Pulse Operator CRD and RBAC
The Pulse Operator CRD is a configuration file that defines how Kubernetes should manage Pulse components throughout their lifecycle. It includes the structure (schema) of the Custom Resource (CR) created by the Pulse Manager Server and ensures the Pulse Operator keeps the Pulse environment running as expected.
This CRD:
- Belongs to the Kubernetes API group pulse.acceldata.com
- Runs in the same namespace as the controller-manager
- Continuously monitors the Pulse service pods
- Manages the number of running instances (replicas)
- Handles leader election
- Detects and responds to configuration changes or updates
To perform these tasks, the operator uses a set of Role-Based Access Control (RBAC) policies, defined as Roles and RoleBindings, which limit its access and permissions to the same namespace.
The CRD definition and the required RBAC policies are provided in the following sections.
Custom Resource Definition
```yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: pulseoperators.pulse.acceldata.com
spec:
  group: pulse.acceldata.com
  names:
    kind: PulseOperator
    listKind: PulseOperatorList
    plural: pulseoperators
    singular: pulseoperator
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: PulseOperator is the Schema for the pulseoperators API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: PulseOperatorSpec defines the desired state of PulseOperator
            properties:
              addons:
                items:
                  type: string
                type: array
              emissary_https_node_port:
                format: int32
                type: integer
              emissary_logstash_node_port:
                format: int32
                type: integer
              emissary_nats_node_port:
                format: int32
                type: integer
              emissary_new_ui_node_port:
                format: int32
                type: integer
              emissary_node_port:
                format: int32
                type: integer
              enable_pulse_monitoring:
                type: boolean
              environment:
                type: string
              host_aliases:
                items:
                  description: 'HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod''s hosts file.'
                  properties:
                    hostnames:
                      description: Hostnames for the above IP address.
                      items:
                        type: string
                      type: array
                    ip:
                      description: IP address of the host file entry.
                      type: string
                  type: object
                type: array
              install_emissary:
                type: boolean
              microservices:
                items:
                  properties:
                    command:
                      items:
                        type: string
                      type: array
                    enableHPA:
                      type: boolean
                    environment_variables:
                      additionalProperties:
                        type: string
                      type: object
                    image:
                      type: string
                    kind:
                      type: string
                    labels:
                      additionalProperties:
                        type: string
                      type: object
                    livenessProbe:
                      properties:
                        failureThreshold:
                          type: integer
                        initialDelaySeconds:
                          type: integer
                        path:
                          type: string
                        periodSeconds:
                          type: integer
                        port:
                          type: integer
                        successThreshold:
                          type: integer
                        timeoutSeconds:
                          type: integer
                      required:
                      - failureThreshold
                      - initialDelaySeconds
                      - path
                      - periodSeconds
                      - port
                      - successThreshold
                      - timeoutSeconds
                      type: object
                    max_replicas:
                      format: int32
                      type: integer
                    name:
                      type: string
                    ports:
                      additionalProperties:
                        type: string
                      type: object
                    pulse_cluster:
                      type: string
                    readinessProbe:
                      properties:
                        failureThreshold:
                          type: integer
                        initialDelaySeconds:
                          type: integer
                        path:
                          type: string
                        periodSeconds:
                          type: integer
                        port:
                          type: integer
                        successThreshold:
                          type: integer
                        timeoutSeconds:
                          type: integer
                      required:
                      - failureThreshold
                      - initialDelaySeconds
                      - path
                      - periodSeconds
                      - port
                      - successThreshold
                      - timeoutSeconds
                      type: object
                    replicas:
                      format: int32
                      type: integer
                    resources:
                      properties:
                        limits:
                          properties:
                            cpu:
                              type: string
                            memory:
                              type: string
                          required:
                          - cpu
                          - memory
                          type: object
                        requests:
                          properties:
                            cpu:
                              type: string
                            memory:
                              type: string
                          required:
                          - cpu
                          - memory
                          type: object
                      required:
                      - limits
                      - requests
                      type: object
                    volumes:
                      items:
                        description: 'only one of the config map or host path entry would be valid, the volume would be prepared by using configmap or through host path on node where deployment exist'
                        properties:
                          configmap_name:
                            type: string
                          container_path:
                            type: string
                          host_path:
                            type: string
                          is_directory:
                            type: boolean
                          name:
                            type: string
                          pvc_name:
                            type: string
                          read_only:
                            type: boolean
                          sub_path:
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                  required:
                  - environment_variables
                  - image
                  - name
                  - replicas
                  - resources
                  type: object
                type: array
              multi_kdc:
                type: boolean
              pulse_agent:
                items:
                  properties:
                    environment_variables:
                      additionalProperties:
                        type: string
                      type: object
                    image:
                      type: string
                    labels:
                      additionalProperties:
                        type: string
                      type: object
                    name:
                      type: string
                    ports:
                      additionalProperties:
                        type: string
                      type: object
                    resources:
                      properties:
                        limits:
                          properties:
                            cpu:
                              type: string
                            memory:
                              type: string
                          required:
                          - cpu
                          - memory
                          type: object
                        requests:
                          properties:
                            cpu:
                              type: string
                            memory:
                              type: string
                          required:
                          - cpu
                          - memory
                          type: object
                      required:
                      - limits
                      - requests
                      type: object
                    terminateGracePeriodSeconds:
                      format: int32
                      type: integer
                    volumes:
                      items:
                        properties:
                          configmap_name:
                            type: string
                          mountPath:
                            type: string
                          name:
                            type: string
                          subPath:
                            type: string
                        type: object
                      type: array
                  required:
                  - image
                  - name
                  - resources
                  type: object
                type: array
              registry_prefix:
                type: string
              registry_secret:
                type: string
              version:
                type: string
            required:
            - registry_prefix
            - registry_secret
            - version
            type: object
          status:
            description: 'PulseOperatorStatus defines the observed state of PulseOperator Important: Run "make" to regenerate code after modifying this file'
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
```
RBAC
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: installer
    app.kubernetes.io/instance: controller-manager
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: serviceaccount
    app.kubernetes.io/part-of: installer
  name: controller-manager
  namespace: PULSE_NAMESPACE
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: installer
    app.kubernetes.io/instance: leader-election-role
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: role
    app.kubernetes.io/part-of: installer
  name: leader-election-role
  namespace: PULSE_NAMESPACE
rules:
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - '*'
  resources:
  - pods
  - pods/log
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - pods/exec
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ''
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ''
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - batch
  resources:
  - jobs
  - jobs/batch
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ''
  resources:
  - services
  - configmaps
  - persistentvolumeclaims
  - secrets
  - daemonsets
  verbs:
  - create
  - delete
  - patch
  - get
  - list
  - watch
  - update
- apiGroups:
  - pulse.acceldata.com
  resources:
  - pulseoperators
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - pulse.acceldata.com
  resources:
  - pulseoperators/finalizers
  verbs:
  - update
- apiGroups:
  - pulse.acceldata.com
  resources:
  - pulseoperators/status
  verbs:
  - get
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: installer
    app.kubernetes.io/instance: leader-election-rolebinding
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: rolebinding
    app.kubernetes.io/part-of: installer
  name: leader-election-rolebinding
  namespace: PULSE_NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election-role
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: PULSE_NAMESPACE
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: manager-role
  namespace: PULSE_NAMESPACE
rules:
- apiGroups:
  - pulse.acceldata.com
  - policy
  - apps
  resources:
  - pulseoperators
  - poddisruptionbudgets
  - statefulsets
  - daemonsets
  - modules
  - tcpmappings
  - hosts
  - tlscontexts
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - pulse.acceldata.com
  resources:
  - pulseoperators/finalizers
  verbs:
  - update
- apiGroups:
  - pulse.acceldata.com
  resources:
  - pulseoperators/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - delete
- apiGroups:
  - ''
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: installer
    app.kubernetes.io/instance: manager-rolebinding
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: rolebinding
    app.kubernetes.io/part-of: installer
  name: manager-rolebinding
  namespace: PULSE_NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: manager-role
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: PULSE_NAMESPACE
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-watcher
rules:
- apiGroups:
  - ''
  resources:
  - pods
  - configmaps
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-watcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-watcher
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: PULSE_NAMESPACE
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rbacscalability
  namespace: PULSE_NAMESPACE
rules:
- apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rbindingscalability
  namespace: PULSE_NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rbacscalability
subjects:
- kind: User
  name: system:serviceaccount:PULSE_NAMESPACE:default
```
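Before applying these roles, a reviewer can list which rules grant wildcard access, pod exec, secret reads, or workload writes. The following Python audit is an added example, not part of the Pulse documentation or the operator's code; it assumes role JSON in the shape returned by `kubectl get roles -o json`, the embedded sample is constructed from rules in leader-election-role and rbacscalability, and the label names are this example's own.

```python
import json

# Constructed sample: rules copied from leader-election-role and rbacscalability
# on this page, in the shape `kubectl get roles -n <namespace> -o json` returns.
ROLES_JSON = """{"items": [
 {"metadata": {"name": "leader-election-role"}, "rules": [
  {"apiGroups": ["*"], "resources": ["pods", "pods/log"], "verbs": ["*"]},
  {"apiGroups": ["*"], "resources": ["pods/exec"], "verbs": ["*"]},
  {"apiGroups": [""], "resources": ["services", "configmaps", "persistentvolumeclaims", "secrets", "daemonsets"],
   "verbs": ["create", "delete", "patch", "get", "list", "watch", "update"]},
  {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
   "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]},
 {"metadata": {"name": "rbacscalability"}, "rules": [
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}]}"""

READ = {"get", "list", "watch", "*"}
WRITE = {"create", "update", "patch", "*"}
WORKLOADS = {"pods", "deployments", "daemonsets", "statefulsets", "jobs"}

def audit_rule(rule):
    """Return the sorted risk labels (this example's own names) for one rule."""
    verbs, res = set(rule.get("verbs", [])), set(rule.get("resources", []))
    checks = {
        "wildcard-verbs": "*" in verbs,
        "wildcard-apigroups": "*" in rule.get("apiGroups", []),
        "wildcard-resources": "*" in res,
        # exec is authorized as create (POST) or get (WebSocket) on pods/exec
        "pod-exec": res & {"pods/exec", "*"} and verbs & {"create", "get", "*"},
        "secret-read": res & {"secrets", "*"} and verbs & READ,
        # writing workloads lets the holder run pods that mount the namespace's secrets
        "workload-write": res & (WORKLOADS | {"*"}) and verbs & WRITE,
    }
    return sorted(label for label, hit in checks.items() if hit)

def audit_roles(doc):
    """Map (role name, rule index) to labels; accepts a List or a single Role."""
    out = {}
    for role in doc.get("items", [doc]):
        for i, rule in enumerate(role.get("rules") or []):
            if labels := audit_rule(rule):
                out[(role["metadata"]["name"], i)] = labels
    return out

def audit_sample():
    return audit_roles(json.loads(ROLES_JSON))

if __name__ == "__main__":
    for (name, idx), labels in audit_sample().items():
        print(f"{name} rule[{idx}]: {', '.join(labels)}")
```

Rules that return no labels, such as the leases rule and the read-only pods rule in rbacscalability, are omitted from the result.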