kubernetes
/
minikube
mirror of https://github.com/kubernetes/minikube.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

CI: Auto update inspektor-gadget YAMLs (#19717) 

* CI: Auto update inspektor-gadget YAMLs

* use automation to generate new YAMLs
pull/19783/head
Steven Powell 2024-10-09 13:31:47 -05:00 committed by GitHub
parent a220f0e4f0
commit 48cd79581a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 423 additions and 323 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
deploy/addons/inspektor-gadget/ig-clusterrole.yaml
View File

@ -1,32 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gadget-cluster-role
rules:
- apiGroups: [""]
resources: ["namespaces", "nodes", "pods"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
# list services is needed by network-policy gadget.
verbs: ["list"]
- apiGroups: ["gadget.kinvolk.io"]
resources: ["traces", "traces/status"]
# For traces, we need all rights on them as we define this resource.
verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
- apiGroups: ["*"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
# Required to retrieve the owner references used by the seccomp gadget.
verbs: ["get"]
- apiGroups: ["security-profiles-operator.x-k8s.io"]
resources: ["seccompprofiles"]
# Required for integration with the Kubernetes Security Profiles Operator
verbs: ["list", "watch", "create"]
- apiGroups: ["security.openshift.io"]
# It is necessary to use the 'privileged' security context constraints to be
# able mount host directories as volumes, use the host networking, among others.
# This will be used only when running on OpenShift:
# https://docs.openshift.com/container-platform/4.9/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth
resources: ["securitycontextconstraints"]
resourceNames: ["privileged"]
verbs: ["use"]

12
deploy/addons/inspektor-gadget/ig-clusterrolebinding.yaml
View File

@ -1,12 +0,0 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: gadget-cluster-role-binding
subjects:
- kind: ServiceAccount
name: gadget
namespace: gadget
roleRef:
kind: ClusterRole
name: gadget-cluster-role
apiGroup: rbac.authorization.k8s.io

26
deploy/addons/inspektor-gadget/ig-configmap.yaml
View File

@ -1,26 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: gadget
namespace: gadget
data:
config.yaml: |-
hook-mode: auto
fallback-pod-informer: true
events-buffer-length: 16384
containerd-socketpath: /run/containerd/containerd.sock
crio-socketpath: /run/crio/crio.sock
docker-socketpath: /run/docker.sock
podman-socketpath: /run/podman/podman.sock
operator:
oci:
verify-image: true
public-keys:
- |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoDOC0gYSxZTopenGmX3ZFvQ1DSfh
Ir4EKRt5jC+mXaJ7c7J+oREskYMn/SfZdRHNSOjLTZUMDm60zpXGhkFecg==
-----END PUBLIC KEY-----
allowed-gadgets:
[]
disallow-pulling: false

5
deploy/addons/inspektor-gadget/ig-crd.yaml
View File

@ -1,8 +1,11 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: traces.gadget.kinvolk.io
spec:
group: gadget.kinvolk.io
@ -123,4 +126,4 @@ status:
kind: ""
plural: ""
conditions: []
storedVersions: []
storedVersions: []

