diff --git a/.gitlab/lint.yaml b/.gitlab/lint.yaml
index 21b3c657a75619e34f5e2d958092a1cb5c98c7cb..260964a7793ab661e6894b85856c1fed403c8270 100644
--- a/.gitlab/lint.yaml
+++ b/.gitlab/lint.yaml
@@ -8,7 +8,8 @@ yamllint:
script:
- yamllint .
rules:
- - if: >-
+ - &renovateGuard
+ if: >-
$CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
$RENOVATE == "true"
when: never
@@ -26,10 +27,7 @@ markdownlint:
script:
- mdl --warnings .
rules:
- - if: >-
- $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
- $RENOVATE == "true"
- when: never
+ - *renovateGuard
- changes:
paths:
- .gitlab/lint.yaml
@@ -46,10 +44,7 @@ hadolint:
script:
- find -name 'Dockerfile*' -print0 | xargs -0 hadolint
rules:
- - if: >-
- $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
- $RENOVATE == "true"
- when: never
+ - *renovateGuard
- changes:
paths:
- Dockerfile*
@@ -62,20 +57,12 @@ iperf-kube-lint:
image: registry.gitlab.com/ethz-hpc/pipelines/kube-linter:latest@sha256:f0f8fbe21a03b5f9b6553917815771ed7ab63fcb42125c0057c57e46dd474641
stage: lint
script:
- - set -eo pipefail
- - cd charts/iperf
- - >-
- helm template iperf-server . |
- awk -v o=/dev/stderr '/^(apiVersion:|---)/ { o="/dev/stdout" } { print >o }' |
- tee /dev/stderr |
- kube-linter lint --fail-if-no-objects-found --fail-on-invalid-resource -
+ - make -C charts/iperf lint
rules:
- - if: >-
- $CI_PIPELINE_SOURCE !~ /^(?:push|merge_request_event|schedule|pipeline)$/ &&
- $RENOVATE == "true"
- when: never
+ - *renovateGuard
- changes:
paths:
- .gitlab-ci.yaml
- .gitlab/lint.yaml
- charts/**/*.yaml
+ - .kube-linter.yaml
diff --git a/charts/iperf/.kube-linter.yaml b/charts/iperf/.kube-linter.yaml
index d7327abf548da58758f93d3da21319134ca1913c..5fed7cf48029a39dbfd6aa1d17817a31a64bd45a 100644
--- a/charts/iperf/.kube-linter.yaml
+++ b/charts/iperf/.kube-linter.yaml
@@ -3,3 +3,5 @@ checks:
exclude:
- latest-tag
- drop-net-raw-capability
+ - unset-cpu-requirements
+ - run-as-non-root
diff --git a/charts/iperf/templates/deployment.yaml b/charts/iperf/templates/deployment.yaml
index 21795fa4f37010afef6bf14108c261b5af1e75fc..71ed3081bd4be1d650067c1379d619065c7c10d7 100644
--- a/charts/iperf/templates/deployment.yaml
+++ b/charts/iperf/templates/deployment.yaml
@@ -42,7 +42,6 @@ spec:
protocol: TCP
resources:
limits:
- cpu: 2
ephemeral-storage: 64Mi
memory: 512Mi
requests:
diff --git a/charts/iperf/templates/networkpolicy.yaml b/charts/iperf/templates/networkpolicy.yaml
index 86c4ee764cc240e8ad3728d08d54dd9a78a6f2f0..507d4ed3f2cc59d3de1ffd09c51490c26b66cc32 100644
--- a/charts/iperf/templates/networkpolicy.yaml
+++ b/charts/iperf/templates/networkpolicy.yaml
@@ -24,4 +24,28 @@ spec:
app.kubernetes.io/part-of: iperf-server
policyTypes:
- Ingress
+{{- if and (.Values.networkPolicy.hostNetwork | default false) (.Values.hostNetwork) }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: iperf-hostns
+spec:
+ description: |
+ Allow iperf pods on the host network to communicate
+ ingress:
+ - fromEntities:
+ - remote-node
+ - host
+ - health
+ toPorts:
+ - ports:
+ - port: "{{ .Values.server.port | default 5201 }}"
+ protocol: TCP
+ - port: "{{ .Values.server.port | default 5201 }}"
+ protocol: UDP
+ nodeSelector:
+ matchLabels:
+ node-role.kubernetes.io/compute: "true"
+{{- end }}
{{- end }}
diff --git a/charts/iperf/values.yaml b/charts/iperf/values.yaml
index ca10b3c08a91020a0b74f2601a3bd10ed3dbbfff..e8ba03410d9d84e47e575dfe6a4ff7e9729d3730 100644
--- a/charts/iperf/values.yaml
+++ b/charts/iperf/values.yaml
@@ -20,10 +20,12 @@ server:
port: 5201
networkPolicy:
enabled: false
+ # deploy CiliumClusterWideNetworkPolicy
+ hostNetwork: false
ingress:
CIDRs: []
tolerations: []
# - key: hpc.ethz.ch/uses_http_proxy
# effect: NoSchedule
# operator: Exists
-runAsRoot: false
+runAsRoot: true