openshift
/
linux-metrics-exporter


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
							apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: metrics
  namespace: exporter
  labels:
    app: metrics
  # Apparently ICT don't work on daemonsets, although docs say they should.
  #annotations:
  #  image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"collector-sysstat:latest"},"fieldPath":"spec.template.spec.containers[?(@.name==\"collector-sysstat\")].image"},{"from":{"kind":"ImageStreamTag","name":"collector-psacct:latest"},"fieldPath":"spec.template.spec.containers[?(@.name==\"collector-psacct\")].image"},{"from":{"kind":"ImageStreamTag","name":"metrics-exporter:latest"},"fieldPath":"spec.template.spec.containers[?(@.name==\"metrics-exporter\")].image"}]'
spec:
  minReadySeconds: 15
  selector:
    matchLabels:
      app: metrics
      type: daemonset
      project: exporter
  updateStrategy:
    type: RollingUpdate
    #rollingUpdate:
    #  # This shit is either/or?
    #  maxSurge: 25%
    #  maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: metrics
        type: daemonset
        project: exporter
    spec:
      containers:
        - name: collector-sysstat
          image: quay.io/benko/ocp-collector-sysstat:latest
          env:
            - name: PERIOD
              value: "15"
            - name: STARTUP_SCRATCH
              value: "1"
            - name: STARTUP_ROTATE
              value: "0"
          #livenessProbe: {}
          #   something like /var/log/sa/sysstat-dump.json not being older than ${PERIOD}
          #readinessProbe: {}
          #   /var/log/sa/sysstat-dump.json exists
          resources: {}
            # TBD
          securityContext:
            allowPrivilegeEscalation: true
            capabilities: {}
              # none
            privileged: true
            runAsGroup: 0
            runAsNonRoot: false
            runAsUser: 0
          volumeMounts:
            - name: metrics-shared-volume
              mountPath: /var/log/sa
              readOnly: false
        - name: collector-psacct
          image: quay.io/benko/ocp-collector-psacct:latest
          env:
            - name: PERIOD
              value: "15"
            - name: CUMULATIVE
              value: "0"
            - name: STARTUP_SCRATCH
              value: "1"
          #livenessProbe: {}
          #   something like /var/account/psacct-dump-raw not being older than ${PERIOD}
          #readinessProbe: {}
          #   /var/account/psacct-dump-raw exists
          resources: {}
            # TBD
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              add:
                - CAP_SYS_PACCT
            privileged: true
            runAsGroup: 0
            runAsNonRoot: false
            runAsUser: 0
          volumeMounts:
            - name: metrics-shared-volume
              mountPath: /var/account
              readOnly: false
        - name: metrics-exporter
          image: quay.io/benko/ocp-metrics-exporter:latest
          env:
            - name: HOSTNAME_FROM_API
              value: "true"
          ports:
            - name: http
              protocol: TCP
              # Must be the same as hostPort with hostNetwork==true.
              containerPort: 28080
              # Need some host port because hostNetwork==true.
              hostPort: 28080
          #livenessProbe: {}
          #   /q/metrics returning 200?
          #readinessProbe: {}
          #   /metrics/version returning 200?
          resources: {}
            # TBD
          # No special privileges for this one.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities: {}
            privileged: false
            runAsNonRoot: true
            #runAsUser: namespace-assigned
          volumeMounts:
            - name: metrics-shared-volume
              mountPath: /metrics
              readOnly: false
      # Must cover all the nodes.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/master
                    operator: Exists
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      # We have affinity settings.
      nodeSelector: {}
      # VERY important, these three!
      hostIPC: true
      hostNetwork: true
      hostPID: true
      # Gives us the best possible chance of not being evicted.
      priorityClassName: system-node-critical
      # VERY important, these two!
      securityContext:
        # Sets a default that can be overridden by container.
        runAsNonRoot: false
        # Need to make sure even unprivileged exporter can write.
        supplementalGroups:
          - 0
      serviceAccountName: exporter
      # Make that somewhere around $PERIOD, but larger.
      terminationGracePeriodSeconds: 15
      # Need to adjust this whenever there are dedicated control plane or
      # other tainted nodes.
      tolerations: []
      volumes:
        - name: metrics-shared-volume
          emptyDir: {}