feat(node-analyzer/runtime-scanner): added configurable size for ephemeralVolumeRequestStorage when specifying a storageClassName

michele-mangili · michele-mangili · commit d07372baeb6d · 2025-09-26T12:00:17.000+02:00
diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: node-analyzer
 description: Sysdig Node Analyzer
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.36.11
+version: 1.37.0
 appVersion: 12.9.2
 keywords:
   - monitoring
diff --git a/charts/node-analyzer/README.md b/charts/node-analyzer/README.md
@@ -220,6 +220,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
 | `nodeAnalyzer.runtimeScanner.deploy`                                 | Deploys the Runtime Scanner.                                                                                                                                                                | `false`                                                                                                                                                               |
 | `nodeAnalyzer.runtimeScanner.extraMounts`                            | Specifies a container engine custom socket path (docker, containerd, CRI-O).                                                                                                                |                                                                                                                                                                       |
 | `nodeAnalyzer.runtimeScanner.storageClassName`                       | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage.                                                                                               | ``                                                                                                                                                                    |
+| `nodeAnalyzer.runtimeScanner.ephemeralVolumeRequestStorage`          | Specifies the size of the ephemeral storage volume to be used by the Runtime Scanner when the storageClassName is provided.                                                                 | `4Gi`                                                                                                                                                                 |
 | `nodeAnalyzer.runtimeScanner.image.repository`                       | Specifies the  image repository to pull the Runtime Scanner from.                                                                                                                           | `sysdig/vuln-runtime-scanner`                                                                                                                                         |
 | `nodeAnalyzer.runtimeScanner.image.tag`                              | Specifies the  image tag to pull the Runtime Scanner.                                                                                                                                       | `1.8.4`                                                                                                                                                               |
 | `nodeAnalyzer.runtimeScanner.image.digest`                           | Specifies the  image digest to pull.                                                                                                                                                        | ` `                                                                                                                                                                   |
diff --git a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
@@ -114,9 +114,7 @@ spec:
                 storageClassName: {{ .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
                 resources:
                   requests:
-                    storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.requests "ephemeral-storage" }}
-                  limits:
-                    storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.limits "ephemeral-storage" }}
+                    storage: {{ .Values.nodeAnalyzer.runtimeScanner.ephemeralVolumeRequestStorage }}
           {{- else }}
           emptyDir: {}
           {{- end }}
@@ -683,7 +681,18 @@ spec:
         securityContext:
             privileged: true
         resources:
-{{ toYaml .Values.nodeAnalyzer.runtimeScanner.resources | indent 10 }}
+          requests:
+            cpu: {{ .Values.nodeAnalyzer.runtimeScanner.resources.requests.cpu }}
+            memory: {{ .Values.nodeAnalyzer.runtimeScanner.resources.requests.memory }}
+            {{- if not .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
+            ephemeral-storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.requests "ephemeral-storage" | quote }}
+            {{- end }}
+          limits:
+            cpu: {{ .Values.nodeAnalyzer.runtimeScanner.resources.limits.cpu }}
+            memory: {{ .Values.nodeAnalyzer.runtimeScanner.resources.limits.memory }}
+            {{- if not .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
+            ephemeral-storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.limits "ephemeral-storage" | quote }}
+            {{- end }}
         # Custom volume mount here
         env:
           - name: TMPDIR
