From acc686b9372c1cb504a986450a586b721c961cbc Mon Sep 17 00:00:00 2001
From: Adam Roberts
Date: Tue, 13 Aug 2024 11:25:26 -0400
Subject: [PATCH] fix(agent): add POD_NAMESPACE to host shield when kspm-analyzer enabled

---
 charts/agent/templates/configmap.yaml | 2 +-
 charts/agent/templates/daemonset.yaml | 8 +++++++
 charts/agent/tests/kspm_analyzer_test.yaml | 27 ++++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
index be9675011..10d16ad84 100644
--- a/charts/agent/templates/configmap.yaml
+++ b/charts/agent/templates/configmap.yaml
@@ -46,7 +46,7 @@ data:
     {{- $mergedSettings := mergeOverwrite $baseSettings (dict "http_proxy" (dict "ca_certificate" $caFilePath)) -}}
     {{ toYaml $mergedSettings | nindent 4 }}
     {{- else if (dig "kspm_analyzer" "enabled" false $baseSettings) }}
-    {{- $mergedSettings := mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent")) -}}
+    {{- $mergedSettings := mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent" "pod_namespace" .Release.Namespace)) -}}
     {{ toYaml $mergedSettings | nindent 4 }}
     {{- else if .Values.sysdig.settings }}
     {{ toYaml .Values.sysdig.settings | nindent 4 }}
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index ca3984858..5bb7a06fb 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
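Review bot: The new `pod_namespace` is only injected in the `else if` branch of this chain, so a release that also takes the preceding branch (the one merging `http_proxy.ca_certificate`; its `if` line is above the hunk) renders the configmap without `pod_namespace` even though `kspm_analyzer.enabled` is true. That gap already existed for `agent_app_name`, but the commit now adds a second field that depends on it, so it is worth closing here rather than extending: merge the kspm_analyzer dict independently of the CA branch, e.g. `{{- if (dig "kspm_analyzer" "enabled" false $baseSettings) }}{{- $baseSettings = mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent" "pod_namespace" .Release.Namespace)) }}{{- end }}` placed before the existing chain. Separately, this value is `.Release.Namespace` while the daemonset's `POD_NAMESPACE` reads `metadata.namespace` through the downward API; the two agree under `helm install`, but can diverge when the chart is rendered with `helm template` and applied to a different namespace, so a short comment stating which source the analyzer treats as authoritative would help the next reader. The surrounding `if`/`end` chain starts and ends outside the hunk.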
@@ -230,6 +230,13 @@ spec:
             - name: SSL_CERT_FILE
               value: /opt/draios/certificates/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
           {{- end }}
+          {{- if (dig "kspm_analyzer" "enabled" false .Values.sysdig.settings) }}
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          {{- end }}
+          {{- if or (dig "prometheus_exporter" "enabled" false .Values.sysdig.settings) (dig "kspm_analyzer" "enabled" false .Values.sysdig.settings) }}
           ports:
           {{- if dig "prometheus_exporter" "enabled" false .Values.sysdig.settings }}
             - containerPort: {{ regexFind "[0-9]+$" (dig "prometheus_exporter" "listen_url" "0.0.0.0:9544" .Values.sysdig.settings) }}
@@ -239,6 +246,7 @@ spec:
             - containerPort: {{ dig "kspm_analyzer" "port" 12000 .Values.sysdig.settings }}
               name: kspm-analyzer
           {{- end }}
+          {{- end }}
           readinessProbe:
           {{- if eq (include "agent.enableHttpProbes" .) "true" }}
             httpGet:
diff --git a/charts/agent/tests/kspm_analyzer_test.yaml b/charts/agent/tests/kspm_analyzer_test.yaml
index 3647c6e68..bc8a772f6 100644
--- a/charts/agent/tests/kspm_analyzer_test.yaml
+++ b/charts/agent/tests/kspm_analyzer_test.yaml
@@ -31,6 +31,7 @@ tests:
           kspm_analyzer:
             agent_app_name: agent
             enabled: true
+            pod_namespace: NAMESPACE
         template: templates/configmap.yaml
     - equal:
         path: spec.template.spec.containers[?(@.name == "sysdig")].ports[?(@.name == "kspm-analyzer")]
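Review bot: The enable check `(dig "kspm_analyzer" "enabled" false .Values.sysdig.settings)` is now written out three times in this hunk, and configmap.yaml evaluates the same check against `$baseSettings` rather than `.Values.sysdig.settings`; if those two inputs ever differ, the pod would get `POD_NAMESPACE` without the matching `pod_namespace` in its config, or the reverse. A named template in the chart's helpers, e.g. `{{- define "agent.kspmAnalyzerEnabled" -}}{{ dig "kspm_analyzer" "enabled" false .Values.sysdig.settings }}{{- end -}}`, included from both files would keep the condition in one place, in the same way the existing `include "agent.enableHttpProbes"` in the second hunk already does for probes. The lone `{{- end }}` added in the second hunk closes the new `{{- if or ... }}` placed before `ports:`; a comment on that line such as `{{- end }}{{- /* if or prometheus_exporter/kspm_analyzer enabled */ -}}` would make the pairing findable without scrolling. The containers block this sits in begins and ends outside the hunk.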
@@ -47,7 +48,33 @@ tests:
           kspm_analyzer:
             agent_app_name: agent
             enabled: true
+            pod_namespace: NAMESPACE
         template: templates/configmap.yaml
     - notExists:
         path: spec.template.spec.containers[?(@.name == "sysdig")].ports[?(@.name == "kspm-analyzer")]
         template: templates/daemonset.yaml
+
+  - it: Ensure POD_NAMESPACE env var set if kspm-analyzer is enabled
+    set:
+      sysdig:
+        settings:
+          kspm_analyzer:
+            enabled: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name == "sysdig")].env[?(@.name == "POD_NAMESPACE")]
+          value:
+            name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          template: templates/daemonset.yaml
+
+  - it: Ensure POD_NAMESPACE env var not set if kspm-analyzer is disabled
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[?(@.name == "sysdig")].env
+          value:
+            name: POD_NAMESPACE
+            value: NAMESPACE
+          template: templates/daemonset.yaml
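Review bot: The negative test `Ensure POD_NAMESPACE env var not set if kspm-analyzer is disabled` uses `notContains` against an entry of the form `name: POD_NAMESPACE` / `value: NAMESPACE`, a shape the template never emits (the positive test directly above expects `valueFrom.fieldRef.fieldPath: metadata.namespace`), so the assertion would still pass if `POD_NAMESPACE` were rendered unconditionally. Mirror the existing ports assertion earlier in this hunk instead: `- notExists:` / `path: spec.template.spec.containers[?(@.name == "sysdig")].env[?(@.name == "POD_NAMESPACE")]` / `template: templates/daemonset.yaml`. That test also has no `set:` block, so it silently depends on the chart's default `sysdig.settings` leaving `kspm_analyzer.enabled` false; a one-line comment stating that assumption, or an explicit `enabled: false` under `set:`, would make the case self-describing.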