DEV-7170 (#27)

* init runtime agent * add runtime agent ds * change to fileorcreate * remove subpath * change tetragon sa name * test alias * remove alias * add podname and nodename and cluster-agent suffix * add resources * change chart version * add container to mika and cilium permissions * fix * updated runtime_agent image build number --------- Co-authored-by: [email protected] <[email protected]>
lightlytics · Feb 4, 2025 · 6d18505 · 6d18505
1 parent 447792a
commit 6d18505
Show file tree

Hide file tree

Showing 7 changed files with 147 additions and 25 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,5 @@
-helm-docs
+helm-docs
+
+charts/streamsec-agent/charts
+
+test.yaml
diff --git a/charts/streamsec-agent/Chart.yaml b/charts/streamsec-agent/Chart.yaml
@@ -16,9 +16,15 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.2
+version: 1.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.0.1
+appVersion: 1.1.0
+
+dependencies:
+  - name: tetragon
+    condition: streamsec.runtime_agent.enabled
+    version: 1.3.0
+    repository: "https://helm.cilium.io"
diff --git a/charts/streamsec-agent/templates/_helpers.tpl b/charts/streamsec-agent/templates/_helpers.tpl
@@ -19,6 +19,10 @@ define ECR url based on the AWS account
   {{ .Values.registry }}/{{ .Values.streamsec.process_discovery_image.name }}:{{ .Values.streamsec.process_discovery_image.tag }}
 {{- end -}}
 
+{{- define "streamsec.runtime-agent-image-path" -}}
+  {{ .Values.registry }}/{{ .Values.streamsec.runtime_agent.image.name }}:{{ .Values.streamsec.runtime_agent.image.tag }}
+{{- end -}}
+
 {{/*
 Expand the name of the chart.
 */}}

diff --git a/charts/streamsec-agent/templates/cluster_agent_deployment.yaml b/charts/streamsec-agent/templates/cluster_agent_deployment.yaml
@@ -2,7 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ template "streamsec.fullname" . }}
+  name: {{ template "streamsec.fullname" . }}-cluster-agent
   namespace: {{ .Release.Namespace }}
   labels:
   {{- include "streamsec.labels" . | nindent 4 }}
@@ -29,7 +29,7 @@ spec:
       {{- end }}
       containers:
       {{- range $container_name, $container_values := .Values.streamsec.cluster_agent_containers.containers }}
-      {{- if $container_values.enabled }}
+      {{- if or ($container_values.enabled) (and (eq $container_name "tracing-policy") ($.Values.streamsec.runtime_agent.enabled)) }}
         - name: {{ $container_name }}
           image: {{ template "streamsec.image-path" $}}
           imagePullPolicy: {{ $.Values.streamsec.image.pullPolicy }}

diff --git a/charts/streamsec-agent/templates/rbac.yaml b/charts/streamsec-agent/templates/rbac.yaml
@@ -78,6 +78,14 @@ rules:
       - get
       - list
       - watch
+  {{- if .Values.streamsec.runtime_agent.enabled }}
+  - apiGroups:
+      - cilium.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  {{- end }}
 
