Merge pull request #18 from bryopsida/17-increase-default-allocations

Bump default pod size, hook in https probes
bryopsida · Jul 2, 2023 · 70ef54c · 70ef54c
2 parents a119fb9 + e5700c2
commit 70ef54c
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 12 deletions.
diff --git a/helm/psa-restricted-patcher/Chart.yaml b/helm/psa-restricted-patcher/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: psa-restricted-patcher
 description: Automatically patches pods on creation to conform to the pod security restricted profile
 type: application
-version: 0.9.0
+version: 0.10.0
 appVersion: "0.4.0"
 maintainers:
   - name: bryopsida
diff --git a/helm/psa-restricted-patcher/README.md b/helm/psa-restricted-patcher/README.md
@@ -1,6 +1,6 @@
 # psa-restricted-patcher
 
-![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square)
+![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square)
 
 Automatically patches pods on creation to conform to the pod security restricted profile
 
@@ -47,10 +47,10 @@ Automatically patches pods on creation to conform to the pod security restricted
 | rbacCreate | bool | `true` | Create the RBAC rules and bindings to allow the webhook to update the caBundle value, this is needed to handle rotations, if disabled you can provide your own bindings |
 | reinvocationPolicy | string | `"IfNeeded"` | ReinvocationPolicy can be Never or IfNeeded, this hook operates in a idempotent manner so IfNeeded is the default. |
 | replicaCount | int | `1` |  |
-| resources.limits.cpu | string | `"0.2"` |  |
-| resources.limits.memory | string | `"128Mi"` |  |
-| resources.requests.cpu | string | `"0.1"` |  |
-| resources.requests.memory | string | `"64Mi"` |  |
+| resources.limits.cpu | string | `"0.5"` |  |
+| resources.limits.memory | string | `"256Mi"` |  |
+| resources.requests.cpu | string | `"0.25"` |  |
+| resources.requests.memory | string | `"128Mi"` |  |
 | seccompProfile | string | `"RuntimeDefault"` | The seccompProfile to set for type |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |

diff --git a/helm/psa-restricted-patcher/templates/deployment.yaml b/helm/psa-restricted-patcher/templates/deployment.yaml
@@ -59,11 +59,20 @@ spec:
               containerPort: 3000
               protocol: TCP
           livenessProbe:
-            tcpSocket:
+            httpGet:
+              path: /status
               port: https
+              scheme: HTTPS
+            initialDelaySeconds: 30
+            periodSeconds: 15
+            failureThreshold: 3
           readinessProbe:
-            tcpSocket:
+            httpGet:
+              path: /status
               port: https
+              scheme: HTTPS
+            periodSeconds: 5
+            failureThreshold: 2
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/helm/psa-restricted-patcher/values.yaml b/helm/psa-restricted-patcher/values.yaml
@@ -68,11 +68,11 @@ objectSelector: {}
 rbacCreate: true
 resources:
   requests:
-    memory: "64Mi"
-    cpu: "0.1"
-  limits:
     memory: "128Mi"
-    cpu: "0.2"
+    cpu: "0.25"
+  limits:
+    memory: "256Mi"
+    cpu: "0.5"
 
 
 autoscaling: