# Deployment for the resource-governance service: one replica, served over HTTP on
# port 8080, configured through ConfigMap-backed environment variables.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: resource-governance
  namespace: resource-governance
  labels:
    app.kubernetes.io/name: resource-governance
    app.kubernetes.io/component: governance
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0  # Never take pods down until the new one is ready
      maxSurge: 1  # Allow 1 extra pod during the rollout
  selector:
    matchLabels:
      app.kubernetes.io/name: resource-governance
      app.kubernetes.io/component: governance
  template:
    metadata:
      labels:
        app.kubernetes.io/name: resource-governance
        app.kubernetes.io/component: governance
    spec:
      # The RBAC bound to this account is not part of this manifest.
      # NOTE(review): check that its roles grant only what the service needs.
      serviceAccountName: resource-governance-sa
      # imagePullSecrets:
      #   - name: quay-secret  # Only needed for private repositories
      # Pod-level guard: containers that would run as UID 0 are refused.
      # No runAsUser is set here, so the UID comes from the image or cluster policy.
      securityContext:
        runAsNonRoot: true
      containers:
        - name: resource-governance
          # NOTE(review): `latest` is a mutable tag, and with imagePullPolicy Always
          # every pod start pulls whatever the tag points to at that moment.
          # Pinning to an immutable digest (image@sha256:<digest-placeholder>) makes
          # rollouts reproducible and auditable.
          image: quay.io/rh_ee_anobre/resource-governance:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          # Liveness and readiness both probe the same /health endpoint on 8080.
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 15  # Wait longer for initialization
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 5  # More attempts before failing
            successThreshold: 2  # Requires 2 consecutive successes
          # Container hardening: no privilege escalation, all Linux capabilities
          # dropped, runtime default seccomp profile.
          # NOTE(review): readOnlyRootFilesystem is not set. If the application
          # writes only under /tmp/reports (the emptyDir mounted below), enabling it
          # would tighten this further — confirm against the application first.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          env:
            # NOTE(review): this value is the path of the service-account token
            # file, not of a kubeconfig file. Confirm how the application uses
            # KUBECONFIG; in-cluster clients normally locate the token themselves.
            - name: KUBECONFIG
              value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
            # Governance thresholds and endpoints, all read from the
            # resource-governance-config ConfigMap.
            - name: CPU_LIMIT_RATIO
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: CPU_LIMIT_RATIO
            - name: MEMORY_LIMIT_RATIO
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: MEMORY_LIMIT_RATIO
            - name: MIN_CPU_REQUEST
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: MIN_CPU_REQUEST
            - name: MIN_MEMORY_REQUEST
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: MIN_MEMORY_REQUEST
            - name: CRITICAL_NAMESPACES
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: CRITICAL_NAMESPACES
            - name: INCLUDE_SYSTEM_NAMESPACES
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: INCLUDE_SYSTEM_NAMESPACES
            - name: SYSTEM_NAMESPACE_PREFIXES
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: SYSTEM_NAMESPACE_PREFIXES
            - name: PROMETHEUS_URL
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: PROMETHEUS_URL
            - name: THANOS_URL
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: THANOS_URL
            - name: REPORT_EXPORT_PATH
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: REPORT_EXPORT_PATH
            - name: SERVICE_ACCOUNT_NAME
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: SERVICE_ACCOUNT_NAME
            # Redis / Celery connection URLs, read from the redis-config ConfigMap.
            # NOTE(review): if any of these URLs embeds a password, it belongs in a
            # Secret (secretKeyRef) rather than a ConfigMap — verify the values.
            - name: REDIS_URL
              valueFrom:
                configMapKeyRef:
                  name: redis-config
                  key: REDIS_URL
            - name: CELERY_BROKER_URL
              valueFrom:
                configMapKeyRef:
                  name: redis-config
                  key: CELERY_BROKER_URL
            - name: CELERY_RESULT_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: redis-config
                  key: CELERY_RESULT_BACKEND
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          volumeMounts:
            # Writable scratch space for report output.
            - name: reports
              mountPath: /tmp/reports
            # Mounted read-only at the default service-account credential path.
            - name: service-account-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
      volumes:
        # NOTE(review): no sizeLimit is set, so report output is bounded only by
        # the node's ephemeral storage.
        - name: reports
          emptyDir: {}
        # NOTE(review): presumably a kubernetes.io/service-account-token Secret.
        # Such tokens do not expire, unlike the time-bound projected token that is
        # injected by default, and a mount at this path is expected to take the
        # place of that default token. Confirm the long-lived token is required;
        # if not, a projected serviceAccountToken volume is the safer choice.
        - name: service-account-token
          secret:
            secretName: resource-governance-sa-token
            optional: false
      restartPolicy: Always