fleetlock: Deploy Zincati fleet lock manager

[fleetlock] is an implementation of the Zincati FleetLock reboot coordination protocol. It only works for machines that are Kubernetes nodes, but it does enable safe rolling updates for those machines. Specifically, when a node acquires a lock (backed by a Kubernetes Lease), it cordons that node and evicts pods from it. After the node has rebooted into the new version of Fedora CoreOS, it uncordons the node and releases the lock. [fleetlock]: https://github.com/poseidon/fleetlock
2024-05-28 14:54:16 -05:00
parent 365334cea7
commit fc66058251
4 changed files with 198 additions and 0 deletions
--- a/fleetlock/fleetlock.yaml
+++ b/fleetlock/fleetlock.yaml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: fleetlock
+      app.kubernetes.io/component: fleetlock
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: fleetlock
+        app.kubernetes.io/component: fleetlock
+        app.kubernetes.io/part-of: fleetlock
+    spec:
+      serviceAccountName: fleetlock
+      containers:
+      - name: fleetlock
+        image: quay.io/poseidon/fleetlock:v0.4.0
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        ports:
+        - name: http
+          containerPort: 8080
+        readinessProbe: &probe
+          httpGet:
+            port: 8080
+            path: /-/healthy
+          periodSeconds: 60
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          timeoutSeconds: 1
+          failureThreshold: 30
+        resources:
+          requests:
+            cpu: 30m
+            memory: 30Mi
+          limits:
+            cpu: 50m
+            memory: 50Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+      securityContext:
+        runAsUser: 842
+        runAsGroup: 842
+        runAsNonRoot: true
--- a/fleetlock/kustomization.yaml
+++ b/fleetlock/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: fleetlock
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: fleetlock
+
+resources:
+- rbac.yaml
+- fleetlock.yaml
+
+patches:
+- patch: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: fleetlock
+    spec:
+      clusterIP: 10.96.1.15
--- a/fleetlock/namespace.yaml
+++ b/fleetlock/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
--- a/fleetlock/rbac.yaml
+++ b/fleetlock/rbac.yaml
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fleetlock
+subjects:
+- kind: ServiceAccount
+  name: fleetlock
+  namespace: default
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: fleetlock
+subjects:
+- kind: ServiceAccount
+  name: fleetlock