Leveraging descheduler to automatically evict pods that no longer satisfy their NodeAffinity constraints. This works in concert with node-feature-discovery, so that when USB devices are moved from one node to a different node, the pods requiring those USB devices are forced to reschedule to the new location.
Using external-secrets & 1Password connect to reference secrets housed in 1Password
Leveraging the Intel-based iGPU via the gpu plugin DaemonSet for serving GPU-based workloads (e.g. Plex) through the gpu.intel.com/i915 node resource
Automatically drain and reboot nodes when a reboot is required (e.g. a kernel update was applied): https://github.com/weaveworks/kured
Using the nfs-client storage type
nfs-based persistent mounts for various pod access (media mount & data mount)
ingress-nginx controller leveraging cert-manager as the central cert store for the wildcard certificate
Using the USB feature of node-feature-discovery to dynamically label nodes that contain specific USB devices we care about
OAuth2 authenticating proxy leveraging Auth0
registry-creds: Automate Kubernetes registry credentials, to extend Docker Hub limits. This is (sadly) necessary to have cluster-wide imagePulls use an authenticated Docker account so that the cluster doesn't get rate-limited and become unable to schedule workloads. This has already happened once.
reloader: A Kubernetes controller that watches for changes in ConfigMaps and Secrets and performs rolling upgrades on the Pods of their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig.
snapshot-controller: Sidecar container that watches Kubernetes Snapshot CRD objects and triggers CreateSnapshot/DeleteSnapshot against a CSI endpoint. Used in conjunction with volsync.
volsync: Asynchronous data replication for Kubernetes volumes. Leveraging storage CSI snapshotting and restic, this enables the backing-up of persistent volumes to an S3 bucket.
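The descheduler / node-feature-discovery pairing described above, as an added example that is not part of this repository's manifests: a descheduler policy that evicts pods whose required node affinity no longer holds, alongside a Deployment pinned to a USB-derived node label. The label key `feature.node.kubernetes.io/usb-ff_1d6b_0002.present` is an assumed placeholder for whatever label node-feature-discovery applies to the device in question.

```yaml
# Descheduler policy (added example, not this repo's own config).
# RemovePodsViolatingNodeAffinity only acts on "required" affinity rules:
# "preferred" rules never trigger eviction, so the USB-dependent pod below
# must use requiredDuringSchedulingIgnoredDuringExecution to be moved.
apiVersion: "descheduler/v1alpha1"
kind: "DeschedulerPolicy"
strategies:
  "RemovePodsViolatingNodeAffinity":
    enabled: true
    params:
      nodeAffinityType:
        - "requiredDuringSchedulingIgnoredDuringExecution"
---
# Workload that needs the USB device. The label key is an assumed
# placeholder for the NFD-generated USB label; adjust to what
# `kubectl get node <name> --show-labels` reports on your cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: usb-consumer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: usb-consumer
  template:
    metadata:
      labels:
        app: usb-consumer
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: feature.node.kubernetes.io/usb-ff_1d6b_0002.present
                    operator: In
                    values: ["true"]
      containers:
        - name: app
          image: example.invalid/usb-consumer:latest  # placeholder image
```

When the device is unplugged and moved, NFD drops the label from the old node and adds it to the new one; on its next run the descheduler evicts the pod, and the scheduler places the replacement on the node that now carries the label.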