From 9f0d59f32460e885bea7a4897bd82565bba3b51a Mon Sep 17 00:00:00 2001 From: relusc Date: Tue, 21 Mar 2023 16:25:18 +0100 Subject: [PATCH 1/3] feat(charts): add K8s pod cleanup chart --- README.md | 4 ++ .../k8s-pod-cleanup/ci/test-values.yaml | 15 +++++++ charts/k8s-pod-cleanup/Chart.yaml | 9 ++++ charts/k8s-pod-cleanup/README.md | 31 ++++++++++++++ .../templates/clusterrole.yaml | 15 +++++++ .../templates/clusterrolebinding.yaml | 15 +++++++ charts/k8s-pod-cleanup/templates/cronjob.yaml | 41 +++++++++++++++++++ .../templates/serviceaccount.yaml | 8 ++++ charts/k8s-pod-cleanup/values.yaml | 27 ++++++++++++ 9 files changed, 165 insertions(+) create mode 100644 chart-tests/k8s-pod-cleanup/ci/test-values.yaml create mode 100644 charts/k8s-pod-cleanup/Chart.yaml create mode 100644 charts/k8s-pod-cleanup/README.md create mode 100644 charts/k8s-pod-cleanup/templates/clusterrole.yaml create mode 100644 charts/k8s-pod-cleanup/templates/clusterrolebinding.yaml create mode 100644 charts/k8s-pod-cleanup/templates/cronjob.yaml create mode 100644 charts/k8s-pod-cleanup/templates/serviceaccount.yaml create mode 100644 charts/k8s-pod-cleanup/values.yaml diff --git a/README.md b/README.md index b84199e..632d43a 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,10 @@ spec: The [OWASP Dependency-Track](https://owasp.org/www-project-dependency-track/) project with separate deployments for API-server and frontend. +### [Kubernetes failed/terminated pods cleanup](https://github.com/MediaMarktSaturn/helm-charts/tree/main/charts/k8s-pod-cleanup) + +A CronJob that deletes terminated/failed pods from a Kubernetes cluster. + --- _This repository is published under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)_ diff --git a/chart-tests/k8s-pod-cleanup/ci/test-values.yaml b/chart-tests/k8s-pod-cleanup/ci/test-values.yaml new file mode 100644 index 0000000..9470a9e --- /dev/null +++ b/chart-tests/k8s-pod-cleanup/ci/test-values.yaml 
@@ -0,0 +1,15 @@
+# CronJob schedule https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax
+# Defaults to once every Monday on 07:00 AM (once per week)
+schedule: "0 5 * * 1"
+
+successfulJobsHistoryLimit: 4
+failedJobsHistoryLimit: 1
+
+# Resources for containers started by CronJob
+resources:
+ requests:
+ cpu: 123m
+ memory: 321Mi
+ limits:
+ cpu: 123m
+ memory: 321Mi
diff --git a/charts/k8s-pod-cleanup/Chart.yaml b/charts/k8s-pod-cleanup/Chart.yaml
new file mode 100644
index 0000000..5a11273
--- /dev/null
+++ b/charts/k8s-pod-cleanup/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: k8s-pod-cleanup
+home: https://github.com/MediaMarktSaturn/helm-charts
+description: Helm Chart for cleaning up failed/terminated Kubernetes pods
+type: application
+maintainers:
+ - name: MediaMarktSaturn
+ url: https://github.com/MediaMarktSaturn
+version: 1.0.0
diff --git a/charts/k8s-pod-cleanup/README.md b/charts/k8s-pod-cleanup/README.md
new file mode 100644
index 0000000..85ed68b
--- /dev/null
+++ b/charts/k8s-pod-cleanup/README.md
@@ -0,0 +1,31 @@
+# k8s-pod-cleanup
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+Helm Chart for cleaning up failed/terminated Kubernetes pods
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| MediaMarktSaturn | | |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| failedJobsHistoryLimit | int | `3` | |
+| image.repository | string | `"bitnami/kubectl"` | |
+| image.tag | string | `"1.25"` | |
+| resources.limits.cpu | string | `"100m"` | |
+| resources.limits.memory | string | `"100Mi"` | |
+| resources.requests.cpu | string | `"100m"` | |
+| resources.requests.memory | string | `"100Mi"` | |
+| schedule | string | `"0 7 * * 1"` | |
+| successfulJobsHistoryLimit | int | `3` | |
+| ttlSecondsAfterFinished | int | `86400` | |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/k8s-pod-cleanup/templates/clusterrole.yaml b/charts/k8s-pod-cleanup/templates/clusterrole.yaml
new file mode 100644
index 0000000..a7eab2d
--- /dev/null
+++ b/charts/k8s-pod-cleanup/templates/clusterrole.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ $.Release.Name }}
+ name: {{ $.Release.Name }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - list
diff --git a/charts/k8s-pod-cleanup/templates/clusterrolebinding.yaml b/charts/k8s-pod-cleanup/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..9d7ed46
--- /dev/null
+++ b/charts/k8s-pod-cleanup/templates/clusterrolebinding.yaml
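Review bot: The ClusterRole in clusterrole.yaml is cluster-scoped but is named only `{{ $.Release.Name }}`, and the ClusterRoleBinding added in clusterrolebinding.yaml reuses the same name, so a second release with the same name in another namespace would target the same two objects. Including the namespace keeps them distinct, e.g. `name: {{ $.Release.Namespace }}-{{ $.Release.Name }}` in both templates and in `roleRef.name`. The rule itself grants `delete` and `list` on pods in every namespace, system namespaces included; a short comment above `rules:` stating that this is what the CronJob's `kubectl delete pods -A` needs would help anyone auditing the chart's RBAC.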
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ $.Release.Name }}
+ name: {{ $.Release.Name }}
+roleRef:
+ apiGroup: ""
+ kind: ClusterRole
+ name: {{ $.Release.Name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $.Release.Name }}
+ namespace: {{ $.Release.Namespace }}
diff --git a/charts/k8s-pod-cleanup/templates/cronjob.yaml b/charts/k8s-pod-cleanup/templates/cronjob.yaml
new file mode 100644
index 0000000..908d599
--- /dev/null
+++ b/charts/k8s-pod-cleanup/templates/cronjob.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ $.Release.Name }}
+ name: {{ $.Release.Name }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ schedule: {{ $.Values.schedule | quote }}
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: {{ $.Values.successfulJobsHistoryLimit }}
+ failedJobsHistoryLimit: {{ $.Values.failedJobsHistoryLimit }}
+ jobTemplate:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ $.Release.Name }}
+ spec:
+ ttlSecondsAfterFinished: {{ $.Values.ttlSecondsAfterFinished }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ $.Release.Name }}
+ spec:
+ securityContext:
+ runAsUser: 1000
+ automountServiceAccountToken: true
+ containers:
+ - image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
+ name: {{ $.Release.Name }}
+ command:
+ - /bin/sh
+ - -c
+ - kubectl delete pods -A --field-selector=status.phase=Failed
+ resources:
+ {{- toYaml $.Values.resources | nindent 16 }}
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ restartPolicy: OnFailure
+ serviceAccountName: {{ $.Release.Name }}
diff --git a/charts/k8s-pod-cleanup/templates/serviceaccount.yaml b/charts/k8s-pod-cleanup/templates/serviceaccount.yaml
new file mode 100644
index 0000000..ad0c376
--- /dev/null
+++ b/charts/k8s-pod-cleanup/templates/serviceaccount.yaml
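Review bot: `roleRef.apiGroup` in clusterrolebinding.yaml is set to the empty string, which names the core API group rather than the group the referenced ClusterRole belongs to. The API server appears to default an empty value here, so the binding probably still resolves, but the rendered manifest then differs from the stored object and reads as if the role were a core resource. Spell it out: `apiGroup: rbac.authorization.k8s.io`.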
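Review bot: The pod-level `securityContext` in cronjob.yaml sets only `runAsUser: 1000` and the container-level one only `allowPrivilegeEscalation: false`, while the pod mounts a service-account token that can delete pods in every namespace. Adding `runAsNonRoot: true`, a `RuntimeDefault` seccomp profile and dropping all capabilities should let the job run in namespaces that enforce the restricted Pod Security Standard, and it narrows what a tampered image could do next to that token. Separately, the command selects only `status.phase=Failed` while the chart description says failed/terminated; whether `Succeeded` pods are meant to stay should be stated in the chart README.

```yaml
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: automountServiceAccountToken, container image, command, resources, imagePullPolicy …
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
```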
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ $.Release.Name }}
+ name: {{ $.Release.Name }}
+ namespace: {{ $.Release.Namespace }}
diff --git a/charts/k8s-pod-cleanup/values.yaml b/charts/k8s-pod-cleanup/values.yaml
new file mode 100644
index 0000000..4afef52
--- /dev/null
+++ b/charts/k8s-pod-cleanup/values.yaml
@@ -0,0 +1,27 @@
+image:
+ # Docker image used in container, defaults to https://hub.docker.com/r/bitnami/kubectl
+ # A different image can be used as long as it contains the "kubectl" tool
+ repository: bitnami/kubectl
+ # Tag can be set to any Kubernetes version, to avoid unexpected compability issues it is recommended to use the same version configured for the K8s cluster
+ tag: "1.25"
+
+# CronJob schedule https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax
+# Defaults to once every Monday on 07:00 AM (once per week)
+schedule: "0 7 * * 1"
+
+# How much completed jobs to keep in each state
+successfulJobsHistoryLimit: 3
+failedJobsHistoryLimit: 3
+
+# https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+# Defaults to 86400 seconds = 1d
+ttlSecondsAfterFinished: 86400
+
+# Resources for containers started by CronJob
+resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
From e3f32fbbe9efc34f7a4b62e1a666694f8bc66eda Mon Sep 17 00:00:00 2001
From: relusc
Date: Wed, 22 Mar 2023 14:04:23 +0100
Subject: [PATCH 2/3] fix(charts): remove comments from test values.yaml
---
chart-tests/k8s-pod-cleanup/ci/test-values.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/chart-tests/k8s-pod-cleanup/ci/test-values.yaml b/chart-tests/k8s-pod-cleanup/ci/test-values.yaml
index 9470a9e..5eef2fc 100644
--- a/chart-tests/k8s-pod-cleanup/ci/test-values.yaml
+++ b/chart-tests/k8s-pod-cleanup/ci/test-values.yaml
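Review bot: The default `tag: "1.25"` in values.yaml is a minor-only tag, and cronjob.yaml pulls it with `imagePullPolicy: IfNotPresent`, so nodes can end up running different builds of an image that holds cluster-wide pod delete rights. Defaulting to a full patch version, or letting users pin a digest, makes the image content reviewable; the comment on `tag` could say so, e.g. `# Prefer a full patch version or a digest-pinned reference; a minor-only tag can move to a new build`. The schedule comment gives 07:00 AM without a time zone and should say which zone the CronJob is evaluated in. The comment on `tag` also misspells "compatibility" as "compability".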
@@ -1,11 +1,8 @@ -# CronJob schedule https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax -# Defaults to once every Monday on 07:00 AM (once per week) schedule: "0 5 * * 1" successfulJobsHistoryLimit: 4 failedJobsHistoryLimit: 1 -# Resources for containers started by CronJob resources: requests: cpu: 123m From 3fe06b292687d67b0dbc2511a17d9323dbd61cdf Mon Sep 17 00:00:00 2001 From: relusc Date: Wed, 22 Mar 2023 16:28:56 +0100 Subject: [PATCH 3/3] Incorporate review suggestions by @heubeck --- README.md | 2 ++ .../{k8s-pod-cleanup => pod-cleanup}/ci/test-values.yaml | 0 charts/{k8s-pod-cleanup => pod-cleanup}/Chart.yaml | 2 +- charts/{k8s-pod-cleanup => pod-cleanup}/README.md | 2 +- .../{k8s-pod-cleanup => pod-cleanup}/templates/clusterrole.yaml | 0 .../templates/clusterrolebinding.yaml | 0 charts/{k8s-pod-cleanup => pod-cleanup}/templates/cronjob.yaml | 0 .../templates/serviceaccount.yaml | 0 charts/{k8s-pod-cleanup => pod-cleanup}/values.yaml | 0 9 files changed, 4 insertions(+), 2 deletions(-) rename chart-tests/{k8s-pod-cleanup => pod-cleanup}/ci/test-values.yaml (100%) rename charts/{k8s-pod-cleanup => pod-cleanup}/Chart.yaml (92%) rename charts/{k8s-pod-cleanup => pod-cleanup}/README.md (98%) rename charts/{k8s-pod-cleanup => pod-cleanup}/templates/clusterrole.yaml (100%) rename charts/{k8s-pod-cleanup => pod-cleanup}/templates/clusterrolebinding.yaml (100%) rename charts/{k8s-pod-cleanup => pod-cleanup}/templates/cronjob.yaml (100%) rename charts/{k8s-pod-cleanup => pod-cleanup}/templates/serviceaccount.yaml (100%) rename charts/{k8s-pod-cleanup => pod-cleanup}/values.yaml (100%) diff --git a/README.md b/README.md index 632d43a..781e94c 100644 --- a/README.md +++ b/README.md 
@@ -33,6 +33,8 @@ The [OWASP Dependency-Track](https://owasp.org/www-project-dependency-track/) pr A CronJob that deletes terminated/failed pods from a Kubernetes cluster. +Useful when e.g. provisioning Google Kubernetes Engine clusters with preemptible nodes. The preemption leads to pods being shut down during node recreation, however the pods are still kept and displayed when listing them. + --- _This repository is published under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)_ diff --git a/chart-tests/k8s-pod-cleanup/ci/test-values.yaml b/chart-tests/pod-cleanup/ci/test-values.yaml similarity index 100% rename from chart-tests/k8s-pod-cleanup/ci/test-values.yaml rename to chart-tests/pod-cleanup/ci/test-values.yaml diff --git a/charts/k8s-pod-cleanup/Chart.yaml b/charts/pod-cleanup/Chart.yaml similarity index 92% rename from charts/k8s-pod-cleanup/Chart.yaml rename to charts/pod-cleanup/Chart.yaml index 5a11273..eeaed42 100644 --- a/charts/k8s-pod-cleanup/Chart.yaml +++ b/charts/pod-cleanup/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: k8s-pod-cleanup +name: pod-cleanup home: https://github.com/MediaMarktSaturn/helm-charts description: Helm Chart for cleaning up failed/terminated Kubernetes pods type: application diff --git a/charts/k8s-pod-cleanup/README.md b/charts/pod-cleanup/README.md similarity index 98% rename from charts/k8s-pod-cleanup/README.md rename to charts/pod-cleanup/README.md index 85ed68b..f106981 100644 --- a/charts/k8s-pod-cleanup/README.md +++ b/charts/pod-cleanup/README.md @@ -1,4 +1,4 @@ -# k8s-pod-cleanup +# pod-cleanup ![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) 
diff --git a/charts/k8s-pod-cleanup/templates/clusterrole.yaml b/charts/pod-cleanup/templates/clusterrole.yaml
similarity index 100%
rename from charts/k8s-pod-cleanup/templates/clusterrole.yaml
rename to charts/pod-cleanup/templates/clusterrole.yaml
diff --git a/charts/k8s-pod-cleanup/templates/clusterrolebinding.yaml b/charts/pod-cleanup/templates/clusterrolebinding.yaml
similarity index 100%
rename from charts/k8s-pod-cleanup/templates/clusterrolebinding.yaml
rename to charts/pod-cleanup/templates/clusterrolebinding.yaml
diff --git a/charts/k8s-pod-cleanup/templates/cronjob.yaml b/charts/pod-cleanup/templates/cronjob.yaml
similarity index 100%
rename from charts/k8s-pod-cleanup/templates/cronjob.yaml
rename to charts/pod-cleanup/templates/cronjob.yaml
diff --git a/charts/k8s-pod-cleanup/templates/serviceaccount.yaml b/charts/pod-cleanup/templates/serviceaccount.yaml
similarity index 100%
rename from charts/k8s-pod-cleanup/templates/serviceaccount.yaml
rename to charts/pod-cleanup/templates/serviceaccount.yaml
diff --git a/charts/k8s-pod-cleanup/values.yaml b/charts/pod-cleanup/values.yaml
similarity index 100%
rename from charts/k8s-pod-cleanup/values.yaml
rename to charts/pod-cleanup/values.yaml