feat(shield): add the enable_prometheus_scraping flag also to host sections #2301

Open
wants to merge 1 commit into
base: main
2 changes: 1 addition & 1 deletion charts/shield/Chart.yaml
Expand Up @@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: [email protected]
type: application
version: 1.12.4
version: 1.12.5
appVersion: "1.0.0"
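Review bot: the bump from 1.12.4 to 1.12.5 is a patch increment, but this PR introduces two new user-facing values (`host.enable_prometheus_scraping` and `host_windows.enable_prometheus_scraping`) and, on the Windows side, renders new `prometheus.io/*` annotations by default; under semver that is a minor change, so `version: 1.13.0` would better signal the behaviour change to anyone pinning on `~1.12`.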
2 changes: 2 additions & 0 deletions charts/shield/README.md
Expand Up @@ -128,6 +128,7 @@ The following table lists the configurable parameters of the `shield` chart and
| features.monitor.kubernetes_events.enabled | Enable the Kubernetes Events feature | <code>false</code> |
| host_windows.enabled | Enable the host shield for Windows | <code>false</code> |
| host_windows.additional_settings.monitoring_port | | <code>8081</code> |
| host_windows.enable_prometheus_scraping | Automatically adds the Prometheus annotations to the Host Shield Windows pods | <code>true</code> |
| host_windows.agent_runtime_additional_settings | Additional settings to be passed to the agent-runtime component (overrides dragent.yaml generated by helm) | <code>{}</code> |
| host_windows.image.registry | The registry where the host shield images are stored | <code>quay.io</code> |
| host_windows.image.repository | The repository where the host shield images are stored | <code>sysdig</code> |
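Review bot: the description for `host_windows.enable_prometheus_scraping` should name the port it advertises, since the annotation in `daemonset-windows.yaml` takes it from `host_windows.additional_settings.monitoring_port` (the row just above, whose description column is empty). Suggest filling both: for `monitoring_port` something like "Port advertised in the Prometheus scrape annotation of the Windows host shield", and appending "on `additional_settings.monitoring_port`" to the scraping row.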
Expand Down Expand Up @@ -185,6 +186,7 @@ The following table lists the configurable parameters of the `shield` chart and
| host.node_selector | The node selector for the host shield | <code>{}</code> |
| host.tolerations | The tolerations for the host shield | <code>[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/controlplane","operator":"Equal","value":"true"},{"effect":"NoExecute","key":"node-role.kubernetes.io/etcd","operator":"Equal","value":"true"},{"effect":"NoExecute","key":"CriticalAddonsOnly","operator":"Equal","value":"true"}]</code> |
| host.affinity | The affinity for the host shield | <code>{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/arch","operator":"In","values":["amd64","arm64","ppc64le","s390x"]},{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}</code> |
| host.enable_prometheus_scraping | Automatically adds the Prometheus annotations to the Host Shield Windows pods | <code>true</code> |
| host.probes.readiness.initialDelaySeconds | The readiness probe initial delay | <code>90</code> |
| host.probes.readiness.periodSeconds | The readiness probe period | <code>10</code> |
| host.probes.readiness.failureThreshold | The readiness probe failure threshold | <code>9</code> |
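Review bot: copy-paste error in the `host.enable_prometheus_scraping` row: it reads "Host Shield Windows pods", but this is the Linux host section, so it should say "Host Shield pods". The row should also state the precondition visible in `daemonset.yaml`: the annotations are only rendered when `host.additional_settings.prometheus_exporter.enabled` is true, so the flag on its own has no effect.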
4 changes: 3 additions & 1 deletion charts/shield/templates/host/_annotations.tpl
Expand Up @@ -13,5 +13,7 @@
{{- if not .Values.host.privileged -}}
{{- $_ := set $podAnnotations "container.apparmor.security.beta.kubernetes.io/sysdig-host-shield" "unconfined" -}}
{{- end -}}
{{- $podAnnotations | toYaml -}}
{{- with $podAnnotations -}}
{{- . | toYaml -}}
{{- end -}}
{{- end -}}
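Review bot: the `with` guard is the right fix, because `toYaml` on an empty dict renders `{}`, which becomes invalid YAML once the `prometheus.io/*` keys are appended under the same `annotations:` key in `daemonset.yaml`. The empty-map branch is only reached when `host.privileged` is true (no AppArmor annotation is set) and no `pod_annotations` are given; none of the added tests exercise that combination, so please add one (`host.privileged: true` with the exporter and scraping enabled) to lock the behaviour in.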
10 changes: 10 additions & 0 deletions charts/shield/templates/host/_helpers.tpl
Expand Up @@ -277,3 +277,13 @@ true
true
{{- end }}
{{- end }}

{{- define "host.prometheus_exporter_enabled" }}
{{- if dig "prometheus_exporter" "enabled" false .Values.host.additional_settings }}
true
{{- end }}
{{- end }}

{{- define "host.metrics_port" }}
{{- regexFind "[0-9]+$" (dig "prometheus_exporter" "listen_url" "0.0.0.0:9544" .Values.host.additional_settings) -}}
{{- end }}
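Review bot: `host.metrics_port` returns an empty string when `prometheus_exporter.listen_url` does not end in a port (for example a bare `0.0.0.0`), and that empty value is then rendered as `containerPort:` and `prometheus.io/port: ""` with no error at template time. Suggest failing early by wrapping the result, e.g. `{{- required "prometheus_exporter.listen_url must end with :<port>" (regexFind "[0-9]+$" ...) -}}`, so the misconfiguration surfaces at `helm template` rather than at the API server or at scrape time. Minor: `host.prometheus_exporter_enabled` follows the existing helper pattern above and yields `"\ntrue"` rather than `true`; harmless under `if include`, but a `-}}` on the `if` line would make it return a clean value like `host.metrics_port` does.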
4 changes: 3 additions & 1 deletion charts/shield/templates/host/_windows_annotations.tpl
Expand Up @@ -7,5 +7,7 @@

{{- define "host.windows.pod_annotations" -}}
{{- $podAnnotations := merge (dict) .Values.pod_annotations .Values.host_windows.pod_annotations -}}
{{- $podAnnotations | toYaml -}}
{{- with $podAnnotations -}}
{{- . | toYaml -}}
{{- end -}}
{{- end -}}
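Review bot: same `with` guard as in `_annotations.tpl`; here the empty branch is reached whenever neither `pod_annotations` nor `host_windows.pod_annotations` is set, which the "Default pod annotations with prometheus scraping enabled" case in `daemonset-windows_test.yaml` already covers if both default to empty. The two `with ... toYaml` bodies are now identical; a small shared helper would keep them from drifting apart later.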
5 changes: 5 additions & 0 deletions charts/shield/templates/host/daemonset-windows.yaml
Expand Up @@ -21,6 +21,11 @@ spec:
{{- include "host.windows.pod_labels" . | nindent 8 }}
annotations:
{{- include "host.windows.pod_annotations" . | nindent 8 }}
{{- if .Values.host_windows.enable_prometheus_scraping }}
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
prometheus.io/port: {{ .Values.host_windows.additional_settings.monitoring_port | quote }}
{{- end }}
spec:
securityContext:
windowsOptions:
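Review bot: `.Values.host_windows.additional_settings.monitoring_port` is dereferenced directly, while the Linux template reads its settings through `dig` with a default; a user who replaces `host_windows.additional_settings` as a whole map without `monitoring_port` would silently get `prometheus.io/port: ""`. Suggest `{{ dig "monitoring_port" 8081 .Values.host_windows.additional_settings | quote }}`, with 8081 matching the README default. Note also the asymmetry with the Linux DaemonSet: here scraping is advertised by default with no exporter-enabled check, so every existing Windows deployment with annotation-based Prometheus discovery will start being scraped after the upgrade; the README row and the PR description should call that out.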
9 changes: 7 additions & 2 deletions charts/shield/templates/host/daemonset.yaml
Expand Up @@ -20,6 +20,11 @@ spec:
{{- include "host.pod_labels" . | nindent 8 }}
annotations:
{{- include "host.pod_annotations" . | nindent 8 }}
{{- if and (include "host.prometheus_exporter_enabled" .) .Values.host.enable_prometheus_scraping }}
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
prometheus.io/port: {{ (include "host.metrics_port" .) | quote }}
{{- end }}
spec:
hostNetwork: true
dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.host.dns_policy }}
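Review bot: the `and` is correct: `include` yields an empty string when the exporter is off, so the annotations are gated on both the exporter and the flag, matching the container port further down. One caveat worth documenting next to this hunk: the DaemonSet runs with `hostNetwork: true`, so the port parsed from `listen_url` (default `0.0.0.0:9544`) is bound in the node's network namespace and the annotation advertises a node port; operators who want to limit metrics exposure must set the bind address in `listen_url` (or a network policy), since `enable_prometheus_scraping` only controls discovery, not listening.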
Expand Down Expand Up @@ -151,8 +156,8 @@ spec:
- containerPort: {{ dig "kspm_analyzer" "port" 12000 .Values.host.additional_settings }}
name: kspm-analyzer
{{- end }}
{{- if (dig "prometheus_exporter" "enabled" false .Values.host.additional_settings) }}
- containerPort: {{ regexFind "[0-9]+$" (dig "prometheus_exporter" "listen_url" "0.0.0.0:9544" .Values.host.additional_settings) }}
{{- if include "host.prometheus_exporter_enabled" . }}
- containerPort: {{ include "host.metrics_port" . }}
name: metrics
{{- end }}
readinessProbe:
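Review bot: the refactor onto `host.prometheus_exporter_enabled` and `host.metrics_port` preserves behaviour and gives the container port and the annotation a single source of truth, which is good. Since `include` returns a string, `containerPort:` now relies on YAML scalar inference to become an integer; that works for digits, but a unit test asserting `containerPort` equals `9544` for the `metrics` entry would protect this against future edits, as `daemonset_test.yaml` currently only checks the annotation.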
47 changes: 47 additions & 0 deletions charts/shield/tests/host/daemonset-windows_test.yaml
Expand Up @@ -436,3 +436,50 @@ tests:
asserts:
- isNullOrEmpty:
path: spec.template.spec.imagePullSecrets

- it: Default pod annotations with prometheus scraping enabled
asserts:
- equal:
path: spec.template.metadata.annotations["prometheus.io/scrape"]
value: "true"
- equal:
path: spec.template.metadata.annotations["prometheus.io/path"]
value: "/metrics"
- equal:
path: spec.template.metadata.annotations["prometheus.io/port"]
value: "8081"

- it: Default pod annotations with prometheus scraping disabled
set:
host_windows:
enable_prometheus_scraping: false
asserts:
- notExists:
path: spec.template.metadata.annotations["prometheus.io/scrape"]
- notExists:
path: spec.template.metadata.annotations["prometheus.io/path"]
- notExists:
path: spec.template.metadata.annotations["prometheus.io/port"]

- it: Custom pod annotations
set:
host_windows:
pod_annotations:
custom/annotation1: "custom-value1"
custom/annotation2: "custom-value2"
asserts:
- equal:
path: spec.template.metadata.annotations["prometheus.io/scrape"]
value: "true"
- equal:
path: spec.template.metadata.annotations["prometheus.io/path"]
value: "/metrics"
- equal:
path: spec.template.metadata.annotations["prometheus.io/port"]
value: "8081"
- equal:
path: spec.template.metadata.annotations["custom/annotation1"]
value: "custom-value1"
- equal:
path: spec.template.metadata.annotations["custom/annotation2"]
value: "custom-value2"
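Review bot: coverage gap: none of the three cases overrides `host_windows.additional_settings.monitoring_port`, so the only value ever asserted for `prometheus.io/port` is the default `"8081"`. Add a case with `monitoring_port: 9090` expecting `"9090"`, and one where `host_windows.additional_settings` is set without `monitoring_port`, to pin down what the template renders in that situation.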
79 changes: 79 additions & 0 deletions charts/shield/tests/host/daemonset_test.yaml
Expand Up @@ -737,3 +737,82 @@ tests:
- equal:
path: spec.template.spec.dnsPolicy
value: ClusterFirst

- it: Default pod annotations with prometheus scraping enabled
set:
host:
additional_settings:
prometheus_exporter:
enabled: true
asserts:
- equal:
path: spec.template.metadata.annotations["prometheus.io/scrape"]
value: "true"
- equal:
path: spec.template.metadata.annotations["prometheus.io/path"]
value: "/metrics"
- equal:
path: spec.template.metadata.annotations["prometheus.io/port"]
value: "9544"

- it: Default pod annotations with prometheus exporter not enabled
asserts:
- notExists:
path: spec.template.metadata.annotations["prometheus.io/scrape"]
- notExists:
path: spec.template.metadata.annotations["prometheus.io/path"]
- notExists:
path: spec.template.metadata.annotations["prometheus.io/port"]

- it: Default pod annotations with prometheus exporter and prometheus scraping not enabled
set:
host:
enable_prometheus_scraping: false
asserts:
- notExists:
path: spec.template.metadata.annotations["prometheus.io/scrape"]
- notExists:
path: spec.template.metadata.annotations["prometheus.io/path"]
- notExists:
path: spec.template.metadata.annotations["prometheus.io/port"]

- it: Default pod annotations with prometheus scraping not enabled
set:
host:
enable_prometheus_scraping: false
additional_settings:
prometheus_exporter:
enabled: true
asserts:
- notExists:
path: spec.template.metadata.annotations["prometheus.io/scrape"]
- notExists:
path: spec.template.metadata.annotations["prometheus.io/path"]
- notExists:
path: spec.template.metadata.annotations["prometheus.io/port"]

- it: Custom pod annotations
set:
host:
additional_settings:
prometheus_exporter:
enabled: true # Enabling this to add the neeeded annotations and verify that the template has no issues
pod_annotations:
custom/annotation1: "custom-value1"
custom/annotation2: "custom-value2"
asserts:
- equal:
path: spec.template.metadata.annotations["prometheus.io/scrape"]
value: "true"
- equal:
path: spec.template.metadata.annotations["prometheus.io/path"]
value: "/metrics"
- equal:
path: spec.template.metadata.annotations["prometheus.io/port"]
value: "9544"
- equal:
path: spec.template.metadata.annotations["custom/annotation1"]
value: "custom-value1"
- equal:
path: spec.template.metadata.annotations["custom/annotation2"]
value: "custom-value2"
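Review bot: the third and fourth test names are hard to tell apart ("prometheus exporter and prometheus scraping not enabled" vs "prometheus scraping not enabled"); rename them to say what is set, e.g. "scraping disabled, exporter disabled" and "scraping disabled, exporter enabled". Typo `neeeded` in the inline comment. As in the Windows tests, every positive case asserts the default `"9544"`; add a case with a custom `listen_url` such as `127.0.0.1:9999` asserting `"9999"` so the `regexFind` in `host.metrics_port` is actually exercised.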