diff --git a/charts/node-analyzer/tests/runtimescanner_test.yaml b/charts/node-analyzer/tests/runtimescanner_test.yaml
@@ -172,3 +172,115 @@ tests:
           path: spec.template.spec.containers[?(@.name == "sysdig-runtime-scanner")].env[?(@.name == "EVE_ENABLED")]
       - isNotNull:
           path: spec.template.spec.containers[?(@.name == "sysdig-runtime-scanner")].env[?(@.name == "EVE_INTEGRATION_ENABLED")]
+
+  - it: "sets runtime-scanner requests/limits and volumes correctly when the storageClassName is not provided"
+    set:
+      secure.vulnerabilityManagement.newEngineOnly: true
+      global:
+        clusterConfig:
+          name: "test"
+      nodeAnalyzer:
+        runtimeScanner:
+          deploy: true
+          resources:
+              requests:
+                cpu: 123m
+                memory: 456Mi
+                ephemeral-storage: "69Gi"
+              limits:
+                cpu: 789m
+                memory: 101112Mi
+                ephemeral-storage: 420Gi
+    templates:
+      - ../templates/daemonset-node-analyzer.yaml
+    asserts:
+      - equal:
+          path: "spec.template.spec.containers[1].name"
+          value: "sysdig-runtime-scanner"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.requests.cpu"
+          value: "123m"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.requests.memory"
+          value: "456Mi"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.requests.ephemeral-storage"
+          value: "69Gi"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.limits.cpu"
+          value: "789m"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.limits.memory"
+          value: "101112Mi"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.limits.ephemeral-storage"
+          value: "420Gi"
+      - equal:
+          path: "spec.template.spec.volumes[7].name"
+          value: "tmp-vol"
+      - equal:
+          path: "spec.template.spec.volumes[7].emptyDir"
+          value: {}
+
+  - it: "sets runtime-scanner requests/limits and volumes correctly when the storageClassName is provided"
+    set:
+      secure.vulnerabilityManagement.newEngineOnly: true
+      global:
+        clusterConfig:
+          name: "test"
+      nodeAnalyzer:
+        runtimeScanner:
+          deploy: true
+          storageClassName: "standard-rwo"
+          ephemeralVolumeRequestStorage: "90Gi"
+          resources:
+            requests:
+              cpu: 123m
+              memory: 456Mi
+              ephemeral-storage: "69Gi"
+            limits:
+              cpu: 789m
+              memory: 101112Mi
+              ephemeral-storage: 420Gi
+    templates:
+      - ../templates/daemonset-node-analyzer.yaml
+    asserts:
+      - equal:
+          path: "spec.template.spec.containers[1].name"
+          value: "sysdig-runtime-scanner"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.requests.cpu"
+          value: "123m"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.requests.memory"
+          value: "456Mi"
+      - notExists:
+          path: "spec.template.spec.containers[1].resources.requests.ephemeral-storage"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.limits.cpu"
+          value: "789m"
+      - equal:
+          path: "spec.template.spec.containers[1].resources.limits.memory"
+          value: "101112Mi"
+      - notExists:
+          path: "spec.template.spec.containers[1].resources.limits.ephemeral-storage"
+      - equal:
+          path: "spec.template.spec.volumes[7].name"
+          value: "tmp-vol"
+      - notExists:
+          path: "spec.template.spec.volumes[7].emptyDir"
+      - equal:
+          path: "spec.template.spec.volumes[7]"
+          value:
+            name: tmp-vol
+            ephemeral:
+              volumeClaimTemplate:
+                metadata:
+                  labels:
+                    type: "standard-rwo"
+                spec:
+                  accessModes: [ "ReadWriteOnce" ]
+                  storageClassName: "standard-rwo"
+                  resources:
+                    requests:
+                      storage: 90Gi
diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml
@@ -307,7 +307,15 @@ nodeAnalyzer:
     httpProxy: null
     httpsProxy: null
     noProxy: null
+    # If set, a PersistentVolumeClaim will be created to store temporary files for the runtime-scanner's ephemeral
+    # storage using this StorageClass. The data stored in this volume is temporary and not intended for long-term
+    # retention.
+    # When specified, you must also set 'ephemeralVolumeRequestStorage' to define the requested storage size.
     storageClassName: null
+    # Set the requested storage size for the ephemeral volumeClaimTemplate.
+    # This value is used as the 'requests.storage' in the volumeClaimTemplate only when storageClassName is set.
+    # Example: "4Gi"
+    ephemeralVolumeRequestStorage: "4Gi"
     extraMounts: []
     # example for bottlerocket
     # extraMounts:
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.93.6
+version: 1.94.0
 maintainers:
   - name: AlbertoBarba
     email: alberto.barba@sysdig.com
@@ -36,7 +36,7 @@ dependencies:
   - name: node-analyzer
     # repository: https://charts.sysdig.com
     repository: file://../node-analyzer
-    version: ~1.36.11
+    version: ~1.37.0
     alias: nodeAnalyzer
     condition: nodeAnalyzer.enabled
   - name: cluster-scanner
