feat(k8s/amour): descheduler

Author: uhthomas

cue.mod/gen/sigs.k8s.io/descheduler/pkg/api/v1alpha2/BUILD.bazel

@@ -0,0 +1,15 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_v1alpha2_library",
+    srcs = [
+        "register_go_gen.cue",
+        "types_go_gen.cue",
+    ],
+    importpath = "sigs.k8s.io/descheduler/pkg/api/v1alpha2",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/apimachinery/pkg/runtime:cue_runtime_library",
+    ],
+)

cue.mod/gen/sigs.k8s.io/descheduler/pkg/api/v1alpha2/register_go_gen.cue

@@ -0,0 +1,8 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/descheduler/pkg/api/v1alpha2
+
+package v1alpha2
+
+#GroupName:    "descheduler"
+#GroupVersion: "v1alpha2"

cue.mod/gen/sigs.k8s.io/descheduler/pkg/api/v1alpha2/types_go_gen.cue

@@ -0,0 +1,51 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/descheduler/pkg/api/v1alpha2
+
+package v1alpha2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+#DeschedulerPolicy: {
+	metav1.#TypeMeta
+
+	// Profiles
+	profiles?: [...#DeschedulerProfile] @go(Profiles,[]DeschedulerProfile)
+
+	// NodeSelector for a set of nodes to operate over
+	nodeSelector?: null | string @go(NodeSelector,*string)
+
+	// MaxNoOfPodsToEvictPerNode restricts maximum of pods to be evicted per node.
+	maxNoOfPodsToEvictPerNode?: null | uint @go(MaxNoOfPodsToEvictPerNode,*uint)
+
+	// MaxNoOfPodsToEvictPerNamespace restricts maximum of pods to be evicted per namespace.
+	maxNoOfPodsToEvictPerNamespace?: null | uint @go(MaxNoOfPodsToEvictPerNamespace,*uint)
+}
+
+#DeschedulerProfile: {
+	name: string @go(Name)
+	pluginConfig: [...#PluginConfig] @go(PluginConfigs,[]PluginConfig)
+	plugins: #Plugins @go(Plugins)
+}
+
+#Plugins: {
+	presort:           #PluginSet @go(PreSort)
+	sort:              #PluginSet @go(Sort)
+	deschedule:        #PluginSet @go(Deschedule)
+	balance:           #PluginSet @go(Balance)
+	filter:            #PluginSet @go(Filter)
+	preevictionfilter: #PluginSet @go(PreEvictionFilter)
+}
+
+#PluginConfig: {
+	name: string                @go(Name)
+	args: runtime.#RawExtension @go(Args)
+}
+
+#PluginSet: {
+	enabled: [...string] @go(Enabled,[]string)
+	disabled: [...string] @go(Disabled,[]string)
+}

go.mod

@@ -19,6 +19,7 @@ require (
 	k8s.io/client-go v12.0.0+incompatible
 	k8s.io/kube-aggregator v0.29.1
 	k8s.io/kubernetes v1.29.1
+	sigs.k8s.io/descheduler v0.29.0
 )
 
 require (

go.sum

@@ -3003,6 +3003,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/
 sigs.k8s.io/controller-runtime v0.2.2/go.mod h1:9dyohw3ZtoXQuV1e766PHUn+cmrRCIcBh6XIMFNMZ+I=
 sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4=
 sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
+sigs.k8s.io/descheduler v0.29.0 h1:C61QOM1LkJbvkQgnXFoSTr5jjnJ1avEPKWnSIIX6GIA=
+sigs.k8s.io/descheduler v0.29.0/go.mod h1:MHwUysQzb/TdaS4ycwBbDY02SxpUjFKTG95iUQJolZc=
 sigs.k8s.io/gateway-api v0.8.0 h1:isQQ3Jx2qFP7vaA3ls0846F0Amp9Eq14P08xbSwVbQg=
 sigs.k8s.io/gateway-api v0.8.0/go.mod h1:okOnjPNBFbIS/Rw9kAhuIUaIkLhTKEu+ARIuXk2dgaM=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=

k8s/amour/BUILD.bazel

@@ -27,6 +27,7 @@ cue_export(
         "//k8s/amour/cert_manager_csi_driver:cue_cert_manager_csi_driver_library",
         "//k8s/amour/cilium:cue_cilium_library",
         "//k8s/amour/dcgm_exporter:cue_dcgm_exporter_library",
+        "//k8s/amour/descheduler:cue_descheduler_library",
         "//k8s/amour/external_secrets:cue_external_secrets_library",
         "//k8s/amour/grafana:cue_grafana_library",
         "//k8s/amour/home_assistant:cue_home_assistant_library",

