generated from vshn/go-bootstrap
-
Notifications
You must be signed in to change notification settings - Fork 0
/
config.yaml
121 lines (108 loc) · 4.65 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
---
# The label used to mark namespaces to belong to an organization
OrganizationLabel: appuio.io/organization
# UserDefaultOrganizationAnnotation is the annotation the default organization setting for a user is stored in.
UserDefaultOrganizationAnnotation: appuio.io/default-organization
# QuotaOverrideNamespace is the namespace where the quota overrides for organizations are stored.
QuotaOverrideNamespace: appuio-cloud
# The fair use limit of memory usage per CPU core.
# It is possible to select limits by node selector labels.
MemoryPerCoreLimits:
- Limit: 4Gi
NodeSelector:
matchExpressions:
- key: class
operator: DoesNotExist
# Privileged* is a list of the given type allowed to bypass restrictions.
# Wildcards are supported (e.g. "system:serviceaccount:default:*" or "cluster-*-operator").
# ClusterRoles are only ever matched if they are bound through a ClusterRoleBinding,
# this is different from the behavior of Kyverno.
# This is done to prevent a user from wrongly configuring a low-privileged ClusterRole which users
# can then bind to themselves to bypass the restrictions.
PrivilegedGroups: []
PrivilegedUsers: []
PrivilegedClusterRoles:
- cluster-admin
# Default node selectors to add to pods in this namespace
DefaultNamespaceNodeSelectorAnnotation: appuio.io/default-node-selector
# Default node selectors to add to pods if not set from namespace annotation
DefaultNodeSelector:
appuio.io/node-class: plus
# A map containing the configuration for rolebindings that are created by default in each organization namespace.
# The keys are the name of default rolebindings to create and the values are the names of the clusterroles they bind to.
DefaultOrganizationClusterRoles:
admin: admin
# ReservedNamespaces is a list of namespaces that are reserved and can't be created by users.
# Supports '*' and '?' wildcards.
ReservedNamespaces: [default, kube-*, openshift-*]
# AllowedAnnotations is a list of annotations that are allowed on namespaces.
# Supports '*' and '?' wildcards.
AllowedAnnotations: [appuio.io/default-node-selector]
# AllowedLabels is a list of labels that are allowed on namespaces.
# Supports '*' and '?' wildcards.
AllowedLabels: [appuio.io/organization]
# PodRunOnceActiveDeadlineSecondsOverrideAnnotation is the annotation used to override the activeDeadlineSeconds for RunOnce pods.
PodRunOnceActiveDeadlineSecondsOverrideAnnotation: appuio.io/active-deadline-seconds-override
# PodRunOnceActiveDeadlineSecondsDefault is the default activeDeadlineSeconds for RunOnce pods.
PodRunOnceActiveDeadlineSecondsDefault: 1800
# LegacyResourceQuotaAnnotationBase is the base label for the default resource quotas.
# The actual annotation is `$base/$quotaname.$resource`.
LegacyResourceQuotaAnnotationBase: resourcequota.appuio.io
# LegacyDefaultResourceQuotas is a map containing the default resource quotas for each organization.
# The keys are the name of the manifest and the values are the resource quotas spec.
LegacyDefaultResourceQuotas:
# See https://kb.vshn.ch/appuio-cloud/references/quality-requirements/performance/resource-quota.html
organization-objects:
hard:
count/configmaps: "150"
count/jobs.batch: "150"
count/secrets: "150"
count/services: "20"
count/services.loadbalancers: "0"
count/services.nodeports: "0"
count/replicationcontrollers: "100"
openshift.io/imagestreams: "20"
openshift.io/imagestreamtags: "50"
requests.storage: 1000Gi
persistentvolumeclaims: "10"
localblock-storage.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
requests.ephemeral-storage: "250Mi"
limits.ephemeral-storage: "500Mi"
# Limit the total amount of Rook-Ceph backed storage which can be
# requested per namespace
cephfs-fspool-cluster.storageclass.storage.k8s.io/requests.storage: 25Gi
rbd-storagepool-cluster.storageclass.storage.k8s.io/requests.storage: 25Gi
organization-compute:
hard:
requests.cpu: 4
requests.memory: 4Gi
limits.cpu: 8
limits.memory: 20Gi
pods: "45"
scopes:
- NotTerminating
organization-compute-terminating:
hard:
limits.cpu: 4000m
limits.memory: 4Gi
pods: "5"
requests.cpu: 500m
requests.memory: 2Gi
scopes:
- Terminating
# LegacyLimitRangeName is the name of the default limit range.
LegacyLimitRangeName: organization
# LegacyDefaultLimitRange is the default limit range.
LegacyDefaultLimitRange:
limits:
- type: Container
min:
cpu: "10m"
memory: "4Mi"
ephemeral-storage: "100Ki"
default:
cpu: "600m"
memory: "768Mi"
defaultRequest:
cpu: "10m"
memory: "100Mi"