ops: enforce rpi kubelet reservations via systemd

2026-05-19 14:23:35 -03:00 · 2026-05-19 14:23:35 -03:00 · a8a17e7978
commit a8a17e7978
parent c982b86136
2 changed files with 25 additions and 1 deletions
--- a/services/maintenance/rpi-resource-reservation-daemonset.yaml
+++ b/services/maintenance/rpi-resource-reservation-daemonset.yaml
@ -15,7 +15,7 @@ spec:
      labels:
        app: rpi-resource-reservation
      annotations:
-        atlas.bstein.dev/reservation-revision: "2026-05-19-2"
+        atlas.bstein.dev/reservation-revision: "2026-05-19-3"
    spec:
      serviceAccountName: node-nofile
      nodeSelector:
--- a/services/maintenance/scripts/rpi_resource_reservation.sh
+++ b/services/maintenance/scripts/rpi_resource_reservation.sh
@ -8,6 +8,8 @@ config_dir="${host_root}/etc/rancher/k3s/config.yaml.d"
 config_file="${config_dir}/90-atlas-rpi-reservations.yaml"
 kubelet_config_dir="${host_root}/var/lib/rancher/k3s/agent/etc/kubelet.conf.d"
 kubelet_config_file="${kubelet_config_dir}/90-atlas-rpi-reservations.conf"
+systemd_override_dir="${host_root}/etc/systemd/system/${unit}.service.d"
+systemd_override_file="${systemd_override_dir}/90-atlas-rpi-reservations.conf"

 if [ ! -f "${unit_file}" ]; then
  echo "k3s-agent unit not found; this guardrail only manages worker agents"
@ -70,6 +72,28 @@ if [ ! -f "${kubelet_config_file}" ] || ! cmp -s "${kubelet_tmp_file}" "${kubele
 fi
 rm -f "${kubelet_tmp_file}"

+override_tmp_file="$(mktemp)"
+cat > "${override_tmp_file}" <<'EOF'
+[Service]
+UnsetEnvironment=K3S_KUBELET_ARG
+ExecStart=
+ExecStart=/usr/local/bin/k3s agent \
+  --kubelet-arg=container-log-max-files=2 \
+  --kubelet-arg=system-reserved=cpu=250m,memory=384Mi,ephemeral-storage=1Gi \
+  --kubelet-arg=kube-reserved=cpu=150m,memory=256Mi,ephemeral-storage=1Gi \
+  --kubelet-arg=eviction-hard=memory.available<512Mi,nodefs.available<10%,imagefs.available<10% \
+  --kubelet-arg=eviction-soft=memory.available<768Mi,nodefs.available<15%,imagefs.available<15% \
+  --kubelet-arg=eviction-soft-grace-period=memory.available=1m,nodefs.available=2m,imagefs.available=2m \
+  --kubelet-arg=eviction-max-pod-grace-period=60
+EOF
+
+if [ ! -f "${systemd_override_file}" ] || ! cmp -s "${override_tmp_file}" "${systemd_override_file}"; then
+  mkdir -p "${systemd_override_dir}"
+  install -m 0644 "${override_tmp_file}" "${systemd_override_file}"
+  changed=1
+fi
+rm -f "${override_tmp_file}"
+
 if [ "${changed}" -eq 1 ]; then
  delay="$(( (RANDOM % 420) + 30 ))"
  echo "updated RPi kubelet reservations; restarting ${unit} after ${delay}s"