Skip to content

Commit

Permalink
fix: disable unused resources
Browse files Browse the repository at this point in the history
Signed-off-by: Michael Fornaro <[email protected]>
  • Loading branch information
xunholy committed Mar 4, 2023
1 parent c3c55ad commit 1dda431
Show file tree
Hide file tree
Showing 5 changed files with 48 additions and 26 deletions.
7 changes: 4 additions & 3 deletions .github/workflows/oci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ jobs:
- name: Sign the OCI artifact
run: cosign sign $GHCR_REPO@${{ steps.crane.outputs.DIGEST }} -y

# Verify the Cosign of the OCI artifact
- name: Verify the pushed tags
run: cosign verify $GHCR_REPO@${{ steps.crane.outputs.DIGEST }}
# TODO: Investigate why this is failing
# # Verify the Cosign of the OCI artifact
# - name: Verify the pushed tags
# run: cosign verify $GHCR_REPO@${{ steps.crane.outputs.DIGEST }}
4 changes: 2 additions & 2 deletions k8s/namespaces/base/kube-system/cilium/app/1.13.x.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ securityContext:
# Used since cilium monitor uses mmap
- IPC_LOCK
# Used in iptables. Consider removing once we are iptables-free
- SYS_MODULE
# - SYS_MODULE
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
Expand Down Expand Up @@ -257,7 +257,7 @@ securityContext:
# Used since cilium modifies routing tables, etc...
- NET_ADMIN
# Used in iptables. Consider removing once we are iptables-free
- SYS_MODULE
# - SYS_MODULE
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
Expand Down
37 changes: 29 additions & 8 deletions k8s/namespaces/base/kube-system/descheduler/app/helmrelease.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -42,18 +42,39 @@ spec:
deschedulerPolicy:
strategies:
RemoveDuplicates:
enabled: false
enabled: true
RemovePodsHavingTooManyRestarts:
enabled: true
params:
podsHavingTooManyRestarts:
podRestartThreshold: 100
includingInitContainers: true
RemovePodsViolatingNodeTaints:
enabled: true
RemovePodsViolatingNodeAffinity:
enabled: true
params:
nodeAffinityType:
- requiredDuringSchedulingIgnoredDuringExecution
RemovePodsViolatingInterPodAntiAffinity:
enabled: false
enabled: true
RemovePodsViolatingTopologySpreadConstraint:
enabled: true
params:
includeSoftConstraints: false
LowNodeUtilization:
enabled: true
params:
nodeResourceUtilizationThresholds:
thresholds:
cpu: 40
memory: 40
pods: 15
cpu: 20
memory: 20
pods: 20
targetThresholds:
cpu: 60
memory: 60
pods: 35
cpu: 50
memory: 50
pods: 50
service:
enabled: true
serviceMonitor:
enabled: true
6 changes: 3 additions & 3 deletions k8s/namespaces/overlays/cluster-1/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,10 @@ resources:
- ../../base/security-system
- ../../base/traefik-ingress
- ../../base/velero
- ../../base/actions-runner-system/actions-runner-controller/ks.yaml
# - ../../base/actions-runner-system/actions-runner-controller/ks.yaml
- ../../base/crossplane-system/crossplane/ks.yaml
- ../../base/flux-system/addons/ks.yaml
- ../../base/flux-system/tf-controller/ks.yaml
# - ../../base/flux-system/tf-controller/ks.yaml
- ../../base/flux-system/weave-gitops/ks.yaml
- ../../base/home-system/home-assistant/ks.yaml
- ../../base/home-system/mosquitto/ks.yaml
Expand Down Expand Up @@ -61,7 +61,7 @@ resources:
- ../../base/observability/otel/ks.yaml
- ../../base/observability/thanos/ks.yaml
- ../../base/openebs/cstor/ks.yaml
- ../../base/openebs/jiva/ks.yaml
# - ../../base/openebs/jiva/ks.yaml
- ../../base/openfaas/openfaas/ks.yaml
- ../../base/rook-ceph/rook-ceph-operator/ks.yaml
- ../../base/security-system/kyverno/ks.yaml
Expand Down
Loading

0 comments on commit 1dda431

Please sign in to comment.