diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml index 8c4d929c7..811bd4d47 100644 --- a/charts/agent/Chart.yaml +++ b/charts/agent/Chart.yaml @@ -5,7 +5,7 @@ description: Sysdig Monitor and Secure agent type: application # currently matching sysdig 1.14.32 -version: 1.7.5 +version: 1.8.0 appVersion: 12.14.0 diff --git a/charts/agent/README.md b/charts/agent/README.md index daf81d480..246b50f6a 100644 --- a/charts/agent/README.md +++ b/charts/agent/README.md @@ -83,6 +83,8 @@ The following table lists the configurable parameters of the Sysdig chart and th | `collectorSettings.ssl` | The collector accepts SSL | `true` | | `collectorSettings.sslVerifyCertificate` | Set to false if you don't want to verify SSL certificate | `true` | | `gke.autopilot` | If true, overrides the agent configuration to run on GKE Autopilot clusters | `false` | +| `gke.autopilot.createPriorityClass` | If true, create the required PriorityClass to ensure Agent Pods are scheduled in GKE Autopilot. Uses the name provided by the `priorityClassName` parameter | `false` | +| `gke.ephemeralStorage` | Amount of ephemeral storage to provide to the Agent container in GKE Autopilot clusters | `500Mi` | | `rbac.create` | If true, create & use RBAC resources | `true` | | `scc.create` | Create OpenShift's Security Context Constraint | `true` | | `psp.create` | Create Pod Security Policy to allow the agent running in clusters with PSP enabled | `true` | diff --git a/charts/agent/templates/NOTES.txt b/charts/agent/templates/NOTES.txt index b700c58c8..179168f3a 100644 --- a/charts/agent/templates/NOTES.txt +++ b/charts/agent/templates/NOTES.txt 
@@ -17,6 +17,11 @@ The "drift_killer" feature in agent is not supported when running on GKE Autopil {{- end }} {{- end }} +{{- if and (include "agent.gke.autopilot" .) (not .Values.gke.createPriorityClass) (not .Values.priorityClassName) }} + +A PriorityClass is recommended for GKE Autopilot environments. Please set gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the priorityClassName parameter. +{{- end }} + {{- $secureFeatProvided := false }} {{- if hasKey .Values.sysdig.settings "feature" }} {{- if hasKey .Values.sysdig.settings.feature "mode" }} diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl index 28ba9fd37..4b6c831af 100644 --- a/charts/agent/templates/_helpers.tpl +++ b/charts/agent/templates/_helpers.tpl 
@@ -77,22 +77,27 @@ Sysdig Agent resources */}} {{- define "agent.resources" -}} {{/* we have same values for both requests and limits */}} -{{- $smallCpu := "1000m" -}} -{{- $smallMemory := "1024Mi" -}} -{{- $mediumCpu := "3000m" -}} -{{- $mediumMemory := "3072Mi" -}} -{{- $largeCpu := "5000m" -}} -{{- $largeMemory := "6144Mi" -}} +{{- $resourceProfiles := dict "small" (dict "cpu" "1000m" + "memory" "1024Mi") + "medium" (dict "cpu" "3000m" + "memory" "3072Mi") + "large" (dict "cpu" "5000m" + "memory" "6144Mi") }} +{{- $resources := dict }} {{/* custom resource values are always first-class */}} {{- if .Values.resources }} -{{- toYaml .Values.resources -}} -{{- else if eq .Values.resourceProfile "small" -}} -{{- printf "requests:\n cpu: %s\n memory: %s\nlimits:\n cpu: %s\n memory: %s" $smallCpu $smallMemory $smallCpu $smallMemory -}} -{{- else if eq .Values.resourceProfile "medium" -}} -{{- printf "requests:\n cpu: %s\n memory: %s\nlimits:\n cpu: %s\n memory: %s" $mediumCpu $mediumMemory $mediumCpu $mediumMemory -}} -{{- else if eq .Values.resourceProfile "large" -}} -{{- printf "requests:\n cpu: %s\n memory: %s\nlimits:\n cpu: %s\n memory: %s" $largeCpu $largeMemory $largeCpu $largeMemory -}} -{{- end -}} + {{- toYaml .Values.resources -}} +{{- else if not (hasKey $resourceProfiles .Values.resourceProfile) }} + {{- fail (printf "Invalid value for resourceProfile provided: %s" .Values.resourceProfile) }} +{{- else if and (include "agent.gke.autopilot" .) (not .Values.slim.enabled) }} + {{- toYaml (dict "requests" (dict "cpu" "250m" + "ephemeral-storage" .Values.gke.ephemeralStorage + "memory" "512Mi") + "limits" (get $resourceProfiles .Values.resourceProfile)) }} +{{- else }} + {{- toYaml (dict "requests" (get $resourceProfiles .Values.resourceProfile) + "limits" (get $resourceProfiles .Values.resourceProfile)) }} +{{- end }} {{- end -}} {{/* diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml index 9f894b77b..d7a7e9339 100644 
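Review bot: `{{- $resources := dict }}` in the rewritten `agent.resources` helper is assigned and never read, so it should be deleted. Separately, the new `not (hasKey $resourceProfiles .Values.resourceProfile)` guard passes the value straight to `hasKey`, which expects a string key; if `resourceProfile` can ever be unset this becomes a render-time type error where the old `else if` chain silently emitted nothing, so `hasKey $resourceProfiles (.Values.resourceProfile | toString)` (or a `default`) would keep the failure on the intended `fail` line. values.yaml is not visible in this page, so whether its default guarantees a string is unconfirmed.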
--- a/charts/agent/templates/daemonset.yaml +++ b/charts/agent/templates/daemonset.yaml @@ -5,8 +5,8 @@ metadata: name: {{ template "agent.fullname" . }} namespace: {{ include "agent.namespace" . }} labels: -{{ include "agent.labels" . | indent 4 }} -{{ include "agent.daemonsetLabels" . | indent 4 }} + {{- include "agent.labels" . | nindent 4 }} + {{- include "agent.daemonsetLabels" . | nindent 4 }} spec: selector: matchLabels: @@ -16,38 +16,38 @@ spec: metadata: name: {{ template "agent.fullname" .}} labels: -{{ include "agent.labels" . | indent 8 }} -{{ include "agent.daemonsetLabels" . | indent 8 }} + {{ include "agent.labels" . | nindent 8 }} + {{ include "agent.daemonsetLabels" . | nindent 8 }} {{- if (include "agent.gke.autopilot" .) }} annotations: autopilot.gke.io/no-connect: "true" {{- else }} {{- if .Values.daemonset.annotations }} annotations: -{{ toYaml .Values.daemonset.annotations | indent 8 }} + {{ toYaml .Values.daemonset.annotations | nindent 8 }} {{- end }} {{- end }} spec: serviceAccountName: {{ template "agent.serviceAccountName" .}} -{{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" +{{- if or .Values.priorityClassName (include "agent.gke.autopilot" .) }} + priorityClassName: {{ .Values.priorityClassName | quote }} {{- end }} tolerations: -{{ toYaml .Values.tolerations | indent 8 }} + {{ toYaml .Values.tolerations | nindent 8 }} hostNetwork: true dnsPolicy: ClusterFirstWithHostNet hostPID: true terminationGracePeriodSeconds: 5 {{- if .Values.daemonset.nodeSelector }} nodeSelector: -{{ toYaml .Values.daemonset.nodeSelector | indent 8 }} + {{ toYaml .Values.daemonset.nodeSelector | nindent 8 }} {{- end }} {{- if (include "agent.gke.autopilot" .) }} affinity: null {{- else }} affinity: {{- if .Values.daemonset.affinity }} -{{ toYaml .Values.daemonset.affinity | indent 8 }} + {{ toYaml .Values.daemonset.affinity | nindent 8 }} {{- else }} nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: 
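Review bot: The new condition `{{- if or .Values.priorityClassName (include "agent.gke.autopilot" .) }}` renders `priorityClassName: ""` whenever Autopilot is on but no name is configured and `gke.createPriorityClass` is false, which is exactly the case NOTES.txt now warns about; the API server treats the empty string as unset, but the rendered manifest then carries a field that documents nothing and confuses anyone diffing it. If the effective name is resolved in one place (a helper returning the configured name, or the Autopilot default when `gke.createPriorityClass` is set) the original `{{- if .Values.priorityClassName }}` guard is sufficient and the field is only emitted when it has a value.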
@@ -72,7 +72,7 @@ spec: {{- end }} {{- if .Values.image.pullSecrets }} imagePullSecrets: -{{ toYaml .Values.image.pullSecrets | indent 8 }} + {{ toYaml .Values.image.pullSecrets | nindent 8 }} {{- end }} {{- if .Values.slim.enabled }} initContainers: @@ -80,24 +80,21 @@ spec: image: {{ template "agent.image.kmodule" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: - capabilities: - drop: - - ALL privileged: true runAsNonRoot: false runAsUser: 0 readOnlyRootFilesystem: false allowPrivilegeEscalation: true resources: -{{ toYaml .Values.slim.resources | indent 12 }} + {{ toYaml .Values.slim.resources | nindent 12 }} env: {{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .) }} - name: SYSDIG_BPF_PROBE value: {{- end }} {{- range $key, $value := .Values.daemonset.kmodule.env }} - - name: "{{ $key }}" - value: "{{ $value }}" + - name: {{ $key | quote }} + value: {{ $value | quote }} {{- end }} {{- if (.Values.proxy.httpProxy | default .Values.global.proxy.httpProxy) }} - name: http_proxy 
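Review bot: The init container's `securityContext` loses `capabilities: drop: [ALL]` while keeping `privileged: true`, and the same removal appears in the `sysdig` container (hunk @@ -112,45 +109,51) and in deployment.yaml (hunk @@ -61,11 +61,8). Runtimes generally grant the full capability set to privileged containers regardless of this list, so it is probably not a runtime change, but the explicit drop is what admission policies and Pod Security audits key on, and removing it widens the declared profile of a hostPID/hostNetwork workload with no explanation in the hunk. If the drop caused a concrete problem, record it in a template comment above `privileged: true`; otherwise keep the three lines.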
@@ -112,45 +109,51 @@ spec: value: {{ .Values.proxy.noProxy | default .Values.global.proxy.noProxy }} {{- end }} volumeMounts: + {{- /* Slim = true, Autopilot = false */}} + {{- if not (include "agent.gke.autopilot" .) }} - mountPath: /etc/modprobe.d name: modprobe-d readOnly: true - mountPath: /host/boot name: boot-vol readOnly: true + - mountPath: /host/etc + name: etc-vol + readOnly: true - mountPath: /host/lib/modules name: modules-vol readOnly: true - mountPath: /host/usr name: usr-vol readOnly: true - {{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)}} + {{- if (include "agent.ebpfEnabled" .) }} - mountPath: /root/.sysdig name: bpf-probes - mountPath: /sys/kernel/debug name: sys-tracing readOnly: true {{- end }} - {{- if include "agent.gke.autopilot" . }} + {{- end }} + + {{- /* Slim = true, Autopilot = true */}} + {{- if (include "agent.gke.autopilot" .) }} + - mountPath: /host/boot + name: boot-vol + readOnly: true - mountPath: /host/etc/os-release name: osrel readOnly: true - {{- else }} - - mountPath: /host/etc - name: etc-vol - readOnly: true - {{- end }} + - mountPath: /root/.sysdig + name: bpf-probes + {{- end }} {{- end }} containers: - name: sysdig image: {{ template "agent.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} resources: -{{ include "agent.resources" . | indent 12 }} + {{- include "agent.resources" . | nindent 12 }} securityContext: - capabilities: - drop: - - ALL privileged: true runAsNonRoot: false runAsUser: 0 @@ -161,7 +164,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - {{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)}} + {{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)}} - name: SYSDIG_BPF_PROBE value: {{- end }} 
@@ -182,35 +185,37 @@ spec: value: {{ .Values.timezone }} {{- end }} {{- range $key, $value := .Values.daemonset.env }} - - name: "{{ $key }}" - value: "{{ $value }}" + - name: {{ $key | quote }} + value: {{ $value | quote }} {{- end }} readinessProbe: exec: command: [ "test", "-e", "/opt/draios/logs/running" ] initialDelaySeconds: {{ .Values.daemonset.probes.initialDelay }} volumeMounts: - {{- if not .Values.slim.enabled }} + {{- /* Always requested */}} + - mountPath: /host/dev + name: dev-vol + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /dev/shm + name: dshm + - mountPath: /opt/draios/etc/kubernetes/config + name: sysdig-agent-config + - mountPath: /opt/draios/etc/kubernetes/secrets + name: sysdig-agent-secrets + - mountPath: /etc/podinfo + name: podinfo + + {{- /* Slim = false, Autopilot = false */}} + {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} - mountPath: /etc/modprobe.d name: modprobe-d readOnly: true - {{- end }} - {{- if include "agent.gke.autopilot" . }} - - mountPath: /host/etc/os-release - name: osrel - readOnly: true - {{- else }} - mountPath: /host/etc name: etc-vol readOnly: true - {{- end }} - - mountPath: /host/dev - name: dev-vol - readOnly: false - - mountPath: /host/proc - name: proc-vol - readOnly: true - {{- if not .Values.slim.enabled }} - mountPath: /host/boot name: boot-vol readOnly: true 
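Review bot: The `/host/dev` entry in the new "Always requested" list loses its explicit `readOnly: false`; the default is the same, so nothing changes at runtime, but every other host mount in this list spells out `readOnly`, and a writable mount of the node's device tree is the one that most deserves to be visibly intentional. Keep `readOnly: false` on `dev-vol`, or add a template comment stating why the agent needs write access there.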
@@ -220,56 +225,151 @@ spec: - mountPath: /host/usr name: usr-vol readOnly: true - {{- end }} + - mountPath: /host/var/lib + name: varlib-vol - mountPath: /host/run name: run-vol - mountPath: /host/var/run name: varrun-vol - {{- if not (include "agent.gke.autopilot" .) }} + {{- if (include "agent.ebpfEnabled" .) }} + - mountPath: /root/.sysdig + name: bpf-probes + - mountPath: /sys/kernel/debug + name: sys-tracing + readOnly: true + {{- end }} + {{- end }} + + {{- /* Slim = true, Autopilot = false */}} + {{- if and (.Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - mountPath: /host/etc + name: etc-vol + readOnly: true - mountPath: /host/var/lib name: varlib-vol - {{- end }} - - mountPath: /dev/shm - name: dshm - - mountPath: /opt/draios/etc/kubernetes/config - name: sysdig-agent-config - - mountPath: /opt/draios/etc/kubernetes/secrets - name: sysdig-agent-secrets - {{- if (and (or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)) .Values.slim.enabled) }} + - mountPath: /host/run + name: run-vol + - mountPath: /host/var/run + name: varrun-vol + {{- if (include "agent.ebpfEnabled" .) }} - mountPath: /root/.sysdig name: bpf-probes - mountPath: /sys/kernel/debug name: sys-tracing readOnly: true {{- end }} - {{- if .Values.extraVolumes.mounts }} -{{ toYaml .Values.extraVolumes.mounts | indent 12 }} - {{- end }} - - mountPath: /etc/podinfo - name: podinfo + {{- end }} + + {{- /* Slim = false, Autopilot = true */}} + {{- if and (not .Values.slim.enabled) (include "agent.gke.autopilot" .) 
}} + - mountPath: /host/etc/os-release + name: osrel + readOnly: true + - mountPath: /host/boot + name: boot-vol + readOnly: true + - mountPath: /host/lib/modules + name: modules-vol + readOnly: true + - mountPath: /host/usr + name: usr-vol + readOnly: true + - mountPath: /host/run + name: run-vol + - mountPath: /host/var/run + name: varrun-vol + {{- end }} + + {{- /* Slim = true, Autopilot = true */}} + {{- if and (.Values.slim.enabled) (include "agent.gke.autopilot" .) }} + - mountPath: /host/etc/os-release + name: osrel + readOnly: true + - mountPath: /host/var/run/containerd/containerd.sock + name: containerdsock-vol + - mountPath: /root/.sysdig + name: bpf-probes + {{- end }} + + {{- if .Values.extraVolumes.mounts }} + {{ toYaml .Values.extraVolumes.mounts | nindent 12 }} + {{- end }} + volumes: - - name: modprobe-d + {{- /* Always requested */}} + - name: dev-vol hostPath: - path: /etc/modprobe.d + path: /dev + - name: proc-vol + hostPath: + path: /proc - name: dshm emptyDir: medium: Memory - {{- if include "agent.gke.autopilot" . }} - - name: osrel + - name: sysdig-agent-config + configMap: + name: {{ include "agent.configmapName" . }} + optional: true + - name: sysdig-agent-secrets + secret: + {{- if not ( include "agent.accessKeySecret" . ) }} + secretName: {{ template "agent.fullname" . }} + {{- else }} + secretName: {{ include "agent.accessKeySecret" . 
}} + {{- end }} + - name: podinfo + downwardAPI: + defaultMode: 420 + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - fieldRef: + apiVersion: v1 + fieldPath: metadata.name + path: name + + {{- /* Slim = false, Autopilot = false */}} + {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - name: modprobe-d hostPath: - path: /etc/os-release - type: FileOrCreate - {{- else }} + path: /etc/modprobe.d - name: etc-vol hostPath: path: /etc - {{- end }} - - name: dev-vol + - name: boot-vol hostPath: - path: /dev - - name: proc-vol + path: /boot + - name: modules-vol hostPath: - path: /proc + path: /lib/modules + - name: usr-vol + hostPath: + path: /usr + - name: varlib-vol + hostPath: + path: /var/lib + - name: run-vol + hostPath: + path: /run + - name: varrun-vol + hostPath: + path: /var/run + {{- if (include "agent.ebpfEnabled" .) }} + - name: bpf-probes + emptyDir: {} + - name: sys-tracing + hostPath: + path: /sys/kernel/debug + {{- end }} + {{- end }} + + {{- /* Slim = true, Autopilot = false */}} + {{- if and (.Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - name: modprobe-d + hostPath: + path: /etc/modprobe.d - name: boot-vol hostPath: path: /boot 
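Review bot: The `/host/var/run/containerd/containerd.sock` mount added in the Slim=true/Autopilot=true branch is the only new host path in this commit and, unlike the other host mounts in the same list, carries no `readOnly: true`. Connecting to a Unix socket does not require a writable mount, so `readOnly: true` should be safe and makes the intent explicit; if the slim Autopilot image genuinely needs more than connect access, a template comment above the entry should say so, because runtime-socket access is node-admin equivalent and will draw attention in any review. The same mount in deployment.yaml (hunk @@ -135,9 +116,93) has the same gap.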
@@ -285,44 +385,61 @@ spec: - name: varrun-vol hostPath: path: /var/run - {{- if not (include "agent.gke.autopilot" .) }} + - name: etc-vol + hostPath: + path: /etc - name: varlib-vol hostPath: path: /var/lib - {{- end }} - {{- if (and (or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)) .Values.slim.enabled) }} + {{- if (include "agent.ebpfEnabled" .) }} - name: bpf-probes emptyDir: {} - name: sys-tracing hostPath: path: /sys/kernel/debug {{- end }} - - name: sysdig-agent-config - configMap: - name: {{ include "agent.configmapName" . }} - optional: true - - name: sysdig-agent-secrets - secret: - {{- if not ( include "agent.accessKeySecret" . ) }} - secretName: {{ template "agent.fullname" . }} - {{- else }} - secretName: {{ include "agent.accessKeySecret" . }} - {{- end -}} - {{- if .Values.extraVolumes.volumes }} -{{ toYaml .Values.extraVolumes.volumes | indent 8 }} - {{- end }} - - name: podinfo - downwardAPI: - defaultMode: 420 - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - path: name + {{- end }} + + {{- /* Slim = false, Autopilot = true */}} + {{- if and (not .Values.slim.enabled) (include "agent.gke.autopilot" .) }} + - name: osrel + hostPath: + path: /etc/os-release + - name: boot-vol + hostPath: + path: /boot + - name: modules-vol + hostPath: + path: /lib/modules + - name: usr-vol + hostPath: + path: /usr + - name: run-vol + hostPath: + path: /run + - name: varrun-vol + hostPath: + path: /var/run + {{- end }} + + {{- /* Slim = true, Autopilot = true */}} + {{- if and (.Values.slim.enabled) (include "agent.gke.autopilot" .) 
}} + - name: boot-vol + hostPath: + path: /boot + - name: osrel + hostPath: + path: /etc/os-release + - name: bpf-probes + emptyDir: {} + - name: containerdsock-vol + hostPath: + path: /var/run/containerd/containerd.sock + {{- end }} + + {{- if .Values.extraVolumes.volumes }} + {{ toYaml .Values.extraVolumes.volumes | nindent 8 }} + {{- end }} updateStrategy: type: {{ .Values.daemonset.updateStrategy.type }} rollingUpdate: diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml index 492098a6f..bf2aaf796 100644 --- a/charts/agent/templates/deployment.yaml +++ b/charts/agent/templates/deployment.yaml @@ -5,8 +5,8 @@ metadata: name: {{ template "agent.fullname" . }} namespace: {{ include "agent.namespace" . }} labels: -{{ include "agent.labels" . | indent 4 }} -{{ include "agent.deploymentLabels" . | indent 4 }} + {{- include "agent.labels" . | nindent 4 }} + {{- include "agent.deploymentLabels" . | nindent 4 }} spec: progressDeadlineSeconds: {{ .Values.delegatedAgentDeployment.deployment.progressDeadlineSeconds }} replicas: {{ .Values.delegatedAgentDeployment.deployment.replicas}} @@ -19,10 +19,10 @@ spec: {{ toYaml .Values.delegatedAgentDeployment.deployment.updateStrategy | indent 4 }} template: metadata: - labels: -{{ include "agent.labels" . | indent 8 }} -{{ include "agent.deploymentLabels" . | indent 8 }} name: {{ include "agent.fullname" . }} + labels: + {{- include "agent.labels" . | nindent 8 }} + {{- include "agent.deploymentLabels" . | nindent 8 }} spec: {{- if .Values.delegatedAgentDeployment.deployment.nodeSelector }} nodeSelector: @@ -30,7 +30,7 @@ spec: {{- end }} affinity: {{- if .Values.delegatedAgentDeployment.deployment.affinity }} -{{ toYaml .Values.delegatedAgentDeployment.deployment.affinity | nindent 8 }} + {{ toYaml .Values.delegatedAgentDeployment.deployment.affinity | nindent 8 }} {{- else }} nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: 
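Review bot: The re-added `osrel` volumes in both Autopilot branches drop the `type: FileOrCreate` that the removed definition in the previous hunk carried, and the new `containerdsock-vol` has no `type` at all, so the kubelet performs no check on what is at either path before mounting. Restore `type: FileOrCreate` (or `type: File`) under `path: /etc/os-release` and add `type: Socket` under `path: /var/run/containerd/containerd.sock` so a node missing the file or socket fails the mount visibly instead of the agent starting against whatever happens to be there. deployment.yaml's volumes hunk (@@ -145,79 +210,135) has both omissions too.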
@@ -61,11 +61,8 @@ spec: image: {{ template "agent.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} resources: -{{ toYaml .Values.delegatedAgentDeployment.deployment.resources | indent 12 }} + {{ toYaml .Values.delegatedAgentDeployment.deployment.resources | nindent 12 }} securityContext: - capabilities: - drop: - - ALL privileged: true runAsNonRoot: false runAsUser: 0 @@ -83,8 +80,8 @@ spec: value: {{ .Values.timezone }} {{- end }} {{- range $key, $value := .Values.delegatedAgentDeployment.deployment.env }} - - name: "{{ $key }}" - value: "{{ $value }}" + - name: {{ $key | quote }} + value: {{ $value | quote }} {{- end }} {{- if (.Values.proxy.httpProxy | default .Values.global.proxy.httpProxy) }} - name: http_proxy @@ -105,28 +102,12 @@ spec: terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - {{- if include "agent.gke.autopilot" . }} - - mountPath: /host/etc/os-release - name: osrel - readOnly: true - {{- else }} - - mountPath: /host/etc - name: etc-vol - readOnly: true - {{- end }} + {{- /* Always requested */}} - mountPath: /host/dev name: dev-vol - mountPath: /host/proc name: proc-vol readOnly: true - - mountPath: /host/run - name: run-vol - - mountPath: /host/var/run - name: varrun-vol - {{- if not (include "agent.gke.autopilot" .) }} - - mountPath: /host/var/lib - name: varlib-vol - {{- end}} - mountPath: /dev/shm name: dshm - mountPath: /opt/draios/etc/kubernetes/config 
@@ -135,9 +116,93 @@ spec: name: sysdig-agent-secrets - mountPath: /etc/podinfo name: podinfo - {{- if .Values.extraVolumes.mounts }} -{{ toYaml .Values.extraVolumes.mounts | indent 12 }} + + {{- /* Slim = false, Autopilot = false */}} + {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - mountPath: /etc/modprobe.d + name: modprobe-d + readOnly: true + - mountPath: /host/etc + name: etc-vol + readOnly: true + - mountPath: /host/boot + name: boot-vol + readOnly: true + - mountPath: /host/lib/modules + name: modules-vol + readOnly: true + - mountPath: /host/usr + name: usr-vol + readOnly: true + - mountPath: /host/var/lib + name: varlib-vol + - mountPath: /host/run + name: run-vol + - mountPath: /host/var/run + name: varrun-vol + {{- if (include "agent.ebpfEnabled" .) }} + - mountPath: /root/.sysdig + name: bpf-probes + - mountPath: /sys/kernel/debug + name: sys-tracing + readOnly: true {{- end }} + {{- end }} + + {{- /* Slim = true, Autopilot = false */}} + {{- if and (.Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - mountPath: /host/etc + name: etc-vol + readOnly: true + - mountPath: /host/var/lib + name: varlib-vol + - mountPath: /host/run + name: run-vol + - mountPath: /host/var/run + name: varrun-vol + - mountPath: /root/.sysdig + {{- if (include "agent.ebpfEnabled" .) }} + name: bpf-probes + - mountPath: /sys/kernel/debug + name: sys-tracing + readOnly: true + {{- end }} + {{- end }} + + {{- /* Slim = false, Autopilot = true */}} + {{- if and (not .Values.slim.enabled) (include "agent.gke.autopilot" .) 
}} + - mountPath: /host/etc/os-release + name: osrel + readOnly: true + - mountPath: /host/boot + name: boot-vol + readOnly: true + - mountPath: /host/lib/modules + name: modules-vol + readOnly: true + - mountPath: /host/usr + name: usr-vol + readOnly: true + - mountPath: /host/run + name: run-vol + - mountPath: /host/var/run + name: varrun-vol + {{- end }} + + {{- /* Slim = true, Autopilot = true */}} + {{- if and (.Values.slim.enabled) (include "agent.gke.autopilot" .) }} + - mountPath: /host/etc/os-release + name: osrel + readOnly: true + - mountPath: /host/var/run/containerd/containerd.sock + name: containerdsock-vol + - mountPath: /root/.sysdig + name: bpf-probes + {{- end }} + + {{- if .Values.extraVolumes.mounts }} + {{ toYaml .Values.extraVolumes.mounts | nindent 12 }} + {{- end }} hostPID: true schedulerName: default-scheduler dnsPolicy: ClusterFirstWithHostNet 
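Review bot: In the Slim=true/Autopilot=false volumeMounts branch the `{{- if (include "agent.ebpfEnabled" .) }}` guard sits between `- mountPath: /root/.sysdig` and its `name: bpf-probes`, so with eBPF disabled the template emits a mount entry with a path but no volume name, which the API server rejects. Move the guard one line up so the whole entry is conditional, matching the daemonset.yaml version of this branch: `{{- if (include "agent.ebpfEnabled" .) }}` / `- mountPath: /root/.sysdig` / `name: bpf-probes`. None of the test suites added in this commit list `templates/deployment.yaml`, which is presumably why it went unnoticed.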
@@ -145,79 +210,135 @@ spec: serviceAccountName: {{ template "agent.serviceAccountName" .}} terminationGracePeriodSeconds: 5 tolerations: -{{ toYaml .Values.tolerations | indent 8 }} + {{ toYaml .Values.tolerations | nindent 8 }} volumes: - - hostPath: - path: /etc/modprobe.d - type: "" - name: modprobe-d - - hostPath: - path: /etc/os-release - type: FileOrCreate - name: osrel - - emptyDir: - medium: Memory - name: dshm - - hostPath: - path: /etc - type: "" - name: etc-vol - - hostPath: + {{- /* Always requested */}} + - name: dev-vol + hostPath: path: /dev - type: "" - name: dev-vol - - hostPath: + - name: proc-vol + hostPath: path: /proc - type: "" - name: proc-vol - - hostPath: + - name: dshm + emptyDir: + medium: Memory + - name: sysdig-agent-config + configMap: + name: {{ printf "%s-deployment" (include "agent.configmapName" . ) | trunc 63 | trimSuffix "-" }} + optional: true + - name: sysdig-agent-secrets + secret: + {{- if not ( include "agent.accessKeySecret" . ) }} + secretName: {{ template "agent.fullname" . }} + {{- else }} + secretName: {{ include "agent.accessKeySecret" . 
}} + {{- end }} + - name: podinfo + downwardAPI: + defaultMode: 420 + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - fieldRef: + apiVersion: v1 + fieldPath: metadata.name + path: name + + {{- /* Slim = false, Autopilot = false */}} + {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - name: modprobe-d + hostPath: + path: /etc/modprobe.d + - name: etc-vol + hostPath: + path: /etc + - name: boot-vol + hostPath: path: /boot - type: "" - name: boot-vol - - hostPath: + - name: modules-vol + hostPath: path: /lib/modules - type: "" - name: modules-vol - - hostPath: + - name: usr-vol + hostPath: path: /usr - type: "" - name: usr-vol - - hostPath: + - name: varlib-vol + hostPath: + path: /var/lib + - name: run-vol + hostPath: path: /run - type: "" - name: run-vol - - hostPath: + - name: varrun-vol + hostPath: path: /var/run - type: "" - name: varrun-vol - {{- if not (include "agent.gke.autopilot" .) }} - - hostPath: - path: /var/lib - type: "" - name: varlib-vol + {{- if (include "agent.ebpfEnabled" .) }} + - name: bpf-probes + emptyDir: {} + - name: sys-tracing + hostPath: + path: /sys/kernel/debug {{- end }} - {{- if .Values.extraVolumes.volumes }} -{{ toYaml .Values.extraVolumes.volumes | indent 8 }} + {{- end }} + + {{- /* Slim = true, Autopilot = false */}} + {{- if and (.Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} + - name: etc-vol + hostPath: + path: /etc + - name: varlib-vol + hostPath: + path: /var/lib + - name: run-vol + hostPath: + path: /run + - name: varrun-vol + hostPath: + path: /var/run + {{- if (include "agent.ebpfEnabled" .) }} + - name: bpf-probes + emptyDir: {} + - name: sys-tracing + hostPath: + path: /sys/kernel/debug {{- end }} - - configMap: - defaultMode: 420 - name: {{ printf "%s-deployment" (include "agent.configmapName" . 
) | trunc 63 | trimSuffix "-" }} - optional: true - name: sysdig-agent-config - - name: sysdig-agent-secrets - secret: - defaultMode: 420 - secretName: sysdig-agent - - downwardAPI: - defaultMode: 420 - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - path: name - name: podinfo + {{- end }} + + {{- /* Slim = false, Autopilot = true */}} + {{- if and (not .Values.slim.enabled) (include "agent.gke.autopilot" .) }} + - name: osrel + hostPath: + path: /etc/os-release + - name: boot-vol + hostPath: + path: /boot + - name: modules-vol + hostPath: + path: /lib/modules + - name: usr-vol + hostPath: + path: /usr + - name: run-vol + hostPath: + path: /run + - name: varrun-vol + hostPath: + path: /var/run + {{- end }} + + {{- /* Slim = true, Autopilot = true */}} + {{- if and (.Values.slim.enabled) (include "agent.gke.autopilot" .) }} + - name: osrel + hostPath: + path: /etc/os-release + - name: containerdsock-vol + hostPath: + path: /var/run/containerd/containerd.sock + - name: bpf-probes + emptyDir: {} + {{- end }} + + {{- if .Values.extraVolumes.volumes }} + {{ toYaml .Values.extraVolumes.volumes | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/agent/templates/gkeautopilotpriorityclass.yaml b/charts/agent/templates/gkeautopilotpriorityclass.yaml new file mode 100644 index 000000000..f2fdbce77 --- /dev/null +++ b/charts/agent/templates/gkeautopilotpriorityclass.yaml @@ -0,0 +1,13 @@ +{{- if and (include "agent.gke.autopilot" .) .Values.gke.createPriorityClass }} +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: +{{- if and .Values.gke.createPriorityClass (not .Values.priorityClassName) }} + {{ $_ := set .Values "priorityClassName" "sysdig-daemonset-priority" }} +{{- end }} + name: {{ .Values.priorityClassName }} +value: 10 +preemptionPolicy: PreemptLowerPriority +globalDefault: false +description: "Sysdig DaemonSet priority" +{{- end }} 
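Review bot: `{{ $_ := set .Values "priorityClassName" "sysdig-daemonset-priority" }}` mutates the shared `.Values` so that daemonset.yaml picks the name up, which only works if this template is rendered before daemonset.yaml; Helm's ordering is an implementation detail and test tooling may render the listed templates in a different order, so the coupling is fragile and invisible from either file. Resolve the name in a helper instead, e.g. an `agent.priorityClassName` define in _helpers.tpl returning `.Values.priorityClassName` when set and `sysdig-daemonset-priority` when Autopilot and `gke.createPriorityClass` are on, then use `name: {{ include "agent.priorityClassName" . }}` here and in the DaemonSet. The README row added in this commit documents the flag as `gke.autopilot.createPriorityClass`, while this template, NOTES.txt and the tests read `gke.createPriorityClass`; the README needs the same key.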
diff --git a/charts/agent/tests/conditional_flag_test.yaml b/charts/agent/tests/conditional_flag_test.yaml index b09f981dd..351792657 100644 --- a/charts/agent/tests/conditional_flag_test.yaml +++ b/charts/agent/tests/conditional_flag_test.yaml @@ -11,19 +11,13 @@ tests: - equal: path: spec.template.metadata.annotations['autopilot.gke.io/no-connect'] value: "true" - - equal: + - isNull: path: spec.template.spec.affinity - value: null - - contains: - path: spec.template.spec.initContainers[0].env - content: - name: SYSDIG_BPF_PROBE - value: null - - contains: - path: spec.template.spec.initContainers[0].volumeMounts - content: - mountPath: /root/.sysdig - name: bpf-probes + - isNull: + path: spec.template.spec.initContainers[0].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.initContainers[*].volumeMounts[?(@.name == "bpf-probes")].mountPath + value: /root/.sysdig - it: Checking slim enabled set: @@ -35,5 +29,5 @@ tests: repository: testing/agent-slim asserts: - equal: - path: spec.template.spec.containers[0].image + path: spec.template.spec.containers[*].image value: quay.io/sysdig/agent-slim:12.9.0 diff --git a/charts/agent/tests/gke_autopilot_volumes_test.yaml b/charts/agent/tests/gke_autopilot_volumes_test.yaml new file mode 100644 index 000000000..052017971 --- /dev/null +++ b/charts/agent/tests/gke_autopilot_volumes_test.yaml 
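Review bot: `isNull` on `spec.template.spec.initContainers[0].env[?(@.name == "SYSDIG_BPF_PROBE")].value` also passes when no `SYSDIG_BPF_PROBE` entry exists, because the filter then selects nothing, whereas the replaced `contains` assertion required the entry to be present. Pair it with an assertion that the entry exists, e.g. `- isNotNull:` / `path: spec.template.spec.initContainers[0].env[?(@.name == "SYSDIG_BPF_PROBE")]`, so the test still detects the variable being dropped.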
@@ -0,0 +1,123 @@ +suite: Host volumes are available for agent +templates: + - templates/daemonset.yaml +tests: + - it: Ensure only the right volumes are mounted when running on GKE Autopilot, the agent is slim mode without eBPF + set: + gke: + autopilot: true + slim: + enabled: false + ebpf: + enabled: false + asserts: + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/dev")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/proc")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/etc/os-release")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/boot")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/lib/modules")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/usr")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/run")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/var/run")] + # This seems not work as expected, need deeper investigation + # - lengthEqual: + # path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/)] + # count: 8 + # We are going to use this "workaround" until we found a proper solution + - isNull: + path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/ && @.hostPath.path != "/dev" && @.hostPath.path != "/proc" && @.hostPath.path != "/etc/os-release" && @.hostPath.path != "/boot" && @.hostPath.path != "/lib/modules" && @.hostPath.path != "/usr" && @.hostPath.path != "/run" && @.hostPath.path != "/var/run")] + + - it: Ensure only the right volumes are mounted when running on GKE Autopilot, the agent is slim mode without eBPF + set: + gke: + autopilot: true + slim: + enabled: true + ebpf: + enabled: false + asserts: + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/dev")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/proc")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path 
== "/etc/os-release")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/boot")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/var/run/containerd/containerd.sock")] + # This seems not work as expected, need deeper investigation + # - lengthEqual: + # path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/)] + # count: 5 + # We are going to use this "workaround" until we found a proper solution + - isNull: + path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/ && @.hostPath.path != "/dev" && @.hostPath.path != "/proc" && @.hostPath.path != "/etc/os-release" && @.hostPath.path != "/boot" && @.hostPath.path != "/var/run/containerd/containerd.sock")] + + - it: Ensure only the right volumes are mounted when running on GKE Autopilot, the agent is slim mode with eBPF + set: + gke: + autopilot: true + slim: + enabled: false + ebpf: + enabled: true + asserts: + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/dev")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/proc")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/etc/os-release")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/boot")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/lib/modules")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/usr")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/run")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/var/run")] + # This seems not work as expected, need deeper investigation + # - lengthEqual: + # path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/)] + # count: 8 + # We are going to use this "workaround" until we found a proper solution + - isNull: + path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/ && @.hostPath.path != "/dev" && @.hostPath.path != "/proc" && @.hostPath.path != 
"/etc/os-release" && @.hostPath.path != "/boot" && @.hostPath.path != "/lib/modules" && @.hostPath.path != "/usr" && @.hostPath.path != "/run" && @.hostPath.path != "/var/run")] + + - it: Ensure only the right volumes are mounted when running on GKE Autopilot, the agent is slim mode with eBPF + set: + gke: + autopilot: true + slim: + enabled: true + ebpf: + enabled: true + asserts: + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/dev")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/proc")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/etc/os-release")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/boot")] + - isNotNull: + path: spec.template.spec.volumes[?(@.hostPath.path == "/var/run/containerd/containerd.sock")] + # This seems not work as expected, need deeper investigation + # - lengthEqual: + # path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/)] + # count: 5 + # We are going to use this "workaround" until we found a proper solution + - isNull: + path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/ && @.hostPath.path != "/dev" && @.hostPath.path != "/proc" && @.hostPath.path != "/etc/os-release" && @.hostPath.path != "/boot" && @.hostPath.path != "/var/run/containerd/containerd.sock")] diff --git a/charts/agent/tests/gke_test.yaml b/charts/agent/tests/gke_test.yaml new file mode 100644 index 000000000..c33e85642 --- /dev/null +++ b/charts/agent/tests/gke_test.yaml 
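Review bot: The four `it:` descriptions in the new suite are pairwise identical ("slim mode without eBPF" twice, "slim mode with eBPF" twice) although each pair differs in `slim.enabled`, so a failure report will not say which configuration broke; name them by both axes, e.g. `- it: Ensure only the right volumes are mounted on GKE Autopilot with slim disabled and eBPF disabled`. The suite only lists `templates/daemonset.yaml`, while deployment.yaml received the same four-branch restructure in this commit; adding it to `templates:` (with the expected volumes adjusted) would cover the second copy of the logic. The commented-out `lengthEqual` workaround should reference an issue or say what "not work as expected" means, otherwise the next reader has to re-investigate.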
@@ -0,0 +1,92 @@
+suite: Test GKE Specific config settings
+templates:
+ - templates/daemonset.yaml
+ - templates/gkeautopilotpriorityclass.yaml
+tests:
+ - it: Enable GKE Autopilot
+ set:
+ gke:
+ autopilot: true
+ createPriorityClass: true
+ slim:
+ enabled: false
+ asserts:
+ - containsDocument:
+ kind: DaemonSet
+ apiVersion: apps/v1
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: SYSDIG_BPF_PROBE
+ value:
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.ephemeral-storage
+ value: 500Mi
+ template: templates/daemonset.yaml
+
+ - it: Set custom value for ephemeral storage
+ set:
+ gke:
+ autopilot: true
+ createPriorityClass: true
+ ephemeralStorage: 256Mi
+ slim:
+ enabled: false
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.ephemeral-storage
+ value: 256Mi
+ template: templates/daemonset.yaml
+
+ - it: Check limits are correctly set
+ set:
+ gke:
+ autopilot: true
+ createPriorityClass: true
+ slim:
+ enabled: false
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits
+ value:
+ cpu: 1000m
+ memory: 1024Mi
+ template: templates/daemonset.yaml
+
+ - it: Check PriorityClass
+ set:
+ gke:
+ autopilot: true
+ createPriorityClass: true
+ slim:
+ enabled: false
+ asserts:
+ - containsDocument:
+ apiVersion: scheduling.k8s.io/v1
+ kind: PriorityClass
+ name: sysdig-daemonset-priority
+ - equal:
+ path: value
+ value: 10
+ - equal:
+ path: preemptionPolicy
+ value: PreemptLowerPriority
+ - equal:
+ path: globalDefault
+ value: false
+ template: templates/gkeautopilotpriorityclass.yaml
+
+ - it: Check PriorityClass name override
+ set:
+ gke:
+ autopilot: true
+ createPriorityClass: true
+ priorityClassName: my-priority-class
+ slim:
+ enabled: false
+ asserts:
+ - containsDocument:
+ apiVersion: scheduling.k8s.io/v1
+ kind: PriorityClass
+ name: my-priority-class
+ template: templates/gkeautopilotpriorityclass.yaml
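Review bot: None of the five cases asserts that the DaemonSet actually references the PriorityClass being created, so a regression that drops the pod-spec `priorityClassName` would leave `Check PriorityClass` and `Check PriorityClass name override` green while the class goes unused on Autopilot. Adding to `Check PriorityClass` an assertion such as `- equal: {path: spec.template.spec.priorityClassName, value: sysdig-daemonset-priority}` with `template: templates/daemonset.yaml`, and the `my-priority-class` counterpart in the override case, closes that gap; templates/daemonset.yaml is not in this diff, so the exact field the template renders should be confirmed first. The `globalDefault: false` assertion is worth keeping pinned, since a global-default class with `PreemptLowerPriority` would be applied to every pod in the cluster that omits a priority class.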
diff --git a/charts/agent/tests/notes_test.yaml b/charts/agent/tests/notes_test.yaml
index 46c4551e3..d2bccbfe4 100644
--- a/charts/agent/tests/notes_test.yaml
+++ b/charts/agent/tests/notes_test.yaml
@@ -99,3 +99,41 @@ tests:
 pattern: |-
 The "drift_killer" feature in agent is not supported when running on GKE Autopilot.
 template: templates/NOTES.txt
+
+ - it: Test warning printed for GKE Autopilot environments without PriorityClass creation or existing name specified
+ set:
+ gke:
+ autopilot: true
+ slim:
+ enabled: false
+ asserts:
+ - matchRegexRaw:
+ pattern: |-
+ A PriorityClass is recommended for GKE Autopilot environments. Please set gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the priorityClassName parameter.
+ template: templates/NOTES.txt
+
+ - it: Test warning not printed for GKE Autopilot environments when PriorityClass creation specified
+ set:
+ gke:
+ autopilot: true
+ createPriorityClass: true
+ slim:
+ enabled: false
+ asserts:
+ - notMatchRegexRaw:
+ pattern: |-
+ A PriorityClass is recommended for GKE Autopilot environments. Please set gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the priorityClassName parameter.
+ template: templates/NOTES.txt
+
+ - it: Test warning not printed for GKE Autopilot environments when priorityClassName is specified
+ set:
+ gke:
+ autopilot: true
+ priorityClassName: my-pc-name
+ slim:
+ enabled: false
+ asserts:
+ - notMatchRegexRaw:
+ pattern: |-
+ A PriorityClass is recommended for GKE Autopilot environments. Please set gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the priorityClassName parameter.
+ template: templates/NOTES.txt
diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml
index b289ab50e..9dbde5bfb 100644
--- a/charts/agent/values.yaml
+++ b/charts/agent/values.yaml
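Review bot: The two `notMatchRegexRaw` cases repeat the full two-sentence NOTES message as a regex, so if that copy ever drifts from NOTES.txt the negative assertions pass vacuously, and only the single `matchRegexRaw` case above them can catch the drift; the sysdig-deploy notes_test hunk later in this diff has the same shape. Defining the message once, `pattern: &pc_warning |-` on the first case and `pattern: *pc_warning` on the other two, or matching a shorter stable fragment such as `A PriorityClass is recommended for GKE Autopilot environments`, keeps all three cases tied to one string; YAML anchors should be resolved by the parser before helm-unittest sees the file, but that is worth a quick check. The unescaped dots in `gke.createPriorityClass` and the sentence-ending `.` are regex wildcards here, which is harmless but is another reason to prefer one shared definition.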
@@ -7,6 +7,7 @@ global: gke: # true here enables the deployment on gke autopilot clusters autopilot: false + ephemeralStorage: "500Mi" namespace: "" @@ -74,6 +75,8 @@ resourceProfile: small gke: # true here enables the deployment on gke autopilot clusters autopilot: false + createPriorityClass: false + ephemeralStorage: "500Mi" rbac: # true here enables creation of rbac resources diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index 613b15c7a..1ca599422 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.7.9 +version: 1.8.0 maintainers: - name: aroberts87 email: adam.roberts@sysdig.com @@ -20,7 +20,7 @@ dependencies: - name: agent # repository: https://charts.sysdig.com repository: file://../agent - version: ~1.7.5 + version: ~1.8.0 alias: agent condition: agent.enabled - name: node-analyzer diff --git a/charts/sysdig-deploy/templates/NOTES.txt b/charts/sysdig-deploy/templates/NOTES.txt index 70478a14a..5a8bdb16e 100644 --- a/charts/sysdig-deploy/templates/NOTES.txt +++ b/charts/sysdig-deploy/templates/NOTES.txt @@ -22,6 +22,11 @@ The "drift_killer" feature in agent is not supported when running on GKE Autopil {{- end }} {{- end }} + {{- if and (or .Values.agent.gke.autopilot .Values.global.gke.autopilot) (not .Values.agent.gke.createPriorityClass) (not .Values.agent.priorityClassName) }} + +A PriorityClass is recommended for GKE Autopilot environments. Please set agent.gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the agent.priorityClassName parameter. + {{- end }} + {{- $agentSecureFeatProvided := false }} {{- if hasKey .Values.agent.sysdig.settings "feature" }} {{- if hasKey .Values.agent.sysdig.settings.feature "mode" }} 
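Review bot: `createPriorityClass` is added only under the chart-level `gke` block, while `global.gke` gains `ephemeralStorage` but no `createPriorityClass`, so the two GKE blocks no longer mirror each other; the sysdig-deploy NOTES.txt hunk in this same diff honours `.Values.global.gke.autopilot` in its warning condition but can only be silenced through `agent.gke.createPriorityClass` or `agent.priorityClassName`. Either add `createPriorityClass: false` under `global.gke` and include it in that condition, or keep the asymmetry deliberately and say so in a comment. The two new keys also lack the explanatory comment their neighbour `autopilot` has; `# ephemeral storage requested for the agent container on GKE Autopilot clusters` and `# true here creates the PriorityClass used by the agent DaemonSet (name taken from priorityClassName)` would match the existing style. The templates that consume `global.gke.ephemeralStorage` are not in this diff, so the global entry may be intentionally narrower than the agent one.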
diff --git a/charts/sysdig-deploy/tests/notes_test.yaml b/charts/sysdig-deploy/tests/notes_test.yaml
index eb0956b1e..44e911d1f 100644
--- a/charts/sysdig-deploy/tests/notes_test.yaml
+++ b/charts/sysdig-deploy/tests/notes_test.yaml
@@ -171,3 +171,41 @@ tests:
 - notMatchRegexRaw:
 pattern: |-
 The "drift_killer" feature in agent is not supported when running on GKE Autopilot.
+
+ - it: Test warning printed for GKE Autopilot environments without PriorityClass creation or existing name specified
+ set:
+ agent:
+ gke:
+ autopilot: true
+ slim:
+ enabled: false
+ asserts:
+ - matchRegexRaw:
+ pattern: |-
+ A PriorityClass is recommended for GKE Autopilot environments. Please set agent.gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the agent.priorityClassName parameter.
+
+ - it: Test warning not printed for GKE Autopilot environments when PriorityClass creation specified
+ set:
+ agent:
+ gke:
+ autopilot: true
+ createPriorityClass: true
+ slim:
+ enabled: false
+ asserts:
+ - notMatchRegexRaw:
+ pattern: |-
+ A PriorityClass is recommended for GKE Autopilot environments. Please set agent.gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the agent.priorityClassName parameter.
+
+ - it: Test warning not printed for GKE Autopilot environments when priorityClassName is specified
+ set:
+ agent:
+ gke:
+ autopilot: true
+ priorityClassName: my-pc-name
+ slim:
+ enabled: false
+ asserts:
+ - notMatchRegexRaw:
+ pattern: |-
+ A PriorityClass is recommended for GKE Autopilot environments. Please set agent.gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the agent.priorityClassName parameter.