diff --git a/_apps/vertical-pod-autoscaler.yaml b/_apps/vertical-pod-autoscaler.yaml
new file mode 100644
index 0000000..184cac0
--- /dev/null
+++ b/_apps/vertical-pod-autoscaler.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vertical-pod-autoscaler
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: kube-system
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: kube-system/vertical-pod-autoscaler
+ repoURL: https://git.tbrnt.ch/tobru/gitops-tbrnt.git
+ targetRevision: HEAD
+
diff --git a/kube-system/vertical-pod-autoscaler/README.md b/kube-system/vertical-pod-autoscaler/README.md
new file mode 100644
index 0000000..effaaad
--- /dev/null
+++ b/kube-system/vertical-pod-autoscaler/README.md
@@ -0,0 +1,9 @@
+# VPA
+
+This one runs in `kube-system`
+
+## YAMLs
+
+wget https://raw.githubusercontent.com/kubernetes/autoscaler/master/vertical-pod-autoscaler/deploy/recommender-deployment.yaml
+wget https://raw.githubusercontent.com/kubernetes/autoscaler/master/vertical-pod-autoscaler/deploy/vpa-beta2-crd.yaml
+wget https://raw.githubusercontent.com/kubernetes/autoscaler/master/vertical-pod-autoscaler/deploy/vpa-rbac.yaml
diff --git a/kube-system/vertical-pod-autoscaler/recommender-deployment.yaml b/kube-system/vertical-pod-autoscaler/recommender-deployment.yaml
new file mode 100644
index 0000000..8a41516
--- /dev/null
+++ b/kube-system/vertical-pod-autoscaler/recommender-deployment.yaml
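Review bot: In `_apps/vertical-pod-autoscaler.yaml`, `project: default` leaves this Application unscoped even though its source path installs CRDs, ClusterRoles and ClusterRoleBindings and its destination is `kube-system`. Argo CD's built-in `default` project permits any source repository, destination and resource kind unless it has been restricted elsewhere (not visible in this commit), so a dedicated AppProject that allows only this repo, the `kube-system` destination and the cluster-scoped kinds actually needed would bound what a change under that path can do. `targetRevision: HEAD` means whatever lands on the default branch is what gets synced into `kube-system`; if that branch is not review-gated, pinning to a tag or commit is the safer choice. At minimum I would add a comment above `project:` such as `# TODO: move to a restricted AppProject (installs cluster-scoped RBAC and CRDs)`.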
@@ -0,0 +1,39 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vpa-recommender
+ namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vpa-recommender
+ namespace: kube-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: vpa-recommender
+ template:
+ metadata:
+ labels:
+ app: vpa-recommender
+ spec:
+ serviceAccountName: vpa-recommender
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534 # nobody
+ containers:
+ - name: recommender
+ image: us.gcr.io/k8s-artifacts-prod/autoscaling/vpa-recommender:0.8.0
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: 200m
+ memory: 1000Mi
+ requests:
+ cpu: 50m
+ memory: 500Mi
+ ports:
+ - containerPort: 8080
diff --git a/kube-system/vertical-pod-autoscaler/vpa-beta2-crd.yaml b/kube-system/vertical-pod-autoscaler/vpa-beta2-crd.yaml
new file mode 100644
index 0000000..7add6cc
--- /dev/null
+++ b/kube-system/vertical-pod-autoscaler/vpa-beta2-crd.yaml
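Review bot: The `recommender` container in `recommender-deployment.yaml` has no container-level `securityContext`; the only hardening is what appears to be the pod-level `runAsNonRoot` / `runAsUser: 65534` (nesting is inferred from key order, since indentation is lost on this page). For a pod in `kube-system` whose ServiceAccount holds cluster-wide read RBAC, I would add the container settings below, after verifying that the recommender runs with a read-only root filesystem. The image is referenced by the mutable tag `:0.8.0` with `imagePullPolicy: Always`, so each restart pulls whatever that tag currently resolves to; pinning it as `vpa-recommender:0.8.0@sha256:<digest-placeholder>` would make the deployed bits reviewable in Git. The README in this commit fetches the manifests from upstream `master`, so recording the upstream ref used would show whether this file matches the 0.8.0 image.

```yaml
# … unchanged: serviceAccountName, pod-level securityContext …
containers:
  - name: recommender
    # … unchanged: image, imagePullPolicy, resources, ports …
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true  # verify the recommender needs no writable paths
      capabilities:
        drop:
          - ALL
```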
@@ -0,0 +1,67 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: verticalpodautoscalers.autoscaling.k8s.io
+spec:
+ group: autoscaling.k8s.io
+ scope: Namespaced
+ names:
+ plural: verticalpodautoscalers
+ singular: verticalpodautoscaler
+ kind: VerticalPodAutoscaler
+ shortNames:
+ - vpa
+ version: v1beta1
+ versions:
+ - name: v1beta1
+ served: true
+ storage: false
+ - name: v1beta2
+ served: true
+ storage: true
+ validation:
+ # openAPIV3Schema is the schema for validating custom objects.
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ required: []
+ properties:
+ targetRef:
+ type: object
+ updatePolicy:
+ type: object
+ properties:
+ updateMode:
+ type: string
+ resourcePolicy:
+ type: object
+ properties:
+ containerPolicies:
+ type: array
+ items:
+ type: object
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: verticalpodautoscalercheckpoints.autoscaling.k8s.io
+spec:
+ group: autoscaling.k8s.io
+ scope: Namespaced
+ names:
+ plural: verticalpodautoscalercheckpoints
+ singular: verticalpodautoscalercheckpoint
+ kind: VerticalPodAutoscalerCheckpoint
+ shortNames:
+ - vpacheckpoint
+ version: v1beta1
+ versions:
+ - name: v1beta1
+ served: true
+ storage: false
+ - name: v1beta2
+ served: true
+ storage: true
diff --git a/kube-system/vertical-pod-autoscaler/vpa-rbac.yaml b/kube-system/vertical-pod-autoscaler/vpa-rbac.yaml
new file mode 100644
index 0000000..dd54f25
--- /dev/null
+++ b/kube-system/vertical-pod-autoscaler/vpa-rbac.yaml
@@ -0,0 +1,323 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:metrics-reader
+rules:
+ - apiGroups:
+ - "metrics.k8s.io"
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:vpa-actor
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - limitranges
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - apiGroups:
+ - "poc.autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - apiGroups:
+ - "autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:vpa-checkpoint-actor
+rules:
+ - apiGroups:
+ - "poc.autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalercheckpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - delete
+ - apiGroups:
+ - "autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalercheckpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:evictioner
+rules:
+ - apiGroups:
+ - "apps"
+ - "extensions"
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - pods/eviction
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:metrics-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:metrics-reader
+subjects:
+ - kind: ServiceAccount
+ name: vpa-recommender
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:vpa-actor
+roleRef:
+ apiGroup: 
rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:vpa-actor
+subjects:
+ - kind: ServiceAccount
+ name: vpa-recommender
+ namespace: kube-system
+ - kind: ServiceAccount
+ name: vpa-updater
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:vpa-checkpoint-actor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:vpa-checkpoint-actor
+subjects:
+ - kind: ServiceAccount
+ name: vpa-recommender
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:vpa-target-reader
+rules:
+ - apiGroups:
+ - '*'
+ resources:
+ - '*/scale'
+ verbs:
+ - get
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - replicationcontrollers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:vpa-target-reader-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:vpa-target-reader
+subjects:
+ - kind: ServiceAccount
+ name: vpa-recommender
+ namespace: kube-system
+ - kind: ServiceAccount
+ name: vpa-admission-controller
+ namespace: kube-system
+ - kind: ServiceAccount
+ name: vpa-updater
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:vpa-evictionter-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:evictioner
+subjects:
+ - kind: ServiceAccount
+ name: vpa-updater
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vpa-admission-controller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: 
ClusterRole
+metadata:
+ name: system:vpa-admission-controller
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ - nodes
+ - limitranges
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "admissionregistration.k8s.io"
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - apiGroups:
+ - "poc.autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "autoscaling.k8s.io"
+ resources:
+ - verticalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - update
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:vpa-admission-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:vpa-admission-controller
+subjects:
+ - kind: ServiceAccount
+ name: vpa-admission-controller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:vpa-status-reader
+rules:
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:vpa-status-reader-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:vpa-status-reader
+subjects:
+ - kind: ServiceAccount
+ name: vpa-updater
+ namespace: kube-system
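Review bot: `vpa-rbac.yaml` grants cluster-wide rights to the `vpa-updater` and `vpa-admission-controller` ServiceAccounts, but the only workload this commit adds is the recommender Deployment. `vpa-updater` is not defined in any file shown here, yet `system:vpa-evictionter-binding` lets it `create` `pods/eviction` in every namespace, and `vpa-admission-controller` is created with `create`/`delete` on `mutatingwebhookconfigurations` while nothing in the commit uses it. Any pod later started under those account names in `kube-system` would inherit these standing privileges. Until the updater and admission controller are actually deployed, I would drop the `system:evictioner`, `system:vpa-admission-controller` and `system:vpa-status-reader` roles and bindings, and remove the two unused subjects from the `system:vpa-actor` and `system:vpa-target-reader-binding` bindings. If the file is deliberately kept identical to upstream, a header comment such as `# vendored from kubernetes/autoscaler; updater/admission-controller bindings are unused here` would make that choice explicit for the next reviewer.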