k8s/amour/descheduler/BUILD.bazel

@@ -0,0 +1,22 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_descheduler_library",
+    srcs = [
+        "cluster_role_binding_list.cue",
+        "cluster_role_list.cue",
+        "config_map_list.cue",
+        "cron_job_list.cue",
+        "list.cue",
+        "namespace_list.cue",
+        "service_account_list.cue",
+    ],
+    importpath = "github.com/uhthomas/automata/k8s/amour/descheduler",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cue.mod/gen/k8s.io/api/batch/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/api/rbac/v1:cue_v1_library",
+        "//cue.mod/gen/sigs.k8s.io/descheduler/pkg/api/v1alpha2:cue_v1alpha2_library",
+    ],
+)

k8s/amour/descheduler/README.md

@@ -0,0 +1,3 @@
+# Descheduler
+
+[https://github.com/kubernetes-sigs/descheduler](https://github.com/kubernetes-sigs/descheduler)

k8s/amour/descheduler/cluster_role_binding_list.cue

@@ -0,0 +1,25 @@
+package descheduler
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#ClusterRoleBindingList: rbacv1.#ClusterRoleBindingList & {
+	apiVersion: "rbac.authorization.k8s.io/v1"
+	kind:       "ClusterRoleBindingList"
+	items: [...{
+		apiVersion: "rbac.authorization.k8s.io/v1"
+		kind:       "ClusterRoleBinding"
+	}]
+}
+
+#ClusterRoleBindingList: items: [{
+	subjects: [{
+		kind:      rbacv1.#ServiceAccountKind
+		name:      #Name
+		namespace: #Namespace
+	}]
+	roleRef: {
+		apiGroup: rbacv1.#GroupName
+		kind:     "ClusterRole"
+		name:     #Name
+	}
+}]

k8s/amour/descheduler/cluster_role_list.cue

@@ -0,0 +1,52 @@
+package descheduler
+
+import (
+	"k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+#ClusterRoleList: rbacv1.#ClusterRoleList & {
+	apiVersion: "rbac.authorization.k8s.io/v1"
+	kind:       "ClusterRoleList"
+	items: [...{
+		apiVersion: "rbac.authorization.k8s.io/v1"
+		kind:       "ClusterRole"
+	}]
+}
+
+#ClusterRoleList: items: [{
+	rules: [{
+		apiGroups: ["events.k8s.io"]
+		resources: ["events"]
+		verbs: ["create", "update"]
+	}, {
+		apiGroups: [v1.#GroupName]
+		resources: ["nodes"]
+		verbs: ["get", "watch", "list"]
+	}, {
+		apiGroups: [v1.#GroupName]
+		resources: ["namespaces"]
+		verbs: ["get", "watch", "list"]
+	}, {
+		apiGroups: [v1.#GroupName]
+		resources: ["pods"]
+		verbs: ["get", "watch", "list", "delete"]
+	}, {
+		apiGroups: [v1.#GroupName]
+		resources: ["pods/eviction"]
+		verbs: ["create"]
+	}, {
+		apiGroups: ["scheduling.k8s.io"]
+		resources: ["priorityclasses"]
+		verbs: ["get", "watch", "list"]
+	}, {
+		apiGroups: ["coordination.k8s.io"]
+		resources: ["leases"]
+		verbs: ["create"]
+	}, {
+		apiGroups: ["coordination.k8s.io"]
+		resources: ["leases"]
+		resourceNames: ["descheduler"]
+		verbs: ["get", "patch", "delete"]
+	}]
+}]

k8s/amour/descheduler/config_map_list.cue

@@ -0,0 +1,28 @@
+package descheduler
+
+import (
+	"encoding/yaml"
+
+	"k8s.io/api/core/v1"
+	deschedulerv1alpha2 "sigs.k8s.io/descheduler/pkg/api/v1alpha2"
+)
+
+#ConfigMapList: v1.#ConfigMapList & {
+	apiVersion: "v1"
+	kind:       "ConfigMapList"
+	items: [...{
+		apiVersion: "v1"
+		kind:       "ConfigMap"
+	}]
+}
+
+#ConfigMapList: items: [{
+	data: "policy.yaml": yaml.Marshal(deschedulerv1alpha2.#DeschedulerPolicy & {
+		apiVersion: "descheduler/v1alpha2"
+		kind:       "DeschedulerPolicy"
+		profiles: [{
+			name: "Main"
+			plugins: deschedule: enabled: ["RemoveFailedPods"]
+		}]
+	})
+}]

