docs/examples/simple-deployment.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: aws-spots-booster
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-spots-booster
  namespace: aws-spots-booster
  labels:
    app: aws-spots-booster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aws-spots-booster
  labels:
    app: aws-spots-booster
rules:
  # Permissions needed to watch nodes / to add annotations
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: [ "watch", "list", "get", "update" ]

  # Permissions needed by the events' watcher
  - apiGroups: [""]
    resources: ["events", "endpoints"]
    verbs: ["create", "patch"]

  # Permissions needed to execute drain process
  - apiGroups: [""]
    resources: ["pods/eviction"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["cluster-autoscaler"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["watch", "list", "get", "update"]
  - apiGroups: [""]
    resources:
      - "namespaces"
      - "pods"
      - "services"
      - "replicationcontrollers"
      - "persistentvolumeclaims"
      - "persistentvolumes"
    verbs: ["watch", "list", "get"]
  - apiGroups: ["extensions"]
    resources: ["replicasets", "daemonsets"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["watch", "list"]
  - apiGroups: ["apps"]
    resources: ["statefulsets", "replicasets", "daemonsets"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "patch"]

  # TODO decide if this policies are needed
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
  - apiGroups: ["coordination.k8s.io"]
    resourceNames: ["cluster-autoscaler"]
    resources: ["leases"]
    verbs: ["get", "update"]

  # Permissions needed by CA Status watcher
  - apiGroups: [ "" ]
    resources: [ "configmaps" ]
    verbs: [ "list","watch" ]
  - apiGroups: [ "" ]
    resources: [ "configmaps" ]
    resourceNames: [ "cluster-autoscaler-status" ]
    verbs: [ "get", "watch" ]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aws-spots-booster
  labels:
    app: aws-spots-booster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aws-spots-booster
subjects:
  - kind: ServiceAccount
    name: aws-spots-booster
    namespace: aws-spots-booster

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aws-spots-booster
  namespace: aws-spots-booster
  labels:
    app: aws-spots-booster
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aws-spots-booster
  template:
    metadata:
      labels:
        app: aws-spots-booster
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '2112'
    spec:
      priorityClassName: system-cluster-critical # TODO
      securityContext: # TODO
        runAsNonRoot: true
        runAsUser: 65534
        fsGroup: 65534
      serviceAccountName: aws-spots-booster
      containers:
        - image: docplanner/aws-spots-booster:v0.0.1
          name: aws-spots-booster
          resources:
            limits:
              cpu: 100m
              memory: 600Mi
            requests:
              cpu: 100m
              memory: 600Mi
          command:
            - ./manager
            - --zap-log-level=debug
            - --max-concurrent-drains=5
            - --time-between-drains=60s
            - --extra-nodes-over-calculation=3
          volumeMounts:
            - name: ssl-certs
              mountPath: /etc/ssl/certs/ca-certificates.crt #/etc/ssl/certs/ca-bundle.crt for Amazon Linux Worker Nodes
              readOnly: true
          imagePullPolicy: "Always"
      volumes:
        - name: ssl-certs
          hostPath:
            path: "/etc/ssl/certs/ca-bundle.crt"