From d5a644cf972df439fa7fe48d723a5a5f5378a099 Mon Sep 17 00:00:00 2001
From: Muhammad Hamza Zaib
Date: Thu, 30 Mar 2023 18:12:40 +0500
Subject: [PATCH 1/8] Set namespace for auth-reader rb to kube-system
---
 charts/metrics-server/templates/rolebinding.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/metrics-server/templates/rolebinding.yaml b/charts/metrics-server/templates/rolebinding.yaml
index be6fccf9d..3fda74337 100644
--- a/charts/metrics-server/templates/rolebinding.yaml
+++ b/charts/metrics-server/templates/rolebinding.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ printf "%s-auth-reader" (include "metrics-server.fullname" .) }}
- namespace: {{ .Release.Namespace }}
+ namespace: kube-system
 labels:
 {{- include "metrics-server.labels" . | nindent 4 }}
 roleRef:
From b0eac7f1d32ab9762cb4807d9a00bd8e47404438 Mon Sep 17 00:00:00 2001
From: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
Date: Fri, 31 Mar 2023 12:22:04 +1100
Subject: [PATCH 2/8] add configMap volume for addon resizer
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
---
 charts/metrics-server/templates/_helpers.tpl | 7 +++++++
 charts/metrics-server/templates/configmaps-nanny.yaml | 2 +-
 charts/metrics-server/templates/deployment.yaml | 5 +++++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/charts/metrics-server/templates/_helpers.tpl b/charts/metrics-server/templates/_helpers.tpl
index 2c8a47ca6..1dfb91e68 100644
--- a/charts/metrics-server/templates/_helpers.tpl
+++ b/charts/metrics-server/templates/_helpers.tpl
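Review bot: In `templates/rolebinding.yaml` (PATCH 1/8) the hard-coded `namespace: kube-system` carries no explanation, so a later edit may well revert it to `.Release.Namespace`. The roleRef body is outside the hunk, but it presumably points at the `extension-apiserver-authentication-reader` Role, which exists only in kube-system, so the binding has to live there; a comment above the line such as `# Must be kube-system: the referenced auth-reader Role only exists in that namespace.` would record this. Two consequences are worth stating in the chart docs: the account running the install now needs permission to create RoleBindings in kube-system even when the release targets another namespace, and the subject's `namespace` (also outside the hunk) must remain the release namespace for the grant to reach the metrics-server ServiceAccount.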
@@ -78,6 +78,13 @@ The image to use for the addon resizer {{- printf "%s:%s" .Values.addonResizer.image.repository .Values.addonResizer.image.tag }} {{- end }} +{{/* +ConfigMap name of addon resizer +*/}} +{{- define "metrics-server.addonResizer.configMap" -}} +{{- printf "%s-%s" (include "metrics-server.fullname" .) "nanny-config" }} +{{- end }} + {{/* Get PodDisruptionBudget API Version */}} {{- define "metrics-server.pdb.apiVersion" -}} {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" .Capabilities.KubeVersion.Version) -}} diff --git a/charts/metrics-server/templates/configmaps-nanny.yaml b/charts/metrics-server/templates/configmaps-nanny.yaml index 10164820a..c25005ec2 100644 --- a/charts/metrics-server/templates/configmaps-nanny.yaml +++ b/charts/metrics-server/templates/configmaps-nanny.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "metrics-server.fullname" .}}-nanny-config + name: {{ include "metrics-server.addonResizer.configMap" . }} namespace: {{ .Release.Namespace }} labels: {{- include "metrics-server.labels" . | nindent 4 }} diff --git a/charts/metrics-server/templates/deployment.yaml b/charts/metrics-server/templates/deployment.yaml index 2bd591784..9f44be441 100644 --- a/charts/metrics-server/templates/deployment.yaml +++ b/charts/metrics-server/templates/deployment.yaml @@ -121,6 +121,11 @@ spec: volumes: - name: tmp emptyDir: {} + {{- if .Values.addonResizer.enabled }} + - name: nanny-config-volume + configMap: + name: {{ include "metrics-server.addonResizer.configMap" . }} + {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 8 }} {{- end }} From 154a93a4eae2a649d93fa41d0a78529cd09641de Mon Sep 17 00:00:00 2001 From: Calvin Bui <3604363+calvinbui@users.noreply.github.com> Date: Fri, 31 Mar 2023 12:22:25 +1100 Subject: [PATCH 3/8] fix addon resizer rolebinding 
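Review bot: In `templates/deployment.yaml` (PATCH 2/8) the new `nanny-config-volume` is a required ConfigMap volume, so the pod stays in ContainerCreating whenever the ConfigMap named by `metrics-server.addonResizer.configMap` is not rendered. The condition wrapping `configmaps-nanny.yaml` and the matching `volumeMounts` entry both lie outside these hunks; confirm they are gated on the same `.Values.addonResizer.enabled` as this volume. A one-line comment above the block, e.g. `# Rendered only together with configmaps-nanny.yaml; keep both conditions in sync.`, would make that coupling visible.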
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com> --- charts/metrics-server/templates/_helpers.tpl | 7 +++++++ charts/metrics-server/templates/role-nanny.yaml | 4 ++-- charts/metrics-server/templates/rolebinding-nanny.yaml | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/charts/metrics-server/templates/_helpers.tpl b/charts/metrics-server/templates/_helpers.tpl index 1dfb91e68..9b87f118f 100644 --- a/charts/metrics-server/templates/_helpers.tpl +++ b/charts/metrics-server/templates/_helpers.tpl @@ -85,6 +85,13 @@ ConfigMap name of addon resizer {{- printf "%s-%s" (include "metrics-server.fullname" .) "nanny-config" }} {{- end }} +{{/* +Role name of addon resizer +*/}} +{{- define "metrics-server.addonResizer.role" -}} +{{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }} +{{- end }} + {{/* Get PodDisruptionBudget API Version */}} {{- define "metrics-server.pdb.apiVersion" -}} {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" .Capabilities.KubeVersion.Version) -}} diff --git a/charts/metrics-server/templates/role-nanny.yaml b/charts/metrics-server/templates/role-nanny.yaml index 8551b3713..f0bf8fceb 100644 --- a/charts/metrics-server/templates/role-nanny.yaml +++ b/charts/metrics-server/templates/role-nanny.yaml @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ printf "system:%s-nanny" (include "metrics-server.fullname" .) }} + name: {{ include "metrics-server.addonResizer.role" . }} namespace: {{ .Release.Namespace }} labels: {{- include "metrics-server.labels" . | nindent 4 }} @@ -19,7 +19,7 @@ rules: resources: - deployments resourceNames: - - metrics-server + - {{ include "metrics-server.fullname" . }} verbs: - get - patch diff --git a/charts/metrics-server/templates/rolebinding-nanny.yaml b/charts/metrics-server/templates/rolebinding-nanny.yaml index 99570ac62..73bfaaffe 100644 
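Review bot: In `templates/role-nanny.yaml` (PATCH 3/8, hunk at -19,7) `resourceNames` now renders `metrics-server.fullname`, which keeps the `get`/`patch` grant scoped to a single Deployment only if the Deployment's `metadata.name` is produced by the same helper. That template is not part of this patch, so it should be confirmed; a mismatch fails closed (the resizer is denied on patch) rather than widening access, but it would silently disable resizing. A comment above the entry such as `# Must equal the Deployment name; limits the resizer to patching its own workload.` would document the least-privilege intent. The rules block starts and ends outside the hunk.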
--- a/charts/metrics-server/templates/rolebinding-nanny.yaml
+++ b/charts/metrics-server/templates/rolebinding-nanny.yaml
@@ -10,7 +10,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: metrics-server-nanny
+ name: {{ include "metrics-server.addonResizer.role" . }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "metrics-server.serviceAccountName" . }}
From ee6ac34242437d20d52ca57876880bfc8142a571 Mon Sep 17 00:00:00 2001
From: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
Date: Fri, 31 Mar 2023 12:22:34 +1100
Subject: [PATCH 4/8] bump chart version
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
---
 charts/metrics-server/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/metrics-server/Chart.yaml b/charts/metrics-server/Chart.yaml
index 3fe95c010..e01265425 100644
--- a/charts/metrics-server/Chart.yaml
+++ b/charts/metrics-server/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: metrics-server
 description: Metrics Server is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
 type: application
-version: 3.9.0
+version: 3.9.1
 appVersion: 0.6.3
 keywords:
 - kubernetes
From 79401704412f6b75dfd6ff71e03ac2d892a69d70 Mon Sep 17 00:00:00 2001
From: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
Date: Tue, 4 Apr 2023 09:17:34 +1000
Subject: [PATCH 5/8] undo chart.yaml change
Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>
---
 charts/metrics-server/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/metrics-server/Chart.yaml b/charts/metrics-server/Chart.yaml
index e01265425..3fe95c010 100644
--- a/charts/metrics-server/Chart.yaml
+++ b/charts/metrics-server/Chart.yaml
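Review bot: In `templates/rolebinding-nanny.yaml` (PATCH 3/8) the corrected `roleRef.name` will not apply in place on clusters that already hold this RoleBinding, because Kubernetes treats `roleRef` as immutable and rejects an update that changes it. A release that created the binding with `metrics-server-nanny` will therefore likely fail on upgrade until the old RoleBinding is deleted, unless the binding's own `metadata.name` (outside the hunk) also changes. The release notes should say so, for example `Upgrading with addonResizer.enabled: delete the existing nanny RoleBinding first; its roleRef cannot be changed in place.`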
@@ -2,7 +2,7 @@ apiVersion: v2 name: metrics-server description: Metrics Server is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. type: application -version: 3.9.1 +version: 3.9.0 appVersion: 0.6.3 keywords: - kubernetes From 55b9b0b5036fbda5d1ff8f0dd9246953a5c3486c Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Wed, 5 Apr 2023 15:42:49 -0500 Subject: [PATCH 6/8] Permit running under PodSecurity restricted Signed-off-by: Pat Riehecky --- charts/metrics-server/values.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/charts/metrics-server/values.yaml b/charts/metrics-server/values.yaml index 9741208b8..9b4fc16c4 100644 --- a/charts/metrics-server/values.yaml +++ b/charts/metrics-server/values.yaml @@ -56,6 +56,11 @@ securityContext: readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL priorityClassName: system-cluster-critical From 1f98fd5cf7028d02381de0d93727e6c17802fde2 Mon Sep 17 00:00:00 2001 From: Steve Hipwell Date: Wed, 12 Apr 2023 17:08:50 +0100 Subject: [PATCH 7/8] fix(chart): Updated container port to correct default Signed-off-by: Steve Hipwell --- charts/metrics-server/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/metrics-server/values.yaml b/charts/metrics-server/values.yaml index 9b4fc16c4..7520a947b 100644 --- a/charts/metrics-server/values.yaml +++ b/charts/metrics-server/values.yaml @@ -64,7 +64,7 @@ securityContext: priorityClassName: system-cluster-critical -containerPort: 4443 +containerPort: 10250 hostNetwork: # Specifies if metrics-server should be started in hostNetwork mode. From ecf98e97a4b30cccc561608c5491e06c1ae3e2a8 Mon Sep 17 00:00:00 2001 From: Steve Hipwell Date: Wed, 12 Apr 2023 17:12:54 +0100 Subject: [PATCH 8/8] feat(chart): Released v3.10.0 
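Review bot: In `values.yaml` (PATCH 6/8) the added `seccompProfile` and `capabilities.drop` cover only this one `securityContext` value, whereas the restricted profile is enforced on every container in the pod. It also requires `allowPrivilegeEscalation: false`, which is not visible here because the block starts above the hunk. If the addon-resizer container takes its security context from a different value, a pod with `addonResizer.enabled` would still be rejected in a restricted namespace, so that setting should be checked too. A comment above `seccompProfile` such as `# Required by the PodSecurity "restricted" profile; do not loosen without checking admission.` would keep later edits from weakening it.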
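Review bot: In `values.yaml` (PATCH 7/8) the new default `containerPort: 10250` is also the kubelet's default port, and the `hostNetwork` option sits directly below it. With host networking enabled the container would try to bind a port the kubelet already holds on the node, so the value deserves a comment such as `# With hostNetwork.enabled, pick another port: 10250 is the kubelet's port on the host.` Installs that relied on the old default may also carry NetworkPolicies or firewall rules that let the API server reach 4443, and those have to follow the port change.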
Signed-off-by: Steve Hipwell
---
 charts/metrics-server/Chart.yaml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/charts/metrics-server/Chart.yaml b/charts/metrics-server/Chart.yaml
index 3fe95c010..996f21301 100644
--- a/charts/metrics-server/Chart.yaml
+++ b/charts/metrics-server/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: metrics-server
 description: Metrics Server is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
 type: application
-version: 3.9.0
+version: 3.10.0
 appVersion: 0.6.3
 keywords:
 - kubernetes
@@ -21,9 +21,11 @@ maintainers:
 url: https://github.com/endrec
 annotations:
 artifacthub.io/changes: |
+ - kind: fixed
+ description: "Fixed auth-reader role binding namespace to always use kube-system."
+ - kind: fixed
+ description: "Fixed addon resizer configuration."
 - kind: added
- description: "Added autoscaling support via the addon-resizer."
- - kind: changed
- description: "Updated the Metrics Server OCI image to v0.6.3."
+ description: "Added support for running under PodSecurity restricted."
 - kind: fixed
- description: "Fixed service labels/annotations."
+ description: "Fixed container port default not having been updated to 10250."