From 51ea0e826ea1c44376ceb42fc35bfd1aacc149d5 Mon Sep 17 00:00:00 2001 From: Josh Anderson Date: Fri, 10 May 2024 14:57:55 +0100 Subject: [PATCH] Allow configuration of the initContainer resources --- .../build/templates/overlays/deployment.yaml | 8 +++++ manifests/helm/values.yaml | 9 ++++++ .../Injecting/Patching/PodPatcher.cs | 8 ++--- .../Modules/OptionsModule.cs | 32 ++++++++++++++++++- .../Options/OperatorOptions.cs | 2 ++ 5 files changed, 54 insertions(+), 5 deletions(-) diff --git a/manifests/helm/build/templates/overlays/deployment.yaml b/manifests/helm/build/templates/overlays/deployment.yaml index 2b5ecd9f..2d32a02f 100644 --- a/manifests/helm/build/templates/overlays/deployment.yaml +++ b/manifests/helm/build/templates/overlays/deployment.yaml @@ -27,3 +27,11 @@ spec: value: '{{ .Values.operator.enableEarlyChaining }}' - name: CONTRAST_INSTALL_SOURCE value: helm + - name: CONTRAST_INITCONTAINER_CPU_REQUEST + value: '{{ .Values.operator.initContainer.resources.requests.cpu }}' + - name: CONTRAST_INITCONTAINER_CPU_LIMIT + value: '{{ .Values.operator.initContainer.resources.limits.cpu }}' + - name: CONTRAST_INITCONTAINER_MEMORY_REQUEST + value: '{{ .Values.operator.initContainer.resources.requests.memory }}' + - name: CONTRAST_INITCONTAINER_MEMORY_LIMIT + value: '{{ .Values.operator.initContainer.resources.limits.memory }}' \ No newline at end of file diff --git a/manifests/helm/values.yaml b/manifests/helm/values.yaml index 669490f5..22f619bb 100644 --- a/manifests/helm/values.yaml +++ b/manifests/helm/values.yaml @@ -42,6 +42,15 @@ operator: webhookConfiguration: contrast-web-hook-configuration # Enable early chaining. Should normally be disabled unless DynaKube is used in classicStack mode. enableEarlyChaining: false + # Resource management for the agent initContainers + initContainer: + resources: + limits: + cpu: 100m + memory: 64Mi + requests: + cpu: 100m + memory: 64Mi clusterDefaults: # If enabled, configure cluster-wide defaults. 
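Review bot: The four new `value:` lines in deployment.yaml render the chart value with no fallback, so an override that nulls a single leaf (for example `limits.cpu`) yields an env var that is present but empty. Whether the operator treats an empty `CONTRAST_INITCONTAINER_*` variable as unset is not visible in this patch. Keeping the file's quoting convention, a default inside the template closes that gap: `value: '{{ .Values.operator.initContainer.resources.limits.cpu | default "100m" }}'`, and likewise for the other three with their values.yaml defaults.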
diff --git a/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs b/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs index bfe5c402..50cfdeea 100644 --- a/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs +++ b/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs @@ -186,14 +186,14 @@ private V1Container CreateInitContainer(PatchingContext context, securityContent.Capabilities.Drop ??= MergeDropCapabilities(containerSecurityContext); // https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container - const string cpuLimit = "100m"; - const string memoryLimit = "64Mi"; + var (cpuRequest, memoryRequest) = _operatorOptions.initRequests; + var (cpuLimit, memoryLimit) = _operatorOptions.initLimits; var resources = new V1ResourceRequirements(); resources.Requests ??= new Dictionary(StringComparer.Ordinal); - resources.Requests.TryAdd("cpu", new ResourceQuantity(cpuLimit)); - resources.Requests.TryAdd("memory", new ResourceQuantity(memoryLimit)); + resources.Requests.TryAdd("cpu", new ResourceQuantity(cpuRequest)); + resources.Requests.TryAdd("memory", new ResourceQuantity(memoryRequest)); resources.Limits ??= new Dictionary(StringComparer.Ordinal); resources.Limits.TryAdd("cpu", new ResourceQuantity(cpuLimit)); diff --git a/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs b/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs index 51976258..1b0cfca8 100644 --- a/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs +++ b/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs 
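Review bot: `cpuRequest`, `memoryRequest`, `cpuLimit` and `memoryLimit` in CreateInitContainer are now operator-supplied strings, yet this code still passes them to `new ResourceQuantity(...)` with no validation on every pod patch. A malformed quantity, or a request larger than its limit (which the API server rejects), would only surface while a workload pod is being admitted. Depending on the webhook's failure policy, which is not visible here, that likely means the pod is either refused or created without the agent init container. Checking the four values once where they are read in OptionsModule.Load (the `@@ -91,6 +91,34 @@` hunk) and refusing to start on a bad value would move the failure to operator startup, where it is visible in the operator's own logs. CreateInitContainer begins and ends outside this hunk.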
@@ -91,6 +91,34 @@ protected override void Load(ContainerBuilder builder) chaosPercent = parsedChaosPercent; } + var @cpuRequest = "100m"; + var @cpuLimit = "100m"; + if (GetEnvironmentVariableAsString("CONTRAST_INITCONTAINER_CPU_REQUEST", out var cpuRequestStr)) + { + logger.LogOptionValue("initcontainer-cpu-request", @cpuRequest, cpuRequestStr); + @cpuRequest = cpuRequestStr; + } + + if (GetEnvironmentVariableAsString("CONTRAST_INITCONTAINER_CPU_LIMIT", out var cpuLimitStr)) + { + logger.LogOptionValue("initcontainer-cpu-limit", @cpuLimit, cpuLimitStr); + @cpuLimit = cpuLimitStr; + } + + var @memoryLimit = "64Mi"; + var @memoryRequest = "64Mi"; + if (GetEnvironmentVariableAsString("CONTRAST_INITCONTAINER_MEMORY_REQUEST", out var memoryRequestStr)) + { + logger.LogOptionValue("initcontainer-memory-request", @memoryRequest, memoryRequestStr); + @memoryRequest = memoryRequestStr; + } + + if (GetEnvironmentVariableAsString("CONTRAST_INITCONTAINER_MEMORY_LIMIT", out var memoryLimitStr)) + { + logger.LogOptionValue("initcontainer-memory-limit", @memoryLimit, memoryLimitStr); + @memoryLimit = memoryLimitStr; + } + return new OperatorOptions( @namespace, settleDuration, @@ -99,7 +127,9 @@ protected override void Load(ContainerBuilder builder) eventQueueMergeWindowSeconds, runInitContainersAsNonRoot, suppressSeccompProfile, - chaosPercent / 100m + chaosPercent / 100m, + (cpuRequest, memoryRequest), + (cpuLimit, memoryLimit) ); }).SingleInstance(); diff --git a/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs b/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs index 98652984..d2736b63 100644 --- a/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs +++ b/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs 
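Review bot: The `@` prefix on `@cpuRequest`, `@cpuLimit`, `@memoryLimit` and `@memoryRequest` is unnecessary because none of these is a C# keyword (unlike `@namespace` in the constructor call below). The same read-log-assign block is also repeated four times, with the memory pair declared in the opposite order to the cpu pair. A small local function removes the repetition and leaves a single place to add validation of the values. Load's body starts and ends outside this hunk.

```csharp
// … unchanged: chaosPercent parsing above …

string ReadQuantity(string variable, string optionName, string defaultValue)
{
    if (GetEnvironmentVariableAsString(variable, out var value))
    {
        logger.LogOptionValue(optionName, defaultValue, value);
        return value;
    }

    return defaultValue;
}

var cpuRequest = ReadQuantity("CONTRAST_INITCONTAINER_CPU_REQUEST", "initcontainer-cpu-request", "100m");
var cpuLimit = ReadQuantity("CONTRAST_INITCONTAINER_CPU_LIMIT", "initcontainer-cpu-limit", "100m");
var memoryRequest = ReadQuantity("CONTRAST_INITCONTAINER_MEMORY_REQUEST", "initcontainer-memory-request", "64Mi");
var memoryLimit = ReadQuantity("CONTRAST_INITCONTAINER_MEMORY_LIMIT", "initcontainer-memory-limit", "64Mi");

// … unchanged: return new OperatorOptions(...) …
```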
@@ -13,4 +13,6 @@ public record OperatorOptions(string Namespace,
 bool RunInitContainersAsNonRoot,
 bool SuppressSeccompProfile,
 decimal ChaosRatio,
+ (string cpuRequest, string memoryRequest) initRequests,
+ (string cpuLimit, string memoryLimit) initLimits,
 string FieldManagerName = "agents.contrastsecurity.com");
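Review bot: The new positional parameters `initRequests` and `initLimits`, and their tuple elements, are camelCase while every other parameter of the record visible here is PascalCase. On a positional record these names become the public property names, which is why PodPatcher reads `_operatorOptions.initRequests`. Suggest `(string Cpu, string Memory) InitContainerRequests,` and `(string Cpu, string Memory) InitContainerLimits,`, with the two reads in PodPatcher updated to match. Both tuples hold two strings, so named access (`.Cpu`, `.Memory`) at the call site would also prevent a silent cpu/memory swap that positional deconstruction allows. The record declaration starts above this hunk.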