This Charm deploys a modified version of the Namespace Node Affinity Kubernetes MutatingWebhook.
The Namespace Node Affinity webhook allows a user to add a given set of node affinities and/or tolerations to all pods deployed in a namespace. This is useful for example in a case where you have a cluster that has some nodes with specific labels (eg: nodes labeled control-plane) and you want all workloads in a Kubernetes namespace to be deployed only on those nodes and not any others in the cluster. More descriptions of the tool are given in the upstream README.md.
This charm is deployed using the Juju command line tool as follows:
juju deploy namespace-node-affinity --trustBy default, the webhook is not configured to modify pods in any namespace. To add namespaces to its scope, the user must:
- provide a
settings_yamlconfig file - label any namespace we want to work on with the label
namespace-node-affinity=enabled
These configurations can be modified during charm runtime, and the webhook always uses the most up to date value.
We must provide the settings_yaml config, which is a YAML string as described upstream. For example, we can configure the tool to apply:
- apply a node affinity for pods in
testing-ns-ato look for pods with the labelcontrol-plane=true, but only to pods that do not have the labelignoreme: ignored - apply a node affinity for pods in
testing-ns-bto look for pods with the labelother-key: other-value
by setting the charm config:
cat <<EOF > settings.yaml
testing-ns-a: |
nodeSelectorTerms:
- matchExpressions:
- key: control-plane
operator: In
values:
- true
excludedLabels:
ignoreme: ignored
testing-ns-b: |
nodeSelectorTerms:
- matchExpressions:
- key: other-key
operator: In
values:
- other-value
EOF
SETTINGS_YAML=$(cat settings.yaml)
juju config namespace-node-affinity settings_yaml="$SETTINGS_YAML"We must apply the label namespace-node-affinity=enabled to all namespaces being acted on by this tool (this is a requirement by the tool itself, not the chaming application. We might change this in future as it feels like a redundant setting). For example, you can do:
kubectl label ns testing-ns-a namespace-node-affinity=enabled
kubectl label ns testing-ns-b namespace-node-affinity=enabledWhen debugging this charm, it is sometimes useful to send AdmissionReview JSON payloads to the webhook pod in the same format as what the Kubernetes API would send in order to check if the webhook pods are working properly. To facilitate that, this tool was used during charm development and might be useful.