Skip to main content
Version: latest

Operator

Description

TODO

Resource Template

TODO

Resource Management

The resource requirements of containers making up the PODs to be spawned by the Operator can be controlled by annotating the respective custom resource. As of now, annotation of Trench, Attractor and Conduit resources are supported, because these are responsible for creating POD resources.

A Trench can be annotated to set resource requirements by following the example below.

apiVersion: meridio.nordix.org/v1alpha1
kind: Trench
metadata:
name: trench-a
annotations:
resource-template: "small"
spec:
ip-family: dualstack

For each container making up a specific custom resource (e.g. Trench) the annotation value for key resource-template is interpreted as the name of a resource requirements template. Such templates are defined per container, and are to be specified before building the Operator.

As an example some templates are included for each container out-of-the-box. But they are not verified to fit any production use cases, and can be overridden at will. (A template is basically a kubernetes core v1 ResourceRequirements block with name.)

The Operator looks up the templates based on the annotation value for each container contributing to the particular custom resource. If a template is missing for a container, then deployment proceeds without setting resource requirements for the container at issue. Otherwise the related resources will be deployed by importing the respective resource requirements from the matching templates.

Updating the annotation of a custom resource is possible. Changes will be applied by kubernetes according to the Update Strategy of the related resources. Service disturbances and outages are to be expected.

Configuration

Environment variableTypeDescriptionDefault

Command Line

CommandActionDefault
--helpDisplay a help describing
--versionDisplay the version
--debugPrints meridio-version, unix-time, network-interfaces, rules, route, neighbors, system information, and environment-variables in a json format

Communication

Here are all components the operator is communicating with:

ComponentSecuredMethodDescription
SpireTBDUnix SocketObtain and validate SVIDs
Kubernetes APITBDTCPApply/Update/Delete/Watch resources

An overview of the communications between all components is available here.

Health check

The health check is provided by the GRPC Health Checking Protocol. The status returned can be UNKNOWN, SERVING, NOT_SERVING or SERVICE_UNKNOWN.

TODO

Privileges

To work properly, here are the privileges required by the operator:

NameDescription
Kubernetes APImeridio-operator-manager-role - daemonsets - create, delete, get, list, patch, update, watch
Kubernetes APImeridio-operator-manager-role - deployments - create, delete, get, list, patch, update, watch
Kubernetes APImeridio-operator-manager-role - statefulsets - create, delete, get, list, patch, update, watch
Kubernetes APImeridio-operator-manager-role - configmaps - create, delete, get, list, patch, update, watch
Kubernetes APImeridio-operator-manager-role - serviceaccounts - create, delete, get, list, patch, update, watch
Kubernetes APImeridio-operator-manager-role - services - create, delete, get, list, patch, update, watch
Kubernetes APImeridio-operator-manager-role - rolebindings - create, delete, get, list, patch, update, watch
Kubernetes APImeridio-operator-manager-role - roles - create, delete, get, list, patch, update, watch
Kubernetes APImeridio-operator-manager-role - trenches - get, list, update, watch
Kubernetes APImeridio-operator-manager-role - conduits - get, list, update, watch
Kubernetes APImeridio-operator-manager-role - streams - get, list, update, watch
Kubernetes APImeridio-operator-manager-role - flows - get, list, update, watch
Kubernetes APImeridio-operator-manager-role - vips - get, list, update, watch
Kubernetes APImeridio-operator-manager-role - attractors - get, list, update, watch
Kubernetes APImeridio-operator-leader-election-role - gateways - get, list, update, watch
Kubernetes APImeridio-operator-leader-election-role - configmaps - get, list, watch, create, update, patch, delete
Kubernetes APImeridio-operator-leader-election-role - leases - get, list, watch, create, update, patch, delete
Kubernetes APImeridio-operator-leader-election-role - event - create, patch
Kubernetes APIValidating Webhook - trenches - create, update
Kubernetes APIValidating Webhook - conduits - create, update
Kubernetes APIValidating Webhook - streams - create, update
Kubernetes APIValidating Webhook - flows - create, update
Kubernetes APIValidating Webhook - vips - create, update
Kubernetes APIValidating Webhook - attractors - create, update
Kubernetes APIValidating Webhook - gateways - create, update
Kubernetes APIMutating Webhook - gateways - create, update