apiVersion: apps/v1
kind: DaemonSet
metadata:
name: metrics
namespace: exporter
labels:
app: metrics-exporter
# Apparently ICT don't work on daemonsets, although docs say they should.
#annotations:
# image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"collector-sysstat:latest"},"fieldPath":"spec.template.spec.containers[?(@.name==\"collector-sysstat\")].image"},{"from":{"kind":"ImageStreamTag","name":"collector-psacct:latest"},"fieldPath":"spec.template.spec.containers[?(@.name==\"collector-psacct\")].image"},{"from":{"kind":"ImageStreamTag","name":"metrics-exporter:latest"},"fieldPath":"spec.template.spec.containers[?(@.name==\"metrics-exporter\")].image"}]'
spec:
minReadySeconds: 15
selector:
matchLabels:
app: metrics-exporter
type: daemonset
project: exporter
updateStrategy:
type: RollingUpdate
#rollingUpdate:
# # This shit is either/or?
# maxSurge: 25%
# maxUnavailable: 25%
template:
metadata:
labels:
app: metrics-exporter
type: daemonset
project: exporter
spec:
containers:
- name: collector-sysstat
image: quay.io/benko/ocp-collector-sysstat:latest
env:
- name: PERIOD
value: "15"
- name: STARTUP_SCRATCH
value: "1"
- name: STARTUP_ROTATE
value: "0"
#livenessProbe: {}
# something like /var/log/sa/sysstat-dump.json not being older than ${PERIOD}
#readinessProbe: {}
# /var/log/sa/sysstat-dump.json exists
resources: {}
# TBD
securityContext:
allowPrivilegeEscalation: true
capabilities: {}
# none
privileged: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- name: metrics-shared-volume
mountPath: /var/log/sa
readOnly: false
- name: collector-psacct
image: quay.io/benko/ocp-collector-psacct:latest
env:
- name: PERIOD
value: "15"
- name: CUMULATIVE
value: "0"
- name: STARTUP_SCRATCH
value: "1"
#livenessProbe: {}
# something like /var/account/psacct-dump-raw not being older than ${PERIOD}
#readinessProbe: {}
# /var/account/psacct-dump-raw exists
resources: {}
# TBD
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- CAP_SYS_PACCT
privileged: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- name: metrics-shared-volume
mountPath: /var/account
readOnly: false
- name: metrics-exporter
image: quay.io/benko/ocp-metrics-exporter:latest
env:
- name: QUARKUS_HTTP_PORT
value: "28080"
ports:
- name: http
protocol: TCP
# Must be the same as hostPort with hostNetwork==true.
containerPort: 28080
# Need some host port because hostNetwork==true.
hostPort: 28080
#livenessProbe: {}
# /q/metrics returning 200?
#readinessProbe: {}
# /metrics/version returning 200?
resources: {}
# TBD
# No special privileges for this one.
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
privileged: false
runAsNonRoot: true
#runAsUser: namespace-assigned
volumeMounts:
- name: metrics-shared-volume
mountPath: /metrics
readOnly: false
# Must cover all the nodes.
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: Exists
- matchExpressions:
- key: node-role.kubernetes.io/worker
operator: Exists
# We have affinity settings.
nodeSelector: {}
# VERY important, these three!
hostIPC: true
hostNetwork: true
hostPID: true
# Gives us the best possible chance of not being evicted.
priorityClassName: system-node-critical
# VERY important, these two!
securityContext:
# Sets a default that can be overridden by container.
runAsNonRoot: false
# Need to make sure even unprivileged exporter can write.
supplementalGroups:
- 0
serviceAccountName: exporter
# Make that somewhere around $PERIOD, but larger.
terminationGracePeriodSeconds: 15
# Need to adjust this whenever there are dedicated control plane or
# other tainted nodes.
tolerations: []
volumes:
- name: metrics-shared-volume
emptyDir: {}