Add PodDisruptionBudget and topologySpreadConstraints for eks-pod-identity-webhook

2022-02-22 17:36:08 +09:00 · 2022-02-22 17:36:08 +09:00 · c586f6c411
parent f1e79c583d
commit c586f6c411
3 changed files with 57 additions and 2 deletions
--- a/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
@ -53,7 +53,7 @@ spec:
    version: 9.99.0
  - id: k8s-1.16
    manifest: eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml
-    manifestHash: 781012ab6de0bc9188332dd94f232d3d771332f062005c769d5ddf452f77dc11
+    manifestHash: 9d92eb7408dee4f5d9be3cba887e8dc8f8c4a9480f6dbdccda32c920384f8505
    name: eks-pod-identity-webhook.addons.k8s.io
    needsPKI: true
    selector:
--- a/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-eks-pod-identity-webhook.addons.k8s.io-k8s-1.16_content
+++ b/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-eks-pod-identity-webhook.addons.k8s.io-k8s-1.16_content
@ -136,6 +136,19 @@ spec:
          name: cert
          readOnly: true
      serviceAccountName: pod-identity-webhook
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app: pod-identity-webhook
+        maxSkew: 1
+        topologyKey: topology.kubernetes.io/zone
+        whenUnsatisfiable: ScheduleAnyway
+      - labelSelector:
+          matchLabels:
+            app: pod-identity-webhook
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
      volumes:
      - name: cert
        secret:
@ -253,3 +266,21 @@ metadata:
    k8s-addon: eks-pod-identity-webhook.addons.k8s.io
  name: pod-identity-webhook
  namespace: kube-system
+
+---
+
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  creationTimestamp: null
+  labels:
+    addon.kops.k8s.io/name: eks-pod-identity-webhook.addons.k8s.io
+    app.kubernetes.io/managed-by: kops
+    k8s-addon: eks-pod-identity-webhook.addons.k8s.io
+  name: pod-identity-webhook
+  namespace: kube-system
+spec:
+  maxUnavailable: 50%
+  selector:
+    matchLabels:
+      app: pod-identity-webhook
--- a/upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template
@ -96,6 +96,19 @@ spec:
        - name: cert
          mountPath: "/etc/webhook/certs"
          readOnly: true
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: "topology.kubernetes.io/zone"
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app: pod-identity-webhook
+      - maxSkew: 1
+        topologyKey: "kubernetes.io/hostname"
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app: pod-identity-webhook
      volumes:
      - name: cert
        secret:
@ -180,4 +193,15 @@ metadata:
    prometheus.io/scheme: "https"
    prometheus.io/scrape: "true"
 data:
-  config: {{ PodIdentityWebhookConfigMapData }}
+  config: {{ PodIdentityWebhookConfigMapData }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app: pod-identity-webhook
+  maxUnavailable: 50%