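---
# DaemonSet that runs one resource-governance pod on every Linux node,
# including control-plane nodes (see tolerations at the bottom).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: resource-governance
  namespace: resource-governance
  labels:
    app.kubernetes.io/name: resource-governance
    app.kubernetes.io/component: governance
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: resource-governance
      app.kubernetes.io/component: governance
  template:
    metadata:
      labels:
        app.kubernetes.io/name: resource-governance
        app.kubernetes.io/component: governance
    spec:
      # This account's token is mounted into a pod on every node, so its
      # RBAC bindings should grant only what the tool actually needs.
      serviceAccountName: resource-governance-sa
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        # Added: apply the container runtime's default syscall filter.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: resource-governance
          # NOTE(review): ':latest' is a mutable tag and, with
          # imagePullPolicy: Always, nodes can end up running different
          # builds. Pin an immutable reference before production use, e.g.
          # resource-governance@sha256:<digest> (placeholder).
          image: resource-governance:latest
          imagePullPolicy: Always
          # Added: the pod-level securityContext only sets the UID/GID.
          # The container runs as non-root and listens on an unprivileged
          # port, so it needs no capabilities and no privilege escalation.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # NOTE(review): /tmp and /tmp/reports are already writable
            # emptyDir mounts; consider readOnlyRootFilesystem: true once
            # it is confirmed the application writes nowhere else.
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          # Every configMapKeyRef below is non-optional: the container will
          # not start if resource-governance-config or one of the keys is
          # missing.
          env:
            # NOTE(review): this path is the service-account bearer token,
            # not a kubeconfig file. In-cluster client libraries normally
            # find the mounted credentials without KUBECONFIG; confirm how
            # the application consumes this variable.
            - name: KUBECONFIG
              value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
            - name: CPU_LIMIT_RATIO
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: CPU_LIMIT_RATIO
            - name: MEMORY_LIMIT_RATIO
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: MEMORY_LIMIT_RATIO
            - name: MIN_CPU_REQUEST
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: MIN_CPU_REQUEST
            - name: MIN_MEMORY_REQUEST
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: MIN_MEMORY_REQUEST
            - name: CRITICAL_NAMESPACES
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: CRITICAL_NAMESPACES
            - name: PROMETHEUS_URL
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: PROMETHEUS_URL
            - name: REPORT_EXPORT_PATH
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: REPORT_EXPORT_PATH
            - name: ENABLE_RBAC
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: ENABLE_RBAC
            - name: SERVICE_ACCOUNT_NAME
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: SERVICE_ACCOUNT_NAME
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          # Liveness and readiness both poll the same /health endpoint on
          # the http port; only the timings differ.
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          # reports-volume is mounted inside the /tmp mount point, so
          # reports land in their own emptyDir rather than in tmp-volume.
          volumeMounts:
            - name: reports-volume
              mountPath: /tmp/reports
            - name: tmp-volume
              mountPath: /tmp
      # Both volumes are node-local scratch space that is deleted with the
      # pod; no sizeLimit is set on either emptyDir.
      volumes:
        - name: reports-volume
          emptyDir: {}
        - name: tmp-volume
          emptyDir: {}
      nodeSelector:
        kubernetes.io/os: linux
      # Tolerate both the legacy 'master' and the current 'control-plane'
      # taints so the pod is also scheduled onto control-plane nodes.
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule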