Add Horizontal Pod Autoscaling (HPA) support to Wiz AC (#418)

ofirc-wiz · web-flow · commit 5eb0c5dcaea9 · 2024-10-30T19:41:09.000+02:00
* Add Horizontal Pod Autoscaling (HPA) support to Wiz AC By default this is disabled. Prerequisites: metrics-server installed on the cluster: https://github.com/kubernetes-sigs/metrics-server To enable HPA, set: wiz-admission-controller: hpa: enabled: true
diff --git a/wiz-admission-controller/Chart.yaml b/wiz-admission-controller/Chart.yaml
@@ -7,7 +7,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.6.0
+version: 3.6.1-preview
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/wiz-admission-controller/templates/_helpers.tpl b/wiz-admission-controller/templates/_helpers.tpl
@@ -40,6 +40,14 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "wiz-hpa-enforcer.name" -}}
+{{- printf "%s-hpa" (include "wiz-admission-controller.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "wiz-hpa-audit-logs.name" -}}
+{{- printf "%s-hpa" (include "wiz-kubernetes-audit-log-collector.name" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -101,6 +109,21 @@ app.kubernetes.io/name: {{ include "wiz-kubernetes-audit-log-collector.name" . }
 {{ include "wiz-kubernetes-audit-log-collector.selectorLabels" . }}
 {{- end }}
 
+{{/*
+Wiz Horizontal Pod Autoscaler labels
+*/}}
+
+{{- define "wiz-hpa-enforcer.labels" -}}
+{{ include "wiz-admission-controller.labels" . }}
+app.kubernetes.io/name: {{ include "wiz-hpa-enforcer.name" . }}
+{{- end }}
+
+{{- define "wiz-hpa-audit-logs.labels" -}}
+{{ include "wiz-admission-controller.labels" . }}
+app.kubernetes.io/name: {{ include "wiz-hpa-audit-logs.name" . }}
+{{- end }}
+
+
 {{/*
 
