---
# This file is generated by 'make generate-manifests'; DO NOT EDIT.
# Dedicated namespace that holds every Inspektor Gadget object in this file.
apiVersion: v1
kind: Namespace
metadata:
  name: "gadget"
---
# Source: gadget/templates/serviceaccount.yaml
# Identity the gadget DaemonSet pods run as; it is the subject of both the
# ClusterRoleBinding and the RoleBinding defined later in this file.
# automountServiceAccountToken is not set here, so the Kubernetes default applies.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: "gadget"
  name: "gadget"
---
# Source: gadget/templates/configmap.yaml
# Runtime configuration for ig; the DaemonSet mounts this ConfigMap read-only
# at /etc/ig (volume "config").
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: "gadget"
  name: "gadget"
data:
  # The value below is itself a YAML document consumed by ig. It lists the
  # container-runtime sockets ig may talk to and, under operator.oci, the
  # image-verification settings: verify-image is on with a single public key,
  # allowed-gadgets is empty and disallow-pulling is false.
  # NOTE(review): presumably an empty allowed-gadgets list means any gadget
  # image that passes signature verification may be run — confirm against
  # the ig documentation before relying on it as an allow-list.
  # Kept byte-for-byte: any change here changes the string ig reads.
  config.yaml: |-
    hook-mode: auto
    fallback-pod-informer: true
    events-buffer-length: 16384
    containerd-socketpath: /run/containerd/containerd.sock
    crio-socketpath: /run/crio/crio.sock
    docker-socketpath: /run/docker.sock
    podman-socketpath: /run/podman/podman.sock
    operator:
      oci:
        verify-image: true
        public-keys:
          - |
            -----BEGIN PUBLIC KEY-----
            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoDOC0gYSxZTopenGmX3ZFvQ1DSfh
            Ir4EKRt5jC+mXaJ7c7J+oREskYMn/SfZdRHNSOjLTZUMDm60zpXGhkFecg==
            -----END PUBLIC KEY-----
        allowed-gadgets:
          []
        disallow-pulling: false
---
# Source: gadget/templates/clusterrole.yaml
# Cluster-wide permissions for the gadget ServiceAccount. Rules are written
# in block style, one entry per line, so each grant is easy to review.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gadget-cluster-role
rules:
  # nodes/proxy "get" reaches the kubelet API of every node through the
  # API server proxy; it is cluster-wide by construction.
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - namespaces
      - nodes
      - pods
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - services
    # list is needed by network-policy gadget
    # watch is needed by operators enriching with service information
    verbs:
      - list
      - watch
  - apiGroups:
      - gadget.kinvolk.io
    resources:
      - traces
      - traces/status
    # For traces, we need all rights on them as we define this resource.
    verbs:
      - delete
      - deletecollection
      - get
      - list
      - patch
      - create
      - update
      - watch
  # NOTE(review): the wildcard API group grants "get" on these resource
  # names in every group that defines them, not only apps/batch/"". A
  # narrower group list would be stricter — confirm which groups the
  # seccomp gadget actually queries before tightening.
  - apiGroups:
      - "*"
    resources:
      - deployments
      - replicasets
      - statefulsets
      - daemonsets
      - jobs
      - cronjobs
      - replicationcontrollers
    # Required to retrieve the owner references used by the seccomp gadget.
    verbs:
      - get
  - apiGroups:
      - security-profiles-operator.x-k8s.io
    resources:
      - seccompprofiles
    # Required for integration with the Kubernetes Security Profiles Operator
    verbs:
      - list
      - watch
      - create
  - apiGroups:
      - security.openshift.io
    # It is necessary to use the 'privileged' security context constraints to be
    # able to mount host directories as volumes, use the host networking, among others.
    # This will be used only when running on OpenShift:
    # https://docs.openshift.com/container-platform/4.9/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth
    resources:
      - securitycontextconstraints
    resourceNames:
      - privileged
    verbs:
      - use
---
# Source: gadget/templates/clusterrolebinding.yaml
# Grants gadget-cluster-role to the gadget ServiceAccount in the gadget
# namespace. The namespace is mandatory on a ClusterRoleBinding subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "gadget-cluster-role-binding"
subjects:
  - kind: ServiceAccount
    namespace: "gadget"
    name: "gadget"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "gadget-cluster-role"
---
# Source: gadget/templates/role.yaml
# Namespace-scoped permissions; only Secrets in the gadget namespace are
# readable, and only by name ("get"), not listed or watched.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: "gadget"
  name: "gadget-role"
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    # get secrets is needed for retrieving pull secret.
    verbs:
      - get
---
# Source: gadget/templates/rolebinding.yaml
# Grants gadget-role to the gadget ServiceAccount. The subject carries no
# namespace; for a RoleBinding, RBAC resolves an empty ServiceAccount
# namespace to the binding's own namespace (gadget).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: "gadget"
  name: "gadget-role-binding"
subjects:
  - kind: ServiceAccount
    name: "gadget"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "gadget-role"
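---
# Source: gadget/templates/daemonset.yaml
# Security posture as configured below: the gadget container runs AppArmor
# unconfined, holds CAP_SYS_ADMIN and CAP_SYS_PTRACE, and has read/write
# hostPath mounts of the host's /etc and /opt. Anyone who can exec into this
# pod or act as the "gadget" ServiceAccount therefore effectively has root on
# every node, so keep the gadget namespace and that ServiceAccount tightly
# scoped.
# Changes versus the generated template: serviceAccount (deprecated alias)
# replaced by serviceAccountName; empty affinity and emptyDir written as
# explicit {} instead of a bare key, so YAML 1.1/1.2 parsers and schema
# validators see an empty object rather than null. Both are equivalent for
# the API server; the generator should be updated to match.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: gadget
  name: gadget
  namespace: gadget
spec:
  selector:
    matchLabels:
      k8s-app: gadget
  template:
    metadata:
      labels:
        k8s-app: gadget
      annotations:
        # We need to set gadget container as unconfined so it is able to write
        # /sys/fs/bpf as well as /sys/kernel/debug/tracing.
        # Otherwise, we can have error like:
        # "failed to create server failed to create folder for pinning bpf maps: mkdir /sys/fs/bpf/gadget: permission denied"
        # (For reference, see: https://github.com/inspektor-gadget/inspektor-gadget/runs/3966318270?check_suite_focus=true#step:20:221)
        container.apparmor.security.beta.kubernetes.io/gadget: "unconfined"
        inspektor-gadget.kinvolk.io/option-hook-mode: "auto"
        # keep aligned with values in pkg/operators/prometheus/prometheus.go
        prometheus.io/scrape: "true"
        prometheus.io/port: "2223"
        prometheus.io/path: "/metrics"
    spec:
      # serviceAccountName is the current field; serviceAccount is its
      # deprecated alias and the API server keeps the two in sync.
      serviceAccountName: gadget
      # Host PID and network namespaces are deliberately not shared; host
      # access goes through the /host/* hostPath mounts and the capabilities
      # listed under securityContext instead.
      hostPID: false
      hostNetwork: false
      containers:
        - name: gadget
          terminationMessagePolicy: FallbackToLogsOnError
          # Go template expanded by minikube before this file is parsed as YAML.
          image: {{.CustomRegistries.InspektorGadget | default .ImageRepository | default .Registries.InspektorGadget }}{{.Images.InspektorGadget}}
          imagePullPolicy: Always
          command:
            - "/entrypoint"
          lifecycle:
            preStop:
              exec:
                command:
                  - "/cleanup"
          livenessProbe:
            exec:
              command:
                - /bin/gadgettracermanager
                - -liveness
            periodSeconds: 5
            timeoutSeconds: 2
          # The readiness probe runs the same -liveness check as the liveness
          # probe; there is no separate readiness flag in this manifest.
          readinessProbe:
            exec:
              command:
                - /bin/gadgettracermanager
                - -liveness
            periodSeconds: 5
            timeoutSeconds: 2
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: GADGET_POD_UID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.uid
            - name: GADGET_IMAGE
              value: "ghcr.io/inspektor-gadget/inspektor-gadget"
            - name: INSPEKTOR_GADGET_VERSION
              value: "latest"
            # The next two mirror hook-mode and fallback-pod-informer in the
            # gadget ConfigMap and the option-hook-mode annotation above.
            - name: INSPEKTOR_GADGET_OPTION_HOOK_MODE
              value: "auto"
            - name: INSPEKTOR_GADGET_OPTION_FALLBACK_POD_INFORMER
              value: "true"
            - name: HOST_ROOT
              value: "/host"
            - name: IG_EXPERIMENTAL
              value: "false"
            - name: EVENTS_BUFFER_LENGTH
              value: "16384"
            - name: GADGET_TRACER_MANAGER_LOG_LEVEL
              value: "info"
          securityContext:
            readOnlyRootFilesystem: true
            # With hostPID/hostNetwork/privileged [1] set to false, we need to set appropriate
            # SELinux context [2] to be able to mount host directories with correct permissions.
            # This option is ignored if hostPID/hostNetwork/privileged is set to true or SELinux isn't enabled.
            # See:
            # 1 - https://github.com/cri-o/cri-o/blob/v1.27.0/server/sandbox_run_linux.go#L537
            # 2 - https://github.com/cri-o/cri-o/blob/v1.27.0/server/container_create_linux.go#L310
            seLinuxOptions:
              type: "spc_t"
            # All capabilities are dropped first; only the ones justified
            # below are added back.
            capabilities:
              drop:
                - ALL
              add:
                # We need CAP_SYS_ADMIN for gadgettracermanager due to several
                # syscalls:
                # - bpf(): It often checks if SYS_ADMIN is set, among others
                # there:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/bpf/syscall.c#L2602
                # - perf_event_open(): The kernel checks if CAP_PERFMON or
                # CAP_SYS_ADMIN is set:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/events/core.c#L12406-L12409
                # - fanotify_init(): CAP_SYS_ADMIN is required to use all the
                # functionalities offered by fanotify:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/notify/fanotify/fanotify_user.c#L1404
                # - fanotify_mark(): This capability is required to setup mount
                # or filesystem marks:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/notify/fanotify/fanotify_user.c#L1745-L1754
                # - mount(): We need this capability to modify the caller
                # namespace:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/namespace.c#L1844-L1846
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/namespace.c#L3609
                # - setns(): SYS_ADMIN is needed to install various namespace:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5ba9292eda36fd8e3c11f35ee065c/kernel/nsproxy.c#L574
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/cgroup/namespace.c#L103-L105
                - SYS_ADMIN
                # We need this capability to get addresses from /proc/kallsyms.
                # Without it, addresses displayed when reading this file will be
                # 0.
                # Indeed, the socket-enricher needs to get the socket_file_ops
                # to work correctly:
                # https://github.com/inspektor-gadget/inspektor-gadget/blob/69692d54d951/pkg/gadgets/internal/socketenricher/tracer.go#L75
                - SYSLOG
                # Accessing some procfs files such as /proc/$pid/ns/mnt
                # requires ptrace capability:
                # https://github.com/inspektor-gadget/inspektor-gadget/blob/3c51ff5e9f5b/pkg/utils/host/namespaces.go#L65
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/proc/namespaces.c#L58
                - SYS_PTRACE
                # Needed by RemoveMemlock in gadgettracermanager:
                # https://github.com/inspektor-gadget/inspektor-gadget/blob/f2b9826fc4ae046415cdee30ee4a25322fd3f0c0/pkg/gadgettracermanager/gadgettracermanager.go#L258
                - SYS_RESOURCE
                # Needed by mmap() called by gadgettracermanager:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/mm/mmap.c#L1281
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/mm/mmap.c#L1161-L1162
                - IPC_LOCK
                # Needed by gadgets that open a raw sock like dns and snisnoop:
                # https://github.com/inspektor-gadget/inspektor-gadget/blob/3c51ff5e9f5b/gadgets/trace_dns/program.bpf.c#L365-L366
                - NET_RAW
                # Needed to attach qdiscs and filters to network interfaces. See createClsActQdisc()
                # and addTCFilter() in pkg/gadgets/internal/tcnetworktracer/tc.go
                - NET_ADMIN
          volumeMounts:
            - mountPath: /host/bin
              name: bin
              readOnly: true
            # We need to have read/write as we write NRI and OCI config files
            # here.
            - mountPath: /host/etc
              name: etc
              readOnly: false
            # We need to have read/write as we write NRI and OCI binaries here.
            - mountPath: /host/opt
              name: opt
              readOnly: false
            - mountPath: /host/usr
              name: usr
              readOnly: true
            # The host's /run is mounted twice: read-only here and read-write
            # at /run below, both from the same hostPath volume "run".
            - mountPath: /host/run
              name: run
              readOnly: true
            - mountPath: /host/var
              name: var
              readOnly: true
            # WARNING Despite mounting host proc as readonly, it is possible to
            # write host file system using symlinks under /host/proc. The
            # following command, ran from gadget pod, will result in writing to
            # the host filesystem:
            # touch /host/proc/1/root/foobar
            # This limitation comes from Inspektor Gadget needing to be run as
            # unconfined with regard to AppArmor and having the SYS_PTRACE
            # capability.
            - mountPath: /host/proc
              name: proc
              readOnly: true
            - mountPath: /run
              name: run
            - mountPath: /sys/kernel/debug
              name: debugfs
            - mountPath: /sys/fs/cgroup
              name: cgroup
              readOnly: true
            - mountPath: /sys/fs/bpf
              name: bpffs
            # We need to add a dedicated volume to store OCI image otherwise it
            # will fail as the container root filesystem is read only.
            # For this, we use an emptyDir without size limit.
            - mountPath: /var/lib/ig
              name: oci
            # ig configuration from the "gadget" ConfigMap, read-only.
            - mountPath: /etc/ig
              name: config
              readOnly: true
      nodeSelector:
        kubernetes.io/os: linux
      # No affinity rules; written as an explicit empty mapping.
      affinity: {}
      # Run on every node, including tainted ones.
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
      volumes:
        # /bin is needed to find runc.
        - name: bin
          hostPath:
            path: /bin
        # /etc is needed for several reasons:
        # 1. entrypoint needs /etc/os-release to print information.
        # 2. entrypoint needs /etc/nri to handle NRI hooks
        # 3. entrypoint needs /etc/containers/oci to handle OCI hooks.
        - name: etc
          hostPath:
            path: /etc
        # /opt is needed for several reasons:
        # 1. entrypoint needs /opt/nri to handle NRI hooks.
        # 2. entrypoint needs /opt/hooks/oci to handle OCI hooks.
        - name: opt
          hostPath:
            path: /opt
        # /usr is needed to find runc.
        - name: usr
          hostPath:
            path: /usr
        - name: proc
          hostPath:
            path: /proc
        - name: run
          hostPath:
            path: /run
        # /var is needed by container-hook to fanotify mark certain directories
        # e.g. needed in case of docker runtime on minikube (driver=kvm2)
        - name: var
          hostPath:
            path: /var
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
        - name: bpffs
          hostPath:
            path: /sys/fs/bpf
        - name: debugfs
          hostPath:
            path: /sys/kernel/debug
        # Explicit empty object: the bare "emptyDir:" form parses as null.
        - name: oci
          emptyDir: {}
        - name: config
          configMap:
            name: gadget
            # Owner read-only; YAML 1.2 octal, parsed as mode 0400.
            defaultMode: 0o400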