The Run Once Duration Override mutating admission webhook allows to override activeDeadlineSeconds field
for a pod with RestartPolicy set to Never or OnFailure. The so called run-once pods.
In case a pod already has activeDeadlineSeconds set, the minimum of currently set and
configured by the operand is used.
-
Build and push the operand image to a registry:
export QUAY_USER=${your_quay_user_id} export IMAGE_TAG=${your_image_tag} podman build -t quay.io/${QUAY_USER}/run-once-duration-override:${IMAGE_TAG} . podman login quay.io -u ${QUAY_USER} podman push quay.io/${QUAY_USER}/run-once-duration-override:${IMAGE_TAG}
-
Generate manifests deploying the admission webhook:
make manifests
-
Update the image spec under
.spec.template.spec.containers[0].imagefield in the_output/manifests/500_deployment.yamlDeployment to point to the newly built image. -
Deploy the admission webhook:
oc apply -f _output/manifests
-
Check all DaemonSet pods are running:
oc get pods -n run-once-duration-override
-
Create or choose a namespace. E.g.
test$ oc create ns test -
Label the namespace with
runoncedurationoverrides.admission.runoncedurationoverride.openshift.io/enabled: "true"$ oc label ns test runoncedurationoverrides.admission.runoncedurationoverride.openshift.io/enabled=true -
Create a testing pod in the namespace with RestartPolicy set to Never. E.g.
$ cat pod.yaml apiVersion: v1 kind: Pod metadata: name: example namespace: test spec: restartPolicy: Never containers: - name: busybox securityContext: allowPrivilegeEscalation: false capabilities: drop: ["ALL"] runAsNonRoot: true seccompProfile: type: "RuntimeDefault" image: busybox:1.25 command: - /bin/sh - -ec - | while sleep 5; do date; doneThe manifest is also located under
examples/pod.yaml.$ oc apply -f pod.yaml
-
Checking the
.spec.activeDeadlineSecondsfield was set to 3600:$ oc get pods -n test -o json | jq '.items[0].spec.activeDeadlineSeconds' 3600