From 5883212e87b9cf4c8235e8534c5d3c554cac7175 Mon Sep 17 00:00:00 2001 From: Jim Crossley Date: Wed, 11 Mar 2020 16:23:38 -0400 Subject: [PATCH 1/5] New field in CR, `resources`, to override deployments in manifest It's a map of deployment names to a []v1.ResourceRequirement. The array corresponds to the order of the containers in the deployment spec. --- ...0-serving-v1alpha1-knativeserving-crd.yaml | 38 +++++++++++++ .../serving/v1alpha1/knativeserving_types.go | 4 ++ .../serving/v1alpha1/zz_generated.deepcopy.go | 17 ++++++ .../knativeserving/common/extensions.go | 1 + .../knativeserving/common/resources.go | 56 +++++++++++++++++++ 5 files changed, 116 insertions(+) create mode 100644 pkg/reconciler/knativeserving/common/resources.go diff --git a/config/300-serving-v1alpha1-knativeserving-crd.yaml b/config/300-serving-v1alpha1-knativeserving-crd.yaml index 5cf6730a..de799475 100644 --- a/config/300-serving-v1alpha1-knativeserving-crd.yaml +++ b/config/300-serving-v1alpha1-knativeserving-crd.yaml 
@@ -127,6 +127,44 @@ spec: description: The number of replicas that HA parts of the control plane will be scaled to type: integer minimum: 1 + resources: + description: A mapping of deployment name to resource requirements + type: object + additionalProperties: + type: array + items: + type: object + properties: + requests: + type: object + properties: + memory: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + cpu: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + storage: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + ephemeral-storage: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + limits: + type: object + properties: + memory: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + cpu: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + storage: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + ephemeral-storage: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ type: object status: description: Status defines the observed state of KnativeServing diff --git a/pkg/apis/serving/v1alpha1/knativeserving_types.go b/pkg/apis/serving/v1alpha1/knativeserving_types.go index a45cc334..fdd9e77b 100644 --- a/pkg/apis/serving/v1alpha1/knativeserving_types.go +++ b/pkg/apis/serving/v1alpha1/knativeserving_types.go @@ -105,6 +105,10 @@ type KnativeServingSpec struct { // Allows specification of HA control plane // +optional HighAvailability *HighAvailability `json:"high-availability,omitempty"` + + // Override resource requirements; keyed by deployment name + // +optional + Resources map[string][]corev1.ResourceRequirements `json:"resources,omitempty"` } // KnativeServingStatus defines the observed state of KnativeServing diff --git a/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go index 85e0bcdd..1564f308 100644 
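Review bot: The `description` on the new `resources` property does not say that each array is positional, which is what a user needs to know to fill it in correctly. The commit message says the array follows the order of the containers in the deployment spec, and the transformer added in resources.go indexes the overrides by container position and assigns an empty value to any container without a matching entry. I would state that in the schema, e.g. `description: A mapping of deployment name to a list of resource requirements, one entry per container in the order the containers appear in the deployment spec`. The field comment in the knativeserving_types.go hunk needs the same addition: `// Override resource requirements; keyed by deployment name, one entry per container in spec order`.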
--- a/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go @@ -171,6 +171,23 @@ func (in *KnativeServingSpec) DeepCopyInto(out *KnativeServingSpec) { *out = new(HighAvailability) **out = **in } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make(map[string][]v1.ResourceRequirements, len(*in)) + for key, val := range *in { + var outVal []v1.ResourceRequirements + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = make([]v1.ResourceRequirements, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + (*out)[key] = outVal + } + } return } diff --git a/pkg/reconciler/knativeserving/common/extensions.go b/pkg/reconciler/knativeserving/common/extensions.go index 6138d1d7..ede8f68f 100644 --- a/pkg/reconciler/knativeserving/common/extensions.go +++ b/pkg/reconciler/knativeserving/common/extensions.go @@ -41,6 +41,7 @@ func (platforms Platforms) Transformers(kubeClientSet kubernetes.Interface, inst GatewayTransform(instance, log), CustomCertsTransform(instance, log), HighAvailabilityTransform(instance, log), + ResourceRequirementsTransform(instance, log), } for _, fn := range platforms { transformer, err := fn(kubeClientSet, log) diff --git a/pkg/reconciler/knativeserving/common/resources.go b/pkg/reconciler/knativeserving/common/resources.go new file mode 100644 index 00000000..0ac3b357 --- /dev/null +++ b/pkg/reconciler/knativeserving/common/resources.go 
@@ -0,0 +1,56 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package common
+
+import (
+ mf "github.com/manifestival/manifestival"
+ "go.uber.org/zap"
+ appsv1 "k8s.io/api/apps/v1"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/client-go/kubernetes/scheme"
+ servingv1alpha1 "knative.dev/serving-operator/pkg/apis/serving/v1alpha1"
+)
+
+// ResourceRequirementsTransform configures the resource requests for
+// all containers within all deployments in the manifest
+func ResourceRequirementsTransform(instance *servingv1alpha1.KnativeServing, log *zap.SugaredLogger) mf.Transformer {
+ return func(u *unstructured.Unstructured) error {
+ if u.GetKind() == "Deployment" {
+ deployment := &appsv1.Deployment{}
+ if err := scheme.Scheme.Convert(u, deployment, nil); err != nil {
+ return err
+ }
+ containers := deployment.Spec.Template.Spec.Containers
+ overrides := instance.Spec.Resources[u.GetName()]
+ for i := range containers {
+ if len(overrides) > i {
+ containers[i].Resources = overrides[i]
+ } else {
+ containers[i].Resources = v1.ResourceRequirements{}
+ }
+ }
+ if err := scheme.Scheme.Convert(deployment, u, nil); err != nil {
+ return err
+ }
+ // Avoid superfluous updates from converted zero defaults
+ u.SetCreationTimestamp(metav1.Time{})
+ }
+ return nil
+ }
+}
From f2a0c2a404994e8ffcbf09c5fffece9985488377 Mon Sep 17 00:00:00 2001
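Review bot: The `else` branch in `ResourceRequirementsTransform` assigns `v1.ResourceRequirements{}` to every container that has no override, so a KnativeServing CR with no `resources` field, or with a misspelled deployment name, removes any requests and limits the manifest defines for every Deployment. The extensions.go hunk registers the transformer unconditionally, so this would apply to every install; pods whose containers all lack requests and limits run as BestEffort, are evicted first under node pressure, and have no cap on CPU or memory use. If clearing is not intended, drop the branch so the loop body is just `if i < len(overrides) { containers[i].Resources = overrides[i] }`, and return early when `overrides` is empty to skip the Convert round trip. If it is intended, the doc comment should say so, and the currently unused `log` parameter could report override keys that match no deployment.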
From: Jim Crossley
Date: Fri, 13 Mar 2020 13:40:53 -0400
Subject: [PATCH 2/5] Use 0.13.0 manifest for some tests
---
.../common/testdata/manifest.yaml | 2753 +++++++++++++++++
1 file changed, 2753 insertions(+)
create mode 100644 pkg/reconciler/knativeserving/common/testdata/manifest.yaml
diff --git a/pkg/reconciler/knativeserving/common/testdata/manifest.yaml b/pkg/reconciler/knativeserving/common/testdata/manifest.yaml
new file mode 100644
index 00000000..1a836ae8
--- /dev/null
+++ b/pkg/reconciler/knativeserving/common/testdata/manifest.yaml
@@ -0,0 +1,2753 @@ +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: images.caching.internal.knative.dev + labels: + knative.dev/crd-install: "true" +spec: + group: caching.internal.knative.dev + version: v1alpha1 + names: + kind: Image + plural: images + singular: image + categories: + - knative-internal + - caching + shortNames: + - img + scope: Namespaced + subresources: + status: {} + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: knative-serving + labels: + # TODO(mattmoor): We should not require any istio annotations. 
+ istio-injection: enabled + serving.knative.dev/release: "v0.13.0" + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-admin + labels: + serving.knative.dev/release: "v0.13.0" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + serving.knative.dev/controller: "true" +rules: [] # Rules are automatically filled in by the controller manager. +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: knative-serving-controller-admin + labels: + serving.knative.dev/release: "v0.13.0" +subjects: +- kind: ServiceAccount + name: controller + namespace: knative-serving +roleRef: + kind: ClusterRole + name: knative-serving-admin + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: caching.internal.knative.dev/v1alpha1 +kind: Image +metadata: + name: queue-proxy + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +spec: + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:0fad95e6903c53dbfb73deb7d04f54fea8e417ffff1ba9be7ae8464120ae11ec + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-autoscaler + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. 
+ # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # The Revision ContainerConcurrency field specifies the maximum number + # of requests the Container can handle at once. Container concurrency + # target percentage is how much of that maximum to use in a stable + # state. E.g. if a Revision specifies ContainerConcurrency of 10, then + # the Autoscaler will try to maintain 7 concurrent connections per pod + # on average. + # Note: this limit will be applied to container concurrency set at every + # level (ConfigMap, Revision Spec or Annotation). + # For legacy and backwards compatibility reasons, this value also accepts + # fractional values in (0, 1] interval (i.e. 0.7 ⇒ 70%). + # Thus minimal percentage value must be greater than 1.0, or it will be + # treated as a fraction. + container-concurrency-target-percentage: "70" + + # The container concurrency target default is what the Autoscaler will + # try to maintain when concurrency is used as the scaling metric for a + # Revision and the Revision specifies unlimited concurrency. + # Even when specifying unlimited concurrency, the autoscaler will + # horizontally scale the application based on this target concurrency. + # NOTE: Only one metric can be used for autoscaling a Revision. + container-concurrency-target-default: "100" + + # The requests per second (RPS) target default is what the Autoscaler will + # try to maintain when RPS is used as the scaling metric for a Revision and + # the Revision specifies unlimited RPS. Even when specifying unlimited RPS, + # the autoscaler will horizontally scale the application based on this + # target RPS. + # Must be greater than 1.0. + # NOTE: Only one metric can be used for autoscaling a Revision. 
+ requests-per-second-target-default: "200" + + # The target burst capacity specifies the size of burst in concurrent + # requests that the system operator expects the system will receive. + # Autoscaler will try to protect the system from queueing by introducing + # Activator in the request path if the current spare capacity of the + # service is less than this setting. + # If this setting is 0, then Activator will be in the request path only + # when the revision is scaled to 0. + # If this setting is > 0 and container-concurrency-target-percentage is + # 100% or 1.0, then activator will always be in the request path. + # -1 denotes unlimited target-burst-capacity and activator will always + # be in the request path. + # Other negative values are invalid. + target-burst-capacity: "200" + + # When operating in a stable mode, the autoscaler operates on the + # average concurrency over the stable window. + # Stable window must be in whole seconds. + stable-window: "60s" + + # When observed average concurrency during the panic window reaches + # panic-threshold-percentage the target concurrency, the autoscaler + # enters panic mode. When operating in panic mode, the autoscaler + # scales on the average concurrency over the panic window which is + # panic-window-percentage of the stable-window. + # When computing the panic window it will be rounded to the closest + # whole second. + panic-window-percentage: "10.0" + + # The percentage of the container concurrency target at which to + # enter panic mode when reached within the panic window. + panic-threshold-percentage: "200.0" + + # Max scale up rate limits the rate at which the autoscaler will + # increase pod count. It is the maximum ratio of desired pods versus + # observed pods. + # Cannot less or equal to 1. + # I.e with value of 2.0 the number of pods can at most go N to 2N + # over single Autoscaler period (see tick-interval), but at least N to + # N+1, if Autoscaler needs to scale up. 
+ max-scale-up-rate: "1000.0" + + # Max scale down rate limits the rate at which the autoscaler will + # decrease pod count. It is the maximum ratio of observed pods versus + # desired pods. + # Cannot less or equal to 1. + # I.e. with value of 2.0 the number of pods can at most go N to N/2 + # over single Autoscaler evaluation period (see tick-interval), but at + # least N to N-1, if Autoscaler needs to scale down. + # Not yet used // TODO(vagababov) remove once other parts are ready. + max-scale-down-rate: "2.0" + + # Scale to zero feature flag + enable-scale-to-zero: "true" + + # Tick interval is the time between autoscaling calculations. + tick-interval: "2s" + + # Dynamic parameters (take effect when config map is updated): + + # Scale to zero grace period is the time an inactive revision is left + # running before it is scaled to zero (min: 30s). + scale-to-zero-grace-period: "30s" + + # Enable graceful scaledown feature flag. + # Once enabled, it allows the autoscaler to prioritize pods processing + # fewer (or zero) requests for removal when scaling down. + enable-graceful-scaledown: "false" + + # pod-autoscaler-class specifies the default pod autoscaler class + # that should be used if none is specified. If omitted, the Knative + # Horizontal Pod Autoscaler (KPA) is used by default. + pod-autoscaler-class: "kpa.autoscaling.knative.dev" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-defaults + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # revision-timeout-seconds contains the default number of + # seconds to use for the revision's per-request timeout, if + # none is specified. + revision-timeout-seconds: "300" # 5 minutes + + # max-revision-timeout-seconds contains the maximum number of + # seconds that can be used for revision-timeout-seconds. + # This value must be greater than or equal to revision-timeout-seconds. + # If omitted, the system default is used (600 seconds). + max-revision-timeout-seconds: "600" # 10 minutes + + # revision-cpu-request contains the cpu allocation to assign + # to revisions by default. If omitted, no value is specified + # and the system default is used. + revision-cpu-request: "400m" # 0.4 of a CPU (aka 400 milli-CPU) + + # revision-memory-request contains the memory allocation to assign + # to revisions by default. If omitted, no value is specified + # and the system default is used. + revision-memory-request: "100M" # 100 megabytes of memory + + # revision-cpu-limit contains the cpu allocation to limit + # revisions to by default. If omitted, no value is specified + # and the system default is used. + revision-cpu-limit: "1000m" # 1 CPU (aka 1000 milli-CPU) + + # revision-memory-limit contains the memory allocation to limit + # revisions to by default. 
If omitted, no value is specified + # and the system default is used. + revision-memory-limit: "200M" # 200 megabytes of memory + + # container-name-template contains a template for the default + # container name, if none is specified. This field supports + # Go templating and is supplied with the ObjectMeta of the + # enclosing Service or Configuration, so values such as + # {{.Name}} are also valid. + container-name-template: "user-container" + + # container-concurrency specifies the maximum number + # of requests the Container can handle at once, and requests + # above this threshold are queued. Setting a value of zero + # disables this throttling and lets through as many requests as + # the pod receives. + container-concurrency: "0" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-deployment + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:0fad95e6903c53dbfb73deb7d04f54fea8e417ffff1ba9be7ae8464120ae11ec + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # List of repositories for which tag to digest resolving should be skipped + registriesSkippingTagResolving: "ko.local,dev.local" + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-domain + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. 
+ # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default value for domain. + # Although it will match all routes, it is the least-specific rule so it + # will only be used if no other domain matches. + example.com: | + + # These are example settings of domain. + # example.org will be used for routes having app=nonprofit. + example.org: | + selector: + app: nonprofit + + # Routes having domain suffix of 'svc.cluster.local' will not be exposed + # through Ingress. You can define your own label selector to assign that + # domain suffix to your Route here, or you can set the label + # "serving.knative.dev/visibility=cluster-local" + # to achieve the same effect. This shows how to make routes having + # the label app=secret only exposed to the local cluster. + svc.cluster.local: | + selector: + app: secret + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-gc + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Delay after revision creation before considering it for GC + stale-revision-create-delay: "48h" + + # Duration since a route has pointed at the revision before it + # should be GC'd. + # This minus lastpinned-debounce must be longer than the controller + # resync period (10 hours). + stale-revision-timeout: "15h" + + # Minimum number of generations of revisions to keep before considering + # them for GC + stale-revision-minimum-generations: "20" + + # To avoid constant updates, we allow an existing annotation to be stale by this + # amount before we update the timestamp. + stale-revision-lastpinned-debounce: "5h" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + # An inactive but valid configuration follows; see example. + resourceLock: "leases" + leaseDuration: "15s" + renewDeadline: "10s" + retryPeriod: "2s" + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # resourceLock controls which API resource is used as the basis for the + # leader election lock. Valid values are: + # + # - leases -> use the coordination API + # - configmaps -> use configmaps + # - endpoints -> use endpoints + resourceLock: "leases" + + # leaseDuration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + leaseDuration: "15s" + # renewDeadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renewDeadline: "10s" + # retryPeriod is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retryPeriod: "2s" + # enabledComponents is a comma-delimited list of component names for which + # leader election is enabled. 
Valid values are: + # + # - controller + # - hpaautoscaler + # - certcontroller + # - istiocontroller + # - nscontroller + enabledComponents: "controller,hpaautoscaler,certcontroller,istiocontroller,nscontroller" + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-logging + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. 
+ + # Common configuration for all Knative codebase + zap-logger-config: | + { + "level": "info", + "development": false, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "ts", + "levelKey": "level", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "msg", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + + # Log level overrides + # For all components except the autoscaler and queue proxy, + # changes are be picked up immediately. + # For autoscaler and queue proxy, changes require recreation of the pods. + loglevel.controller: "info" + loglevel.autoscaler: "info" + loglevel.queueproxy: "info" + loglevel.webhook: "info" + loglevel.activator: "info" + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-network + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. 
+ # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # DEPRECATED: + # istio.sidecar.includeOutboundIPRanges is obsolete. + # The current versions have outbound network access enabled by default. + # If you need this option for some reason, please use global.proxy.includeIPRanges in Istio. + # + # istio.sidecar.includeOutboundIPRanges: "*" + + # ingress.class specifies the default ingress class + # to use when not dictated by Route annotation. + # + # If not specified, will use the Istio ingress. + # + # Note that changing the Ingress class of an existing Route + # will result in undefined behavior. Therefore it is best to only + # update this value during the setup of Knative, to avoid getting + # undefined behavior. + ingress.class: "istio.ingress.networking.knative.dev" + + # certificate.class specifies the default Certificate class + # to use when not dictated by Route annotation. + # + # If not specified, will use the Cert-Manager Certificate. + # + # Note that changing the Certificate class of an existing Route + # will result in undefined behavior. Therefore it is best to only + # update this value during the setup of Knative, to avoid getting + # undefined behavior. + certificate.class: "cert-manager.certificate.networking.knative.dev" + + # domainTemplate specifies the golang text template string to use + # when constructing the Knative service's DNS name. The default + # value is "{{.Name}}.{{.Namespace}}.{{.Domain}}". And those three + # values (Name, Namespace, Domain) are the only variables defined. + # + # Changing this value might be necessary when the extra levels in + # the domain name generated is problematic for wildcard certificates + # that only support a single level of domain name added to the + # certificate's domain. 
In those cases you might consider using a value + # of "{{.Name}}-{{.Namespace}}.{{.Domain}}", or removing the Namespace + # entirely from the template. When choosing a new value be thoughtful + # of the potential for conflicts - for example, when users choose to use + # characters such as `-` in their service, or namespace, names. + # {{.Annotations}} can be used for any customization in the go template if needed. + # We strongly recommend keeping namespace part of the template to avoid domain name clashes + # Example '{{.Name}}-{{.Namespace}}.{{ index .Annotations "sub"}}.{{.Domain}}' + # and you have an annotation {"sub":"foo"}, then the generated template would be {Name}-{Namespace}.foo.{Domain} + domainTemplate: "{{.Name}}.{{.Namespace}}.{{.Domain}}" + + # tagTemplate specifies the golang text template string to use + # when constructing the DNS name for "tags" within the traffic blocks + # of Routes and Configuration. This is used in conjunction with the + # domainTemplate above to determine the full URL for the tag. + tagTemplate: "{{.Tag}}-{{.Name}}" + + # Controls whether TLS certificates are automatically provisioned and + # installed in the Knative ingress to terminate external TLS connection. + # 1. Enabled: enabling auto-TLS feature. + # 2. Disabled: disabling auto-TLS feature. + autoTLS: "Disabled" + + # Controls the behavior of the HTTP endpoint for the Knative ingress. + # It requires autoTLS to be enabled. + # 1. Enabled: The Knative ingress will be able to serve HTTP connection. + # 2. Disabled: The Knative ingress will reject HTTP traffic. + # 3. Redirected: The Knative ingress will send a 302 redirect for all + # http connections, asking the clients to use HTTPS + httpProtocol: "Enabled" + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-observability + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # logging.enable-var-log-collection defaults to false. + # The fluentd daemon set will be set up to collect /var/log if + # this flag is true. + logging.enable-var-log-collection: "false" + + # logging.revision-url-template provides a template to use for producing the + # logging URL that is injected into the status of each Revision. + # This value is what you might use the the Knative monitoring bundle, and provides + # access to Kibana after setting up kubectl proxy. + logging.revision-url-template: | + http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.serving-knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase)))) + + # If non-empty, this enables queue proxy writing user request logs to stdout, excluding probe + # requests. 
+ # The value determines the shape of the request logs and it must be a valid go text/template. + # It is important to keep this as a single line. Multiple lines are parsed as separate entities + # by most collection agents and will split the request logs into multiple records. + # + # The following fields and functions are available to the template: + # + # Request: An http.Request (see https://golang.org/pkg/net/http/#Request) + # representing an HTTP request received by the server. + # + # Response: + # struct { + # Code int // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) + # Size int // An int representing the size of the response. + # Latency float64 // A float64 representing the latency of the response in seconds. + # } + # + # Revision: + # struct { + # Name string // Knative revision name + # Namespace string // Knative revision namespace + # Service string // Knative service name + # Configuration string // Knative configuration name + # PodName string // Name of the pod hosting the revision + # PodIP string // IP of the pod hosting the revision + # } + # + logging.request-log-template: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}' + + # If true, this enables queue proxy writing request logs for probe requests to stdout. + # It uses the same template for user requests, i.e. logging.request-log-template. + logging.enable-probe-request-log: "false" + + # metrics.backend-destination field specifies the system metrics destination. 
+ # It supports either prometheus (the default) or stackdriver. + # Note: Using stackdriver will incur additional charges + metrics.backend-destination: prometheus + + # metrics.request-metrics-backend-destination specifies the request metrics + # destination. It enables queue proxy to send request metrics. + # Currently supported values: prometheus (the default), stackdriver. + metrics.request-metrics-backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used if this field is not provided. + metrics.stackdriver-project-id: "" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to + # Stackdriver using "global" resource type and custom metric type if the + # metrics are not supported by "knative_revision" resource type. Setting this + # flag to "true" could cause extra Stackdriver charge. + # If metrics.backend-destination is not Stackdriver, this is ignored. + metrics.allow-stackdriver-custom-metrics: "false" + + # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from + # the pods via an HTTP server in the format expected by the pprof visualization tool. When + # enabled, the Knative Serving pods expose the profiling data on an alternate HTTP port 8008. + # The HTTP context root for profiling is then /debug/pprof/. + profiling.enable: "false" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-tracing + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # + # This may be "zipkin" or "stackdriver", the default is "none" + backend: "none" + + # URL to zipkin collector where traces are sent. + # This must be specified when backend is "zipkin" + zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans" + + # The GCP project into which stackdriver metrics will be written + # when backend is "stackdriver". If unspecified, the project-id + # is read from GCP metadata when running on GCP. + stackdriver-project-id: "my-project" + + # Enable zipkin debug mode. This allows all spans to be sent to the server + # bypassing sampling. + debug: "false" + + # Percentage (0-1) of requests to trace + sample-rate: "0.1" + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: activator + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +spec: + minReplicas: 1 + maxReplicas: 20 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: activator + metrics: + - type: Resource + resource: + name: cpu + # Percentage of the requested CPU + targetAverageUtilization: 100 + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: activator + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +spec: + selector: + matchLabels: + app: activator + role: activator + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app: activator + role: activator + serving.knative.dev/release: "v0.13.0" + spec: + serviceAccountName: controller + containers: + - name: activator + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:48e669a1ddf2c56a44e67412dcb713baecb4a45683575f693c958cebb9858641 + # The numbers are based on performance test results from + # https://github.com/knative/serving/issues/1625#issuecomment-511930023 + resources: + requests: + cpu: 300m + memory: 60Mi + limits: + cpu: 1000m + memory: 600Mi + env: + - # Run Activator with GC collection when newly generated memory is 500%. + name: GOGC + value: "500" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + name: METRICS_DOMAIN + value: knative.dev/internal/serving + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: http1 + containerPort: 8012 + - name: h2c + containerPort: 8013 + readinessProbe: &probe + httpGet: + port: 8012 + httpHeaders: + - name: k-kubelet-probe + value: "activator" + livenessProbe: *probe + # The activator (often) sits on the dataplane, and may proxy long (e.g. + # streaming, websockets) requests. We give a long grace period for the + # activator to "lame duck" and drain outstanding requests before we + # forcibly terminate the pod (and outstanding connections). This value + # should be at least as large as the upper bound on the Revision's + # timeoutSeconds property to avoid servicing events disrupting + # connections. 
+ terminationGracePeriodSeconds: 300 +--- +apiVersion: v1 +kind: Service +metadata: + name: activator-service + namespace: knative-serving + labels: + app: activator + serving.knative.dev/release: "v0.13.0" +spec: + selector: + app: activator + ports: + - # Define metrics and profiling for them to be accessible within service meshes. + name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: http + port: 80 + targetPort: 8012 + - name: http2 + port: 81 + targetPort: 8013 + type: ClusterIP + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: autoscaler + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +spec: + replicas: 1 + selector: + matchLabels: + app: autoscaler + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app: autoscaler + serving.knative.dev/release: "v0.13.0" + spec: + serviceAccountName: controller + containers: + - name: autoscaler + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:941639c7ef25f189e33e92f1b3b0bc7a3908bb0ab5a036c5eb3f270f5774b341 + resources: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + name: METRICS_DOMAIN + value: knative.dev/serving + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: websocket + containerPort: 8080 + - name: custom-metrics + containerPort: 8443 + readinessProbe: &probe + httpGet: + port: 8080 + httpHeaders: + - name: k-kubelet-probe + value: "autoscaler" + livenessProbe: *probe + args: + - "--secure-port=8443" + - "--cert-dir=/tmp" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: autoscaler + serving.knative.dev/release: "v0.13.0" + name: autoscaler + namespace: knative-serving +spec: + ports: + - # Define metrics and profiling for them to be accessible within service meshes. + name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: http + port: 8080 + targetPort: 8080 + - name: https-custom-metrics + port: 443 + targetPort: 8443 + selector: + app: autoscaler + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +spec: + selector: + matchLabels: + app: controller + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + labels: + app: controller + serving.knative.dev/release: "v0.13.0" + spec: + serviceAccountName: controller + containers: + - name: controller + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:12512eaf4bac15bab1adbf3968723e74108331e06173d9b56d76ff5362ff9851 + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 1000m + memory: 1000Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + name: METRICS_DOMAIN + value: knative.dev/internal/serving + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: controller + serving.knative.dev/release: "v0.13.0" + name: controller + namespace: knative-serving +spec: + ports: + - # Define metrics and profiling for them to be accessible within service meshes. 
+ name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + selector: + app: controller + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: webhook + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +spec: + selector: + matchLabels: + app: webhook + role: webhook + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app: webhook + role: webhook + serving.knative.dev/release: "v0.13.0" + spec: + serviceAccountName: controller + containers: + - name: webhook + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:d33d129262f03921715c0f2e4cc4fae7b626438c907047df60e0f0f41688fbc2 + resources: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + name: METRICS_DOMAIN + value: knative.dev/serving + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: https-webhook + containerPort: 8443 +--- +apiVersion: v1 +kind: Service +metadata: + labels: + role: webhook + serving.knative.dev/release: "v0.13.0" + name: webhook + namespace: knative-serving +spec: + ports: + - # Define metrics and profiling for them to be accessible within service meshes. + name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + role: webhook + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" +spec: + group: networking.internal.knative.dev + version: v1alpha1 + names: + kind: Certificate + plural: certificates + singular: certificate + categories: + - knative-internal + - networking + shortNames: + - kcert + scope: Namespaced + subresources: + status: {} + additionalPrinterColumns: + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type==\"Ready\")].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type==\"Ready\")].reason" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: configurations.serving.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" + duck.knative.dev/podspecable: "true" +spec: + group: serving.knative.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # this is a work around so we don't need to flush out the + # schema for each version at this time + # + # see issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1 + served: true + storage: false + names: + kind: Configuration + plural: configurations + singular: configuration + categories: + - all + - knative + - serving + shortNames: + - config + - cfg + scope: Namespaced + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: webhook + namespace: knative-serving + additionalPrinterColumns: + - name: LatestCreated + type: string + JSONPath: .status.latestCreatedRevisionName + - name: LatestReady + type: string + JSONPath: .status.latestReadyRevisionName + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].reason" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingresses.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" +spec: + group: networking.internal.knative.dev + versions: + - name: v1alpha1 + served: true + storage: true + names: + kind: Ingress + plural: ingresses + singular: ingress + categories: + - knative-internal + - networking + shortNames: + - kingress + - king + scope: Namespaced + subresources: + status: {} + additionalPrinterColumns: + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].reason" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: metrics.autoscaling.internal.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" +spec: + group: autoscaling.internal.knative.dev + version: v1alpha1 + names: + kind: Metric + plural: metrics + singular: metric + categories: + - knative-internal + - autoscaling + scope: Namespaced + subresources: + status: {} + additionalPrinterColumns: + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].reason" + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: podautoscalers.autoscaling.internal.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" +spec: + group: autoscaling.internal.knative.dev + versions: + - name: v1alpha1 + served: true + storage: true + names: + kind: PodAutoscaler + plural: podautoscalers + singular: podautoscaler + categories: + - knative-internal + - autoscaling + shortNames: + - kpa + - pa + scope: Namespaced + subresources: + status: {} + additionalPrinterColumns: + - name: DesiredScale + type: integer + JSONPath: ".status.desiredScale" + - name: ActualScale + type: integer + JSONPath: ".status.actualScale" + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].reason" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: revisions.serving.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" +spec: + group: serving.knative.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # this is a work around so we don't need to flush out the + # schema for each version at this time + # + # see issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1 + served: true + storage: false + names: + kind: Revision + plural: revisions + singular: revision + categories: + - all + - knative + - serving + shortNames: + - rev + scope: Namespaced + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: webhook + namespace: knative-serving + additionalPrinterColumns: + - name: Config Name + type: string + JSONPath: ".metadata.labels['serving\\.knative\\.dev/configuration']" + - name: K8s Service Name + type: string + JSONPath: ".status.serviceName" + - name: Generation + type: string # int in string form :( + JSONPath: ".metadata.labels['serving\\.knative\\.dev/configurationGeneration']" + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].reason" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: routes.serving.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" + duck.knative.dev/addressable: "true" +spec: + group: serving.knative.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # this is a work around so we don't need to flush out the + # schema for each version at this time + # + # see issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1 + served: true + storage: false + names: + kind: Route + plural: routes + singular: route + categories: + - all + - knative + - serving + shortNames: + - rt + scope: Namespaced + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: webhook + namespace: knative-serving + additionalPrinterColumns: + - name: URL + type: string + JSONPath: .status.url + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].reason" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serverlessservices.networking.internal.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" +spec: + group: networking.internal.knative.dev + versions: + - name: v1alpha1 + served: true + storage: true + names: + kind: ServerlessService + plural: serverlessservices + singular: serverlessservice + categories: + - knative-internal + - networking + shortNames: + - sks + scope: Namespaced + subresources: + status: {} + additionalPrinterColumns: + - name: Mode + type: string + JSONPath: ".spec.mode" + - name: ServiceName + type: string + JSONPath: ".status.serviceName" + - name: PrivateServiceName + type: string + JSONPath: ".status.privateServiceName" + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].reason" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: services.serving.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" + knative.dev/crd-install: "true" + duck.knative.dev/addressable: "true" + duck.knative.dev/podspecable: "true" +spec: + group: serving.knative.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # this is a work around so we don't need to flush out the + # schema for each version at this time + # + # see issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + - name: v1 + served: true + storage: false + names: + kind: Service + plural: services + singular: service + categories: + - all + - knative + - serving + shortNames: + - kservice + - ksvc + scope: Namespaced + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: webhook + namespace: knative-serving + additionalPrinterColumns: + - name: URL + type: string + JSONPath: .status.url + - name: LatestCreated + type: string + JSONPath: .status.latestCreatedRevisionName + - name: LatestReady + type: string + JSONPath: .status.latestReadyRevisionName + - name: Ready + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type=='Ready')].reason" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-addressable-resolver + labels: + serving.knative.dev/release: "v0.13.0" + # Labeled to facilitate aggregated cluster roles that act on Addressables. + duck.knative.dev/addressable: "true" +# Do not use this role directly. These rules will be added to the "addressable-resolver" role. +rules: +- apiGroups: + - serving.knative.dev + resources: + - routes + - routes/status + - services + - services/status + verbs: + - get + - list + - watch + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-namespaced-admin + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + serving.knative.dev/release: "v0.13.0" +rules: +- apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev", + "caching.internal.knative.dev"] + resources: ["*"] + verbs: ["*"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-namespaced-edit + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + serving.knative.dev/release: "v0.13.0" +rules: +- apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev", + "caching.internal.knative.dev"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-namespaced-view + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + serving.knative.dev/release: "v0.13.0" +rules: +- apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev", + "caching.internal.knative.dev"] + resources: ["*"] + verbs: ["get", "list", "watch"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-core + labels: + serving.knative.dev/release: "v0.13.0" + serving.knative.dev/controller: "true" +rules: +- apiGroups: [""] + resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services", + "events", "serviceaccounts"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: [""] + resources: ["endpoints/restricted"] # Permission for RestrictedEndpointsAdmission + verbs: ["create"] +- apiGroups: ["apps"] + resources: ["deployments", "deployments/finalizers"] # finalizers are needed for the owner reference of the webhook + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["autoscaling"] + resources: ["horizontalpodautoscalers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["serving.knative.dev", "autoscaling.internal.knative.dev", "networking.internal.knative.dev"] + resources: ["*", "*/status", "*/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", + "watch"] +- apiGroups: ["caching.internal.knative.dev"] + resources: ["images"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-podspecable-binding + labels: + serving.knative.dev/release: "v0.13.0" + # Labeled to facilitate aggregated cluster roles that act on PodSpecables. + duck.knative.dev/podspecable: "true" +# Do not use this role directly. These rules will be added to the "podspecable-binder" role. +rules: +- apiGroups: + - serving.knative.dev + resources: + - configurations + - services + verbs: + - list + - watch + - patch + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.serving.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: config.webhook.serving.knative.dev + namespaceSelector: + matchExpressions: + - key: serving.knative.dev/release + operator: Exists + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.serving.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: webhook.serving.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: validation.webhook.serving.knative.dev + labels: + serving.knative.dev/release: "v0.13.0" +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: webhook + namespace: knative-serving + failurePolicy: Fail + sideEffects: None + name: validation.webhook.serving.knative.dev + +--- +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: webhook-certs + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" +# The data is populated at install time. + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: custom-metrics-server-resources + labels: + serving.knative.dev/release: "v0.13.0" + autoscaling.knative.dev/metric-provider: custom-metrics +rules: +- apiGroups: ["custom.metrics.k8s.io"] + resources: ["*"] + verbs: ["*"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: custom-metrics:system:auth-delegator + labels: + serving.knative.dev/release: "v0.13.0" + autoscaling.knative.dev/metric-provider: custom-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: controller + namespace: knative-serving + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: hpa-controller-custom-metrics + labels: + serving.knative.dev/release: "v0.13.0" + autoscaling.knative.dev/metric-provider: custom-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom-metrics-server-resources +subjects: +- kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: custom-metrics-auth-reader + namespace: kube-system + labels: + serving.knative.dev/release: "v0.13.0" + autoscaling.knative.dev/metric-provider: custom-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: controller + namespace: knative-serving + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: autoscaler-hpa + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" + autoscaling.knative.dev/autoscaler-provider: hpa +spec: + selector: + matchLabels: + app: autoscaler-hpa + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + labels: + app: autoscaler-hpa + serving.knative.dev/release: "v0.13.0" + spec: + serviceAccountName: controller + containers: + - name: autoscaler-hpa + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa@sha256:3b58f5bdbc0a01ea592d671fd7b5f0291dfc6d366454c6e1ec00927f35723029 + resources: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + name: METRICS_DOMAIN + value: knative.dev/serving + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: autoscaler-hpa + serving.knative.dev/release: "v0.13.0" + autoscaling.knative.dev/autoscaler-provider: hpa + name: autoscaler-hpa + namespace: knative-serving +spec: + ports: + - # Define metrics and profiling for them to be accessible within service meshes. 
+ name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + selector: + app: autoscaler-hpa + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1beta1.custom.metrics.k8s.io + labels: + serving.knative.dev/release: "v0.13.0" + autoscaling.knative.dev/metric-provider: custom-metrics +spec: + service: + name: autoscaler + namespace: knative-serving + group: custom.metrics.k8s.io + version: v1beta1 + insecureSkipTLSVerify: true + groupPriorityMinimum: 100 + versionPriority: 100 + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # These are the permissions needed by the Istio Ingress implementation. 
+ name: knative-serving-istio + labels: + serving.knative.dev/release: "v0.13.0" + serving.knative.dev/controller: "true" + networking.knative.dev/ingress-provider: istio +rules: +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "gateways"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This is the shared Gateway for all Knative routes to use. +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: knative-ingress-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +# A cluster local gateway to allow pods outside of the mesh to access +# Services and Routes not exposing through an ingress. If the users +# do have a service mesh setup, this isn't required. +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: cluster-local-gateway + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + istio: cluster-local-gateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + +--- +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" + networking.knative.dev/ingress-provider: istio +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default Knative Gateway after v0.3. 
It points to the Istio + # standard istio-ingressgateway, instead of a custom one that we + # used pre-0.3. The configuration format should be `gateway. + # {{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}. + # {{ingress_namespace}}.svc.cluster.local"`. The {{gateway_namespace}} + # is optional; when it is omitted, the system will search for + # the gateway in the serving system namespace `knative-serving` + gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" + + # A cluster local gateway to allow pods outside of the mesh to access + # Services and Routes not exposing through an ingress. If the users + # do have a service mesh setup, this isn't required and can be removed. + # + # An example use case is when users want to use Istio without any + # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod + # is outside of the service mesh in that case, a cluster-local service + # will need to be exposed to a cluster-local gateway to be accessible. + # The configuration format should be `local-gateway.{{local_gateway_namespace}}. + # {{local_gateway_name}}: "{{cluster_local_gateway_name}}. + # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The + # {{local_gateway_namespace}} is optional; when it is omitted, the system + # will search for the local gateway in the serving system namespace + # `knative-serving` + local-gateway.knative-serving.cluster-local-gateway: "cluster-local-gateway.istio-system.svc.cluster.local" + + # To use only Istio service mesh and no cluster-local-gateway, replace + # all local-gateway.* entries by the following entry. + local-gateway.mesh: "mesh" + # TODO(nghia): Extract the .svc.cluster.local suffix into its own config. + +--- +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: networking-istio + namespace: knative-serving + labels: + serving.knative.dev/release: "v0.13.0" + networking.knative.dev/ingress-provider: istio +spec: + selector: + matchLabels: + app: networking-istio + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + # This must be outside of the mesh to probe the gateways. + # NOTE: this is allowed here and not elsewhere because + # this is the Istio controller, and so it may be Istio-aware. + sidecar.istio.io/inject: "false" + labels: + app: networking-istio + serving.knative.dev/release: "v0.13.0" + spec: + serviceAccountName: controller + containers: + - name: networking-istio + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/knative-releases/knative.dev/serving/cmd/networking/istio@sha256:0b8759bbb02461728546672d6e4a59fa0fdfc9bf31730ce41d5363d9b08b590f + resources: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config + name: METRICS_DOMAIN + value: knative.dev/serving + securityContext: + allowPrivilegeEscalation: false + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + +# Unlike other controllers, this doesn't need a Service defined for metrics and +# profiling because it opts out of the mesh (see annotation above). + +--- From 2601e2b7ed1ea1642313e275f6abbdb6b615599c Mon Sep 17 00:00:00 2001 From: Jim Crossley Date: Fri, 13 Mar 2020 17:09:49 -0400 Subject: [PATCH 3/5] Unit tests for resource overrides Added a dummy container to the webhook just to show that capability, even if yet unused --- .../knativeserving/common/resources_test.go | 126 ++++++++++++++++++ .../common/testdata/manifest.yaml | 2 + 2 files changed, 128 insertions(+) create mode 100644 pkg/reconciler/knativeserving/common/resources_test.go diff --git a/pkg/reconciler/knativeserving/common/resources_test.go b/pkg/reconciler/knativeserving/common/resources_test.go new file mode 100644 index 00000000..c7a20225 --- /dev/null +++ b/pkg/reconciler/knativeserving/common/resources_test.go 
@@ -0,0 +1,126 @@ +/* +Copyright 2020 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package common + +import ( + "reflect" + "testing" + + mf "github.com/manifestival/manifestival" + appsv1 "k8s.io/api/apps/v1" + v1 "k8s.io/api/core/v1" + "k8s.io/client-go/kubernetes/scheme" + servingv1alpha1 "knative.dev/serving-operator/pkg/apis/serving/v1alpha1" + "sigs.k8s.io/yaml" +) + +var testdata = []byte(` +- apiVersion: operator.knative.dev/v1alpha1 + kind: KnativeServing + metadata: + name: single-container + spec: + resources: + activator: + - requests: + cpu: 330m + memory: 69Mi + limits: + cpu: 9990m + memory: 690Mi +- apiVersion: operator.knative.dev/v1alpha1 + kind: KnativeServing + metadata: + name: multi-container + spec: + resources: + webhook: + - requests: + cpu: 22m + memory: 22Mi + limits: + cpu: 220m + memory: 220Mi + - requests: + cpu: 33m + memory: 42Mi + limits: + cpu: 330m + memory: 420Mi +- apiVersion: operator.knative.dev/v1alpha1 + kind: KnativeServing + metadata: + name: multi-deployment + spec: + resources: + autoscaler: + - requests: + cpu: 33m + memory: 42Mi + limits: + cpu: 330m + memory: 420Mi + controller: + - requests: + cpu: 999m + memory: 999Mi + limits: + cpu: 9990m + memory: 9990Mi +`) + +func TestResourceRequirementsTransform(t *testing.T) { + tests := []servingv1alpha1.KnativeServing{} + err := yaml.Unmarshal(testdata, &tests) + if err != nil { + t.Error(err) + return + } + for _, ks := range tests { + t.Run(ks.Name, func(t 
*testing.T) { + runResourceRequirementsTransformTest(t, &ks) + }) + } +} + +func runResourceRequirementsTransformTest(t *testing.T, ks *servingv1alpha1.KnativeServing) { + manifest, err := mf.NewManifest("testdata/manifest.yaml") + if err != nil { + t.Error(err) + } + actual, err := manifest.Transform(ResourceRequirementsTransform(ks, log)) + if err != nil { + t.Error(err) + } + for _, u := range actual.Filter(mf.ByKind("Deployment")).Resources() { + deployment := &appsv1.Deployment{} + if err := scheme.Scheme.Convert(&u, deployment, nil); err != nil { + t.Error(err) + } + containers := deployment.Spec.Template.Spec.Containers + for i := range containers { + expected := v1.ResourceRequirements{} + resources, ok := ks.Spec.Resources[deployment.Name] + if ok { + expected = resources[i] + } + if !reflect.DeepEqual(containers[i].Resources, expected) { + t.Errorf("Expected %v, Got %v", expected, containers[i].Resources) + } + } + } +} diff --git a/pkg/reconciler/knativeserving/common/testdata/manifest.yaml b/pkg/reconciler/knativeserving/common/testdata/manifest.yaml index 1a836ae8..ba3a04da 100644 --- a/pkg/reconciler/knativeserving/common/testdata/manifest.yaml +++ b/pkg/reconciler/knativeserving/common/testdata/manifest.yaml @@ -1373,6 +1373,8 @@ spec: containerPort: 8008 - name: https-webhook containerPort: 8443 + - name: another + image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:d33d129262f03921715c0f2e4cc4fae7b626438c907047df60e0f0f41688fbc2 --- apiVersion: v1 kind: Service From fae8a4fc13c5bd6a42c862317139bb1f23626695 Mon Sep 17 00:00:00 2001 
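Review bot: In `runResourceRequirementsTransformTest` the `mf.NewManifest` and `manifest.Transform` failures are reported with `t.Error(err)`, so the subtest carries on with an unusable `manifest` or `actual` and the real cause is buried under a secondary failure or panic. Both guards should stop the subtest with `t.Fatal(err)`. The `scheme.Scheme.Convert` check inside the loop has the same shape: after a failed conversion `deployment` is empty and the comparison below it checks nothing, so `t.Fatal(err)` fits there too.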
From: Jim Crossley Date: Sun, 15 Mar 2020 13:25:53 -0400 Subject: [PATCH 4/5] Change-of-plan: key by container name instead of deployment name This removes any assumption of container order in the deploy spec, with the minor trade-off of container names expected to be unique within the manifest. --- Gopkg.lock | 1 + ...0-serving-v1alpha1-knativeserving-crd.yaml | 66 +++++++++---------- .../serving/v1alpha1/knativeserving_types.go | 4 +- .../serving/v1alpha1/zz_generated.deepcopy.go | 14 +--- .../knativeserving/common/resources.go | 8 +-- .../knativeserving/common/resources_test.go | 18 ++--- 6 files changed, 45 insertions(+), 66 deletions(-) diff --git a/Gopkg.lock b/Gopkg.lock index d32dd798..0da8edb0 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -1458,6 +1458,7 @@ "knative.dev/pkg/test/logstream", "knative.dev/test-infra/scripts", "knative.dev/test-infra/tools/dep-collector", + "sigs.k8s.io/yaml", ] solver-name = "gps-cdcl" solver-version = 1 diff --git a/config/300-serving-v1alpha1-knativeserving-crd.yaml b/config/300-serving-v1alpha1-knativeserving-crd.yaml index de799475..c6a475da 100644 --- a/config/300-serving-v1alpha1-knativeserving-crd.yaml +++ b/config/300-serving-v1alpha1-knativeserving-crd.yaml 
@@ -131,40 +131,38 @@ spec: description: A mapping of deployment name to resource requirements type: object additionalProperties: - type: array - items: - type: object - properties: - requests: - type: object - properties: - memory: - type: string - pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ - cpu: - type: string - pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ - storage: - type: string - pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ - ephemeral-storage: - type: string - pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ - limits: - type: object - properties: - memory: - type: string - pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ - cpu: - type: string - pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ - storage: - type: string - pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ - ephemeral-storage: - type: string - pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + type: object + properties: + requests: + type: object + properties: + memory: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + cpu: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + storage: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + ephemeral-storage: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + limits: + type: object + properties: + memory: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + cpu: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + storage: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ + ephemeral-storage: + type: string + pattern: ^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$ type: object status: description: Status defines the observed state of KnativeServing diff --git a/pkg/apis/serving/v1alpha1/knativeserving_types.go b/pkg/apis/serving/v1alpha1/knativeserving_types.go index fdd9e77b..77548a46 100644 --- a/pkg/apis/serving/v1alpha1/knativeserving_types.go 
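Review bot: The `description` context line at the top of this hunk still reads `A mapping of deployment name to resource requirements`, although this commit changes the keys to container names. Anyone reading the CRD schema to write an override would key it by deployment and, as far as the transform in resources.go shows, get no effect and no error. Suggest `description: Resource requirement overrides, keyed by container name`. The same line is left unchanged again in the PATCH 5/5 hunk on this file, where the field becomes an array and the wording should follow.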
+++ b/pkg/apis/serving/v1alpha1/knativeserving_types.go @@ -106,9 +106,9 @@ type KnativeServingSpec struct { // +optional HighAvailability *HighAvailability `json:"high-availability,omitempty"` - // Override resource requirements; keyed by deployment name + // Override resource requirements; keyed by container name // +optional - Resources map[string][]corev1.ResourceRequirements `json:"resources,omitempty"` + Resources map[string]corev1.ResourceRequirements `json:"resources,omitempty"` } // KnativeServingStatus defines the observed state of KnativeServing diff --git a/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go index 1564f308..65cd8e79 100644 --- a/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go @@ -173,19 +173,9 @@ func (in *KnativeServingSpec) DeepCopyInto(out *KnativeServingSpec) { } if in.Resources != nil { in, out := &in.Resources, &out.Resources - *out = make(map[string][]v1.ResourceRequirements, len(*in)) + *out = make(map[string]v1.ResourceRequirements, len(*in)) for key, val := range *in { - var outVal []v1.ResourceRequirements - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = make([]v1.ResourceRequirements, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - (*out)[key] = outVal + (*out)[key] = *val.DeepCopy() } } return diff --git a/pkg/reconciler/knativeserving/common/resources.go b/pkg/reconciler/knativeserving/common/resources.go index 0ac3b357..cec4226c 100644 --- a/pkg/reconciler/knativeserving/common/resources.go +++ b/pkg/reconciler/knativeserving/common/resources.go @@ -20,7 +20,6 @@ import ( mf "github.com/manifestival/manifestival" "go.uber.org/zap" appsv1 "k8s.io/api/apps/v1" - v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/client-go/kubernetes/scheme" 
@@ -37,13 +36,8 @@ func ResourceRequirementsTransform(instance *servingv1alpha1.KnativeServing, log return err } containers := deployment.Spec.Template.Spec.Containers - overrides := instance.Spec.Resources[u.GetName()] for i := range containers { - if len(overrides) > i { - containers[i].Resources = overrides[i] - } else { - containers[i].Resources = v1.ResourceRequirements{} - } + containers[i].Resources = instance.Spec.Resources[containers[i].Name] } if err := scheme.Scheme.Convert(deployment, u, nil); err != nil { return err diff --git a/pkg/reconciler/knativeserving/common/resources_test.go b/pkg/reconciler/knativeserving/common/resources_test.go index c7a20225..b60faa6f 100644 --- a/pkg/reconciler/knativeserving/common/resources_test.go +++ b/pkg/reconciler/knativeserving/common/resources_test.go @@ -22,7 +22,6 @@ import ( mf "github.com/manifestival/manifestival" appsv1 "k8s.io/api/apps/v1" - v1 "k8s.io/api/core/v1" "k8s.io/client-go/kubernetes/scheme" servingv1alpha1 "knative.dev/serving-operator/pkg/apis/serving/v1alpha1" "sigs.k8s.io/yaml" @@ -36,7 +35,7 @@ var testdata = []byte(` spec: resources: activator: - - requests: + requests: cpu: 330m memory: 69Mi limits: @@ -49,13 +48,14 @@ var testdata = []byte(` spec: resources: webhook: - - requests: + requests: cpu: 22m memory: 22Mi limits: cpu: 220m memory: 220Mi - - requests: + another: + requests: cpu: 33m memory: 42Mi limits: @@ -68,14 +68,14 @@ var testdata = []byte(` spec: resources: autoscaler: - - requests: + requests: cpu: 33m memory: 42Mi limits: cpu: 330m memory: 420Mi controller: - - requests: + requests: cpu: 999m memory: 999Mi limits: 
@@ -113,11 +113,7 @@ func runResourceRequirementsTransformTest(t *testing.T, ks *servingv1alpha1.Knat } containers := deployment.Spec.Template.Spec.Containers for i := range containers { - expected := v1.ResourceRequirements{} - resources, ok := ks.Spec.Resources[deployment.Name] - if ok { - expected = resources[i] - } + expected := ks.Spec.Resources[containers[i].Name] if !reflect.DeepEqual(containers[i].Resources, expected) { t.Errorf("Expected %v, Got %v", expected, containers[i].Resources) } From 93fedc59d79ff0b3ab687332d6e2ab9994525c3f Mon Sep 17 00:00:00 2001 From: Jim Crossley Date: Mon, 16 Mar 2020 15:56:40 -0400 Subject: [PATCH 5/5] Son of change-of-plan: no more default removal of resource reqs We now merge the resource overrides with the existing specs, so that the upstream defaults remain intact if there are no overrides in the KnativeServing CR. We also converted the map to an array to abide by k8s conventions. --- ...0-serving-v1alpha1-knativeserving-crd.yaml | 7 +- .../serving/v1alpha1/knativeserving_types.go | 13 +- .../serving/v1alpha1/zz_generated.deepcopy.go | 23 +- .../knativeserving/common/resources.go | 25 +- .../knativeserving/common/resources_test.go | 262 +++++++++++++++--- 5 files changed, 286 insertions(+), 44 deletions(-) diff --git a/config/300-serving-v1alpha1-knativeserving-crd.yaml b/config/300-serving-v1alpha1-knativeserving-crd.yaml index c6a475da..bdc80a54 100644 --- a/config/300-serving-v1alpha1-knativeserving-crd.yaml +++ b/config/300-serving-v1alpha1-knativeserving-crd.yaml @@ -129,10 +129,13 @@ spec: minimum: 1 resources: description: A mapping of deployment name to resource requirements - type: object - additionalProperties: + type: array + items: type: object properties: + container: + description: The name of the container + type: string requests: type: object properties: diff --git a/pkg/apis/serving/v1alpha1/knativeserving_types.go b/pkg/apis/serving/v1alpha1/knativeserving_types.go index 77548a46..54da4277 100644 
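Review bot: The new `container` property in the `items` schema is not marked as required, so an entry that omits it passes CRD validation. Going by `find` in resources.go, which compares `override.Container` with the container name, such an entry would match nothing and be dropped silently. Adding `required: [container]` next to `properties` (and possibly `minLength: 1` on `container`) lets the API server reject the typo instead of the operator ignoring it.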
--- a/pkg/apis/serving/v1alpha1/knativeserving_types.go +++ b/pkg/apis/serving/v1alpha1/knativeserving_types.go @@ -77,6 +77,15 @@ type HighAvailability struct { Replicas int32 `json:"replicas"` } +// ResourceRequirementsOverride enables the user to override any container's +// resource requests/limits specified in the embedded manifest +type ResourceRequirementsOverride struct { + // The container name + Container string `json:"container"` + // The desired ResourceRequirements + corev1.ResourceRequirements +} + // KnativeServingSpec defines the desired state of KnativeServing // +k8s:openapi-gen=true type KnativeServingSpec struct { @@ -106,9 +115,9 @@ type KnativeServingSpec struct { // +optional HighAvailability *HighAvailability `json:"high-availability,omitempty"` - // Override resource requirements; keyed by container name + // Override containers' resource requirements // +optional - Resources map[string]corev1.ResourceRequirements `json:"resources,omitempty"` + Resources []ResourceRequirementsOverride `json:"resources,omitempty"` } // KnativeServingStatus defines the observed state of KnativeServing diff --git a/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go index 65cd8e79..197ef27d 100644 --- a/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/serving/v1alpha1/zz_generated.deepcopy.go @@ -173,9 +173,9 @@ func (in *KnativeServingSpec) DeepCopyInto(out *KnativeServingSpec) { } if in.Resources != nil { in, out := &in.Resources, &out.Resources - *out = make(map[string]v1.ResourceRequirements, len(*in)) - for key, val := range *in { - (*out)[key] = *val.DeepCopy() + *out = make([]ResourceRequirementsOverride, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) } } return 
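Review bot: The embedded `corev1.ResourceRequirements` in `ResourceRequirementsOverride` carries no struct tag. `encoding/json` flattens an untagged embedded struct, so `requests` and `limits` do land beside `container`, but Kubernetes API types conventionally spell this out as `corev1.ResourceRequirements `json:",inline"``, and schema generators may depend on the tag (the spec type is marked `+k8s:openapi-gen=true`). The comment on the `Resources` field could also say that entries are matched by container name across all deployments in the manifest, which is the trade-off the PATCH 4/5 description mentions.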
@@ -241,3 +241,20 @@ func (in *Registry) DeepCopy() *Registry { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResourceRequirementsOverride) DeepCopyInto(out *ResourceRequirementsOverride) { + *out = *in + in.ResourceRequirements.DeepCopyInto(&out.ResourceRequirements) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRequirementsOverride. +func (in *ResourceRequirementsOverride) DeepCopy() *ResourceRequirementsOverride { + if in == nil { + return nil + } + out := new(ResourceRequirementsOverride) + in.DeepCopyInto(out) + return out +} diff --git a/pkg/reconciler/knativeserving/common/resources.go b/pkg/reconciler/knativeserving/common/resources.go index cec4226c..042b9cb0 100644 --- a/pkg/reconciler/knativeserving/common/resources.go +++ b/pkg/reconciler/knativeserving/common/resources.go @@ -20,6 +20,7 @@ import ( mf "github.com/manifestival/manifestival" "go.uber.org/zap" appsv1 "k8s.io/api/apps/v1" + v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/client-go/kubernetes/scheme" @@ -37,7 +38,10 @@ func ResourceRequirementsTransform(instance *servingv1alpha1.KnativeServing, log } containers := deployment.Spec.Template.Spec.Containers for i := range containers { - containers[i].Resources = instance.Spec.Resources[containers[i].Name] + if override := find(instance, containers[i].Name); override != nil { + merge(&override.Limits, &containers[i].Resources.Limits) + merge(&override.Requests, &containers[i].Resources.Requests) + } } if err := scheme.Scheme.Convert(deployment, u, nil); err != nil { return err 
@@ -48,3 +52,22 @@ func ResourceRequirementsTransform(instance *servingv1alpha1.KnativeServing, log return nil } } + +func merge(src, tgt *v1.ResourceList) { + if len(*tgt) > 0 { + for k, v := range *src { + (*tgt)[k] = v + } + } else { + *tgt = *src + } +} + +func find(instance *servingv1alpha1.KnativeServing, name string) *servingv1alpha1.ResourceRequirementsOverride { + for _, override := range instance.Spec.Resources { + if override.Container == name { + return &override + } + } + return nil +} diff --git a/pkg/reconciler/knativeserving/common/resources_test.go b/pkg/reconciler/knativeserving/common/resources_test.go index b60faa6f..fb51b771 100644 --- a/pkg/reconciler/knativeserving/common/resources_test.go +++ b/pkg/reconciler/knativeserving/common/resources_test.go 
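Review bot: In `merge`, the `else` branch (`*tgt = *src`) makes the container's `ResourceList` the same map as the one held in the KnativeServing spec, so every container matched by that override shares one map with the CR and a later write through any of them changes the others. Copying entry by entry into a map owned by the target removes the aliasing and the special case. `find` returns `&override`, a pointer to the range variable's copy; returning `&instance.Spec.Resources[i]` states what is handed back, and note that the first of several entries with the same `container` wins without any signal. Nothing in this hunk checks that a merged request still fits under the resulting limit, so that presumably only surfaces when the Deployment is applied.

```go
func merge(src, tgt *v1.ResourceList) {
	if len(*src) == 0 {
		return
	}
	if *tgt == nil {
		*tgt = make(v1.ResourceList, len(*src))
	}
	for k, v := range *src {
		// Copy the quantity so the Deployment does not alias the CR's spec.
		(*tgt)[k] = v.DeepCopy()
	}
}

func find(instance *servingv1alpha1.KnativeServing, name string) *servingv1alpha1.ResourceRequirementsOverride {
	for i := range instance.Spec.Resources {
		if instance.Spec.Resources[i].Container == name {
			return &instance.Spec.Resources[i]
		}
	}
	return nil
}
```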
@@ -22,87 +22,277 @@ import ( mf "github.com/manifestival/manifestival" appsv1 "k8s.io/api/apps/v1" + v1 "k8s.io/api/core/v1" "k8s.io/client-go/kubernetes/scheme" servingv1alpha1 "knative.dev/serving-operator/pkg/apis/serving/v1alpha1" "sigs.k8s.io/yaml" ) +type resourceOverrideTest struct { + Input servingv1alpha1.KnativeServing + Expected map[string]v1.ResourceRequirements +} + var testdata = []byte(` -- apiVersion: operator.knative.dev/v1alpha1 - kind: KnativeServing - metadata: - name: single-container - spec: - resources: - activator: - requests: - cpu: 330m - memory: 69Mi +- input: + apiVersion: operator.knative.dev/v1alpha1 + kind: KnativeServing + metadata: + name: no-overrides + expected: + activator: + requests: + cpu: 300m + memory: 60Mi + limits: + cpu: 1 + memory: 600Mi + autoscaler: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + controller: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 1 + memory: 1000Mi + webhook: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + autoscaler-hpa: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + networking-istio: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi +- input: + apiVersion: operator.knative.dev/v1alpha1 + kind: KnativeServing + metadata: + name: single-container + spec: + resources: + - container: activator limits: - cpu: 9990m - memory: 690Mi -- apiVersion: operator.knative.dev/v1alpha1 - kind: KnativeServing - metadata: - name: multi-container - spec: - resources: - webhook: + cpu: 9999m + memory: 999Mi + expected: + activator: + requests: + cpu: 300m + memory: 60Mi + limits: + cpu: 9999m + memory: 999Mi + autoscaler: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + controller: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 1 + memory: 1000Mi + webhook: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + 
autoscaler-hpa: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + networking-istio: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi +- input: + apiVersion: operator.knative.dev/v1alpha1 + kind: KnativeServing + metadata: + name: multi-container + spec: + resources: + - container: webhook requests: cpu: 22m memory: 22Mi limits: cpu: 220m memory: 220Mi - another: + - container: another requests: cpu: 33m memory: 42Mi limits: cpu: 330m memory: 420Mi -- apiVersion: operator.knative.dev/v1alpha1 - kind: KnativeServing - metadata: - name: multi-deployment - spec: - resources: - autoscaler: + expected: + webhook: + requests: + cpu: 22m + memory: 22Mi + limits: + cpu: 220m + memory: 220Mi + another: + requests: + cpu: 33m + memory: 42Mi + limits: + cpu: 330m + memory: 420Mi + activator: + requests: + cpu: 300m + memory: 60Mi + limits: + cpu: 1 + memory: 600Mi + autoscaler: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + controller: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 1 + memory: 1000Mi + autoscaler-hpa: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + networking-istio: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi +- input: + apiVersion: operator.knative.dev/v1alpha1 + kind: KnativeServing + metadata: + name: multi-deployment + spec: + resources: + - container: autoscaler requests: cpu: 33m memory: 42Mi limits: cpu: 330m memory: 420Mi - controller: + - container: controller requests: cpu: 999m memory: 999Mi limits: cpu: 9990m memory: 9990Mi + expected: + autoscaler: + requests: + cpu: 33m + memory: 42Mi + limits: + cpu: 330m + memory: 420Mi + controller: + requests: + cpu: 999m + memory: 999Mi + limits: + cpu: 9990m + memory: 9990Mi + activator: + requests: + cpu: 300m + memory: 60Mi + limits: + cpu: 1 + memory: 600Mi + webhook: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + 
autoscaler-hpa: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi + networking-istio: + requests: + cpu: 30m + memory: 40Mi + limits: + cpu: 300m + memory: 400Mi `) func TestResourceRequirementsTransform(t *testing.T) { - tests := []servingv1alpha1.KnativeServing{} + tests := []resourceOverrideTest{} err := yaml.Unmarshal(testdata, &tests) if err != nil { t.Error(err) return } - for _, ks := range tests { - t.Run(ks.Name, func(t *testing.T) { - runResourceRequirementsTransformTest(t, &ks) + for _, test := range tests { + t.Run(test.Input.Name, func(t *testing.T) { + runResourceRequirementsTransformTest(t, &test) }) } } -func runResourceRequirementsTransformTest(t *testing.T, ks *servingv1alpha1.KnativeServing) { +func runResourceRequirementsTransformTest(t *testing.T, test *resourceOverrideTest) { manifest, err := mf.NewManifest("testdata/manifest.yaml") if err != nil { t.Error(err) } - actual, err := manifest.Transform(ResourceRequirementsTransform(ks, log)) + actual, err := manifest.Transform(ResourceRequirementsTransform(&test.Input, log)) if err != nil { t.Error(err) } @@ -113,9 +303,9 @@ func runResourceRequirementsTransformTest(t *testing.T, ks *servingv1alpha1.Knat } containers := deployment.Spec.Template.Spec.Containers for i := range containers { - expected := ks.Spec.Resources[containers[i].Name] + expected := test.Expected[containers[i].Name] if !reflect.DeepEqual(containers[i].Resources, expected) { - t.Errorf("Expected %v, Got %v", expected, containers[i].Resources) + t.Errorf("\n Name: %s\n Expect: %v\n Actual: %v", containers[i].Name, expected, containers[i].Resources) } } }
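Review bot: None of the four cases in `testdata` overrides a single key inside `limits` or `requests`; every override supplies both `cpu` and `memory`, so the per-key loop in `merge` is only exercised as a whole-list replacement. A case that sets only `limits.cpu` for `activator` and expects the upstream `memory: 600Mi` to survive would pin down the merge behaviour the PATCH 5/5 description promises. A second case with a `container` name that exists in no deployment would document that such an override is ignored. In the driver, `expected := test.Expected[containers[i].Name]` yields an empty value for any container missing from `expected`, so a comment saying that every manifest container must be listed would help the next person adding one.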