From da8f65ffb868858534470f4095782d23abba583c Mon Sep 17 00:00:00 2001
From: Adam Roberts
Date: Thu, 8 Aug 2024 13:51:34 -0400
Subject: [PATCH 1/2] fix(agent): set apply kspm-analyzer settings when run in host shield for the kspm-analyzer to run as expected as a part of host shield, the agent/host-shield container needs to expose the kspm-analyzer's agent port, which is 12000 by default. additionally, the kspm-analyzer also needs to have its agent_app_name set to match the selector used on the agent pod.
---
 charts/agent/Chart.yaml | 2 +-
 charts/agent/templates/configmap.yaml | 3 ++
 charts/agent/templates/daemonset.yaml | 6 ++-
 charts/agent/tests/kspm_analyzer_test.yaml | 53 ++++++++++++++++++++++
 4 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 charts/agent/tests/kspm_analyzer_test.yaml
diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index bf7c54378..9252dbc72 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.27.16
+version: 1.27.17
diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
index d18117ad6..be9675011 100644
--- a/charts/agent/templates/configmap.yaml
+++ b/charts/agent/templates/configmap.yaml
@@ -45,6 +45,9 @@ data:
 {{- $caFilePath := printf "%s%s" "certificates/" (include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl)) }}
 {{- $mergedSettings := mergeOverwrite $baseSettings (dict "http_proxy" (dict "ca_certificate" $caFilePath)) -}}
 {{ toYaml $mergedSettings | nindent 4 }}
+{{- else if (dig "kspm_analyzer" "enabled" false $baseSettings) }}
+ {{- $mergedSettings := mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent")) -}}
+ {{ toYaml $mergedSettings | nindent 4 }}
 {{- else if .Values.sysdig.settings }}
 {{ toYaml .Values.sysdig.settings | nindent 4 }}
 {{- end }}
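Review bot: The new `else if` joins a chain whose first branch (its `{{- if` is outside the hunk; judging by the `$caFilePath` / `sysdig.custom_ca.keyName` context lines it is presumably the custom-CA case) wins whenever it is taken, so with that branch active and `kspm_analyzer.enabled: true` the `agent_app_name: agent` merge never runs, while daemonset.yaml still exposes the analyzer port from the same flag. Because Sprig's `mergeOverwrite` also mutates its first argument, the merge can be hoisted above the chain so every branch that renders `$baseSettings` sees it: `{{- if (dig "kspm_analyzer" "enabled" false $baseSettings) }}` / `{{- $_ := mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent")) -}}` / `{{- end }}`, with the new branch left to render `$baseSettings` as it does now (how `$baseSettings` relates to `.Values.sysdig.settings` in the last branch is not visible here). The same gap applies to the second patch's configmap hunk, which adds `pod_namespace` inside this branch. The test file added in this patch only exercises the plain kspm case, so a case that also triggers the first branch would catch the regression.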
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index e4d963bdb..ca3984858 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
@@ -230,11 +230,15 @@ spec:
 - name: SSL_CERT_FILE
 value: /opt/draios/certificates/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
 {{- end }}
- {{- if dig "prometheus_exporter" "enabled" false .Values.sysdig.settings }}
 ports:
+ {{- if dig "prometheus_exporter" "enabled" false .Values.sysdig.settings }}
 - containerPort: {{ regexFind "[0-9]+$" (dig "prometheus_exporter" "listen_url" "0.0.0.0:9544" .Values.sysdig.settings) }}
 name: metrics
 {{- end }}
+ {{- if dig "kspm_analyzer" "enabled" false .Values.sysdig.settings }}
+ - containerPort: {{ dig "kspm_analyzer" "port" 12000 .Values.sysdig.settings }}
+ name: kspm-analyzer
+ {{- end }}
 readinessProbe:
 {{- if eq (include "agent.enableHttpProbes" .) "true" }}
 httpGet:
diff --git a/charts/agent/tests/kspm_analyzer_test.yaml b/charts/agent/tests/kspm_analyzer_test.yaml
new file mode 100644
index 000000000..3647c6e68
--- /dev/null
+++ b/charts/agent/tests/kspm_analyzer_test.yaml
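Review bot: The enabled check `dig "kspm_analyzer" "enabled" false .Values.sysdig.settings` is now written out here and, against `$baseSettings`, in configmap.yaml, and the second patch adds two more copies to this file; nothing ties this port to the configmap setting, so the two can drift (the configmap merge sits in an `else if` chain while this block is gated on the flag alone). A helper template returning the flag, used as `{{- if eq (include "agent.kspmAnalyzerEnabled" .) "true" }}` (constructed name) in the style of the `agent.enableHttpProbes` include visible at the end of the hunk, would give the condition one home. The containerPort is read from `kspm_analyzer.port` in the same values map the configmap renders, so a comment above the new block such as `{{- /* must agree with kspm_analyzer.port in dragent.yaml; both come from .Values.sysdig.settings */ -}}` would spell out the coupling for the next maintainer.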
@@ -0,0 +1,53 @@
+suite: Test port and label names when kspm analyzer is enabled in host shield
+templates:
+ - templates/configmap.yaml
+ - templates/daemonset.yaml
+kubernetesProvider:
+ scheme:
+ "v1/Node":
+ gvr:
+ version: "v1"
+ resource: "nodes"
+ namespaced: false
+ objects:
+ - apiVersion: v1
+ kind: Node
+ metadata:
+ name: fakenode
+ status:
+ nodeInfo:
+ osImage: fake-os-image
+tests:
+ - it: Ensure configmap and daemonset settings are set when needed
+ set:
+ sysdig:
+ settings:
+ kspm_analyzer:
+ enabled: true
+ asserts:
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ kspm_analyzer:
+ agent_app_name: agent
+ enabled: true
+ template: templates/configmap.yaml
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig")].ports[?(@.name == "kspm-analyzer")]
+ value:
+ name: kspm-analyzer
+ containerPort: 12000
+ template: templates/daemonset.yaml
+
+ - it: Ensure configmap and daemonset settings are not set when not needed
+ asserts:
+ - notMatchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ kspm_analyzer:
+ agent_app_name: agent
+ enabled: true
+ template: templates/configmap.yaml
+ - notExists:
+ path: spec.template.spec.containers[?(@.name == "sysdig")].ports[?(@.name == "kspm-analyzer")]
+ template: templates/daemonset.yaml
From acc686b9372c1cb504a986450a586b721c961cbc Mon Sep 17 00:00:00 2001
From: Adam Roberts
Date: Tue, 13 Aug 2024 11:25:26 -0400
Subject: [PATCH 2/2] fix(agent): add POD_NAMESPACE to host shield when kspm-analyzer enabled
---
 charts/agent/templates/configmap.yaml | 2 +-
 charts/agent/templates/daemonset.yaml | 8 +++++++
 charts/agent/tests/kspm_analyzer_test.yaml | 27 ++++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
index be9675011..10d16ad84 100644
--- a/charts/agent/templates/configmap.yaml
+++ b/charts/agent/templates/configmap.yaml
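Review bot: The positive case pins only the default `containerPort: 12000`, so the `dig "kspm_analyzer" "port" 12000` lookup in daemonset.yaml is never exercised with an override; a third case setting `kspm_analyzer.port: 13000` (constructed value) under `sysdig.settings` and asserting `containerPort: 13000` on the same `ports[?(@.name == "kspm-analyzer")]` path would cover it. The negative `notMatchRegex` repeats the full three-line pattern, which still passes if a `kspm_analyzer` block is rendered in any other shape; `pattern: 'kspm_analyzer:'` states what the case actually wants to rule out, provided the chart's default settings do not already emit that key. The `kubernetesProvider` stub with a fake Node is not explained anywhere in the file; a comment on why these templates need a Node object to render (a nodeInfo lookup in a helper, I assume) would help whoever copies this file next.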
@@ -46,7 +46,7 @@ data:
 {{- $mergedSettings := mergeOverwrite $baseSettings (dict "http_proxy" (dict "ca_certificate" $caFilePath)) -}}
 {{ toYaml $mergedSettings | nindent 4 }}
 {{- else if (dig "kspm_analyzer" "enabled" false $baseSettings) }}
- {{- $mergedSettings := mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent")) -}}
+ {{- $mergedSettings := mergeOverwrite $baseSettings (dict "kspm_analyzer" (dict "agent_app_name" "agent" "pod_namespace" .Release.Namespace)) -}}
 {{ toYaml $mergedSettings | nindent 4 }}
 {{- else if .Values.sysdig.settings }}
 {{ toYaml .Values.sysdig.settings | nindent 4 }}
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index ca3984858..5bb7a06fb 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
@@ -230,6 +230,13 @@ spec:
 - name: SSL_CERT_FILE
 value: /opt/draios/certificates/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
 {{- end }}
+ {{- if (dig "kspm_analyzer" "enabled" false .Values.sysdig.settings) }}
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- end }}
+ {{- if or (dig "prometheus_exporter" "enabled" false .Values.sysdig.settings) (dig "kspm_analyzer" "enabled" false .Values.sysdig.settings) }}
 ports:
 {{- if dig "prometheus_exporter" "enabled" false .Values.sysdig.settings }}
 - containerPort: {{ regexFind "[0-9]+$" (dig "prometheus_exporter" "listen_url" "0.0.0.0:9544" .Values.sysdig.settings) }}
@@ -239,6 +246,7 @@ spec:
 - containerPort: {{ dig "kspm_analyzer" "port" 12000 .Values.sysdig.settings }}
 name: kspm-analyzer
 {{- end }}
+ {{- end }}
 readinessProbe:
 {{- if eq (include "agent.enableHttpProbes" .) "true" }}
 httpGet:
diff --git a/charts/agent/tests/kspm_analyzer_test.yaml b/charts/agent/tests/kspm_analyzer_test.yaml
index 3647c6e68..bc8a772f6 100644
--- a/charts/agent/tests/kspm_analyzer_test.yaml
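Review bot: `pod_namespace` is taken from `.Release.Namespace`, whereas the daemonset hunk in this patch hands the container `POD_NAMESPACE` from the downward API (`fieldPath: metadata.namespace`); the two disagree whenever the manifests are rendered with `helm template` and applied to a namespace other than the one passed to helm (with none passed, `.Release.Namespace` is `default`). Which of the two the analyzer honours is not visible here; if it reads the env var, the configmap key is redundant and should go, and if it reads dragent.yaml, a comment above the merge such as `{{- /* pod_namespace must equal the namespace the DaemonSet is applied to; POD_NAMESPACE env carries the runtime value */ -}}` would record the constraint. `mergeOverwrite` also silently replaces any `pod_namespace` or `agent_app_name` the user put in `sysdig.settings`, which is presumably intended for `agent_app_name` but deserves a sentence in the chart's values documentation. The enclosing `if`/`else if` chain starts before this hunk.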
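Review bot: The new `{{- if (dig "kspm_analyzer" "enabled" false .Values.sysdig.settings) }}` wraps the call in parentheses while the `{{- if dig "prometheus_exporter" ...` two lines down, and the kspm check this file gained in the first patch, do not; one spelling (`{{- if dig "kspm_analyzer" "enabled" false .Values.sysdig.settings }}`) keeps a grep for the condition complete. The outer `{{- if or ... }}` around `ports:` is closed in the next hunk, several lines away from the inner `if`s it wraps; a one-line comment above it such as `{{- /* emit ports: only when at least one port below is enabled */ -}}` would tell a reader why the list is double-gated. The container spec this sits in starts before the hunk.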
+++ b/charts/agent/tests/kspm_analyzer_test.yaml
@@ -31,6 +31,7 @@ tests:
 kspm_analyzer:
 agent_app_name: agent
 enabled: true
+ pod_namespace: NAMESPACE
 template: templates/configmap.yaml
 - equal:
 path: spec.template.spec.containers[?(@.name == "sysdig")].ports[?(@.name == "kspm-analyzer")]
@@ -47,7 +48,33 @@ tests:
 kspm_analyzer:
 agent_app_name: agent
 enabled: true
+ pod_namespace: NAMESPACE
 template: templates/configmap.yaml
 - notExists:
 path: spec.template.spec.containers[?(@.name == "sysdig")].ports[?(@.name == "kspm-analyzer")]
 template: templates/daemonset.yaml
+
+ - it: Ensure POD_NAMESPACE env var set if kspm-analyzer is enabled
+ set:
+ sysdig:
+ settings:
+ kspm_analyzer:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[?(@.name == "sysdig")].env[?(@.name == "POD_NAMESPACE")]
+ value:
+ name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ template: templates/daemonset.yaml
+
+ - it: Ensure POD_NAMESPACE env var not set if kspm-analyzer is disabled
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[?(@.name == "sysdig")].env
+ value:
+ name: POD_NAMESPACE
+ value: NAMESPACE
+ template: templates/daemonset.yaml
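Review bot: The `notContains` in the last case cannot fail: it searches `env` for the element `{name: POD_NAMESPACE, value: NAMESPACE}`, but the entry the daemonset renders when the analyzer is enabled is `name: POD_NAMESPACE` with `valueFrom.fieldRef.fieldPath: metadata.namespace`, as the case just above asserts, so the list never holds the searched element whether the flag is on or off. Use the `notExists` form this file already uses for the port: `- notExists:` / `path: spec.template.spec.containers[?(@.name == "sysdig")].env[?(@.name == "POD_NAMESPACE")]` / `template: templates/daemonset.yaml`. The enclosing `tests` sequence starts before the hunk.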