Documentation
¶
Index ¶
- Constants
- Variables
- func AWSAuthMapRoles(nodeRoleARN, fargateRoleARN string) []...
- func GlobalSettings(opts Opts) *corev1.ConfigMap
- func P[T any](t T) *T
- type Controller
- type CustomResourceDefinitions
- type FargateProfile
- type IAMRole
- type Infra
- type InfraOpts
- type InstanceProfile
- type Karpenter
- type NodeTerminationQueue
- type Opts
- type Provisioners
- type ProvisionersOpts
Constants ¶
View Source
const ( AppName = "karpenter" Namespace = "karpenter" Version = "0.25.0" )
Variables ¶
View Source
var AdminCr = &rbacv1.ClusterRole{ TypeMeta: kubeutil.TypeClusterRoleV1, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter-admin", Labels: appendCommonLabels( map[string]string{ "rbac.authorization.k8s.io/aggregate-to-admin": "true", }, ), }, Rules: []rbacv1.PolicyRule{ { Verbs: []string{ "get", "list", "watch", "create", "delete", "patch", }, APIGroups: []string{"karpenter.sh"}, Resources: []string{"provisioners", "provisioners/status"}, }, { Verbs: []string{ "get", "list", "watch", "create", "delete", "patch", }, APIGroups: []string{"karpenter.k8s.aws"}, Resources: []string{"awsnodetemplates"}, }, }, }
View Source
var CanUpdateWebhooks = &rbacv1.ClusterRole{ TypeMeta: metav1.TypeMeta{ Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter", Labels: commonLabels, }, Rules: []rbacv1.PolicyRule{ { Verbs: []string{ "get", "list", "watch", }, APIGroups: []string{"karpenter.k8s.aws"}, Resources: []string{"awsnodetemplates"}, }, { Verbs: []string{"update"}, APIGroups: []string{"admissionregistration.k8s.io"}, Resources: []string{"validatingwebhookconfigurations"}, ResourceNames: []string{"validation.webhook.karpenter.k8s.aws"}, }, { Verbs: []string{"update"}, APIGroups: []string{"admissionregistration.k8s.io"}, Resources: []string{"mutatingwebhookconfigurations"}, ResourceNames: []string{"defaulting.webhook.karpenter.k8s.aws"}, }, { Verbs: []string{"patch", "update"}, APIGroups: []string{"karpenter.k8s.aws"}, Resources: []string{"awsnodetemplates/status"}, }, }, }
View Source
var CertSecret = &corev1.Secret{ TypeMeta: metav1.TypeMeta{ Kind: "Secret", APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter-cert", Namespace: "karpenter", Labels: commonLabels, }, Data: map[string][]uint8{}, }
View Source
var ContainerPorts = []corev1.ContainerPort{ { Name: "http-metrics", ContainerPort: 8080, Protocol: corev1.Protocol("TCP"), }, { Name: "http", ContainerPort: 8081, Protocol: corev1.Protocol("TCP"), }, { Name: "https-webhook", ContainerPort: 8443, Protocol: corev1.Protocol("TCP"), }, }
View Source
var CoreCr = &rbacv1.ClusterRole{ TypeMeta: kubeutil.TypeClusterRoleV1, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter-core", Labels: commonLabels, }, Rules: []rbacv1.PolicyRule{ { APIGroups: []string{"karpenter.sh"}, Resources: []string{ "provisioners", "provisioners/status", "machines", "machines/status", }, Verbs: []string{"get", "list", "watch"}, }, { APIGroups: []string{""}, Resources: []string{ "pods", "nodes", "persistentvolumes", "persistentvolumeclaims", "replicationcontrollers", "namespaces", }, Verbs: []string{"get", "list", "watch"}, }, { APIGroups: []string{"storage.k8s.io"}, Resources: []string{"storageclasses", "csinodes"}, Verbs: []string{"get", "watch", "list"}, }, { APIGroups: []string{"apps"}, Resources: []string{ "daemonsets", "deployments", "replicasets", "statefulsets", }, Verbs: []string{"list", "watch"}, }, { APIGroups: []string{"admissionregistration.k8s.io"}, Resources: []string{ "validatingwebhookconfigurations", "mutatingwebhookconfigurations", }, Verbs: []string{"get", "watch", "list"}, }, { APIGroups: []string{"policy"}, Resources: []string{"poddisruptionbudgets"}, Verbs: []string{"get", "list", "watch"}, }, { APIGroups: []string{"karpenter.sh"}, Resources: []string{ "provisioners/status", "machines", "machines/status", }, Verbs: []string{"create", "delete", "patch"}, }, { APIGroups: []string{""}, Resources: []string{"events"}, Verbs: []string{"create", "patch"}, }, { APIGroups: []string{""}, Resources: []string{"nodes"}, Verbs: []string{"create", "patch", "delete"}, }, { APIGroups: []string{""}, Resources: []string{"pods/eviction"}, Verbs: []string{"create"}, }, { APIGroups: []string{"admissionregistration.k8s.io"}, ResourceNames: []string{ "validation.webhook.karpenter.sh", "validation.webhook.config.karpenter.sh", }, Resources: []string{"validatingwebhookconfigurations"}, Verbs: []string{"update"}, }, { APIGroups: []string{"admissionregistration.k8s.io"}, ResourceNames: []string{"defaulting.webhook.karpenter.sh"}, Resources: []string{"mutatingwebhookconfigurations"}, Verbs: []string{"update"}, }, }, }
View Source
var Deploy = &appsv1.Deployment{ TypeMeta: kubeutil.TypeDeploymentV1, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter", Namespace: "karpenter", Labels: commonLabels, }, Spec: appsv1.DeploymentSpec{ Replicas: P(int32(2)), Selector: &metav1.LabelSelector{ MatchLabels: matchLabels, }, Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: matchLabels, }, Spec: corev1.PodSpec{ Containers: []corev1.Container{ { Name: "controller", Image: "public.ecr.aws/karpenter/controller:v" + Version, Ports: ContainerPorts, Env: Environment, Resources: corev1.ResourceRequirements{ Limits: corev1.ResourceList{ corev1.ResourceName("cpu"): resource.MustParse("1"), corev1.ResourceName("memory"): resource.MustParse("1Gi"), }, Requests: corev1.ResourceList{ corev1.ResourceName("cpu"): resource.MustParse("1"), corev1.ResourceName("memory"): resource.MustParse("1Gi"), }, }, LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ Path: "/healthz", Port: intstr.IntOrString{ Type: intstr.Type(1), StrVal: "http", }, }, }, InitialDelaySeconds: 30, TimeoutSeconds: 30, }, ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ Path: "/readyz", Port: intstr.IntOrString{ Type: intstr.Type(1), StrVal: "http", }, }, }, TimeoutSeconds: 30, }, ImagePullPolicy: corev1.PullPolicy("IfNotPresent"), }, }, DNSPolicy: corev1.DNSPolicy("Default"), NodeSelector: map[string]string{"kubernetes.io/os": "linux"}, ServiceAccountName: "karpenter", SecurityContext: &corev1.PodSecurityContext{FSGroup: P(int64(1000))}, Affinity: SetNodeAffinity, Tolerations: []corev1.Toleration{ { Key: "CriticalAddonsOnly", Operator: corev1.TolerationOperator("Exists"), }, }, PriorityClassName: "system-cluster-critical", TopologySpreadConstraints: []corev1.TopologySpreadConstraint{ { MaxSkew: 1, TopologyKey: "topology.kubernetes.io/zone", WhenUnsatisfiable: corev1.UnsatisfiableConstraintAction("ScheduleAnyway"), LabelSelector: &metav1.LabelSelector{ MatchLabels: matchLabels, }, }, }, }, }, Strategy: appsv1.DeploymentStrategy{RollingUpdate: &appsv1.RollingUpdateDeployment{MaxUnavailable: &intstr.IntOrString{IntVal: 1}}}, RevisionHistoryLimit: P(int32(10)), }, }
View Source
var DnsRole = &rbacv1.Role{ TypeMeta: kubeutil.TypeRoleV1, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter-dns", Namespace: "kube-system", Labels: commonLabels, }, Rules: []rbacv1.PolicyRule{ { Verbs: []string{"get"}, APIGroups: []string{""}, Resources: []string{"services"}, ResourceNames: []string{"kube-dns"}, }, }, }
View Source
var DnsRoleBinding = &rbacv1.RoleBinding{ TypeMeta: kubeutil.TypeRoleBindingV1, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter-dns", Namespace: "kube-system", Labels: commonLabels, }, Subjects: kubeutil.RoleSubject("karpenter", "karpenter"), RoleRef: kubeutil.RoleRef("karpenter-dns"), }
View Source
