Add files via upload

sysdig-image-analyzer-daemonset.yaml

@@ -0,0 +1,167 @@
+# apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: sysdig-image-analyzer
+  labels:
+    app: sysdig-image-analyzer
+spec:
+  selector:
+    matchLabels:
+      app: sysdig-image-analyzer
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: sysdig-image-analyzer
+    spec:
+      volumes:
+      # Needed for cri-o image inspection.
+      # cri-o and especially OCP 4.x by default use containers/storage to handle images, and this makes sure that the
+      # analyzer has access to the configuration. This file is mounted read-only.
+      - name: etc-containers-storage-vol
+        hostPath:
+          path: /etc/containers/storage.conf
+      # Needed for cri-o image inspection.
+      # This is the directory where image data is stored by default when using cri-o and OCP 4.x and the analyzer
+      # uses it to get the data to scan. This directory must be mounted r/w because proper access to its files through
+      # the containers/storage library is always regulated with a lockfile.
+      - name: var-lib-containers-vol
+        hostPath:
+          path: /var/lib/containers
+      # Needed for socket access
+      - name: varrun-vol
+        hostPath:
+          path: /var/run
+      # Add custom volume here
+      - name: sysdig-image-analyzer-config
+        configMap:
+          name: sysdig-image-analyzer
+          optional: true
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+      # The following line is necessary for RBAC
+      serviceAccount: sysdig-agent
+      terminationGracePeriodSeconds: 5
+      containers:
+      - name: sysdig-image-analyzer
+        image: docker.io/sysdig/node-image-analyzer:latest
+        securityContext:
+          # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to
+          # running containers by default regardless of volume mounts. In those cases, access to the CRI socket would fail.
+          privileged: true
+        imagePullPolicy: Always
+        resources:
+          limits:
+            cpu: 500m
+            memory: 1024Mi
+          requests:
+            cpu: 250m
+            memory: 512Mi
+        volumeMounts:
+        - mountPath: /var/run
+          name: varrun-vol
+        - mountPath: /etc/containers/storage.conf
+          name: etc-containers-storage-vol
+          readOnly: true
+        - mountPath: /var/lib/containers
+          name: var-lib-containers-vol
+        # Add custom volume mount here
+        env:
+        - name: ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: sysdig-agent
+              key: access-key
+        - name: IMAGE_PERIOD
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: image_period
+              optional: true
+        - name: IMAGE_CACHE_TTL
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: image_cache_ttl
+              optional: true
+        - name: REPORT_PERIOD
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: report_period
+              optional: true
+        - name: DOCKER_SOCKET_PATH
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: docker_socket_path
+              optional: true
+        - name: CRI_SOCKET_PATH
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: cri_socket_path
+              optional: true
+        - name: CONTAINERD_SOCKET_PATH
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: containerd_socket_path
+              optional: true
+        - name: AM_COLLECTOR_ENDPOINT
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: collector_endpoint
+              optional: true
+        - name: AM_COLLECTOR_TIMEOUT
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: collector_timeout
+              optional: true
+        - name: VERIFY_CERTIFICATE
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: ssl_verify_certificate
+              optional: true
+        - name: K8S_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: K8S_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: K8S_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: DEBUG
+          valueFrom:
+            configMapKeyRef:
+              name: sysdig-image-analyzer
+              key: debug
+              optional: true
+        - name: HTTP_PROXY
+          valueFrom:
+            configMapKeyRef:
+              key: http_proxy
+              name: sysdig-image-analyzer
+              optional: true
+        - name: HTTPS_PROXY
+          valueFrom:
+            configMapKeyRef:
+              key: https_proxy
+              name: sysdig-image-analyzer
+              optional: true
+        - name: NO_PROXY
+          valueFrom:
+            configMapKeyRef:
+              key: no_proxy
+              name: sysdig-image-analyzer
+              optional: true