213
deploy/addons/inspektor-gadget/ig-daemonset.yaml.tmpl
View File

@ -1,213 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: gadget
namespace: gadget
labels:
k8s-app: gadget
spec:
selector:
matchLabels:
k8s-app: gadget
template:
metadata:
labels:
k8s-app: gadget
annotations:
# We need to set gadget container as unconfined so it is able to write
# /sys/fs/bpf as well as /sys/kernel/debug/tracing.
# Otherwise, we can have error like:
# "failed to create server failed to create folder for pinning bpf maps: mkdir /sys/fs/bpf/gadget: permission denied"
# (For reference, see: https://github.com/inspektor-gadget/inspektor-gadget/runs/3966318270?check_suite_focus=true#step:20:221)
container.apparmor.security.beta.kubernetes.io/gadget: "unconfined"
inspektor-gadget.kinvolk.io/option-hook-mode: "auto"
spec:
serviceAccount: gadget
hostPID: true
hostNetwork: true
nodeSelector:
kubernetes.io/os: "linux"
containers:
- name: gadget
terminationMessagePolicy: FallbackToLogsOnError
image: {{.CustomRegistries.InspektorGadget | default .ImageRepository | default .Registries.InspektorGadget }}{{.Images.InspektorGadget}}
imagePullPolicy: "Always"
command: [ "/entrypoint" ]
lifecycle:
preStop:
exec:
command:
- "/cleanup"
readinessProbe:
periodSeconds: 5
timeoutSeconds: 2
exec:
command:
- /bin/gadgettracermanager
- -liveness
livenessProbe:
periodSeconds: 5
timeoutSeconds: 2
exec:
command:
- /bin/gadgettracermanager
- -liveness
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: GADGET_POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
- name: TRACELOOP_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: TRACELOOP_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: TRACELOOP_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: GADGET_IMAGE
value: "ghcr.io/inspektor-gadget/inspektor-gadget"
- name: INSPEKTOR_GADGET_VERSION
value: "v0.16.1"
- name: INSPEKTOR_GADGET_OPTION_HOOK_MODE
value: "auto"
- name: INSPEKTOR_GADGET_OPTION_FALLBACK_POD_INFORMER
value: "true"
# Make sure to keep these settings in sync with pkg/container-utils/runtime-client/interface.go
- name: INSPEKTOR_GADGET_CONTAINERD_SOCKETPATH
value: "/run/containerd/containerd.sock"
- name: INSPEKTOR_GADGET_CRIO_SOCKETPATH
value: "/run/crio/crio.sock"
- name: INSPEKTOR_GADGET_DOCKER_SOCKETPATH
value: "/run/docker.sock"
- name: HOST_ROOT
value: "/host"
securityContext:
capabilities:
add:
# We need CAP_NET_ADMIN to be able to create BPF link.
# Indeed, link_create is called with prog->type which equals
# BPF_PROG_TYPE_CGROUP_SKB.
# This value is then checked in
# bpf_prog_attach_check_attach_type() which also checks if we have
# CAP_NET_ADMIN:
# https://elixir.bootlin.com/linux/v5.14.14/source/kernel/bpf/syscall.c#L4099
# https://elixir.bootlin.com/linux/v5.14.14/source/kernel/bpf/syscall.c#L2967
- NET_ADMIN
# We need CAP_SYS_ADMIN to use Python-BCC gadgets because bcc
# internally calls bpf_get_map_fd_by_id() which contains the
# following snippet:
# if (!capable(CAP_SYS_ADMIN))
# return -EPERM;
# (https://elixir.bootlin.com/linux/v5.10.73/source/kernel/bpf/syscall.c#L3254)
#
# Details about this are given in:
# > The important design decision is to allow ID->FD transition for
# CAP_SYS_ADMIN only. What it means that user processes can run
# with CAP_BPF and CAP_NET_ADMIN and they will not be able to affect each
# other unless they pass FDs via scm_rights or via pinning in bpffs.
# ID->FD is a mechanism for human override and introspection.
# An admin can do 'sudo bpftool prog ...'. It's possible to enforce via LSM that
# only bpftool binary does bpf syscall with CAP_SYS_ADMIN and the rest of user
# space processes do bpf syscall with CAP_BPF isolating bpf objects (progs, maps,
# links) that are owned by such processes from each other.
# (https://lwn.net/Articles/820560/)
#
# Note that even with a kernel providing CAP_BPF, the above
# statement is still true.
- SYS_ADMIN
# We need this capability to get addresses from /proc/kallsyms.
# Without it, addresses displayed when reading this file will be
# 0.
# Thus, bcc_procutils_each_ksym will never call callback, so KSyms
# syms_ vector will be empty and it will return false.
# As a consequence, no prefix will be found in
# get_syscall_prefix(), so a default prefix (_sys) will be
# returned.
# Sadly, this default prefix is not used by the running kernel,
# which instead uses: __x64_sys_
- SYSLOG
# traceloop gadget uses strace which in turns use ptrace()
# syscall.
# Within kernel code, ptrace() calls ptrace_attach() which in
# turns calls __ptrace_may_access() which calls ptrace_has_cap()
# where CAP_SYS_PTRACE is finally checked:
# https://elixir.bootlin.com/linux/v5.14.14/source/kernel/ptrace.c#L284
- SYS_PTRACE
# Needed by setrlimit in gadgettracermanager and by the traceloop
# gadget.
- SYS_RESOURCE
# Needed for gadgets that don't dumb the memory rlimit.
# (Currently only applies to BCC python-based gadgets)
- IPC_LOCK
# Needed by BCC python-based gadgets to load the kheaders module:
# https://github.com/iovisor/bcc/blob/v0.24.0/src/cc/frontends/clang/kbuild_helper.cc#L158
- SYS_MODULE
# Needed by gadgets that open a raw sock like dns and snisnoop
- NET_RAW
volumeMounts:
- name: host
mountPath: /host
- name: run
mountPath: /run
- name: modules
mountPath: /lib/modules
- name: debugfs
mountPath: /sys/kernel/debug
- name: cgroup
mountPath: /sys/fs/cgroup
- name: bpffs
mountPath: /sys/fs/bpf
# We need to add a dedicated volume to store OCI image otherwise it
# will fail as the container root filesystem is read only.
# For this, we use an emptyDir without size limit.
- mountPath: /var/lib/ig
name: oci
- mountPath: /etc/ig
name: config
readOnly: true
tolerations:
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- name: host
hostPath:
path: /
- name: run
hostPath:
path: /run
- name: cgroup
hostPath:
path: /sys/fs/cgroup
- name: modules
hostPath:
path: /lib/modules
- name: bpffs
hostPath:
path: /sys/fs/bpf
- name: debugfs
hostPath:
path: /sys/kernel/debug
- name: oci
emptyDir:
- name: config
configMap:
name: gadget
defaultMode: 0o400