k8s/amour/descheduler/cron_job_list.cue

@@ -0,0 +1,76 @@
+package descheduler
+
+import (
+	"k8s.io/api/core/v1"
+	batchv1 "k8s.io/api/batch/v1"
+)
+
+#CronJobList: batchv1.#CronJobList & {
+	apiVersion: "batch/v1"
+	kind:       "CronJobList"
+	items: [...{
+		apiVersion: "batch/v1"
+		kind:       "CronJob"
+	}]
+}
+
+#CronJobList: items: [{
+	spec: {
+		schedule:          "*/2 * * * *" // At every second minute.
+		concurrencyPolicy: batchv1.#ForbidConcurrent
+		jobTemplate: spec: template: spec: {
+			volumes: [{
+				name: "policy"
+				configMap: name: #Name
+			}]
+			containers: [{
+				name:  "descheduler"
+				image: "registry.k8s.io/descheduler/descheduler:v\(#Version)"
+				command: ["/bin/descheduler"]
+				args: [
+					"--policy-config-file=/var/descheduler/policy.yaml",
+					"--v=3",
+				]
+				ports: [{
+					name:          "https"
+					containerPort: 10258
+				}]
+				resources: limits: {
+					cpu:    "500m"
+					memory: "256Mi"
+				}
+				livenessProbe: {
+					httpGet: {
+						path:   "/healthz"
+						port:   "https"
+						scheme: v1.#URISchemeHTTPS
+					}
+					initialDelaySeconds: 3
+					periodSeconds:       10
+					failureThreshold:    3
+				}
+				volumeMounts: [{
+					name:      "policy"
+					mountPath: "/var/descheduler/policy.yaml"
+					subPath:   "policy.yaml"
+				}]
+				imagePullPolicy: v1.#PullIfNotPresent
+				securityContext: {
+					capabilities: drop: ["ALL"]
+					readOnlyRootFilesystem:   true
+					allowPrivilegeEscalation: false
+				}
+			}]
+			restartPolicy:      v1.#RestartPolicyNever
+			serviceAccountName: #Name
+			securityContext: {
+				runAsUser:    1000
+				runAsGroup:   3000
+				runAsNonRoot: true
+				fsGroup:      2000
+				seccompProfile: type: v1.#SeccompProfileTypeRuntimeDefault
+			}
+			priorityClassName: "system-cluster-critical"
+		}
+	}
+}]

k8s/amour/descheduler/list.cue

@@ -0,0 +1,39 @@
+package descheduler
+
+import (
+	"list"
+
+	"k8s.io/api/core/v1"
+)
+
+#Name:      "descheduler"
+#Namespace: #Name
+
+// renovate: datasource=github-releases depName=kubernetes-sigs/descheduler extractVersion=^v(?<version>.*)$
+#Version: "0.29.0"
+
+#List: v1.#List & {
+	apiVersion: "v1"
+	kind:       "List"
+	items: [...{
+		metadata: {
+			name:      #Name
+			namespace: #Namespace
+			labels: {
+				"app.kubernetes.io/name":    #Name
+				"app.kubernetes.io/version": #Version
+			}
+		}
+	}]
+}
+
+#List: items: list.Concat(_items)
+
+_items: [
+	#ClusterRoleBindingList.items,
+	#ClusterRoleList.items,
+	#ConfigMapList.items,
+	#CronJobList.items,
+	#NamespaceList.items,
+	#ServiceAccountList.items,
+]

k8s/amour/descheduler/namespace_list.cue

@@ -0,0 +1,14 @@
+package descheduler
+
+import "k8s.io/api/core/v1"
+
+#NamespaceList: v1.#NamespaceList & {
+	apiVersion: "v1"
+	kind:       "NamespaceList"
+	items: [...{
+		apiVersion: "v1"
+		kind:       "Namespace"
+	}]
+}
+
+#NamespaceList: items: [{}]

k8s/amour/descheduler/service_account_list.cue

@@ -0,0 +1,14 @@
+package descheduler
+
+import "k8s.io/api/core/v1"
+
+#ServiceAccountList: v1.#ServiceAccountList & {
+	apiVersion: "v1"
+	kind:       "ServiceAccountList"
+	items: [...{
+		apiVersion: "v1"
+		kind:       "ServiceAccount"
+	}]
+}
+
+#ServiceAccountList: items: [{}]

k8s/amour/list.cue

@@ -7,6 +7,7 @@ import (
 	"github.com/uhthomas/automata/k8s/amour/cert_manager"
 	"github.com/uhthomas/automata/k8s/amour/cilium"
 	"github.com/uhthomas/automata/k8s/amour/dcgm_exporter"
+	"github.com/uhthomas/automata/k8s/amour/descheduler"
 	"github.com/uhthomas/automata/k8s/amour/external_secrets"
 	"github.com/uhthomas/automata/k8s/amour/grafana"
 	"github.com/uhthomas/automata/k8s/amour/home_assistant"
@@ -64,6 +65,7 @@ _items: [
 	cert_manager.#List.items,
 	cilium.#List.items,
 	dcgm_exporter.#List.items,
+	descheduler.#List.items,
 	external_secrets.#List.items,
 	grafana.#List.items,
 	home_assistant.#List.items,