diff --git a/api/unversioned/config/config.go b/api/unversioned/config/config.go index 4184354a75..f9e04eac94 100644 --- a/api/unversioned/config/config.go +++ b/api/unversioned/config/config.go @@ -106,6 +106,7 @@ func Default() *unversioned.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: unversioned.Components{ Collector: unversioned.OptionalContainerConfig{ diff --git a/api/unversioned/eraserconfig_types.go b/api/unversioned/eraserconfig_types.go index 0705ccf881..6f0bc5db80 100644 --- a/api/unversioned/eraserconfig_types.go +++ b/api/unversioned/eraserconfig_types.go @@ -156,15 +156,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime RuntimeSpec `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime RuntimeSpec `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/unversioned/zz_generated.deepcopy.go b/api/unversioned/zz_generated.deepcopy.go index b06cf3dd58..1e4a4f2d1c 100644 --- a/api/unversioned/zz_generated.deepcopy.go 
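Review bot: The new `AdditionalPodLabels` field in `ManagerConfig` has no doc comment, so a reader of the type cannot tell which pods it applies to or what happens when a key collides with a label the controller sets itself; the same uncommented field is added to `api/v1alpha3/eraserconfig_types.go` further down in this commit. None of the sibling fields is commented either, but this one changes what other selectors (network policies, disruption budgets) can match, so it is worth a sentence. Suggest `// AdditionalPodLabels are merged into the labels of every pod the controller creates at runtime; keys the controller sets itself take precedence on collision.` The precedence part matches the controller change in this commit, which copies these labels before assigning its own job-type label.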
+++ b/api/unversioned/zz_generated.deepcopy.go @@ -303,6 +303,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go index 18dc66b827..98f62f724c 100644 --- a/api/v1alpha1/zz_generated.conversion.go +++ b/api/v1alpha1/zz_generated.conversion.go @@ -632,6 +632,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha1_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + // WARNING: in.AdditionalPodLabels requires manual conversion: does not exist in peer-type return nil } diff --git a/api/v1alpha2/zz_generated.conversion.go b/api/v1alpha2/zz_generated.conversion.go index 0a0440450d..b7e282cf68 100644 --- a/api/v1alpha2/zz_generated.conversion.go +++ b/api/v1alpha2/zz_generated.conversion.go @@ -363,6 +363,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha2_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + // WARNING: in.AdditionalPodLabels requires manual conversion: does not exist in peer-type return nil } diff --git a/api/v1alpha3/config/config.go b/api/v1alpha3/config/config.go index 1ca8f536c0..ae9ea6ce07 100644 --- a/api/v1alpha3/config/config.go +++ b/api/v1alpha3/config/config.go @@ -64,6 +64,7 @@ func Default() *v1alpha3.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: v1alpha3.Components{ Collector: v1alpha3.OptionalContainerConfig{ diff --git a/api/v1alpha3/eraserconfig_types.go b/api/v1alpha3/eraserconfig_types.go index a88aaa0ae0..6f7ef2e434 100644 
--- a/api/v1alpha3/eraserconfig_types.go +++ b/api/v1alpha3/eraserconfig_types.go @@ -156,15 +156,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime RuntimeSpec `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime RuntimeSpec `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha3/zz_generated.conversion.go b/api/v1alpha3/zz_generated.conversion.go index b5655e6d7e..b40453f670 100644 --- a/api/v1alpha3/zz_generated.conversion.go +++ b/api/v1alpha3/zz_generated.conversion.go @@ -340,6 +340,7 @@ func autoConvert_v1alpha3_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } 
@@ -368,6 +369,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha3_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } diff --git a/api/v1alpha3/zz_generated.deepcopy.go b/api/v1alpha3/zz_generated.deepcopy.go index 0916bca337..689915b1dd 100644 --- a/api/v1alpha3/zz_generated.deepcopy.go +++ b/api/v1alpha3/zz_generated.deepcopy.go @@ -135,6 +135,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml index 25b6e9b797..031d764b7d 100644 --- a/config/manager/controller_manager_config.yaml +++ b/config/manager/controller_manager_config.yaml @@ -19,6 +19,7 @@ manager: delayOnFailure: 24h pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: diff --git a/controllers/imagejob/imagejob_controller.go b/controllers/imagejob/imagejob_controller.go index b4e3555e43..a7a27a5117 100644 --- a/controllers/imagejob/imagejob_controller.go +++ b/controllers/imagejob/imagejob_controller.go 
@@ -409,10 +409,16 @@ func (r *Reconciler) handleNewJob(ctx context.Context, imageJob *eraserv1.ImageJ }, } + pod.Labels = map[string]string{} + + for k, v := range eraserConfig.Manager.AdditionalPodLabels { + pod.Labels[k] = v + } + if containerName == removerContainer { - pod.Labels = map[string]string{imageJobTypeLabelKey: manualJobType} + pod.Labels[imageJobTypeLabelKey] = manualJobType } else { - pod.Labels = map[string]string{imageJobTypeLabelKey: collectorJobType} + pod.Labels[imageJobTypeLabelKey] = collectorJobType } fitness := checkNodeFitness(pod, &nodeList[i]) diff --git a/docs/docs/customization.md b/docs/docs/customization.md index a05a4cf353..408e840244 100644 --- a/docs/docs/customization.md +++ b/docs/docs/customization.md @@ -102,6 +102,7 @@ manager: delayOnFailure: 24h pullSecrets: [] # image pull secrets for collector/scanner/remover priorityClassName: "" # priority class name for collector/scanner/remover + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: @@ -207,6 +208,7 @@ timeout: | manager.imageJob.cleanup.delayOnFailure | The amount of time to wait after a failed image job before performing cleanup. | 24h | | manager.pullSecrets | The image pull secrets to use for collector, scanner, and remover containers. | [] | | manager.priorityClassName | The priority class to use for collector, scanner, and remover containers. | "" | +| manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` | | manager.nodeFilter.type | The type of node filter to use. Must be either "exclude" or "include". | exclude | | manager.nodeFilter.selectors | A list of selectors used to filter nodes. | [] | | components.collector.enabled | Whether to enable the collector component. | true | diff --git a/manifest_staging/charts/eraser/README.md b/manifest_staging/charts/eraser/README.md index a2ad3ced96..b64563f1fd 100644 --- a/manifest_staging/charts/eraser/README.md 
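Review bot: The values copied from `eraserConfig.Manager.AdditionalPodLabels` are never validated before the pod is built, so a single malformed key or value in the runtime config would be rejected by the API server on every image-job pod creation instead of being caught when the config is loaded. Consider validating the map once where the config is read (for example with `ValidateLabels` from `k8s.io/apimachinery/pkg/apis/meta/v1/validation`) so the error surfaces at startup with a clear message. The ordering in this hunk is the right one — the operator-supplied labels are written first and `imageJobTypeLabelKey` is assigned afterwards, so a colliding key cannot overwrite the controller's own label — but that intent is easy to break in a later edit and deserves a comment above the loop: `// Operator-supplied labels go first so the controller's own keys set below win on collision.` handleNewJob starts before and continues after this hunk.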
+++ b/manifest_staging/charts/eraser/README.md @@ -45,6 +45,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | runtimeConfig.manager.imageJob.cleanup | Settings for image job cleanup. | `{}` | | runtimeConfig.manager.pullSecrets | Image pull secrets for collector/scanner/eraser. | `[]` | | runtimeConfig.manager.priorityClassName | Priority class name for collector/scanner/eraser. | `""` | +| runtimeConfig.manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` | | runtimeConfig.manager.nodeFilter | Filter for nodes. | `{}` | | runtimeConfig.components.collector | Settings for the collector component. | `{ enabled: false }` | | runtimeConfig.components.scanner | Settings for the scanner component. | `{ enabled: false }` | @@ -54,6 +55,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | deploy.image.tag | Overrides the default image tag. | `""` | | deploy.additionalArgs | Additional arguments to pass to the command. | `[]` | | deploy.priorityClassName | Priority class name. | `""` | +| deploy.additionalPodLabels | Additional labels for the controller pod. | `{}` | | deploy.securityContext.allowPrivilegeEscalation | Whether to allow privilege escalation. | `false` | | deploy.resources.limits.memory | Memory limit for the resources. | `30Mi` | | deploy.resources.requests.cpu | CPU request for the resources. | `100m` | diff --git a/manifest_staging/charts/eraser/templates/eraser-controller-manager-deployment.yaml b/manifest_staging/charts/eraser/templates/eraser-controller-manager-deployment.yaml index 05d2ffe028..b132e439c2 100644 --- a/manifest_staging/charts/eraser/templates/eraser-controller-manager-deployment.yaml +++ b/manifest_staging/charts/eraser/templates/eraser-controller-manager-deployment.yaml 
@@ -21,6 +21,7 @@ spec: template: metadata: labels: + {{- if .Values.deploy.additionalPodLabels }}{{- toYaml .Values.deploy.additionalPodLabels | nindent 8 }}{{end}} app.kubernetes.io/instance: '{{ .Release.Name }}' app.kubernetes.io/managed-by: '{{ .Release.Service }}' app.kubernetes.io/name: '{{ template "eraser.name" . }}' diff --git a/manifest_staging/charts/eraser/values.yaml b/manifest_staging/charts/eraser/values.yaml index 484d3ca3c2..3c09f3da34 100644 --- a/manifest_staging/charts/eraser/values.yaml +++ b/manifest_staging/charts/eraser/values.yaml @@ -29,6 +29,7 @@ runtimeConfig: # delayOnFailure: "" pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: @@ -97,6 +98,7 @@ deploy: tag: "v1.4.0-beta.0" additionalArgs: [] priorityClassName: "" + additionalPodLabels: {} securityContext: allowPrivilegeEscalation: false diff --git a/manifest_staging/deploy/eraser.yaml b/manifest_staging/deploy/eraser.yaml index 314d8210d9..1b1cf2ab2b 100644 --- a/manifest_staging/deploy/eraser.yaml +++ b/manifest_staging/deploy/eraser.yaml @@ -432,6 +432,7 @@ data: delayOnFailure: 24h pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: diff --git a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml index 13f71eb1cc..09dc28da90 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml +++ b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml 
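Review bot: The user-supplied labels are rendered into the same mapping as the chart's `app.kubernetes.io/*` labels, so a value in `deploy.additionalPodLabels` that reuses one of those keys yields a duplicate key in the rendered pod template; whether that is rejected or silently resolved depends on the YAML parser, and if the Deployment's selector relies on those keys (not visible in this hunk) a differing value could leave the selector unmatched. Moving the user block below the chart labels would not remove the duplicate, so either filter reserved keys while rendering, e.g. wrap each entry in `{{- if not (hasPrefix "app.kubernetes.io/" $k) }}` inside a `range` over the map, or state in the values documentation that keys under `app.kubernetes.io/` are reserved. The same template string is defined in `third_party/open-policy-agent/gatekeeper/helmify/replacements.go` later in this commit, which looks like the source this file is generated from, so the fix belongs there as well.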
@@ -5,6 +5,9 @@ metadata: namespace: eraser-system spec: template: + metadata: + labels: + HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONALPODLABELS: "" spec: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PULL_SECRETS: "" volumes: diff --git a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go index 9a69c06a83..e2b74cc2be 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go +++ b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go @@ -7,6 +7,7 @@ var replacements = map[string]string{ `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_AFFINITY: ""`: `{{- toYaml .Values.deploy.affinity | nindent 8 }}`, `- HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONAL_ARGS`: `{{- if .Values.deploy.additionalArgs }}{{- range .Values.deploy.additionalArgs }}{{ nindent 8 "- " }}{{ . }}{{- end -}}{{ end }}`, `HELMSUBST_CONTROLLER_MANAGER_CONFIG_YAML`: `{{- toYaml .Values.runtimeConfig | nindent 4 }}`, + `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONALPODLABELS: ""`: `{{- if .Values.deploy.additionalPodLabels }}{{- toYaml .Values.deploy.additionalPodLabels | nindent 8 }}{{end}}`, `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PULL_SECRETS: ""`: `{{- if .Values.runtimeConfig.manager.pullSecrets }} imagePullSecrets: diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md index a2ad3ced96..b64563f1fd 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md 
@@ -45,6 +45,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | runtimeConfig.manager.imageJob.cleanup | Settings for image job cleanup. | `{}` | | runtimeConfig.manager.pullSecrets | Image pull secrets for collector/scanner/eraser. | `[]` | | runtimeConfig.manager.priorityClassName | Priority class name for collector/scanner/eraser. | `""` | +| runtimeConfig.manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` | | runtimeConfig.manager.nodeFilter | Filter for nodes. | `{}` | | runtimeConfig.components.collector | Settings for the collector component. | `{ enabled: false }` | | runtimeConfig.components.scanner | Settings for the scanner component. | `{ enabled: false }` | @@ -54,6 +55,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | deploy.image.tag | Overrides the default image tag. | `""` | | deploy.additionalArgs | Additional arguments to pass to the command. | `[]` | | deploy.priorityClassName | Priority class name. | `""` | +| deploy.additionalPodLabels | Additional labels for the controller pod. | `{}` | | deploy.securityContext.allowPrivilegeEscalation | Whether to allow privilege escalation. | `false` | | deploy.resources.limits.memory | Memory limit for the resources. | `30Mi` | | deploy.resources.requests.cpu | CPU request for the resources. | `100m` | diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml index 484d3ca3c2..3c09f3da34 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml 
@@ -29,6 +29,7 @@ runtimeConfig: # delayOnFailure: "" pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: @@ -97,6 +98,7 @@ deploy: tag: "v1.4.0-beta.0" additionalArgs: [] priorityClassName: "" + additionalPodLabels: {} securityContext: allowPrivilegeEscalation: false