var Environment = []corev1.EnvVar{ { Name: "KUBERNETES_MIN_VERSION", Value: "1.19.0-0", }, { Name: "KARPENTER_SERVICE", Value: "karpenter", }, {Name: "WEBHOOK_PORT", Value: "8443"}, {Name: "METRICS_PORT", Value: "8080"}, { Name: "HEALTH_PROBE_PORT", Value: "8081", }, { Name: "SYSTEM_NAMESPACE", ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{FieldPath: "metadata.namespace"}}, }, { Name: "MEMORY_LIMIT", ValueFrom: &corev1.EnvVarSource{ ResourceFieldRef: &corev1.ResourceFieldSelector{ ContainerName: "controller", Resource: "limits.memory", Divisor: resource.MustParse("0"), }, }, }, }
View Source
var LoggingConfig = &corev1.ConfigMap{ TypeMeta: kubeutil.TypeConfigMapV1, ObjectMeta: metav1.ObjectMeta{ Name: "config-logging", Namespace: "karpenter", Labels: commonLabels, }, Data: map[string]string{ "loglevel.webhook": "error", "zap-logger-config": ZapLoggerConfig, }, }
View Source
var Pdb = &policyv1.PodDisruptionBudget{ TypeMeta: metav1.TypeMeta{ Kind: "PodDisruptionBudget", APIVersion: "policy/v1", }, ObjectMeta: metav1.ObjectMeta{Name: "karpenter", Namespace: "karpenter"}, Spec: policyv1.PodDisruptionBudgetSpec{ Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "app.kubernetes.io/instance": "karpenter", "app.kubernetes.io/name": "karpenter", }, }, MaxUnavailable: &intstr.IntOrString{IntVal: 1}, }, }
View Source
var Role = &rbacv1.Role{ TypeMeta: kubeutil.TypeRoleV1, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter", Namespace: "karpenter", Labels: commonLabels, }, Rules: []rbacv1.PolicyRule{ { Verbs: []string{"get", "watch"}, APIGroups: []string{"coordination.k8s.io"}, Resources: []string{"leases"}, }, { Verbs: []string{"get", "list", "watch"}, APIGroups: []string{""}, Resources: []string{"configmaps", "namespaces", "secrets"}, }, { Verbs: []string{"update"}, APIGroups: []string{""}, Resources: []string{"secrets"}, ResourceNames: []string{"karpenter-cert"}, }, { Verbs: []string{"update", "patch", "delete"}, APIGroups: []string{""}, Resources: []string{"configmaps"}, ResourceNames: []string{ "karpenter-global-settings", "config-logging", }, }, { Verbs: []string{"patch", "update"}, APIGroups: []string{"coordination.k8s.io"}, Resources: []string{"leases"}, ResourceNames: []string{ "karpenter-leader-election", "webhook.configmapwebhook.00-of-01", "webhook.defaultingwebhook.00-of-01", "webhook.validationwebhook.00-of-01", "webhook.webhookcertificates.00-of-01", }, }, { Verbs: []string{"create"}, APIGroups: []string{"coordination.k8s.io"}, Resources: []string{"leases"}, }, { Verbs: []string{"create"}, APIGroups: []string{""}, Resources: []string{"configmaps"}, }, }, }
View Source
var S = terra.String
View Source
var SetNodeAffinity = &corev1.Affinity{ NodeAffinity: &corev1.NodeAffinity{ RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{ NodeSelectorTerms: []corev1.NodeSelectorTerm{ { MatchExpressions: []corev1.NodeSelectorRequirement{ { Key: "karpenter.sh/provisioner-name", Operator: corev1.NodeSelectorOperator("DoesNotExist"), }, }, }, }, }, }, }
View Source
var Svc = &corev1.Service{ TypeMeta: kubeutil.TypeServiceV1, ObjectMeta: metav1.ObjectMeta{ Name: "karpenter", Namespace: "karpenter", Labels: commonLabels, }, Spec: corev1.ServiceSpec{ Type: corev1.ServiceType("ClusterIP"), Selector: matchLabels, Ports: []corev1.ServicePort{ { Name: "http-metrics", Protocol: corev1.ProtocolTCP, Port: 8080, TargetPort: intstr.IntOrString{ Type: intstr.Type(1), StrVal: "http-metrics", }, }, { Name: "https-webhook", Protocol: corev1.ProtocolTCP, Port: 443, TargetPort: intstr.IntOrString{ Type: intstr.Type(1), StrVal: "https-webhook", }, }, }, }, }
View Source