376
deploy/addons/inspektor-gadget/ig-deployment.yaml.tmpl Normal file
View File

@ -0,0 +1,376 @@
---
# This file is generated by 'make generate-manifests'; DO NOT EDIT.
apiVersion: v1
kind: Namespace
metadata:
name: gadget
---
# Source: gadget/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: gadget
namespace: gadget
---
# Source: gadget/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: gadget
namespace: gadget
data:
config.yaml: |-
hook-mode: auto
fallback-pod-informer: true
events-buffer-length: 16384
containerd-socketpath: /run/containerd/containerd.sock
crio-socketpath: /run/crio/crio.sock
docker-socketpath: /run/docker.sock
podman-socketpath: /run/podman/podman.sock
operator:
oci:
verify-image: true
public-keys:
- |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoDOC0gYSxZTopenGmX3ZFvQ1DSfh
Ir4EKRt5jC+mXaJ7c7J+oREskYMn/SfZdRHNSOjLTZUMDm60zpXGhkFecg==
-----END PUBLIC KEY-----
allowed-gadgets:
[]
disallow-pulling: false
---
# Source: gadget/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gadget-cluster-role
rules:
- apiGroups: [""]
resources: ["nodes/proxy"]
verbs: ["get"]
- apiGroups: [""]
resources: ["namespaces", "nodes", "pods"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
# list is needed by network-policy gadget
# watch is needed by operators enriching with service informations
verbs: ["list", "watch"]
- apiGroups: ["gadget.kinvolk.io"]
resources: ["traces", "traces/status"]
# For traces, we need all rights on them as we define this resource.
verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
- apiGroups: ["*"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
# Required to retrieve the owner references used by the seccomp gadget.
verbs: ["get"]
- apiGroups: ["security-profiles-operator.x-k8s.io"]
resources: ["seccompprofiles"]
# Required for integration with the Kubernetes Security Profiles Operator
verbs: ["list", "watch", "create"]
- apiGroups: ["security.openshift.io"]
# It is necessary to use the 'privileged' security context constraints to be
# able mount host directories as volumes, use the host networking, among others.
# This will be used only when running on OpenShift:
# https://docs.openshift.com/container-platform/4.9/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth
resources: ["securitycontextconstraints"]
resourceNames: ["privileged"]
verbs: ["use"]
---
# Source: gadget/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gadget-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gadget-cluster-role
subjects:
- kind: ServiceAccount
name: gadget
namespace: gadget
---
# Source: gadget/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gadget-role
namespace: gadget
rules:
- apiGroups: [ "" ]
resources: [ "secrets" ]
# get secrets is needed for retrieving pull secret.
verbs: [ "get" ]
---
# Source: gadget/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: gadget-role-binding
namespace: gadget
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gadget-role
subjects:
- kind: ServiceAccount
name: gadget
---
# Source: gadget/templates/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
k8s-app: gadget
name: gadget
namespace: gadget
spec:
selector:
matchLabels:
k8s-app: gadget
template:
metadata:
labels:
k8s-app: gadget
annotations:
# We need to set gadget container as unconfined so it is able to write
# /sys/fs/bpf as well as /sys/kernel/debug/tracing.
# Otherwise, we can have error like:
# "failed to create server failed to create folder for pinning bpf maps: mkdir /sys/fs/bpf/gadget: permission denied"
# (For reference, see: https://github.com/inspektor-gadget/inspektor-gadget/runs/3966318270?check_suite_focus=true#step:20:221)
container.apparmor.security.beta.kubernetes.io/gadget: "unconfined"
