feat(shield): add host support (universal_ebpf) on gke-autopilot (#2076)

Author: francesco-furlan

charts/shield/Chart.yaml

@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.0.0
+version: 1.1.0
 appVersion: "1.0.0"

charts/shield/templates/host/_helpers.tpl

@@ -90,14 +90,14 @@ true
 {{- end }}
 
 {{- define "host.driver.is_legacy_ebpf" }}
-{{- if eq "legacy_ebpf" .Values.host.driver }}
+{{- if and (eq "legacy_ebpf" .Values.host.driver) (not (include "common.cluster_type.is_gke_autopilot" .)) }}
 true
 {{- else }}
 {{- end }}
 {{- end }}
 
 {{- define "host.driver.is_universal_ebpf" }}
-{{- if eq "universal_ebpf" .Values.host.driver }}
+{{- if or (eq "universal_ebpf" .Values.host.driver) (include "common.cluster_type.is_gke_autopilot" .) }}
 true
 {{- else }}
 {{- end }}

charts/shield/templates/host/daemonset.yaml

@@ -98,8 +98,6 @@ spec:
             - mountPath: /host/etc/os-release
               name: osrel
               readOnly: true
-            - mountPath: /root/.sysdig
-              name: bpf-probes
           {{- end }}
       {{- end }}
       containers:
@@ -123,7 +121,7 @@ spec:
             - name: SYSDIG_BPF_PROBE
               value:
             {{- end }}
-            {{- if and (include "host.driver.is_universal_ebpf" .) (not (include "common.cluster_type.is_gke_autopilot" .)) }}
+            {{- if (include "host.driver.is_universal_ebpf" .) }}
             - name: SYSDIG_AGENT_DRIVER
               value: universal_ebpf
             {{- else if and (include "host.driver.is_legacy_ebpf" .) (not (include "common.cluster_type.is_gke_autopilot" .)) }}
@@ -214,8 +212,6 @@ spec:
               readOnly: true
             - mountPath: /host/var/run/containerd/containerd.sock
               name: containerdsock-vol
-            - mountPath: /root/.sysdig
-              name: bpf-probes
           {{- end }}
 
           {{- if (include "host.need_host_root" .) }}
@@ -313,8 +309,6 @@ spec:
         - name: osrel
           hostPath:
             path: /etc/os-release
-        - name: bpf-probes
-          emptyDir: {}
         - name: containerdsock-vol
           hostPath:
             path: /var/run/containerd/containerd.sock

charts/shield/templates/host/gke-allowlist-synchronizer.yaml

@@ -0,0 +1,14 @@
+{{- if (include "common.cluster_type.is_gke_autopilot" .) -}}
+apiVersion: auto.gke.io/v1
+kind: AllowlistSynchronizer
+metadata:
+  name: sysdig-agent-allowlist-synchronizer
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: "pre-install,pre-upgrade"
+  labels:
+    {{- include "host.labels" . | nindent 4 }}
+spec:
+  allowlistPaths:
+    - "Sysdig/agent/*"
+{{- end -}}

charts/shield/tests/host/gke-allowlist-synchronizer_test.yaml

@@ -0,0 +1,25 @@
+suite: Host - Service
+templates:
+  - templates/host/gke-allowlist-synchronizer.yaml
+release:
+  name: release-name
+  namespace: shield-namespace
+values:
+  - ../values/gke-autopilot.yaml
+tests:
+  - it: Contains the agent GKE AllowlistSynchronizer resource
+    asserts:
+      - containsDocument:
+          kind: AllowlistSynchronizer
+          apiVersion: auto.gke.io/v1
+          name: sysdig-agent-allowlist-synchronizer
+      - equal:
+          path: metadata.namespace
+          value: shield-namespace
+      - equal:
+          path: metadata.annotations["helm.sh/hook"]
+          value: pre-install,pre-upgrade
+      - equal:
+          path: spec.allowlistPaths
+          value:
+            - "Sysdig/agent/*"

charts/shield/tests/values/gke-autopilot.yaml

@@ -0,0 +1,11 @@
+cluster_config:
+  name: test-cluster
+  cluster_type: gke-autopilot
+
+sysdig_endpoint:
+  region: custom
+  access_key: 12345678-1234-1234-1234-123456789012
+  api_url: https://www.example.com
+  collector:
+    host: example.com
+    port: 6443