var WebhookMutatingKarpenter = &ar.MutatingWebhookConfiguration{ TypeMeta: kubeutil.TypeMutatingWebhookConfigurationV1, ObjectMeta: metav1.ObjectMeta{ Name: "defaulting.webhook.karpenter.sh", Labels: commonLabels, }, Webhooks: []ar.MutatingWebhook{ { Name: "defaulting.webhook.karpenter.sh", ClientConfig: webHookClientConfig, Rules: []ar.RuleWithOperations{ karpenterRuleWithNoDeleteOp, }, FailurePolicy: P(ar.Fail), SideEffects: P(ar.SideEffectClassNone), AdmissionReviewVersions: []string{"v1"}, }, }, }
View Source
var WebhookMutatingKarpenterAws = &ar.MutatingWebhookConfiguration{ TypeMeta: kubeutil.TypeMutatingWebhookConfigurationV1, ObjectMeta: metav1.ObjectMeta{ Name: "defaulting.webhook.karpenter.k8s.aws", Labels: commonLabels, }, Webhooks: []ar.MutatingWebhook{ { Name: "defaulting.webhook.karpenter.k8s.aws", ClientConfig: webHookClientConfig, Rules: []ar.RuleWithOperations{ awsRuleWithNoDeleteOp, karpenterRuleWithNoDeleteOp, }, FailurePolicy: P(ar.Fail), SideEffects: P(ar.SideEffectClassNone), AdmissionReviewVersions: []string{"v1"}, }, }, }
View Source
var WebhookValidationKarpenter = &ar.ValidatingWebhookConfiguration{ TypeMeta: kubeutil.TypeValidatingWebhookConfigurationV1, ObjectMeta: metav1.ObjectMeta{ Name: "validation.webhook.karpenter.sh", Labels: commonLabels, }, Webhooks: []ar.ValidatingWebhook{ { Name: "validation.webhook.karpenter.sh", ClientConfig: webHookClientConfig, Rules: []ar.RuleWithOperations{ { Operations: createUpdateOps, Rule: provisionersRule, }, }, FailurePolicy: P(ar.Fail), SideEffects: P(ar.SideEffectClassNone), AdmissionReviewVersions: []string{"v1"}, }, }, }
View Source
var WebhookValidationKarpenterAWS = &ar.ValidatingWebhookConfiguration{ TypeMeta: metav1.TypeMeta{ APIVersion: "admissionregistration.k8s.io/v1", Kind: "ValidatingWebhookConfiguration", }, ObjectMeta: metav1.ObjectMeta{ Name: "validation.webhook.karpenter.k8s.aws", Labels: commonLabels, }, Webhooks: []ar.ValidatingWebhook{ { AdmissionReviewVersions: []string{"v1"}, ClientConfig: ar.WebhookClientConfig{ Service: &ar.ServiceReference{ Name: "karpenter", Namespace: "karpenter", }, }, FailurePolicy: P(ar.FailurePolicyType("Fail")), Name: "validation.webhook.karpenter.k8s.aws", Rules: []ar.RuleWithOperations{ { Operations: []ar.OperationType{ ar.OperationType("CREATE"), ar.OperationType("UPDATE"), }, Rule: ar.Rule{ APIGroups: []string{"karpenter.k8s.aws"}, APIVersions: []string{"v1alpha1"}, Resources: []string{ "awsnodetemplates", "awsnodetemplates/status", }, Scope: P(ar.ScopeType("*")), }, }, { Operations: []ar.OperationType{ ar.OperationType("CREATE"), ar.OperationType("UPDATE"), }, Rule: ar.Rule{ APIGroups: []string{"karpenter.sh"}, APIVersions: []string{"v1alpha5"}, Resources: []string{ "provisioners", "provisioners/status", }, }, }, }, SideEffects: P(ar.SideEffectClass("None")), }, }, }
View Source
var WebhookValidationKarpenterConfig = &ar.ValidatingWebhookConfiguration{ TypeMeta: kubeutil.TypeValidatingWebhookConfigurationV1, ObjectMeta: metav1.ObjectMeta{ Name: "validation.webhook.config.karpenter.sh", Labels: commonLabels, }, Webhooks: []ar.ValidatingWebhook{ { Name: "validation.webhook.config.karpenter.sh", ClientConfig: webHookClientConfig, ObjectSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/part-of": "karpenter"}}, FailurePolicy: P(ar.Fail), SideEffects: P(ar.SideEffectClassNone), AdmissionReviewVersions: []string{"v1"}, }, }, }
View Source
var ZapLoggerConfig = `` /* 502-byte string literal not displayed */
Functions ¶
func AWSAuthMapRoles ¶
func GlobalSettings ¶
Types ¶
type Controller ¶
type Controller struct {
NodeTerminationQueue
IAMRole
}
Controller contains all the resources for the Karpenter controller. This includes the IAM role used to manage EC2 nodes (and more) via IRSA (IAM Roles for ServiceAccounts) and the SQS (Simple Queue Service) for being notified about nodes being terminated (typically spot instances).
