From 0d4e361851b8a95535dc7b9ef7b2f1162d9cbf55 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Thu, 12 Dec 2024 12:38:21 +0100
Subject: [PATCH 1/6] feat(shield): allow ebpf on gke autopilot
---
 charts/shield/templates/host/daemonset.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
index ff3f6a8b6..7d50dfe52 100644
--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -123,10 +123,10 @@ spec:
 - name: SYSDIG_BPF_PROBE
 value:
 {{- end }}
- {{- if and (include "host.driver.is_universal_ebpf" .) (not (include "common.cluster_type.is_gke_autopilot" .)) }}
+ {{- if (include "host.driver.is_universal_ebpf" .) }}
 - name: SYSDIG_AGENT_DRIVER
 value: universal_ebpf
- {{- else if and (include "host.driver.is_legacy_ebpf" .) (not (include "common.cluster_type.is_gke_autopilot" .)) }}
+ {{- else if (include "host.driver.is_legacy_ebpf" .) }}
 - name: SYSDIG_AGENT_DRIVER
 value: legacy_ebpf
 {{- end }}
From 4d501053a156aad3f99a8ee688974e8b66461c2a Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Mon, 20 Jan 2025 14:42:36 +0100
Subject: [PATCH 2/6] chore(shield): remove /root/.sysdig on gke autopilot and restore legacy_ebpf check for autopilot
---
 charts/shield/templates/host/daemonset.yaml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
index 7d50dfe52..01bbb3dd0 100644
--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -98,8 +98,6 @@ spec:
 - mountPath: /host/etc/os-release
 name: osrel
 readOnly: true
- - mountPath: /root/.sysdig
- name: bpf-probes
 {{- end }}
 {{- end }}
 containers:
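Review bot: The `bpf-probes` emptyDir and both of its `/root/.sysdig` mounts are dropped here and in the -214 and -313 hunks of the same commit for every cluster type, while the subject describes the removal as Autopilot-only; as far as the visible context shows, the volume entry removed in the -313 hunk sits beside the unconditional `osrel` and `containerdsock-vol` entries. If the legacy_ebpf driver still writes probe files under /root/.sysdig on non-Autopilot clusters, those writes now land in the container's writable layer and would fail under a read-only root filesystem, so this is worth confirming against the agent before merging; the subject could then read "remove the /root/.sysdig volume" without the Autopilot qualifier. The `{{- if` blocks that enclosed the removed mounts start above the hunks.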
@@ -126,7 +124,7 @@ spec:
 {{- if (include "host.driver.is_universal_ebpf" .) }}
 - name: SYSDIG_AGENT_DRIVER
 value: universal_ebpf
- {{- else if (include "host.driver.is_legacy_ebpf" .) }}
+ {{- else if and (include "host.driver.is_legacy_ebpf" .) (not (include "common.cluster_type.is_gke_autopilot" .)) }}
 - name: SYSDIG_AGENT_DRIVER
 value: legacy_ebpf
 {{- end }}
@@ -214,8 +212,6 @@ spec:
 readOnly: true
 - mountPath: /host/var/run/containerd/containerd.sock
 name: containerdsock-vol
- - mountPath: /root/.sysdig
- name: bpf-probes
 {{- end }}
 {{- if (include "host.need_host_root" .) }}
@@ -313,8 +309,6 @@ spec:
 - name: osrel
 hostPath:
 path: /etc/os-release
- - name: bpf-probes
- emptyDir: {}
 - name: containerdsock-vol
 hostPath:
 path: /var/run/containerd/containerd.sock
From 960127e053afe4777be4e59ca0bc329484c3cb0d Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 25 Mar 2025 20:58:02 +0100
Subject: [PATCH 3/6] chore: bump
---
 charts/shield/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index 3ce29be85..56e3e1b11 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.0.0
+version: 1.1.0
 appVersion: "1.0.0"
From 6a85fdd8c1d252a5751362e9b89a2d8f87002f13 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 25 Mar 2025 21:17:57 +0100
Subject: [PATCH 4/6] chore: add AllowlistSynchronizer for gke-autopilot
---
 .../host/gke-allowlist-synchronizer.yaml | 14 +++++++++++
 .../host/gke-allowlist-synchronizer_test.yaml | 25 +++++++++++++++++++
 charts/shield/tests/values/gke-autopilot.yaml | 11 ++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 charts/shield/templates/host/gke-allowlist-synchronizer.yaml
 create mode 100644 charts/shield/tests/host/gke-allowlist-synchronizer_test.yaml
 create mode 100644 charts/shield/tests/values/gke-autopilot.yaml
diff --git a/charts/shield/templates/host/gke-allowlist-synchronizer.yaml b/charts/shield/templates/host/gke-allowlist-synchronizer.yaml
new file mode 100644
index 000000000..5e46287bd
--- /dev/null
+++ b/charts/shield/templates/host/gke-allowlist-synchronizer.yaml
@@ -0,0 +1,14 @@
+{{- if (include "common.cluster_type.is_gke_autopilot" .) -}}
+apiVersion: auto.gke.io/v1
+kind: AllowlistSynchronizer
+metadata:
+ name: sysdig-agent-allowlist-synchronizer
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: "pre-install,pre-upgrade"
+ labels:
+ {{- include "host.labels" . | nindent 4 }}
+spec:
+ allowlistPaths:
+ - "Sysdig/agent/*"
+{{- end -}}
diff --git a/charts/shield/tests/host/gke-allowlist-synchronizer_test.yaml b/charts/shield/tests/host/gke-allowlist-synchronizer_test.yaml
new file mode 100644
index 000000000..9e9a39e57
--- /dev/null
+++ b/charts/shield/tests/host/gke-allowlist-synchronizer_test.yaml
@@ -0,0 +1,25 @@
+suite: Host - Service
+templates:
+ - templates/host/gke-allowlist-synchronizer.yaml
+release:
+ name: release-name
+ namespace: shield-namespace
+values:
+ - ../values/gke-autopilot.yaml
+tests:
+ - it: Contains the agent GKE AllowlistSynchronizer resource
+ asserts:
+ - containsDocument:
+ kind: AllowlistSynchronizer
+ apiVersion: auto.gke.io/v1
+ name: sysdig-agent-allowlist-synchronizer
+ - equal:
+ path: metadata.namespace
+ value: shield-namespace
+ - equal:
+ path: metadata.annotations["helm.sh/hook"]
+ value: pre-install,pre-upgrade
+ - equal:
+ path: spec.allowlistPaths
+ value:
+ - "Sysdig/agent/*"
diff --git a/charts/shield/tests/values/gke-autopilot.yaml b/charts/shield/tests/values/gke-autopilot.yaml
new file mode 100644
index 000000000..f3f5840b1
--- /dev/null
+++ b/charts/shield/tests/values/gke-autopilot.yaml
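Review bot: The AllowlistSynchronizer is created as a `pre-install,pre-upgrade` hook, and Helm does not track hook resources as part of the release, so `helm uninstall` leaves the `Sysdig/agent/*` allowlist in place on the cluster after the agent is gone; the default `hook-delete-policy` of `before-hook-creation` only covers re-creation on upgrade, so either a `post-delete` cleanup or a documented manual step is needed. A comment above the `apiVersion` line should record this, e.g. `{{/* pre-install/pre-upgrade hook so the allowlist presumably exists before the DaemonSet is admitted; Helm does not manage hook resources, so this object survives helm uninstall */}}`. AllowlistSynchronizer also looks cluster-scoped; if so, the `namespace: {{ .Release.Namespace }}` line is ignored by the API server, which the unit test cannot catch because it only checks the rendered text — confirm against the CRD's scope and drop the line if it is.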
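Review bot: `suite: Host - Service` looks copied from another test file; this suite exercises the AllowlistSynchronizer template, so name it `suite: Host - GKE AllowlistSynchronizer`. The `{{- if (include "common.cluster_type.is_gke_autopilot" .) -}}` guard also has no negative case: add a second test that loads a non-Autopilot values file (one of the existing files under tests/values, if one fits) and asserts `- hasDocuments:` / `count: 0`, otherwise a regression that renders the hook on every cluster type goes unnoticed.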
@@ -0,0 +1,11 @@
+cluster_config:
+ name: test-cluster
+ cluster_type: gke-autopilot
+
+sysdig_endpoint:
+ region: custom
+ access_key: 12345678-1234-1234-1234-123456789012
+ api_url: https://www.example.com
+ collector:
+ host: example.com
+ port: 6443
From ed1606482dcfc9f0e4556cf693ff2a9f12a1cc92 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Wed, 26 Mar 2025 14:02:30 +0100
Subject: [PATCH 5/6] chore: use universal_ebpf for gke-autopilot
---
 charts/shield/templates/host/_helpers.tpl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl
index d2ecbe09d..fe22e375c 100644
--- a/charts/shield/templates/host/_helpers.tpl
+++ b/charts/shield/templates/host/_helpers.tpl
@@ -83,21 +83,21 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- define "host.driver.is_ebpf" }}
-{{- if or (include "host.driver.is_legacy_ebpf" .) (include "host.driver.is_universal_ebpf" .) }}
+{{- if or (include "host.driver.is_legacy_ebpf" .) (include "common.cluster_type.is_gke_autopilot" .) }}
 true
 {{- else }}
 {{- end }}
 {{- end }}
 {{- define "host.driver.is_legacy_ebpf" }}
-{{- if eq "legacy_ebpf" .Values.host.driver }}
+{{- if and (eq "legacy_ebpf" .Values.host.driver) (not (include "common.cluster_type.is_gke_autopilot" .)) }}
 true
 {{- else }}
 {{- end }}
 {{- end }}
 {{- define "host.driver.is_universal_ebpf" }}
-{{- if eq "universal_ebpf" .Values.host.driver }}
+{{- if or (eq "universal_ebpf" .Values.host.driver) (include "common.cluster_type.is_gke_autopilot" .) }}
 true
 {{- else }}
 {{- end }}
From f83587268d70d2892b35b879ee324ca76ec38556 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Thu, 27 Mar 2025 11:20:23 +0100
Subject: [PATCH 6/6] chroe: revert is_ebpf
---
 charts/shield/templates/host/_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
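Review bot: After this change `host.driver.is_universal_ebpf` is true on GKE Autopilot whatever `.Values.host.driver` is set to, so an explicit `legacy_ebpf` (or any other driver value the chart accepts) is silently rewritten to universal_ebpf with no signal at render time; the define should say so, e.g. `{{/* GKE Autopilot is always rendered as universal_ebpf; .Values.host.driver is ignored there */}}`, and a `fail` on an explicitly conflicting value could be considered. With the Autopilot check now inside `is_legacy_ebpf`, the `and ... (not (include "common.cluster_type.is_gke_autopilot" .))` guard that the -126 hunk of patch 2 added to daemonset.yaml is redundant and can return to `{{- else if (include "host.driver.is_legacy_ebpf" .) }}`, keeping the policy in one place. The `is_universal_ebpf` define's closing `{{- end }}` is below the hunk, and the `is_ebpf` line changed here is reverted by patch 6.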
diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl
index fe22e375c..399addee5 100644
--- a/charts/shield/templates/host/_helpers.tpl
+++ b/charts/shield/templates/host/_helpers.tpl
@@ -83,7 +83,7 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- define "host.driver.is_ebpf" }}
-{{- if or (include "host.driver.is_legacy_ebpf" .) (include "common.cluster_type.is_gke_autopilot" .) }}
+{{- if or (include "host.driver.is_legacy_ebpf" .) (include "host.driver.is_universal_ebpf" .) }}
 true
 {{- else }}
 {{- end }}