fix(agent): add POD_NAMESPACE to host shield when kspm-analyzer enabled

sysdiglabs · Aug 13, 2024 · acc686b · acc686b
1 parent da8f65f
commit acc686b
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 1 deletion.
diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
@@ -46,7 +46,7 @@ data:
   {{- $mergedSettings := mergeOverwrite $baseSettings (dict "http_proxy" (dict "ca_certificate" $caFilePath)) -}}
   {{ toYaml $mergedSettings | nindent 4 }}
 {{- else if (dig "kspm_analyzer" "enabled" false $baseSettings) }}
-  {{- $mergedSettings := mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent")) -}}
+  {{- $mergedSettings := mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent" "pod_namespace" .Release.Namespace)) -}}
   {{ toYaml $mergedSettings | nindent 4 }}
 {{- else if .Values.sysdig.settings }}
   {{ toYaml .Values.sysdig.settings | nindent 4 }}

diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
@@ -230,6 +230,13 @@ spec:
             - name: SSL_CERT_FILE
               value: /opt/draios/certificates/{{- include "sysdig.custom_ca.keyName"  (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
             {{- end }}
+            {{- if (dig "kspm_analyzer" "enabled" false .Values.sysdig.settings) }}
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- end }}
+          {{- if or (dig "prometheus_exporter" "enabled" false .Values.sysdig.settings) (dig "kspm_analyzer" "enabled" false .Values.sysdig.settings) }}
           ports:
           {{- if dig "prometheus_exporter" "enabled" false .Values.sysdig.settings }}
             - containerPort: {{ regexFind "[0-9]+$" (dig "prometheus_exporter" "listen_url" "0.0.0.0:9544" .Values.sysdig.settings) }}
@@ -239,6 +246,7 @@ spec:
             - containerPort: {{ dig "kspm_analyzer" "port" 12000 .Values.sysdig.settings }}
               name: kspm-analyzer
           {{- end }}
+          {{- end }}
           readinessProbe:
             {{- if eq (include "agent.enableHttpProbes" .) "true" }}
             httpGet:

diff --git a/charts/agent/tests/kspm_analyzer_test.yaml b/charts/agent/tests/kspm_analyzer_test.yaml
@@ -31,6 +31,7 @@ tests:
             kspm_analyzer:
               agent_app_name: agent
               enabled: true
+              pod_namespace: NAMESPACE
         template: templates/configmap.yaml
       - equal:
           path: spec.template.spec.containers[?(@.name == "sysdig")].ports[?(@.name == "kspm-analyzer")]
@@ -47,7 +48,33 @@ tests:
             kspm_analyzer:
               agent_app_name: agent
               enabled: true
+              pod_namespace: NAMESPACE
         template: templates/configmap.yaml
       - notExists:
           path: spec.template.spec.containers[?(@.name == "sysdig")].ports[?(@.name == "kspm-analyzer")]
         template: templates/daemonset.yaml
+
+  - it: Ensure POD_NAMESPACE env var set if kspm-analyzer is enabled
+    set:
+      sysdig:
+        settings:
+          kspm_analyzer:
+            enabled: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name == "sysdig")].env[?(@.name == "POD_NAMESPACE")]
+          value:
+            name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+    template: templates/daemonset.yaml
+
+  - it: Ensure POD_NAMESPACE env var not set if kspm-analyzer is disabled
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[?(@.name == "sysdig")].env
+          value:
+            name: POD_NAMESPACE
+            value: NAMESPACE
+    template: templates/daemonset.yaml