type CustomResourceDefinitions ¶
type CustomResourceDefinitions struct {
AWSNodeTemplates *apiextensionsv1.CustomResourceDefinition
Provisioner *apiextensionsv1.CustomResourceDefinition
}
type FargateProfile ¶
type FargateProfile struct {
FargateProfile *aws.EksFargateProfile `validate:"required"`
IAMRole *aws.IamRole `validate:"required"`
AssumeRole *aws.DataIamPolicyDocument `validate:"required"`
PolicyAttachments []*aws.IamRolePolicyAttachment `validate:"required,dive,required"`
}
FargateProfile is the AWS EKS Fargate profile for the Karpenter pods to run on
type IAMRole ¶
type IAMRole struct {
AssumeRolePolicy *aws.DataIamPolicyDocument `validate:"required"`
Role *aws.IamRole `validate:"required"`
RolePolicy *aws.DataIamPolicyDocument `validate:"required"`
}
type Infra ¶
type Infra struct {
FargateProfile
InstanceProfile
Controller
}
Infra is all the cloud resources for Karpenter to run on a pre-existing EKS cluster with an OIDC provider
type InstanceProfile ¶
type InstanceProfile struct {
InstanceProfile *aws.IamInstanceProfile `validate:"required"`
IAMRole *aws.IamRole `validate:"required"`
AssumeRole *aws.DataIamPolicyDocument `validate:"required"`
PolicyAttachments []*aws.IamRolePolicyAttachment `validate:"required,dive,required"`
}
InstanceProfile is the AWS EC2 Instance Profile for the nodes provisioned by Karpenter to use.
type Karpenter ¶
type Karpenter struct {
kube.App
CustomResourceDefinitions
Ns *corev1.Namespace
// Configuration
CertSecret *corev1.Secret
Settings *corev1.ConfigMap
// LoggingConfig is not mounted but can be modified thanks to Role
LoggingConfig *corev1.ConfigMap
// Application
Deploy *appsv1.Deployment
Svc *corev1.Service
Pdb *policyv1.PodDisruptionBudget
// IAM
SA *corev1.ServiceAccount
DNSRole *rbacv1.Role
DNSRb *rbacv1.RoleBinding
Role *rbacv1.Role
Rb *rbacv1.RoleBinding
// IAM cluster
CR *rbacv1.ClusterRole
CRB *rbacv1.ClusterRoleBinding
CoreCR *rbacv1.ClusterRole
CoreCRB *rbacv1.ClusterRoleBinding
AdminCR *rbacv1.ClusterRole
// Webhooks
WHValidation *ar.ValidatingWebhookConfiguration
WHValidationAWS *ar.ValidatingWebhookConfiguration
WHValidationConfig *ar.ValidatingWebhookConfiguration
WHMutation *ar.MutatingWebhookConfiguration
WHMutationAWS *ar.MutatingWebhookConfiguration
}
type NodeTerminationQueue ¶
type NodeTerminationQueue struct {
SimpleQueue *aws.SqsQueue `validate:"required"`
QueuePolicy *aws.SqsQueuePolicy `validate:"required"`
QueuePolicyDocument *aws.DataIamPolicyDocument `validate:"required"`
}
type Provisioners ¶
type Provisioners struct {
kube.App
AWSNodeTemplate *v1alpha1.AWSNodeTemplate
Default *v1alpha5.Provisioner
}
func NewProvisioners ¶
func NewProvisioners( opts ProvisionersOpts, ) Provisioners
type ProvisionersOpts ¶
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.