From 40da16ee8e51b8dfe549dc564791a58b8609b354 Mon Sep 17 00:00:00 2001
From: hungran <26101787+hungran@users.noreply.github.com>
Date: Sun, 26 Nov 2023 14:21:24 +0700
Subject: [PATCH] feat: adding optional to expose tetragon-operator metrics
Signed-off-by: hungran <26101787+hungran@users.noreply.github.com>
adding optional to expose tetragon-operator metrics
Signed-off-by: hungran <26101787+hungran@users.noreply.github.com>
add port address metrics server to configmap of tetragonOperator
Signed-off-by: hungran <26101787+hungran@users.noreply.github.com>
---
 install/kubernetes/README.md | 10 +++++++++-
 .../templates/operator_configmap.yaml | 5 +++++
 .../templates/operator_deployment.yaml | 18 ++++++++++++++++++
 .../templates/operator_service.yaml | 19 +++++++++++++++++++
 install/kubernetes/test.sh | 4 ++--
 install/kubernetes/values.yaml | 8 +++++++-
 operator/cmd/serve/serve.go | 2 +-
 7 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 install/kubernetes/templates/operator_service.yaml
diff --git a/install/kubernetes/README.md b/install/kubernetes/README.md
index ea8bdb914ba..9cd29e35d6d 100644
--- a/install/kubernetes/README.md
+++ b/install/kubernetes/README.md
@@ -73,7 +73,7 @@ Helm chart for Tetragon | tetragon.prometheus.serviceMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. | | tetragon.resources | object | `{}` | | | tetragon.securityContext.privileged | bool | `true` | | -| tetragonOperator | object | `{"affinity":{},"annotations":{},"extraLabels":{},"extraPodLabels":{},"extraVolumeMounts":[],"extraVolumes":[],"image":{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"},"nodeSelector":{},"podAnnotations":{},"podInfo":{"enabled":false},"podSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"priorityClassName":"","resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{},"serviceAccount":{"annotations":{},"create":true,"name":""},"skipCRDCreation":false,"strategy":{},"tolerations":[{"operator":"Exists"}]}` | Tetragon Operator settings | +| tetragonOperator | object | `{"affinity":{},"annotations":{},"extraLabels":{},"extraPodLabels":{},"extraVolumeMounts":[],"extraVolumes":[],"image":{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"},"nodeSelector":{},"podAnnotations":{},"podInfo":{"enabled":false},"podSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"priorityClassName":"","prometheus":{"address":"","enabled":true,"port":2113},"resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{},"serviceAccount":{"annotations":{},"create":true,"name":""},"skipCRDCreation":false,"strategy":{},"tolerations":[{"operator":"Exists"}]}` | Tetragon Operator settings | | tetragonOperator.annotations | object | `{}` | Annotations for the Tetragon Operator Deployment. 
| | tetragonOperator.extraLabels | object | `{}` | Extra labels to be added on the Tetragon Operator Deployment. | | tetragonOperator.extraPodLabels | object | `{}` | Extra labels to be added on the Tetragon Operator Deployment Pods. | @@ -88,6 +88,14 @@ Helm chart for Tetragon | tetragonOperator.securityContext | object | `{}` | securityContext for the Tetragon Operator Deployment Pods. | | tetragonOperator.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | tetragon-operator service account. | | tetragonOperator.strategy | object | `{}` | resources for the Tetragon Operator Deployment update strategy | +| tetragonOperator.prometheus | object | `{"enabled":true,"port":2113}` | Enables the Tetragon Operator metrics. | +| tetragonOperator.prometheus | object | `{"address":"","enabled":true,"port":2113}` | Enables the Tetragon Operator metrics. | +| tetragonOperator.prometheus.address | string | `""` | The address at which to expose Tetragon Operator metrics. Set it to "" to expose on all available interfaces. | +| tetragonOperator.prometheus.port | int | `2113` | The port at which to expose metrics. | +| tetragonOperator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}` | resources for the Tetragon Operator Deployment Pod container. | +| tetragonOperator.securityContext | object | `{}` | securityContext for the Tetragon Operator Deployment Pods. | +| tetragonOperator.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | tetragon-operator service account. | +| tetragonOperator.strategy | object | `{}` | resources for the Tetragon Operator Deployment update strategy | | tolerations[0].operator | string | `"Exists"` | | | updateStrategy | object | `{}` | | diff --git a/install/kubernetes/templates/operator_configmap.yaml b/install/kubernetes/templates/operator_configmap.yaml index 296506d3353..d6eda98abab 100644 --- a/install/kubernetes/templates/operator_configmap.yaml 
+++ b/install/kubernetes/templates/operator_configmap.yaml @@ -8,3 +8,8 @@ metadata: data: skip-crd-creation: {{ .Values.tetragonOperator.skipCRDCreation | quote }} skip-pod-info-crd: {{ not .Values.tetragonOperator.podInfo.enabled | quote }} +{{- if .Values.tetragonOperator.prometheus.enabled }} + metrics-bind-address: {{ .Values.tetragonOperator.prometheus.address }}:{{ .Values.tetragonOperator.prometheus.port }} +{{- else }} + metrics-bind-address: "" +{{- end }} diff --git a/install/kubernetes/templates/operator_deployment.yaml b/install/kubernetes/templates/operator_deployment.yaml index 598dd3d775b..6a838219d4d 100644 --- a/install/kubernetes/templates/operator_deployment.yaml +++ b/install/kubernetes/templates/operator_deployment.yaml @@ -36,6 +36,9 @@ spec: args: - serve - --config-dir=/etc/tetragon/operator.conf.d/ + {{- if .Values.tetragonOperator.prometheus.enabled }} + - --metrics-bind-address={{ .Values.tetragonOperator.prometheus.address }}:{{ .Values.tetragonOperator.prometheus.port }} + {{- end }} image: "{{ if .Values.tetragonOperator.image.override }}{{ .Values.tetragonOperator.image.override }}{{ else }}{{ .Values.tetragonOperator.image.repository }}:{{ .Values.tetragonOperator.image.tag }}{{ end }}" imagePullPolicy: {{ .Values.tetragonOperator.image.pullPolicy }} volumeMounts: @@ -48,6 +51,21 @@ spec: {{- with .Values.tetragonOperator.podSecurityContext }} securityContext: {{- toYaml . | nindent 10 }} + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + {{- if .Values.tetragonOperator.prometheus.enabled }} + ports: + - containerPort: {{ .Values.tetragonOperator.prometheus.port }} + name: metrics + protocol: TCP + {{- end }} + {{- if .Values.tetragonOperator.prometheus.enabled }} + ports: + - name: metrics + containerPort: {{ .Values.tetragonOperator.prometheus.port }} + protocol: TCP {{- end }} livenessProbe: httpGet: 
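Review bot: The `else` branch writes `metrics-bind-address: ""` on the assumption that an empty value turns the listener off, but if the operator hands this value straight to controller-runtime (serve.go is only partly visible here) an empty bind address selects the library default rather than disabling the server; controller-runtime's documented "disabled" value is `0`. A user who sets `tetragonOperator.prometheus.enabled=false` would then still get an unauthenticated metrics listener on the default port. I would write `metrics-bind-address: "0"` in the else branch and quote the enabled case too, `metrics-bind-address: {{ printf "%s:%d" .Values.tetragonOperator.prometheus.address (int .Values.tetragonOperator.prometheus.port) | quote }}`, so a value such as `:2113` is never emitted as a bare scalar. The same address is also passed as `--metrics-bind-address` in the Deployment args, so one of the two sources should be dropped to avoid the two drifting apart.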
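Review bot: The second deployment hunk emits the `ports:` block twice under the same container and leaves `{{- with .Values.tetragonOperator.podSecurityContext }}` unclosed: the added `{{- end }}` closes the first `if`, the existing context `{{- end }}` closes the second `if`, and nothing closes the `with`, so `helm template` should fail to parse unless another `{{- end }}` exists below the hunk. Placing `ports:` inside the `with` also means the container port silently disappears when `podSecurityContext` is set to `{}`. The hard-coded `allowPrivilegeEscalation: false` / `capabilities.drop: ["ALL"]` lines after `toYaml .` duplicate the keys the default `podSecurityContext` already carries (duplicate mapping keys, which `kubeconform --strict` may reject) and override whatever the user configured; if the intent is to enforce them, do so once and unconditionally rather than inside the `with`. The container definition starts and ends outside the hunk.
```yaml
        {{- with .Values.tetragonOperator.podSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- if .Values.tetragonOperator.prometheus.enabled }}
        ports:
        - name: metrics
          containerPort: {{ .Values.tetragonOperator.prometheus.port }}
          protocol: TCP
        {{- end }}
        # … unchanged: livenessProbe …
```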
diff --git a/install/kubernetes/templates/operator_service.yaml b/install/kubernetes/templates/operator_service.yaml new file mode 100644 index 00000000000..c2950ac448f --- /dev/null +++ b/install/kubernetes/templates/operator_service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.tetragonOperator.prometheus.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + namespace: {{ .Release.Namespace }} + name: {{ .Release.Name }}-operator-metrics + labels: + {{- include "tetragon-operator.labels" . | nindent 4 }} +spec: + ports: + - name: metrics + port: {{ .Values.tetragonOperator.prometheus.port }} + targetPort: {{ .Values.tetragonOperator.prometheus.port }} + protocol: TCP + selector: + {{- include "tetragon-operator.selectorLabels" . | nindent 6 }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/install/kubernetes/test.sh b/install/kubernetes/test.sh index 2862c6a5874..f377a305b31 100755 --- a/install/kubernetes/test.sh +++ b/install/kubernetes/test.sh @@ -9,10 +9,10 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) cd $SCRIPT_DIR alias helm='docker run --rm -v $(pwd):/apps alpine/helm:3.3.4' -alias kubeval='docker run --rm -i garethr/kubeval:0.15.0@sha256:6962d8ecbb7839637667f66e6703e6ebaae0c29dfe93a31d9968fba4324c7b8d' +alias kubeconform='docker run --rm -i ghcr.io/yannh/kubeconform:v0.6.4-alpine@sha256:e68a0b638c6e9b76f1b7d58b4ec94340ef3b6601db25b2e40b29e3ac2d68e4bf' helm dependency update . helm lint . --with-subcharts -helm template tetragon . | kubeval --strict --additional-schema-locations https://raw.githubusercontent.com/joshuaspence/kubernetes-json-schema/master +helm template tetragon . | kubeconform --strict --schema-location default # Update README.md. docker run --rm -v "$(pwd):/helm-docs" -u "$(id -u)" jnorwood/helm-docs:v1.11.0@sha256:66c8f4164dec860fa5c1528239c4aa826a12485305b7b224594b1a73f7e6879a 
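Review bot: The new Service lacks a trailing newline (`\ No newline at end of file`) and, unlike the agent's `tetragon.prometheus.serviceMonitor` settings shown in the README hunk, comes with no ServiceMonitor or scrape annotations, so enabling `tetragonOperator.prometheus` exposes an unauthenticated plain-HTTP endpoint cluster-wide without anything wired to collect it. I would add the newline and either a matching `tetragonOperator.prometheus.serviceMonitor.enabled` option or at least a values comment stating that the Service is meant to be discovered by its labels. If the chart ships a NetworkPolicy for the operator (not visible here), the new `metrics` port should be added to it.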
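Review bot: The new `alias kubeconform=…` line only takes effect in a non-interactive bash script if `shopt -s expand_aliases` is set, and the script head where that would live is outside the hunk; the pre-existing `helm` alias follows the same pattern so it presumably works today, but a function is the robust form, `kubeconform() { docker run --rm -i ghcr.io/yannh/kubeconform:v0.6.4-alpine@sha256:e68a0b638c6e9b76f1b7d58b4ec94340ef3b6601db25b2e40b29e3ac2d68e4bf "$@"; }`. Pinning the image by digest, as the change does, is the right supply-chain practice. The unquoted `$(pwd)` and `cd $SCRIPT_DIR` on the context lines predate this change.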
diff --git a/install/kubernetes/values.yaml b/install/kubernetes/values.yaml index daae6fa3c65..e9f3e7859b8 100644 --- a/install/kubernetes/values.yaml +++ b/install/kubernetes/values.yaml @@ -217,7 +217,13 @@ tetragonOperator: # -- Enables the PodInfo CRD and the controller that reconciles PodInfo # custom resources. enabled: false - + # -- Enables the Tetragon Operator metrics. + prometheus: + enabled: true + # -- The address at which to expose Tetragon Operator metrics. Set it to "" to expose on all available interfaces. + address: "" + # -- The port at which to expose metrics. + port: 2113 # -- Tetragon event settings export: # "stdout". "" to disable. diff --git a/operator/cmd/serve/serve.go b/operator/cmd/serve/serve.go index 2631aee5bb3..ac0b1546c8d 100644 --- a/operator/cmd/serve/serve.go +++ b/operator/cmd/serve/serve.go @@ -90,7 +90,7 @@ func New() *cobra.Command { return nil }, } - cmd.Flags().StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + cmd.Flags().StringVar(&metricsAddr, "metrics-bind-address", ":2113", "The address the metric endpoint binds to.") cmd.Flags().StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") cmd.Flags().BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+
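Review bot: The `# -- Enables the Tetragon Operator metrics.` comment sits above `prometheus:` rather than `enabled:`, so helm-docs documents the object and leaves `tetragonOperator.prometheus.enabled` without its own row (the README hunk shows exactly that, plus duplicated rows that a rerun of helm-docs from test.sh would clear). I would move that comment directly above `enabled: true` and give the parent `# -- Tetragon Operator metrics settings.`. The `address` comment should also say that `""` binds every interface of the pod and that the endpoint carries no authentication, so anything able to reach the pod or its Service inside the cluster can scrape it unless a NetworkPolicy restricts the port.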