From 8874e137c5e88a8fc27b353c6760152f2a32d69e Mon Sep 17 00:00:00 2001 From: Girish Thimmegowda <60695752+onmyquest@users.noreply.github.com> Date: Thu, 23 Mar 2023 13:18:52 +0800 Subject: [PATCH] Add files via upload --- sysdig-image-analyzer-daemonset.yaml | 167 +++++++++++++ sysdig-node-analyzer-daemonset.yaml | 352 +++++++++++++++++++++++++++ 2 files changed, 519 insertions(+) create mode 100644 sysdig-image-analyzer-daemonset.yaml create mode 100644 sysdig-node-analyzer-daemonset.yaml diff --git a/sysdig-image-analyzer-daemonset.yaml b/sysdig-image-analyzer-daemonset.yaml new file mode 100644 index 0000000..e53f6f9 --- /dev/null +++ b/sysdig-image-analyzer-daemonset.yaml @@ -0,0 +1,167 @@ +# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: sysdig-image-analyzer + labels: + app: sysdig-image-analyzer +spec: + selector: + matchLabels: + app: sysdig-image-analyzer + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app: sysdig-image-analyzer + spec: + volumes: + # Needed for cri-o image inspection. + # cri-o and especially OCP 4.x by default use containers/storage to handle images, and this makes sure that the + # analyzer has access to the configuration. This file is mounted read-only. + - name: etc-containers-storage-vol + hostPath: + path: /etc/containers/storage.conf + # Needed for cri-o image inspection. + # This is the directory where image data is stored by default when using cri-o and OCP 4.x and the analyzer + # uses it to get the data to scan. This directory must be mounted r/w because proper access to its files through + # the containers/storage library is always regulated with a lockfile. + - name: var-lib-containers-vol + hostPath: + path: /var/lib/containers + # Needed for socket access + - name: varrun-vol + hostPath: + path: /var/run + # Add custom volume here + - name: sysdig-image-analyzer-config + configMap: + name: sysdig-image-analyzer + optional: true + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + # The following line is necessary for RBAC + serviceAccount: sysdig-agent + terminationGracePeriodSeconds: 5 + containers: + - name: sysdig-image-analyzer + image: docker.io/sysdig/node-image-analyzer:latest + securityContext: + # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to + # running containers by default regardless of volume mounts. In those cases, access to the CRI socket would fail. + privileged: true + imagePullPolicy: Always + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 250m + memory: 512Mi + volumeMounts: + - mountPath: /var/run + name: varrun-vol + - mountPath: /etc/containers/storage.conf + name: etc-containers-storage-vol + readOnly: true + - mountPath: /var/lib/containers + name: var-lib-containers-vol + # Add custom volume mount here + env: + - name: ACCESS_KEY + valueFrom: + secretKeyRef: + name: sysdig-agent + key: access-key + - name: IMAGE_PERIOD + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: image_period + optional: true + - name: IMAGE_CACHE_TTL + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: image_cache_ttl + optional: true + - name: REPORT_PERIOD + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: report_period + optional: true + - name: DOCKER_SOCKET_PATH + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: docker_socket_path + optional: true + - name: CRI_SOCKET_PATH + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: cri_socket_path + optional: true + - name: CONTAINERD_SOCKET_PATH + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: containerd_socket_path + optional: true + - name: AM_COLLECTOR_ENDPOINT + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: collector_endpoint + optional: true + - name: AM_COLLECTOR_TIMEOUT + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: collector_timeout + optional: true + - name: VERIFY_CERTIFICATE + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: ssl_verify_certificate + optional: true + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: K8S_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: DEBUG + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: debug + optional: true + - name: HTTP_PROXY + valueFrom: + configMapKeyRef: + key: http_proxy + name: sysdig-image-analyzer + optional: true + - name: HTTPS_PROXY + valueFrom: + configMapKeyRef: + key: https_proxy + name: sysdig-image-analyzer + optional: true + - name: NO_PROXY + valueFrom: + configMapKeyRef: + key: no_proxy + name: sysdig-image-analyzer + optional: true diff --git a/sysdig-node-analyzer-daemonset.yaml b/sysdig-node-analyzer-daemonset.yaml new file mode 100644 index 0000000..fab9a62 --- /dev/null +++ b/sysdig-node-analyzer-daemonset.yaml @@ -0,0 +1,352 @@ +# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: sysdig-node-analyzer + labels: + app: sysdig-node-analyzer +spec: + selector: + matchLabels: + app: sysdig-node-analyzer + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app: sysdig-node-analyzer + spec: + volumes: + - name: sysdig-agent-config + configMap: + name: sysdig-agent + optional: true + # Needed for cri-o image inspection. + # cri-o and especially OCP 4.x by default use containers/storage to handle images, and this makes sure that the + # analyzer has access to the configuration. This file is mounted read-only. + - name: etc-containers-storage-vol + hostPath: + path: /etc/containers/storage.conf + # Needed for cri-o image inspection. + # This is the directory where image data is stored by default when using cri-o and OCP 4.x and the analyzer + # uses it to get the data to scan. This directory must be mounted r/w because proper access to its files through + # the containers/storage library is always regulated with a lockfile. + - name: var-lib-containers-vol + hostPath: + path: /var/lib/containers + # Needed for some IBM OpenShift clusters which symlink /var/run/containers/storage to contents of /var/data by default + - name: vardata-vol + hostPath: + path: /var/data + # Needed for socket access + - name: varrun-vol + hostPath: + path: /var/run + # Add custom volume here + - name: sysdig-image-analyzer-config + configMap: + name: sysdig-image-analyzer + optional: true + # Needed to run Benchmarks. This mount is read-only. + # Benchmarks include numerous checks that run tests against config files in the host filesystem. There are also + # checks that test various host configurations such as loaded modules and enabled security features. + - name: root-vol + hostPath: + path: / + - name: tmp-vol + emptyDir: {} + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + # The following line is necessary for RBAC + serviceAccount: sysdig-agent + terminationGracePeriodSeconds: 5 + # Use the Host Network Namespace. + # This is required by the Benchmark container to determine the hostname and host mac address + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + # Use the Host PID namespace. + # This is required for Kubernetes benchmarks, as they contain tests that check Kubernetes processes running on + # the host + hostPID: true + containers: + - name: sysdig-image-analyzer + image: quay.io/sysdig/node-image-analyzer + securityContext: + # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to + # running containers by default regardless of volume mounts. In those cases, access to the CRI socket would fail. + privileged: true + imagePullPolicy: Always + resources: + limits: + cpu: 500m + memory: 1536Mi + requests: + cpu: 150m + memory: 512Mi + volumeMounts: + - mountPath: /var/run + name: varrun-vol + - mountPath: /etc/containers/storage.conf + name: etc-containers-storage-vol + readOnly: true + - mountPath: /var/lib/containers + name: var-lib-containers-vol + - mountPath: /var/data + name: vardata-vol + # Add custom volume mount here + env: + - name: ACCESS_KEY + valueFrom: + secretKeyRef: + name: sysdig-agent + key: access-key + - name: IMAGE_PERIOD + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: image_period + optional: true + - name: IMAGE_CACHE_TTL + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: image_cache_ttl + optional: true + - name: REPORT_PERIOD + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: report_period + optional: true + - name: DOCKER_SOCKET_PATH + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: docker_socket_path + optional: true + - name: CRI_SOCKET_PATH + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: cri_socket_path + optional: true + - name: CONTAINERD_SOCKET_PATH + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: containerd_socket_path + optional: true + - name: AM_COLLECTOR_ENDPOINT + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: collector_endpoint + optional: true + - name: AM_COLLECTOR_TIMEOUT + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: collector_timeout + optional: true + - name: VERIFY_CERTIFICATE + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: ssl_verify_certificate + optional: true + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: K8S_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: DEBUG + valueFrom: + configMapKeyRef: + name: sysdig-image-analyzer + key: debug + optional: true + - name: HTTP_PROXY + valueFrom: + configMapKeyRef: + key: http_proxy + name: sysdig-image-analyzer + optional: true + - name: HTTPS_PROXY + valueFrom: + configMapKeyRef: + key: https_proxy + name: sysdig-image-analyzer + optional: true + - name: NO_PROXY + valueFrom: + configMapKeyRef: + key: no_proxy + name: sysdig-image-analyzer + optional: true + - name: sysdig-host-analyzer + image: quay.io/sysdig/host-analyzer:latest + securityContext: + # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to + # running containers by default regardless of volume mounts. In those cases, access to any host related components + # would fail + privileged: true + imagePullPolicy: Always + resources: + limits: + cpu: 500m + memory: 1536Mi + requests: + cpu: 150m + memory: 512Mi + volumeMounts: + - mountPath: /host + name: root-vol + readOnly: true + env: + - name: ACCESS_KEY + valueFrom: + secretKeyRef: + name: sysdig-agent + key: access-key + - name: AM_COLLECTOR_ENDPOINT + valueFrom: + configMapKeyRef: + name: sysdig-host-analyzer + key: collector_endpoint + - name: AM_COLLECTOR_TIMEOUT + valueFrom: + configMapKeyRef: + name: sysdig-host-analyzer + key: collector_timeout + optional: true + - name: SCHEDULE + valueFrom: + configMapKeyRef: + name: sysdig-host-analyzer + key: schedule + optional: true + - name: ANALYZE_AT_STARTUP + valueFrom: + configMapKeyRef: + name: sysdig-host-analyzer + key: analyze_at_startup + optional: true + - name: HOST_BASE + value: /host + - name: DIRS_TO_SCAN + valueFrom: + configMapKeyRef: + name: sysdig-host-analyzer + key: dirs_to_scan + optional: true + - name: MAX_SEND_ATTEMPTS + valueFrom: + configMapKeyRef: + name: sysdig-host-analyzer + key: max_send_attempts + optional: true + - name: VERIFY_CERTIFICATE + valueFrom: + configMapKeyRef: + name: sysdig-host-analyzer + key: ssl_verify_certificate + optional: true + - name: DEBUG + valueFrom: + configMapKeyRef: + name: sysdig-host-analyzer + key: debug + optional: true + - name: HTTP_PROXY + valueFrom: + configMapKeyRef: + key: http_proxy + name: sysdig-host-analyzer + optional: true + - name: HTTPS_PROXY + valueFrom: + configMapKeyRef: + key: https_proxy + name: sysdig-host-analyzer + optional: true + - name: NO_PROXY + valueFrom: + configMapKeyRef: + key: no_proxy + name: sysdig-host-analyzer + optional: true + - name: sysdig-benchmark-runner + image: quay.io/sysdig/compliance-benchmark-runner + imagePullPolicy: Always + securityContext: + # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to + # running containers by default regardless of volume mounts. In those cases, the benchmark process would fail. + privileged: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 150m + memory: 128Mi + volumeMounts: + - mountPath: /opt/draios/etc/kubernetes/config + name: sysdig-agent-config + - mountPath: /host + name: root-vol + readOnly: true + - mountPath: /host/tmp + name: tmp-vol + env: + - name: ACCESS_KEY + valueFrom: + secretKeyRef: + name: sysdig-agent + key: access-key + - name: BACKEND_ENDPOINT + valueFrom: + configMapKeyRef: + name: sysdig-benchmark-runner + key: collector_endpoint + - name: BACKEND_VERIFY_TLS + valueFrom: + configMapKeyRef: + name: sysdig-benchmark-runner + key: ssl_verify_certificate + optional: true + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DEBUG + valueFrom: + configMapKeyRef: + name: sysdig-benchmark-runner + key: debug + optional: true + - name: HTTP_PROXY + valueFrom: + configMapKeyRef: + key: http_proxy + name: sysdig-benchmark-runner + optional: true + - name: HTTPS_PROXY + valueFrom: + configMapKeyRef: + key: https_proxy + name: sysdig-benchmark-runner + optional: true + - name: NO_PROXY + valueFrom: + configMapKeyRef: + key: no_proxy + name: sysdig-benchmark-runner + optional: true