Merge branch 'hostnetpol' into 'main'

ditch cpu limits See merge request !11

Merge branch 'hostnetpol' into 'main'
ditch cpu limits See merge request !11
0956c0c5 · mminar · da07a13f · 784ad4f2 · 0956c0c5 · 0956c0c5
Commit 0956c0c5 authored 6 months ago by mminar
--- a/.gitlab/lint.yaml
+++ b/.gitlab/lint.yaml
@@ -8,7 +8,8 @@ yamllint:
  script:
    - yamllint .
  rules:
-    - if: >-
+    - &renovateGuard
+      if: >-
        $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
        $RENOVATE == "true"
      when: never
@@ -26,10 +27,7 @@ markdownlint:
  script:
    - mdl --warnings .
  rules:
-    - if: >-
-        $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
-        $RENOVATE == "true"
-      when: never
+    - *renovateGuard
    - changes:
        paths:
          - .gitlab/lint.yaml
@@ -46,10 +44,7 @@ hadolint:
  script:
    - find -name 'Dockerfile*' -print0 | xargs -0 hadolint
  rules:
-    - if: >-
-        $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
-        $RENOVATE == "true"
-      when: never
+    - *renovateGuard
    - changes:
        paths:
          - Dockerfile*
@@ -62,20 +57,12 @@ iperf-kube-lint:
  image: registry.gitlab.com/ethz-hpc/pipelines/kube-linter:latest@sha256:f0f8fbe21a03b5f9b6553917815771ed7ab63fcb42125c0057c57e46dd474641
  stage: lint
  script:
-    - set -eo pipefail
-    - cd charts/iperf
-    - >-
-      helm template iperf-server . |
-        awk -v o=/dev/stderr '/^(apiVersion:|---)/ { o="/dev/stdout" } { print >o }' |
-        tee /dev/stderr |
-        kube-linter lint --fail-if-no-objects-found --fail-on-invalid-resource -
+    - make -C charts/iperf lint
  rules:
-    - if: >-
-        $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
-        $RENOVATE == "true"
-      when: never
+    - *renovateGuard
    - changes:
        paths:
          - .gitlab-ci.yaml
          - .gitlab/lint.yaml
          - charts/**/*.yaml
+          - .kube-linter.yaml
--- a/charts/iperf/.kube-linter.yaml
+++ b/charts/iperf/.kube-linter.yaml
@@ -3,3 +3,5 @@ checks:
  exclude:
    - latest-tag
    - drop-net-raw-capability
+    - unset-cpu-requirements
+    - run-as-non-root
--- a/charts/iperf/templates/deployment.yaml
+++ b/charts/iperf/templates/deployment.yaml
@@ -42,7 +42,6 @@ spec:
              protocol: TCP
          resources:
            limits:
-              cpu: 2
              ephemeral-storage: 64Mi
              memory: 512Mi
            requests:

--- a/charts/iperf/templates/networkpolicy.yaml
+++ b/charts/iperf/templates/networkpolicy.yaml
@@ -24,4 +24,28 @@ spec:
      app.kubernetes.io/part-of: iperf-server
  policyTypes:
    - Ingress
+{{- if and (.Values.networkPolicy.hostNetwork | default false) (.Values.hostNetwork) }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: iperf-hostns
+spec:
+  description: |
+    Allow iperf pods on the host network to communicate
+  ingress:
+    - fromEntities:
+        - remote-node
+        - host
+        - health
+      toPorts:
+        - ports:
+            - port: "{{ .Values.server.port | default 5201 }}"
+              protocol: TCP
+            - port: "{{ .Values.server.port | default 5201 }}"
+              protocol: UDP
+  nodeSelector:
+    matchLabels:
+      node-role.kubernetes.io/compute: "true"
+{{- end }}
 {{- end }}
--- a/charts/iperf/values.yaml
+++ b/charts/iperf/values.yaml
@@ -20,10 +20,12 @@ server:
  port: 5201
 networkPolicy:
  enabled: false
+  # deploy CiliumClusterWideNetworkPolicy
+  hostNetwork: false
  ingress:
    CIDRs: []
 tolerations: []
 #  - key: hpc.ethz.ch/uses_http_proxy
 #    effect: NoSchedule
 #    operator: Exists
-runAsRoot: false
+runAsRoot: true