apiVersion: karpenter.sh/v1alpha5 kind: Provisioner metadata: name: stksrv spec: requirements: - key: karpenter.k8s.aws/instance-cpu operator: In values: - "2" - key: kubernetes.io/arch operator: In values: - arm64 - amd64 - key: karpenter.k8s.aws/instance-generation operator: In values: - "6" - "7" - key: karpenter.k8s.aws/instance-category operator: In values: - c - key: karpenter.sh/capacity-type operator: In values: # - spot - on-demand limits: resources: cpu: 20k providerRef: name: stksrv ttlSecondsAfterEmpty: 30 --- apiVersion: karpenter.k8s.aws/v1alpha1 kind: AWSNodeTemplate metadata: name: stksrv spec: amiFamily: AL2 blockDeviceMappings: - deviceName: /dev/xvda ebs: volumeSize: 200Gi volumeType: gp3 iops: 10000 deleteOnTermination: true throughput: 125 securityGroupSelector: karpenter.sh/discovery: kts-usw2 subnetSelector: karpenter.sh/discovery: kts-usw2 # userData: | # MIME-Version: 1.0 # Content-Type: multipart/mixed; boundary="BOUNDARY" # # --BOUNDARY # Content-Type: text/x-shellscript; charset="us-ascii" # # #!/bin/bash # iptables -N limit-by-ip-chain # iptables -A limit-by-ip-chain -m hashlimit --hashlimit-upto 5/sec --hashlimit-mode srcip --hashlimit-name per_ip_conn_rate_limit -j ACCEPT # iptables -A limit-by-ip-chain --match limit --limit 1/min -j LOG --log-prefix "IPTables-Rejected: " # iptables -A limit-by-ip-chain -j DROP # iptables -I INPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j limit-by-ip-chain # --BOUNDARY