 {{/*
@@ -189,3 +212,25 @@ Use for debug purpose only.
 {{- define "helpers.var_dump" -}}
 {{- . | mustToPrettyJson | printf "\nThe JSON output of the dumped var is: \n%s" | fail }}
 {{- end -}}
+
+{{- define "wiz-admission-controller.resources" -}}
+{{- if hasKey .Values "resources" }}
+{{- toYaml .Values.resources }}
+{{- else -}}
+{{- if .Values.hpa.enabled }}
+requests:
+    cpu: 500m
+    memory: 300Mi
+{{- else }}
+{}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "wiz-admission-controller.isEnforcerEnabled" -}}
+  {{- if or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.debugWebhook.enabled }}
+    true
+  {{- else }}
+    false
+  {{- end }}
+{{- end }}
diff --git a/wiz-admission-controller/templates/deploymentauditlogs.yaml b/wiz-admission-controller/templates/deploymentauditlogs.yaml
@@ -7,7 +7,9 @@ metadata:
   labels:
     {{- include "wiz-kubernetes-audit-log-collector.labels" . | nindent 4 }}
 spec:
+  {{- if not .Values.hpa.enabled }}
   replicas: {{ .Values.kubernetesAuditLogsWebhook.replicaCount }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "wiz-admission-controller.selectorLabels" . | nindent 6 }}
@@ -184,7 +186,7 @@ spec:
             value: "true"
           {{- end }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- include "wiz-admission-controller.resources" . | nindent 12 }}
           volumeMounts:
           - mountPath: /var/server-certs
             name: server-certs
diff --git a/wiz-admission-controller/templates/deploymentenforcement.yaml b/wiz-admission-controller/templates/deploymentenforcement.yaml
@@ -1,4 +1,5 @@
-{{- if or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.debugWebhook.enabled}}
+{{- $isEnabled := include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower }}
+{{- if eq $isEnabled "true" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -7,7 +8,9 @@ metadata:
   labels:
     {{- include "wiz-admission-controller-enforcement.labels" . | nindent 4 }}
 spec:
+  {{- if not .Values.hpa.enabled }}
   replicas: {{ .Values.replicaCount }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "wiz-admission-controller.selectorLabels" . | nindent 6 }}
@@ -209,9 +212,9 @@ spec:
           {{- if .Values.debugWebhook.enabled }}
           - name: WIZ_DEBUG_WEBHOOK_ENABLED
             value: "true"
-          {{- end }}        
+          {{- end }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- include "wiz-admission-controller.resources" . | nindent 12 }}
           volumeMounts:
           - mountPath: /var/cache
             name: cache
diff --git a/wiz-admission-controller/templates/hpa.yaml b/wiz-admission-controller/templates/hpa.yaml
@@ -0,0 +1,84 @@
+{{- if .Values.hpa.enabled }}
+{{- $isEnabled := include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower }}
+{{- if eq $isEnabled "true" }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "wiz-hpa-enforcer.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "wiz-hpa-enforcer.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "wiz-admission-controller.fullname" . }}
+  minReplicas: {{ .Values.hpa.minReplicas }}
+  maxReplicas: {{ .Values.hpa.maxReplicas }}
+  metrics:
+    {{- if .Values.hpa.enableCPU }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.hpa.enableMemory }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.hpa.targetMemoryUtilizationPercentage }}
+    {{- end }}
+    {{- with .Values.hpa.customMetrics }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if hasKey .Values.hpa "behavior" }}
+  behavior:
+    {{- toYaml .Values.hpa.behavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{ if .Values.kubernetesAuditLogsWebhook.enabled -}}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "wiz-hpa-audit-logs.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "wiz-hpa-audit-logs.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "wiz-kubernetes-audit-log-collector.name" . }}
+  minReplicas: {{ .Values.hpa.minReplicas }}
+  maxReplicas: {{ .Values.hpa.maxReplicas }}
+  metrics:
+    {{- if .Values.hpa.enableCPU }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.hpa.enableMemory }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.hpa.targetMemoryUtilizationPercentage }}
+    {{- end }}
+    {{- with .Values.hpa.customMetrics }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if hasKey .Values.hpa "behavior" }}
+  behavior:
+    {{- toYaml .Values.hpa.behavior | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/wiz-admission-controller/templates/opawebhook.yaml b/wiz-admission-controller/templates/opawebhook.yaml
@@ -163,7 +163,8 @@ webhooks:
   failurePolicy: {{ .Values.debugWebhook.failurePolicy }}
   sideEffects: {{ .Values.debugWebhook.sideEffects }}
 {{- end }}
-{{- if and (or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.kubernetesAuditLogsWebhook.enabled .Values.debugWebhook.enabled) (not $useCertManagerCerts) }}
+{{- $isEnabled := include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower }}
+{{- if and (eq $isEnabled "true") (not $useCertManagerCerts) }}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/wiz-admission-controller/templates/service.yaml b/wiz-admission-controller/templates/service.yaml
@@ -1,4 +1,5 @@
-{{- if or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.debugWebhook.enabled}}
+{{- $isEnabled := include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower }}
+{{- if eq $isEnabled "true" }}
 ---
 apiVersion: v1
 kind: Service
diff --git a/wiz-admission-controller/values.yaml b/wiz-admission-controller/values.yaml
@@ -390,9 +390,11 @@ tlsCertificate:
   tlsCertificate: ""
   tlsKey: ""
 
-resources: {}
-  # The recommended values should vary depending on the load in each cluster, the number of replicas, and more.
-  # To make sure we cover most cases, the following is a suggestion for environments with a high load, we recommend adjusting it based on your needs.
+# Remove the comment below to provide custom requests and limits to the Wiz pods.
+#
+# resources:
+  ## The recommended values should vary depending on the load in each cluster, the number of replicas, and more.
+  ## To make sure we cover most cases, the following is a suggestion for environments with a high load, we recommend adjusting it based on your needs.
   # requests:
   #   cpu: 0.5
   #   memory: 256M
@@ -426,6 +428,20 @@ probes: # Probes config for the container
     timeoutSeconds: 30
     failureThreshold: 3
 
+# Horizontal Pod Autoscaling support.
+hpa:
+  enabled: false
+  minReplicas: 2
+  maxReplicas: 5
+  enableCPU: true
+  targetCPUUtilizationPercentage: 50
+  enableMemory: false
+  targetMemoryUtilizationPercentage: 50
+  customMetrics: []
+  # Uncomment to customize the behavior.
+  # If not set, the default HPAScalingRules for scale up and scale down are used.
+  #behavior: {}
+
 # Global values to override chart values.
 global:
   nameOverride: "" # Override the release’s name.