inspektor-gadget.kinvolk.io/option-hook-mode: "auto"
# keep aligned with values in pkg/operators/prometheus/prometheus.go
prometheus.io/scrape: "true"
prometheus.io/port: "2223"
prometheus.io/path: "/metrics"
spec:
serviceAccount: gadget
hostPID: false
hostNetwork: false
containers:
- name: gadget
terminationMessagePolicy: FallbackToLogsOnError
image: {{.CustomRegistries.InspektorGadget | default .ImageRepository | default .Registries.InspektorGadget }}{{.Images.InspektorGadget}}
imagePullPolicy: Always
command: [ "/entrypoint" ]
lifecycle:
preStop:
exec:
command:
- "/cleanup"
livenessProbe:
exec:
command:
- /bin/gadgettracermanager
- -liveness
periodSeconds: 5
timeoutSeconds: 2
readinessProbe:
exec:
command:
- /bin/gadgettracermanager
- -liveness
periodSeconds: 5
timeoutSeconds: 2
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: GADGET_POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
- name: GADGET_IMAGE
value: "ghcr.io/inspektor-gadget/inspektor-gadget"
- name: INSPEKTOR_GADGET_VERSION
value: "latest"
- name: INSPEKTOR_GADGET_OPTION_HOOK_MODE
value: "auto"
- name: INSPEKTOR_GADGET_OPTION_FALLBACK_POD_INFORMER
value: "true"
- name: HOST_ROOT
value: "/host"
- name: IG_EXPERIMENTAL
value: "false"
- name: EVENTS_BUFFER_LENGTH
value: "16384"
- name: GADGET_TRACER_MANAGER_LOG_LEVEL
value: "info"
securityContext:
readOnlyRootFilesystem: true
# With hostPID/hostNetwork/privileged [1] set to false, we need to set appropriate
# SELinux context [2] to be able to mount host directories with correct permissions.
# This option is ignored if hostPID/hostNetwork/privileged is set to true or SELinux isn't enabled.
# See:
# 1 - https://github.com/cri-o/cri-o/blob/v1.27.0/server/sandbox_run_linux.go#L537
# 2 - https://github.com/cri-o/cri-o/blob/v1.27.0/server/container_create_linux.go#L310
seLinuxOptions:
type: "spc_t"
capabilities:
drop:
- ALL
add:
# We need CAP_SYS_ADMIN for gadgettracermanager due to several
# syscalls:
# - bpf(): It often checks if SYS_ADMIN is set, among others
# there:
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/bpf/syscall.c#L2602
# - perf_event_open(): The kernel checks if CAP_PERFMON or
# CAP_SYS_ADMIN is set:
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/events/core.c#L12406-L12409
# - fanotify_init(): CAP_SYS_ADMIN is required to use all the
# functionalities offered by fanotify:
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/notify/fanotify/fanotify_user.c#L1404
# - fanotify_mark(): This capability is required to setup mount
# or filesystem marks:
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/notify/fanotify/fanotify_user.c#L1745-L1754
# - mount(): We need this capability to modify the caller
# namespace:
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/namespace.c#L1844-L1846
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/namespace.c#L3609
# - setns(): SYS_ADMIN is needed to install various namespace:
# https://github.com/torvalds/linux/blob/c42d9eeef8e5ba9292eda36fd8e3c11f35ee065c/kernel/nsproxy.c#L574
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/cgroup/namespace.c#L103-L105
- SYS_ADMIN
# We need this capability to get addresses from /proc/kallsyms.
# Without it, addresses displayed when reading this file will be
# 0.
# Indeed, the socket-enricher needs to get the socket_file_ops
# to work correctly:
# https://github.com/inspektor-gadget/inspektor-gadget/blob/69692d54d951/pkg/gadgets/internal/socketenricher/tracer.go#L75
- SYSLOG
