Applier configuration

Review the additional Applier configuration parameters and their descriptions

The purpose of this topic is to list and describe the additional parameters available for configuring the StormForge Applier. For parameters that apply to the StormForge Agent, see the Agent configuration topic.

Applier settings:

Continuous reconciliation

Controls resource patching behavior based on CI/CD and cluster activity. Auto-deployment must be enabled.

Parameter Default value
reconciliation.mode EventBased
reconciliation.conflictingManagers None
Description

The StormForge Applier can be configured to continuously reconcile drift, ensuring that the latest recommended settings are always maintained on a workload.

The Applier logs whenever it reconciles a workload’s resource settings to the recommended values.

Valid values

  • EventBased (default): Workload requests and limits are updated only by relevant StormForge events that trigger an update: autodeployment of a new recommendation, clicking Apply Now in the UI, or running stormforge apply. Subsequent updates to requests and limits by GitOps tools will override the recommended settings.

  • Continuous: recommended requests and limits values are maintained and not overwritten during CI/CD or deployment activity on the cluster, except when changes are made by the declared reconciliation.conflictingManagers.

    • reconciliation.conflictingManagers: Optional, honored only when reconciliation.mode=Continuous. Declares which field managers conflict with the Applier. The Applier will not reconcile the desired state for fields owned by conflicting managers. Use this if you cannot configure your existing field manager to accept or ignore changes from StormForge.

Installing on Red Hat OpenShift

Required only when installing the Applier on Red Hat OpenShift.

Parameter Default value
openshift false
Description

Set to true when installing the StormForge Applier on Red Hat OpenShift Container Platform version 4.x and later. See this guide for details.

Valid values
  • true
  • false (default)

Enabling the DynamicAdmissionWebhook apply method

A cluster administrator sets these parameters to control the use of a mutating admission webhook for applying recommendations.

Optional allow/deny namespace lists restrict webhook use to specific namespaces.

Teams can then choose to configure specific namespaces or workloads to use a mutating admission webhook (DynamicAdmissionWebhook) to apply recommendations.

Parameter Default value
webhook.enabled false
webhook.allowNamespaces None
webhook.denyNamespaces None
Description

By default, the Applier applies recommendations as patches. Cluster administrators can make available the option to apply recommendations via a mutating admission webhook by setting webhook.enabled=true. This setting grants additional required RBAC to the Applier.

Cluster administrators can further restrict webhook use to specific namespaces by using an allow or deny list:

  • To allow webhook use on specific namespaces (or workloads), configure the webhook.allowNamespaces list.
  • To deny webhook use on specific workloads, configure the webhook.denyNamespaces list.
    If both lists are provided, webhook.denyNamespaces is ignored.

When the webhook feature is enabled on the Applier, teams can then set live.stormforge.io/apply.method=DynamicAdmissionWebhook on individual namespaces or workloads. For annotation syntax details, see Apply method in the Apply Settings topic.

By design, the webhook feature permits a different configuration to be shown in the pod than in the workload. Examples:

  • When changing a workload’s apply method, the recommended values on the deployment might be out of sync with the recommended values in the pods until the next recommendation is applied.
  • In a CI environment, StormForge-recommended values are shown on the pod and the developer-supplied values from Git are shown on the Deployment.
Key points:

  • Continuous reconciliation (if enabled) does not occur on workloads that are configured to use the webhook apply method.

  • If a namespace or workload is configured to use the webhook (live.stormforge.io/apply.method=DynamicAdmissionWebhook) but the feature is not enabled or an allow or deny list restricts the namespace, recommendations are still generated on the configured schedule but the Applier cannot apply them.

    When this scenario occurs, the UI or command line output shows different request and limits values than those on the pod. The Applier updates the workload to indicate what the recommended values are; however, the pods are not updated with the recommended values.

Valid values

webhook.enabled:

  • true
  • false (default)

webhook.allowNamespaces and webhook.denyNamespaces:

  • An array containing any string or regex expressions ([]*regexp.Regexp) to match against namespace names. You might choose to set these lists in a .yaml file as shown below instead of using a Helm parameter.
Examples
webhook:
  denyNamespaces:
  - ".*-system"

or

webhook:
  denyNamespaces: null
  allowNamespaces:
  - "monitoring"
  - "frontend"
  - ".ecommerce-*"

To explicitly unset either of these values, use null.

webhook:
  denyNamespaces: null

Additional RBAC permission

A YAML manifest that grants additional RBAC permissions to the Applier.

Description

To optimize resources that that are not Kubernetes workload types, the Applier needs additional RBAC permissions on the API group and resources.

Example

Add the API groups and their resources in a YAML manifest (for example, applier-rbac.yaml) as shown below.

A working example is shown in the Rightsize workloads scaled by a KEDA-owned HPA topic.

rbac:
  additional: |-
    # In this section, add any resources that you want the Applier to patch
    - apiGroups:
      - # YOUR_API_GROUP
      resources:
      - # YOUR_RESOURCES
      verbs:
      - get
      - list
      - watch
      - patch
      - update
Last modified November 18, 2024