Allow configuration of the initContainer resources

Contrast-Security-OSS · May 10, 2024 · 51ea0e8 · 51ea0e8
1 parent 4ba1048
commit 51ea0e8
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 5 deletions.
diff --git a/manifests/helm/build/templates/overlays/deployment.yaml b/manifests/helm/build/templates/overlays/deployment.yaml
@@ -27,3 +27,11 @@ spec:
               value: '{{ .Values.operator.enableEarlyChaining }}'
             - name: CONTRAST_INSTALL_SOURCE
               value: helm
+            - name: CONTRAST_INITCONTAINER_CPU_REQUEST
+              value: '{{ .Values.operator.initContainer.resources.requests.cpu }}'
+            - name: CONTRAST_INITCONTAINER_CPU_LIMIT
+              value: '{{ .Values.operator.initContainer.resources.limits.cpu }}'
+            - name: CONTRAST_INITCONTAINER_MEMORY_REQUEST
+              value: '{{ .Values.operator.initContainer.resources.requests.memory }}'
+            - name: CONTRAST_INITCONTAINER_MEMORY_LIMIT
+              value: '{{ .Values.operator.initContainer.resources.limits.memory }}'
diff --git a/manifests/helm/values.yaml b/manifests/helm/values.yaml
@@ -42,6 +42,15 @@ operator:
   webhookConfiguration: contrast-web-hook-configuration
   # Enable early chaining. Should normally be disabled unless DynaKube is used in classicStack mode.
   enableEarlyChaining: false
+  # Resource management for the agent initContainers
+  initContainer:
+    resources:
+      limits:
+        cpu: 100m
+        memory: 64Mi
+      requests:
+        cpu: 100m
+        memory: 64Mi
 
 clusterDefaults:
   # If enabled, configure cluster-wide defaults.

diff --git a/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs b/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs
@@ -186,14 +186,14 @@ private V1Container CreateInitContainer(PatchingContext context,
         securityContent.Capabilities.Drop ??= MergeDropCapabilities(containerSecurityContext);
 
         // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container
-        const string cpuLimit = "100m";
-        const string memoryLimit = "64Mi";
+        var (cpuRequest, memoryRequest) = _operatorOptions.initRequests;
+        var (cpuLimit, memoryLimit) = _operatorOptions.initLimits;
 
         var resources = new V1ResourceRequirements();
 
         resources.Requests ??= new Dictionary<string, ResourceQuantity>(StringComparer.Ordinal);
-        resources.Requests.TryAdd("cpu", new ResourceQuantity(cpuLimit));
-        resources.Requests.TryAdd("memory", new ResourceQuantity(memoryLimit));
+        resources.Requests.TryAdd("cpu", new ResourceQuantity(cpuRequest));
+        resources.Requests.TryAdd("memory", new ResourceQuantity(memoryRequest));
 
         resources.Limits ??= new Dictionary<string, ResourceQuantity>(StringComparer.Ordinal);
         resources.Limits.TryAdd("cpu", new ResourceQuantity(cpuLimit));

diff --git a/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs b/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs
@@ -91,6 +91,34 @@ protected override void Load(ContainerBuilder builder)
                 chaosPercent = parsedChaosPercent;
             }
 
+            var @cpuRequest = "100m";
+            var @cpuLimit = "100m";
+            if (GetEnvironmentVariableAsString("CONTRAST_INITCONTAINER_CPU_REQUEST", out var cpuRequestStr))
+            {
+                logger.LogOptionValue("initcontainer-cpu-request", @cpuRequest, cpuRequestStr);
+                @cpuRequest = cpuRequestStr;
+            }
+
+            if (GetEnvironmentVariableAsString("CONTRAST_INITCONTAINER_CPU_LIMIT", out var cpuLimitStr))
+            {
+                logger.LogOptionValue("initcontainer-cpu-limit", @cpuLimit, cpuLimitStr);
+                @cpuLimit = cpuLimitStr;
+            }
+
+            var @memoryLimit = "64Mi";
+            var @memoryRequest = "64Mi";
+            if (GetEnvironmentVariableAsString("CONTRAST_INITCONTAINER_MEMORY_REQUEST", out var memoryRequestStr))
+            {
+                logger.LogOptionValue("initcontainer-memory-request", @memoryRequest, memoryRequestStr);
+                @memoryRequest = memoryRequestStr;
+            }
+
+            if (GetEnvironmentVariableAsString("CONTRAST_INITCONTAINER_MEMORY_LIMIT", out var memoryLimitStr))
+            {
+                logger.LogOptionValue("initcontainer-memory-limit", @memoryLimit, memoryLimitStr);
+                @memoryLimit = memoryLimitStr;
+            }
+
             return new OperatorOptions(
                 @namespace,
                 settleDuration,
@@ -99,7 +127,9 @@ protected override void Load(ContainerBuilder builder)
                 eventQueueMergeWindowSeconds,
                 runInitContainersAsNonRoot,
                 suppressSeccompProfile,
-                chaosPercent / 100m
+                chaosPercent / 100m,
+                (cpuRequest, memoryRequest),
+                (cpuLimit, memoryLimit)
             );
         }).SingleInstance();
 

diff --git a/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs b/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs
@@ -13,4 +13,6 @@ public record OperatorOptions(string Namespace,
                               bool RunInitContainersAsNonRoot,
                               bool SuppressSeccompProfile,
                               decimal ChaosRatio,
+                              (string cpuRequest, string memoryRequest) initRequests,
+                              (string cpuLimit, string memoryLimit) initLimits,
                               string FieldManagerName = "agents.contrastsecurity.com");