CS | KubernetesCluster | add default limits (#48)

tenable · Jan 12, 2025 · 4416d77 · 4416d77
1 parent 8a1df8e
commit 4416d77
Show file tree

Hide file tree

Showing 6 changed files with 132 additions and 36 deletions.
diff --git a/charts/cloud-security/kubernetes-cluster/templates/admission-controller/deployment.yaml b/charts/cloud-security/kubernetes-cluster/templates/admission-controller/deployment.yaml
@@ -19,17 +19,17 @@ spec:
   template:
     metadata:
       annotations:
-        {{- with .Values.pod.annotations }}
+        {{- with .Values.admissionController.pod.annotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
         {{- include "labels" . | nindent 8 }}
         {{- include "admissionController.labels" . | nindent 8 }}
-        {{- with .Values.pod.labels }}
+        {{- with .Values.admissionController.pod.labels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
-      {{- with .Values.pod.affinity }}
+      {{- with .Values.admissionController.pod.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -80,7 +80,7 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 3
-        {{- with .Values.pod.resources }}
+        {{- with .Values.admissionController.pod.resources }}
         resources:
         {{- toYaml . | nindent 10 }}
         {{- end }}
@@ -110,7 +110,7 @@ spec:
           type: RuntimeDefault
       serviceAccountName: {{ include "admissionController.resourceNamePrefix" . }}-service-account
       terminationGracePeriodSeconds: 60
-      {{- with .Values.pod.tolerations }}
+      {{- with .Values.admissionController.pod.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}

diff --git a/charts/cloud-security/kubernetes-cluster/templates/sensor/daemonset.yaml b/charts/cloud-security/kubernetes-cluster/templates/sensor/daemonset.yaml
@@ -16,17 +16,17 @@ spec:
   template:
     metadata:
       annotations:
-        {{- with .Values.pod.annotations }}
+        {{- with .Values.sensor.pod.annotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
         {{- include "labels" . | nindent 8 }}
         {{- include "sensor.labels" . | nindent 8 }}
-        {{- with .Values.pod.labels }}
+        {{- with .Values.sensor.pod.labels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
-      {{- with .Values.pod.affinity }}
+      {{- with .Values.sensor.pod.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -48,7 +48,7 @@ spec:
           image: {{ .Values.sensor.containerImagePath }}
           imagePullPolicy: Always
           name: {{ include "sensor.resourceNamePrefix" . }}-container
-          {{- with .Values.pod.resources }}
+          {{- with .Values.sensor.pod.resources }}
           resources:
           {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -73,7 +73,7 @@ spec:
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: {{ include "sensor.resourceNamePrefix" . }}-service-account
-      {{- with .Values.pod.tolerations }}
+      {{- with .Values.sensor.pod.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}

diff --git a/charts/cloud-security/kubernetes-cluster/values.schema.json b/charts/cloud-security/kubernetes-cluster/values.schema.json
@@ -23,6 +23,9 @@
       "healthPort": {
         "type": "integer"
       },
+      "logLevel": {
+        "type": "string"
+      },
       "networkPolicy": {
         "enabled": {
           "type": "boolean"
@@ -32,8 +35,41 @@
         },
         "type": "object"
       },
-      "logLevel": {
-        "type": "string"
+      "pod": {
+        "properties": {
+          "affinity": {
+            "properties": {},
+            "type": [
+              "object"
+            ]
+          },
+          "annotations": {
+            "properties": {},
+            "type": [
+              "object"
+            ]
+          },
+          "labels": {
+            "properties": {},
+            "type": [
+              "object"
+            ]
+          },
+          "resources": {
+            "properties": {},
+            "type": [
+              "object"
+            ]
+          },
+          "tolerations": {
+            "type": [
+              "array"
+            ]
+          }
+        },
+        "type": [
+          "object"
+        ]
       },
       "replicas": {
         "type": "integer"
@@ -190,6 +226,42 @@
           "type": [
             "boolean"
           ]
+        },
+        "pod": {
+          "properties": {
+            "affinity": {
+              "properties": {},
+              "type": [
+                "object"
+              ]
+            },
+            "annotations": {
+              "properties": {},
+              "type": [
+                "object"
+              ]
+            },
+            "labels": {
+              "properties": {},
+              "type": [
+                "object"
+              ]
+            },
+            "resources": {
+              "properties": {},
+              "type": [
+                "object"
+              ]
+            },
+            "tolerations": {
+              "type": [
+                "array"
+              ]
+            }
+          },
+          "type": [
+            "object"
+          ]
         }
       },
       "required": [

diff --git a/charts/cloud-security/kubernetes-cluster/values.yaml b/charts/cloud-security/kubernetes-cluster/values.yaml
@@ -4,10 +4,16 @@ admissionController:
   containerImagePullSecrets: []
   enabled: false
   healthPort: 9090
+  logLevel: "information"
   networkPolicy:
     enabled: false
     ingress: {}
-  logLevel: "information"
+  pod:
+    affinity: {}
+    annotations: {}
+    labels: {}
+    resources: {}
+    tolerations: []
   replicas: 3
   webhook:
     failurePolicy: Ignore
@@ -25,11 +31,29 @@ pod:
   affinity: {}
   annotations: {}
   labels: {}
-  resources: {}
+  resources:
+    limits:
+      cpu: "100m"
+      memory: "256Mi"
+    requests:
+      memory: "150Mi"
   tolerations: []
 resourceNamePrefix: kubernetes-cluster
 sensor:
   containerImagePath: 585051939341.dkr.ecr.us-east-2.amazonaws.com/engserviceimagekubernetesclustersensorrepository
   containerImagePullSecrets: []
   dataPath: "/var/lib/tenable"
   enabled: false
+  pod:
+    affinity: {}
+    annotations: {}
+    labels: {}
+    resources:
+      limits:
+        cpu: "1"
+        memory: "1Gi"
+      requests:
+        cpu: "300m"
+        memory: "256Mi"
+    tolerations: []
+