canonical / namespace-node-affinity-operator Goto Github PK

This Charm deploys a modified version of the Namespace Node Affinity Kubernetes MutatingWebhook.

The Namespace Node Affinity webhook allows a user to add a given set of node affinities and/or tolerations to all pods deployed in a namespace. This is useful for example in a case where you have a cluster that has some nodes with specific labels (eg: nodes labeled control-plane) and you want all workloads in a Kubernetes namespace to be deployed only on those nodes and not any others in the cluster. More descriptions of the tool are given in the upstream README.md.

This charm is deployed using the Juju command line tool as follows:

juju deploy namespace-node-affinity --trust

By default, the webhook is not configured to modify pods in any namespace. To add namespaces to its scope, the user must:

• provide a settings_yaml config file
• label any namespace we want to work on with the label namespace-node-affinity=enabled

These configurations can be modified during charm runtime, and the webhook always uses the most up to date value.

We must provide the settings_yaml config, which is a YAML string as described upstream. For example, we can configure the tool to apply:

• apply a node affinity for pods in testing-ns-a to look for pods with the label control-plane=true, but only to pods that do not have the label ignoreme: ignored
• apply a node affinity for pods in testing-ns-b to look for pods with the label other-key: other-value

by setting the charm config:

cat <<EOF > settings.yaml

testing-ns-a: |
  nodeSelectorTerms:
    - matchExpressions:
      - key: control-plane
        operator: In
        values:
        - true
  excludedLabels:
    ignoreme: ignored
testing-ns-b: |
  nodeSelectorTerms:
    - matchExpressions:
      - key: other-key
        operator: In
        values:
        - other-value
EOF
SETTINGS_YAML=$(cat settings.yaml)
juju config namespace-node-affinity settings_yaml="$SETTINGS_YAML"

We must apply the label namespace-node-affinity=enabled to all namespaces being acted on by this tool (this is a requirement by the tool itself, not the chaming application. We might change this in future as it feels like a redundant setting). For example, you can do:

kubectl label ns testing-ns-a namespace-node-affinity=enabled
kubectl label ns testing-ns-b namespace-node-affinity=enabled

When debugging this charm, it is sometimes useful to send AdmissionReview JSON payloads to the webhook pod in the same format as what the Kubernetes API would send in order to check if the webhook pods are working properly. To facilitate that, this tool was used during charm development and might be useful.