5
+          - --deployment=storage
+          - --container=apiserver
+          - --poll-period=300000
+          - --estimator=exponential
+          - --minClusterSize=10
+
       nodeSelector:
       {{- if .Values.storage.nodeSelector }}
       {{- toYaml .Values.storage.nodeSelector | nindent 8 }}

charts/kubescape-operator/templates/storage/role.yaml

@@ -0,0 +1,18 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.storage.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.storage.name }}
+  namespace: {{ .Values.ksNamespace }}
+  labels:
+    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: [{{ .Values.storage.name }}]
+    verbs: ["get", "patch"]
+{{- end }}

charts/kubescape-operator/templates/storage/rolebinding.yaml

@@ -2,6 +2,22 @@
 {{- if $components.storage.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  name: {{ .Values.storage.name }}
+  namespace: {{ .Values.ksNamespace }}
+  labels:
+    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.storage.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.storage.name }}
+  namespace: {{ .Values.ksNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   name: {{ include "storage.authReaderRoleBindingName" . | quote }}
   namespace: kube-system
@@ -13,7 +29,7 @@ roleRef:
   # This is a default role name provided by K8s and should not be templated or changed
   name: "extension-apiserver-authentication-reader"
 subjects:
-- kind: ServiceAccount
-  name: {{ .Values.storage.name }}
-  namespace: {{ .Values.ksNamespace }}
+  - kind: ServiceAccount
+    name: {{ .Values.storage.name }}
+    namespace: {{ .Values.ksNamespace }}
 {{- end }}