# Accessing some procfs files such as /proc/$pid/ns/mnt
# requires ptrace capability:
# https://github.com/inspektor-gadget/inspektor-gadget/blob/3c51ff5e9f5b/pkg/utils/host/namespaces.go#L65
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/proc/namespaces.c#L58
- SYS_PTRACE
# Needed by RemoveMemlock in gadgettracermanager:
# https://github.com/inspektor-gadget/inspektor-gadget/blob/f2b9826fc4ae046415cdee30ee4a25322fd3f0c0/pkg/gadgettracermanager/gadgettracermanager.go#L258
- SYS_RESOURCE
# Needed by mmap() called by gadgettracermanager:
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/mm/mmap.c#L1281
# https://github.com/torvalds/linux/blob/c42d9eeef8e5/mm/mmap.c#L1161-L1162
- IPC_LOCK
# Needed by gadgets that open a raw sock like dns and snisnoop:
# https://github.com/inspektor-gadget/inspektor-gadget/blob/3c51ff5e9f5b/gadgets/trace_dns/program.bpf.c#L365-L366
- NET_RAW
# Needed to attach qdiscs and filters to network interfaces. See createClsActQdisc()
# and addTCFilter() in pkg/gadgets/internal/tcnetworktracer/tc.go
- NET_ADMIN
volumeMounts:
- mountPath: /host/bin
name: bin
readOnly: true
# We need to have read/write as we write NRI and OCI config files
# here.
- mountPath: /host/etc
name: etc
readOnly: false
# We need to have read/write as we write NRI and OCI binaries here.
- mountPath: /host/opt
name: opt
readOnly: false
- mountPath: /host/usr
name: usr
readOnly: true
- mountPath: /host/run
name: run
readOnly: true
- mountPath: /host/var
name: var
readOnly: true
# WARNING Despite mounting host proc as readonly, it is possible to
# write host file system using symlinks under /host/proc. The
# following command, ran from gadget pod, will result in writing to
# the host filesystem:
# touch /host/proc/1/root/foobar
# This limitation comes from Inspektor Gadget needing to be run as
# unconfined with regard to AppArmor and having the SYS_PTRACE
# capability.
- mountPath: /host/proc
name: proc
readOnly: true
- mountPath: /run
name: run
- mountPath: /sys/kernel/debug
name: debugfs
- mountPath: /sys/fs/cgroup
name: cgroup
readOnly: true
- mountPath: /sys/fs/bpf
name: bpffs
# We need to add a dedicated volume to store OCI image otherwise it
# will fail as the container root filesystem is read only.
# For this, we use an emptyDir without size limit.
- mountPath: /var/lib/ig
name: oci
- mountPath: /etc/ig
name: config
readOnly: true
nodeSelector:
kubernetes.io/os: linux
affinity:
{}
tolerations:
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
# /bin is needed to find runc.
- name: bin
hostPath:
path: /bin
# /etc is needed for several reasons:
# 1. entrypoint needs /etc/os-release to print information.
# 2. entrypoint needs /etc/nri to handle NRI hooks
# 3. entrypoint needs /etc/containers/oci to handle OCI hooks.
- name: etc
hostPath:
path: /etc
# /opt is needed for several reasons:
# 1. entrypoint needs /opt/nri to handle NRI hooks.
# 2. entrypoint needs /opt/hooks/oci to handle OCI hooks.
- name: opt
hostPath:
path: /opt
# /usr is needed to find runc.
- name: usr
hostPath:
path: /usr
- name: proc
hostPath:
path: /proc
- name: run
hostPath:
path: /run
# /var is needed by container-hook to fanoitfy mark certain directories
# e.g. needed in case of docker runtime on minikube (driver=kvm2)
- name: var
hostPath:
path: /var
- name: cgroup
hostPath:
path: /sys/fs/cgroup
- name: bpffs
hostPath:
path: /sys/fs/bpf
- name: debugfs
hostPath:
path: /sys/kernel/debug
- name: oci
emptyDir:
- name: config
configMap:
name: gadget
defaultMode: 0o400

4
deploy/addons/inspektor-gadget/ig-namespace.yaml
View File

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: gadget

10
deploy/addons/inspektor-gadget/ig-role.yaml
View File

@ -1,10 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: gadget
name: gadget-role
rules:
- apiGroups: [""]
resources: ["pods"]
# update is needed by traceloop gadget.
verbs: ["update"]

12
deploy/addons/inspektor-gadget/ig-rolebinding.yaml
View File

@ -1,12 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: gadget-role-binding
namespace: gadget
subjects:
- kind: ServiceAccount
name: gadget
roleRef:
kind: Role
name: gadget-role
apiGroup: rbac.authorization.k8s.io

5
deploy/addons/inspektor-gadget/ig-serviceaccount.yaml
View File

@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: gadget
namespace: gadget

42
hack/update/inspektor_gadget_version/update_inspektor_gadget_version.go
View File

@ -19,6 +19,10 @@ package main
import (
"context"
"fmt"
"io"
"net/http"
"os"
"regexp"
"time"
"k8s.io/klog/v2"
@ -58,4 +62,42 @@ func main() {
klog.Infof("inspektor-gadget stable version: %s", data.Version)
update.Apply(schema, data)
updateDeploymentYAML(stable)
updateCRDYAML(stable)
}
func updateDeploymentYAML(version string) {
res, err := http.Get(fmt.Sprintf("https://raw.githubusercontent.com/inspektor-gadget/inspektor-gadget/refs/tags/%s/pkg/resources/manifests/deploy.yaml", version))
if err != nil {
klog.Fatalf("failed to get yaml file: %v", err)
}
defer res.Body.Close()
yaml, err := io.ReadAll(res.Body)
if err != nil {
klog.Fatalf("failed to read body: %v", err)
}
replacements := map[string]string{
`ghcr\.io\/inspektor-gadget\/inspektor-gadget:.*`: "{{.CustomRegistries.InspektorGadget | default .ImageRepository | default .Registries.InspektorGadget }}{{.Images.InspektorGadget}}",
}
for re, repl := range replacements {
yaml = regexp.MustCompile(re).ReplaceAll(yaml, []byte(repl))
}
if err := os.WriteFile("../../../deploy/addons/inspektor-gadget/ig-deployment.yaml.tmpl", yaml, 0644); err != nil {
klog.Fatalf("failed to write to YAML file: %v", err)
}
}
func updateCRDYAML(version string) {
res, err := http.Get(fmt.Sprintf("https://raw.githubusercontent.com/inspektor-gadget/inspektor-gadget/refs/tags/%s/pkg/resources/crd/bases/gadget.kinvolk.io_traces.yaml", version))
if err != nil {
klog.Fatalf("failed to get yaml file: %v", err)
}
defer res.Body.Close()
yaml, err := io.ReadAll(res.Body)
if err != nil {
klog.Fatalf("failed to read body: %v", err)
}
if err := os.WriteFile("../../../deploy/addons/inspektor-gadget/ig-crd.yaml", yaml, 0644); err != nil {
klog.Fatalf("failed to write to YAML file: %v", err)
}
}

9
pkg/minikube/assets/addons.go
View File

@ -306,15 +306,8 @@ var Addons = map[string]*Addon{
"0640"),
}, false, "istio", "3rd party (Istio)", "", "https://istio.io/latest/docs/setup/platform-setup/minikube/", nil, nil),
"inspektor-gadget": NewAddon([]*BinAsset{
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-namespace.yaml", vmpath.GuestAddonsDir, "ig-namespace.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-serviceaccount.yaml", vmpath.GuestAddonsDir, "ig-serviceaccount.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-role.yaml", vmpath.GuestAddonsDir, "ig-role.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-rolebinding.yaml", vmpath.GuestAddonsDir, "ig-rolebinding.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-clusterrole.yaml", vmpath.GuestAddonsDir, "ig-clusterrole.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-clusterrolebinding.yaml", vmpath.GuestAddonsDir, "ig-clusterrolebinding.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-configmap.yaml", vmpath.GuestAddonsDir, "ig-configmap.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-crd.yaml", vmpath.GuestAddonsDir, "ig-crd.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-daemonset.yaml.tmpl", vmpath.GuestAddonsDir, "ig-daemonset.yaml", "0640"),
MustBinAsset(addons.InspektorGadgetAssets, "inspektor-gadget/ig-deployment.yaml.tmpl", vmpath.GuestAddonsDir, "ig-deployment.yaml", "0640"),
}, false, "inspektor-gadget", "3rd party (inspektor-gadget.io)", "https://github.com/orgs/inspektor-gadget/people", "https://minikube.sigs.k8s.io/docs/handbook/addons/inspektor-gadget/",
map[string]string{
"InspektorGadget": "inspektor-gadget/inspektor-gadget:v0.33.0@sha256:66a9ee9ff75b254d99ec9521af92c2aee19a0faf7bb4a5d7b89787c3817c671c",