feature(agent): add support for Universal eBPF - CA (#1270)
Co-authored-by: Adam Roberts <[email protected]>
mavimo and aroberts87 authored Oct 18, 2023
1 parent 3329a0d commit fd27a06
Showing 8 changed files with 173 additions and 9 deletions.
2 changes: 1 addition & 1 deletion charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
- https://app.sysdigcloud.com/#/settings/user
- https://github.com/draios/sysdig
type: application
version: 1.13.15
version: 1.14.0
7 changes: 4 additions & 3 deletions charts/agent/README.md
@@ -88,8 +88,8 @@ The following table lists the configurable parameters of the Sysdig chart and th
| Parameter | Description | Default |
|---------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
| `global.clusterConfig.name` | Sets a unique name to the cluster. You can then use the cluster name to identify events using the `kubernetes.cluster.name` tag. | `quay.io` |
| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required |
| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required |
| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required |
| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required |
| `global.sysdig.region` | The SaaS region for these agents. Possible values: `"us1"`, `"us2"`, `"us3"`, `"us4"`, `"eu1"`, `"au1"`, and `"custom"` | `"us1"` |
| `global.proxy.httpProxy` | Sets `http_proxy` on the `agent` container. | `""` |
| `global.proxy.httpsProxy` | Sets `https_proxy` on the `agent` container. | `""` |
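Review bot: the two `global.sysdig.accessKey` / `global.sysdig.accessKeySecret` rows change only column padding, so there is nothing to review in them; but while this table is being touched, the unchanged `global.clusterConfig.name` row just above lists `quay.io` as its default, which is a registry hostname, not a cluster name, and looks like a copy-paste slip that should be fixed in the same README pass.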
@@ -146,6 +146,7 @@ The following table lists the configurable parameters of the Sysdig chart and th
| `slim.resources.limits.cpu` | Specifies the CPU limit for building the kernel module | `1000m` |
| `slim.resources.limits.memory` | Specifies the memory limit for building the kernel module. | `512Mi` |
| `ebpf.enabled` | Enables eBPF support for Sysdig instead of `sysdig-probe` kernel module. | `false` |
| `ebpf.kind` | Define which eBPF driver to use, can be `legacy_ebpf` or `universal_ebpf` | `legacy_ebpf` |
| `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. Overrides `global.clusterConfig.name`. | ` ` |
| `sysdig.accessKey` | Your Sysdig Agent Access Key. Overrides `global.sysdig.accessKey` | Either `accessKey` or `existingAccessKeySecret` is required |
| `sysdig.existingAccessKeySecret` | Specifies the name of a Kubernetes secret containing an `access-key ` entry. Overrides `global.sysdig.existingAccessKeySecret` | Either `accessKey` or `existingAccessKeySecret` is required |
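Review bot: the new `ebpf.kind` row omits the side effects the templates attach to `universal_ebpf`: the agent image is forced to `slim.image.repository` even when `slim.enabled` is `false` (see `agent.repositoryName` in `_helpers.tpl`), and the `sysdig-agent-kmodule` init container is not rendered (see `daemonset.yaml`); it should also say the key is ignored unless `ebpf.enabled` is `true`, since both helpers require it. Suggested description: "Selects the eBPF driver, `legacy_ebpf` or `universal_ebpf`. Only applies when `ebpf.enabled` is `true`; `universal_ebpf` uses the slim agent image and skips the kernel-module init container."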
@@ -158,7 +159,7 @@ The following table lists the configurable parameters of the Sysdig chart and th
| `auditLog.auditServerUrl` | Specifies the URL where Sysdig Agent listens for the Kubernetes audit log events. | `0.0.0.0` |
| `auditLog.auditServerPort` | Specifies the port where Sysdig Agent listens for the Kubernetes audit log events. | `7765` |
| `auditLog.dynamicBackend.enabled` | Deploys the Audit Sink where Sysdig listens for Kubernetes audit log events. | `false` |
| `tolerations` | Specifies the tolerations for scheduling. | <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> | |
| `tolerations` | Specifies the tolerations for scheduling. | <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> |
| `leaderelection.enable` | Enables the agent leader election algorithm. | `false` |
| `prometheus.file` | Specifies the file to configure promscrape. | `false` |
| `prometheus.yaml` | Configures the Prometheus metric collection. Performs relabelling and filtering. | ` ` |
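Review bot: dropping the stray trailing `|` on the `tolerations` row is correct; the extra cell was rendering as an empty fifth column in the parameter table.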
18 changes: 17 additions & 1 deletion charts/agent/templates/_helpers.tpl
@@ -54,11 +54,15 @@ Define the proper imageRegistry to use for agent and kmodule image
{{- end -}}

{{/*
Return the proper Sysdig Agent image name
Return the proper Sysdig Agent repository name
Force the slim version if customer specify enable the slim mode or if the Universal eBPF driver is enforced
*/}}
{{- define "agent.repositoryName" -}}
{{- if .Values.slim.enabled -}}
{{- .Values.slim.image.repository -}}
{{- else if (include "agent.universalEbpfEnforced" . ) -}}
{{- .Values.slim.image.repository -}}
{{- else -}}
{{- .Values.image.repository -}}
{{- end -}}
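Review bot: the branch `{{- else if (include "agent.universalEbpfEnforced" . ) -}}` returns exactly the same value as the `.Values.slim.enabled` branch, so the two conditions should be merged into one `{{- if or .Values.slim.enabled (include "agent.universalEbpfEnforced" .) -}}` and the duplicated `{{- .Values.slim.image.repository -}}` line dropped; `or` treats the helper's empty-string result as false, so behaviour is unchanged. Also fix the comment grammar: "Force the slim repository when slim mode is enabled or the Universal eBPF driver is enforced".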
@@ -219,6 +223,18 @@ it can act like a boolean
{{- end -}}
{{- end -}}

{{- define "agent.universalEbpfEnforced" -}}
{{- if (and (eq "true" (include "agent.ebpfEnabled" .)) (eq "universal_ebpf" .Values.ebpf.kind )) -}}
true
{{- end -}}
{{- end -}}

{{- define "agent.legacyEbpfEnforced" -}}
{{- if (and (eq "true" (include "agent.ebpfEnabled" .)) (eq "legacy_ebpf" .Values.ebpf.kind )) -}}
true
{{- end -}}
{{- end -}}

{{/*
to help the maxUnavailable pick a reasonable value depending on the cluster size
*/}}
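Review bot: both new helpers emit `true` only when `agent.ebpfEnabled` renders the string `"true"` and `.Values.ebpf.kind` equals one of the two literals, and otherwise emit nothing, so callers must treat the empty string as false (the `if` / `not` uses in `daemonset.yaml` do). The consequence is that any `kind` outside those two literals makes both helpers return empty and the chart silently falls through to the old `SYSDIG_BPF_PROBE`-only path with no `SYSDIG_AGENT_DRIVER`; that is only prevented by the enum in `values.schema.json`, so add a comment block above each define (the surrounding helpers have one) stating both the `"true"` string contract and the dependency on the schema, so these helpers are not copied into a chart that lacks it.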
16 changes: 14 additions & 2 deletions charts/agent/templates/daemonset.yaml
@@ -77,7 +77,8 @@ spec:
imagePullSecrets:
{{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.slim.enabled }}
{{/* When the Universal eBPF is enforced by customer choice there is no reason to start the init container to build the driver */}}
{{- if and .Values.slim.enabled (not (include "agent.universalEbpfEnforced" . )) }}
initContainers:
- name: sysdig-agent-kmodule
image: {{ template "agent.image.kmodule" . }}
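Review bot: the template comment `{{/* When the Universal eBPF is enforced ... */}}` has no trim markers, so it leaves a blank line in the rendered manifest between `{{- end }}` and `initContainers:`; write it as `{{- /* ... */ -}}` to keep the output tidy. The guard `and .Values.slim.enabled (not (include "agent.universalEbpfEnforced" . ))` is correct as written because `include` yields `""` when the helper does not match, and the new `universal_ebpf_test.yaml` case asserting `initContainers` is null covers it.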
@@ -95,6 +96,10 @@ spec:
- name: SYSDIG_BPF_PROBE
value:
{{- end }}
{{- if (include "agent.legacyEbpfEnforced" .) }}
- name: SYSDIG_AGENT_DRIVER
value: legacy_ebpf
{{- end }}
{{- range $key, $value := .Values.daemonset.kmodule.env }}
- name: {{ $key | quote }}
value: {{ $value | quote }}
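Review bot: the new `SYSDIG_AGENT_DRIVER=legacy_ebpf` block in the init container is guarded by `agent.legacyEbpfEnforced` separately from the `SYSDIG_BPF_PROBE` block just above it; since this init container is never rendered for `universal_ebpf` (the `initContainers:` guard in the previous hunk), the two blocks appear to fire under the same condition whenever eBPF is on, so consider folding the new variable into the existing `if` to keep one condition. Separately, when `ebpf.enabled` is `false` no `SYSDIG_AGENT_DRIVER` is emitted at all and the kernel-module path is selected by the variable's absence; if that is intentional, say so in a template comment.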
@@ -178,10 +183,17 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)}}
{{- if and (or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)) (not (include "agent.universalEbpfEnforced" . )) }}
- name: SYSDIG_BPF_PROBE
value:
{{- end }}
{{- if (include "agent.universalEbpfEnforced" .) }}
- name: SYSDIG_AGENT_DRIVER
value: universal_ebpf
{{- else if (include "agent.legacyEbpfEnforced" .) }}
- name: SYSDIG_AGENT_DRIVER
value: legacy_ebpf
{{- end }}
{{- if (.Values.proxy.httpProxy | default .Values.global.proxy.httpProxy) }}
- name: http_proxy
value: {{ .Values.proxy.httpProxy | default .Values.global.proxy.httpProxy }}
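Review bot: the widened condition `{{- if and (or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)) (not (include "agent.universalEbpfEnforced" . )) }}` only suppresses `SYSDIG_BPF_PROBE` on GKE Autopilot when universal eBPF is enforced, and `agent.universalEbpfEnforced` itself requires `agent.ebpfEnabled` to render `"true"`. If Autopilot does not imply `agent.ebpfEnabled`, an Autopilot cluster with `ebpf.kind: universal_ebpf` but `ebpf.enabled: false` still gets the legacy `SYSDIG_BPF_PROBE` and no `SYSDIG_AGENT_DRIVER`. Either document that `ebpf.enabled: true` must be set explicitly on Autopilot to use the universal driver, or have the universal helper honour the Autopilot condition; in both cases add an Autopilot + `universal_ebpf` case to `universal_ebpf_test.yaml`, which currently never sets the Autopilot value.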
103 changes: 103 additions & 0 deletions charts/agent/tests/universal_ebpf_test.yaml
@@ -0,0 +1,103 @@
suite: Universal eBPF tests
templates:
- templates/daemonset.yaml
tests:
- it: Ensure that when the eBPF is disabled we create the sysdig container without SYSDIG_BPF_PROBE and SYSDIG_AGENT_DRIVER environment variables
set:
ebpf:
enabled: false
asserts:
- isNull:
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")]
- isNull:
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")]
- isNull:
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")]
- isNull:
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")]

- it: Ensure that when the eBPF is enabled the default driver is "legacy_ebpf" we create the sysdig container with the SYSDIG_BPF_PROBE and SYSDIG_AGENT_DRIVER=legacy_ebpf environment variables
set:
ebpf:
enabled: true
asserts:
- isEmpty:
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value
- equal:
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
value: legacy_ebpf
- isEmpty:
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value
- equal:
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
value: legacy_ebpf

- it: Ensure that when the eBPF is enabled and we specify to use the "legacy_ebpf" driver we create the sysdig container with the SYSDIG_BPF_PROBE and with SYSDIG_AGENT_DRIVER environment variables
set:
ebpf:
enabled: true
kind: legacy_ebpf
asserts:
- isEmpty:
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value
- equal:
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
value: legacy_ebpf
- isEmpty:
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value
- equal:
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
value: legacy_ebpf

- it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we create the sysdig container without the SYSDIG_BPF_PROBE and with the SYSDIG_AGENT_DRIVER environment variables
set:
ebpf:
enabled: true
kind: universal_ebpf
asserts:
- isNull:
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")]
- equal:
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
value: universal_ebpf

- it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we don't create the init container
set:
ebpf:
enabled: true
kind: universal_ebpf
asserts:
- isNull:
path: spec.template.spec.initContainers

- it: Ensure that when the eBPF is enabled and we specify to use the "legacy_ebpf" driver we create the init container
set:
ebpf:
enabled: true
kind: legacy_ebpf
asserts:
- matchRegex:
path: spec.template.spec.initContainers[*].image
pattern: quay.io/sysdig/agent-kmodule:.*

- it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we use the slim container
set:
ebpf:
enabled: true
kind: universal_ebpf
asserts:
- matchRegex:
path: spec.template.spec.containers[*].image
pattern: quay.io/sysdig/agent-slim:.*

- it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we use the slim container also if is slim container is not enabled
set:
slim:
enabled: false
ebpf:
enabled: true
kind: universal_ebpf
asserts:
- matchRegex:
path: spec.template.spec.containers[*].image
pattern: quay.io/sysdig/agent-slim:.*
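Review bot: the suite has no negative case for `ebpf.enabled: false` with `ebpf.kind: universal_ebpf`, which should be a no-op (init container rendered, non-slim image when `slim.enabled` is false, no `SYSDIG_AGENT_DRIVER`) given both helpers require `agent.ebpfEnabled`; that is the case most likely to regress if someone later relaxes the helper, so add it alongside the existing seven. The two `kind: legacy_ebpf` assertions at the top are identical to the default case and could share a single test. Also fix the test names: "is enabled the default driver is" should read "is enabled and the default driver is", and "also if is slim container is not enabled" should read "even when slim mode is disabled".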
28 changes: 28 additions & 0 deletions charts/agent/values.schema.json
@@ -0,0 +1,28 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"required": [
"ebpf"
],
"properties": {
"ebpf": {
"type": "object",
"required": [
"enabled",
"kind"
],
"properties": {
"enabled": {
"type": "boolean"
},
"kind": {
"type": "string",
"enum": [
"legacy_ebpf",
"universal_ebpf"
]
}
}
}
}
}
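Review bot: `"$schema": "http://json-schema.org/schema#"` is the version-less URI; pin it to the draft-07 URI that the Helm documentation uses so validation does not depend on the validator's default draft. The `enum` on `kind` is the only thing that stops a typo such as `universal-ebpf` from silently rendering the legacy `SYSDIG_BPF_PROBE` path with no `SYSDIG_AGENT_DRIVER`, so keep it, and consider `"additionalProperties": false` inside the `ebpf` object so a misspelled sub-key (for example `kinds`) fails at `helm template` time the same way. Marking `ebpf`, `enabled` and `kind` as `required` is safe only because `values.yaml` always supplies them; that coupling is worth a one-line comment in `values.yaml`.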
4 changes: 4 additions & 0 deletions charts/agent/values.yaml
@@ -169,6 +169,10 @@ priorityClassValue: 10
ebpf:
# Enable eBPF support for Sysdig Agent
enabled: false

# Define the kind of eBPF driver that will be used by the agent. Can be `legacy_ebpf` or `universal_ebpf`
kind: legacy_ebpf

slim:
# Uses a slim version of the Sysdig Agent
enabled: true
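Review bot: the comment on `kind` should state that the key only takes effect when `enabled: true`, and that `universal_ebpf` switches the agent to the slim image and drops the kmodule init container even when `slim.enabled` is `false`, which is what `templates/_helpers.tpl` and `templates/daemonset.yaml` now do; without that, a user running `slim.enabled: false` will be surprised by the image change. Since `values.schema.json` restricts the value to the two literals, saying "any other value is rejected at render time" here would also save a round trip.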
4 changes: 2 additions & 2 deletions charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
version: 1.24.7
version: 1.25.0
maintainers:
- name: AlbertoBarba
email: [email protected]
@@ -26,7 +26,7 @@ dependencies:
- name: agent
# repository: https://charts.sysdig.com
repository: file://../agent
version: ~1.13.15
version: ~1.14.0
alias: agent
condition: agent.enabled
- name: common