 ---
 apiVersion: v1

diff --git a/charts/streamsec-agent/templates/runtime_agent_ds.yaml b/charts/streamsec-agent/templates/runtime_agent_ds.yaml
@@ -0,0 +1,85 @@
+{{- if and (.Values.streamsec.cluster_agent_containers.enabled) (.Values.streamsec.runtime_agent.enabled) }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ template "streamsec.fullname" . }}-runtime-agent
+  labels:
+  {{- include "streamsec.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+  {{- include "streamsec.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+    {{- include "streamsec.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.streamsec.runtime_agent.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.streamsec.runtime_agent.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.streamsec.runtime_agent.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: runtime-agent
+          image: {{ template "streamsec.runtime-agent-image-path" $}}
+          imagePullPolicy: {{ .Values.streamsec.runtime_agent.image.pullPolicy }}
+          {{- with .Values.streamsec.runtime_agent.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: EVENTS_FILENAME
+              value: {{ .Values.streamsec.runtime_agent.tetragonFilePath }}
+            - name: API_URL
+              value: {{ .Values.streamsec.apiUrl | quote }}
+            - name: API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "streamsec.apiTokenSecretName" $ }}
+                  key: api-key
+          securityContext:
+            privileged: true
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - mountPath: /sys/kernel
+              name: sys-kernel
+            - mountPath: {{ .Values.streamsec.runtime_agent.tetragonFilePath }}
+              name: export-logs
+      dnsPolicy: {{ .Values.dnsPolicy }}
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      {{- with .Values.streamsec.runtime_agent.priorityClassName }}
+      priorityClassName: "{{ . }}"
+      {{- end }}
+      serviceAccountName: {{ template "streamsec.serviceAccountName" . }}
+      terminationGracePeriodSeconds: 1
+      volumes:
+        - hostPath:
+            path: {{ .Values.streamsec.runtime_agent.tetragonFilePath }}
+            type: FileOrCreate
+          name: export-logs
+        - hostPath:
+            path: /sys/kernel
+            type: DirectoryOrCreate
+          name: sys-kernel
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/streamsec-agent/values.yaml b/charts/streamsec-agent/values.yaml
@@ -8,6 +8,8 @@ fullnameOverride:  # ""
 
 registry: public.ecr.aws/k6v9y5g3
 
+dnsPolicy: Default
+
 streamsec:
   #streamsec.apiToken --  Stream Security API token for your Kubernetes cluster
   #Required: Set your Stream Security API token here
@@ -69,7 +71,7 @@ streamsec:
     name: cluster-agent
 
     #streamsec.image.tag -- Stream Security agent tag to use.
-    tag: master.584
+    tag: master.586
 
     #streamsec.image.pullPolicy -- Stream Security agent image pullPolicy
     pullPolicy: IfNotPresent
@@ -80,7 +82,7 @@ streamsec:
     name: cluster-agent
 
     #streamsec.cost_image.tag -- Stream Security cost agent tag to use.
-    tag: master.584
+    tag: master.586
 
     #streamsec.cost_image.pullPolicy -- Stream Security cost agent image pullPolicy
     pullPolicy: IfNotPresent
@@ -166,40 +168,53 @@ streamsec:
           - /usr/local/bin/python
           - main.py
           - events
-        requests:
-          cpu: 800m
-          memory: 1024Mi
-        limits:
-          cpu: 2000m
-          memory: 2048Mi
+        resources: {}
       network-policy:
         enabled: false
         name: network-policy
         command:
           - /usr/local/bin/python
           - main.py
           - network_policy
-        requests:
-          cpu: 800m
-          memory: 1024Mi
-        limits:
-          cpu: 2000m
-          memory: 2048Mi
+        resources: {}
+      tracing-policy:
+        name: tracing-policy
+        command:
+          - /usr/local/bin/python
+          - main.py
+          - tracing_policy
+        resources: {}
 
   process_discovery_containers:
     enabled: false
     containers:
       process-discovery:
         name: process-discovery
-        requests:
-          cpu: 800m
-          memory: 1024Mi
-        limits:
-          cpu: 2000m
-          memory: 2048Mi
+        resources: {}
+
+  runtime_agent:
+    enabled: false
+    tetragonFilePath: /var/run/cilium/tetragon/tetragon.log
+    nodeSelector: {}
+    tolerations:
+      - operator: Exists
+    affinity: {}
+    resources: {}
+    updateStrategy: {}
+    image:
+      name: runtime-agent
+      tag: 0.0.3
+      pullPolicy: IfNotPresent
 
   env:
     LOGLEVEL: INFO
     DEBUG: False
 
+tetragon:
+  serviceAccount:
+    name: "tetragon"
+  tetragon:
+    exportFileMaxSizeMB: 50
+    fieldFilters: |
+      {"fields": "parent", "action": "EXCLUDE"}