-
-
Save kd7lxl/1997a4d162bd49d4dbdb8f69506a1e01 to your computer and use it in GitHub Desktop.
Proof of concept demonstrating that a mutating admission controller could inject an initContainer into a pod, causing it to delay startup until the pod is labeled by the controller with its node's topology.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: topology-aware-demo | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: topology-aware-demo | |
| rules: | |
| - apiGroups: | |
| - '' | |
| resources: | |
| - nodes | |
| - pods | |
| verbs: | |
| - get | |
| - patch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: topology-aware-demo | |
| subjects: | |
| - kind: ServiceAccount | |
| name: topology-aware-demo | |
| namespace: thayward | |
| roleRef: | |
| kind: ClusterRole | |
| apiGroup: rbac.authorization.k8s.io | |
| name: topology-aware-demo | |
| --- | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| labels: | |
| app: topology-aware-demo | |
| name: topology-aware-demo | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| app: topology-aware-demo | |
| strategy: {} | |
| template: | |
| metadata: | |
| labels: | |
| app: topology-aware-demo | |
| spec: | |
| serviceAccountName: topology-aware-demo | |
| initContainers: | |
| - # by moving these opeartions into a controller, the pod would no longer need to be privileged. | |
| name: fake-controller | |
| image: kindest/node:v1.22.5 | |
| command: | |
| - sh | |
| - -c | |
| args: | |
| - | | |
| ZONE=$(kubectl get node $MY_NODE_NAME -o jsonpath="{.metadata.labels['topology\.kubernetes\.io/zone']}") | |
| kubectl label pods $MY_POD_NAME 'topology.kubernetes.io/zone'=$ZONE | |
| env: | |
| - name: MY_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| - name: MY_POD_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.name | |
| - # a mutating admission controller could inject this initContainer | |
| name: wait-for-label | |
| image: k8s.gcr.io/busybox | |
| command: | |
| - sh | |
| - -c | |
| args: | |
| - | | |
| until grep 'topology.kubernetes.io/zone=' /downward-volume/labels | |
| do | |
| echo "waiting for label..." | |
| sleep 1 | |
| done | |
| volumeMounts: | |
| - name: downward-volume | |
| mountPath: /downward-volume | |
| containers: | |
| - image: k8s.gcr.io/busybox | |
| name: topology-aware-demo | |
| command: | |
| - sh | |
| - -c | |
| args: | |
| - | | |
| while true | |
| do | |
| echo "I am in $ZONE" | |
| sleep 10 | |
| done | |
| env: | |
| - # injected by controller | |
| name: ZONE | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.labels['topology.kubernetes.io/zone'] | |
| resources: {} | |
| volumes: | |
| - # injected by controller | |
| name: downward-volume | |
| downwardAPI: | |
| items: | |
| - path: labels | |
| fieldRef: | |
| fieldPath: metadata.labels |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment