2.0.8: misc runtime daemon updates
Runtime daemon updates (0.0.301 --> 0.0.347):
 * improved telemetry
 * better recovery from unexpected failures
 * improved updates of signatures
 * fixed memory leak in profiling
chkp-alexgl authored Mar 11, 2021
1 parent 6d33a25 commit f989935
Showing 9 changed files with 120 additions and 109 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
appVersion: v1.3.2
version: 2.0.7
appVersion: v2.0.8
version: 2.0.8
description: A Helm chart for Check Point CloudGuard Workload Security
name: cloudguard
keywords:
Expand Down
2 changes: 1 addition & 1 deletion checkpoint/cloudguard/README.md
Expand Up @@ -169,7 +169,7 @@ The following tables list the configurable parameters of this chart and their de
| `addons.runtimeProtection.enabled` | Specifies whether the Runtime Protection addon should be | `false` |
| | installed | |
| `addons.runtimeProtection.daemon.image` | Specify image for the agent | `checkpoint/consec-runtime-daemon` |
| `addons.runtimeProtection.daemon.tag` | Specify image tag for the agent |`0.0.301` |
| `addons.runtimeProtection.daemon.tag` | Specify image tag for the agent |`0.0.347` |
| `addons.runtimeProtection.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.runtimeProtection.daemon.env` | Additional environmental variables for the agent | `{}` |
| `addons.runtimeProtection.daemon.resources` | Resources restriction (e.g. CPU, memory) | `requests.cpu: 100m` |
Expand Down
26 changes: 15 additions & 11 deletions checkpoint/cloudguard/templates/_helpers.tpl
Expand Up @@ -161,6 +161,20 @@ imagePullSecrets:
{{- end -}}
{{- end -}}

{{- /* fluentbit http output parametes */ -}}
{{- define "fluentbit-http-output-param.conf" }}
Name http
Format json_lines
Host ${CP_KUBERNETES_DOME9_URL}
Header Kubernetes-Account ${CP_KUBERNETES_CLUSTER_ID}
Header Node-Name ${NODE_NAME}
Compress gzip
http_User ${CP_KUBERNETES_USER}
http_Passwd ${CP_KUBERNETES_PASS}
Port 443
tls On
tls.verify On
{{- end -}}

{{- /* fluentbit configmap to send metric */ -}}
{{- define "fluentbit-metric.conf" -}}
Expand All @@ -172,21 +186,11 @@ imagePullSecrets:
Interval_Sec 30
Interval_NSec 0
[OUTPUT]
Name http
Match metrics
Format json_lines
Host ${CP_KUBERNETES_DOME9_URL}
Uri ${CP_KUBERNETES_METRIC_URI}
Header Kubernetes-Account ${CP_KUBERNETES_CLUSTER_ID}
Header Agent-Version {{ .agentVersion }}
Header Node-Name ${NODE_NAME}
Header Telemetry-Version ${TELEMETRY_VERSION}
Compress gzip
http_User ${CP_KUBERNETES_USER}
http_Passwd ${CP_KUBERNETES_PASS}
Port 443
tls On
tls.verify On
{{ include "fluentbit-http-output-param.conf" . | indent 4 }}
{{- end -}}

{{/*
Expand Down
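Review bot: The comment on the new define, `{{- /* fluentbit http output parametes */ -}}`, has a typo and does not state the contract that four `[OUTPUT]` sections now depend on; I would replace it with a short comment saying the define carries the shared HTTP output settings (TLS on, `tls.verify On`, port 443, basic auth from env), that the caller must still supply `Match` and `Uri`, and that the container env must define `CP_KUBERNETES_DOME9_URL`, `CP_KUBERNETES_CLUSTER_ID`, `CP_KUBERNETES_USER`, `CP_KUBERNETES_PASS` and `NODE_NAME`. A style point on the same lines: the define opens with `{{- define "fluentbit-http-output-param.conf" }}` while its sibling `fluentbit-metric.conf` uses `-}}`, so the included text starts with an untrimmed newline that `indent` then pads; fluent-bit tolerates it, but `{{- define "fluentbit-http-output-param.conf" -}}` would keep the rendered output consistent with the old inline blocks. The `fluentbit-metric.conf` define in the second hunk spans a collapsed stretch of the file, so only its output section is visible here.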
Expand Up @@ -19,19 +19,9 @@ data:
Tag ac-alert
[OUTPUT]
Name http
Match ac-alert
Format json_stream
Host ${CP_KUBERNETES_DOME9_URL}
Uri ${CP_KUBERNETES_ADMISSION_CONTROLLER_ALERTS_URI}
Port 443
Compress gzip
tls On
tls.verify On
tls.debug 0
http_User ${CP_KUBERNETES_USER}
http_Passwd ${CP_KUBERNETES_PASS}
Header Kubernetes-Account ${CP_KUBERNETES_CLUSTER_ID}
{{ include "fluentbit-http-output-param.conf" . | indent 8 }}

{{ $params := dict "metricPath" "/metric" "agentVersion" $config.agentConfig.tag }}
{{ include "fluentbit-metric.conf" $params | indent 4 }}
Expand Down
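Review bot: The ac-alert output's `Format` changes from `json_stream` (removed line) to `json_lines`, because the shared `fluentbit-http-output-param.conf` hard-codes `Format json_lines`; the commit message does not mention this wire-format change, so the admission-controller alert endpoint should be confirmed to accept newline-delimited JSON, or the format should become a parameter of the define. The output also gains `Header Node-Name ${NODE_NAME}`, which this section never sent before; if `NODE_NAME` is not defined in this fluent-bit container's env, the header is presumably sent with an empty value. `tls.debug 0` is dropped as well, which only changes TLS log verbosity. This section's file header is not shown on the page, so I cannot tell which ConfigMap it belongs to.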
Expand Up @@ -24,37 +24,25 @@ data:
Path /rp4c/profiling/profiling.log
Tag rp-profiling
[INPUT]
Name tail
Path /rp4c/telemetry/telemetry.log
Tag rp-telemetry
[OUTPUT]
Name http
Match rp-alert
Format json_lines
Host ${CP_KUBERNETES_DOME9_URL}
Uri ${CP_KUBERNETES_RUNTIME_ALERT_URI}
Port 443
Compress gzip
tls On
tls.verify On
tls.debug 0
http_User ${CP_KUBERNETES_USER}
http_Passwd ${CP_KUBERNETES_PASS}
Header Kubernetes-Account ${CP_KUBERNETES_CLUSTER_ID}
Header Node-Name ${HOSTNAME}
{{ include "fluentbit-http-output-param.conf" . | indent 8 }}

[OUTPUT]
Name http
Match rp-profiling
Format json_lines
Host ${CP_KUBERNETES_DOME9_URL}
Uri ${CP_KUBERNETES_RUNTIME_PROFILING_URI}
Port 443
Compress gzip
tls On
tls.verify On
tls.debug 0
http_User ${CP_KUBERNETES_USER}
http_Passwd ${CP_KUBERNETES_PASS}
Header Kubernetes-Account ${CP_KUBERNETES_CLUSTER_ID}
Header Node-Name ${HOSTNAME}
{{ include "fluentbit-http-output-param.conf" . | indent 8 }}

[OUTPUT]
Match rp-telemetry
Uri ${CP_KUBERNETES_RUNTIME_TELEMETRY_URI}
{{ include "fluentbit-http-output-param.conf" . | indent 8 }}

{{ $params := dict "metricPath" "/rp4c/metric" "agentVersion" $config.agentConfig.tag }}
{{ include "fluentbit-metric.conf" $params | indent 4 }}
Expand Down
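Review bot: The `Node-Name` header on the rp-alert and rp-profiling outputs changes from `${HOSTNAME}` (removed lines) to `${NODE_NAME}` via the shared define; inside a pod `HOSTNAME` is normally the pod name, so if `NODE_NAME` is populated from the downward API the backend will start receiving node names where it previously got pod names, which may be the intended "improved telemetry" but is not stated in the commit message and should be confirmed against whatever the backend keys on. The new `rp-telemetry` tail input has no `Read_from_Head On`, so lines the daemon writes to `/rp4c/telemetry/telemetry.log` before fluent-bit opens the file would be skipped with the tail plugin's default of reading from the end; the daemonset in this commit orders the fluent-bit container first to reduce that window, but the input is where it can be made deterministic. `tls.debug 0` disappears from all three outputs, which only affects TLS log verbosity. This section's file header is not shown on the page, so the ConfigMap name is inferred from its paths.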
75 changes: 39 additions & 36 deletions checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml
Expand Up @@ -65,6 +65,38 @@ spec:
mountPath: /host/dev
{{- end }}
containers:
# fluentbit
# the fluentbit container needs to be before the daemon container
# so the fluentbit will be up before the daemon to send message that daemon will send once it is up (like telemetry)
- name: fluentbit
image: {{ template "agent.fluentbit.image" $config }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
env:
{{ include "fluentbit.env" $config | indent 8 }}
- name: CP_KUBERNETES_RUNTIME_ALERT_URI
value: {{ template "cloudguardURL_path" . }}runtimeevent/alert
- name: CP_KUBERNETES_RUNTIME_PROFILING_URI
value: {{ template "cloudguardURL_path" . }}runtimeevent/profiling
- name: CP_KUBERNETES_METRIC_URI
value: {{ template "cloudguardURL_path" . }}agenttelemetry
- name: CP_KUBERNETES_RUNTIME_TELEMETRY_URI
value: {{ template "cloudguardURL_path" . }}runtimetelemetry
{{- if $config.agentConfig.fluentbit.resources }}
resources:
{{ toYaml $config.agentConfig.fluentbit.resources | indent 10}}
{{- end }}
volumeMounts:
- name: rp4c-alerts
mountPath: /rp4c/alerts
- name: rp4c-profiling
mountPath: /rp4c/profiling
- name: rp4c-metric
mountPath: /rp4c/metric
- name: rp4c-telemetry
mountPath: /rp4c/telemetry
- name: config-volume-fluentbit
mountPath: /fluent-bit/etc/fluent-bit.conf
subPath: fluent-bit.conf
# Main container
- name: {{ $config.agentName }}
image: {{ template "agent.main.image" $config }}
Expand All @@ -81,19 +113,12 @@ spec:
{{ include "user.defined.env" $config | indent 8 }}
- name: LANG
value: C.UTF-8
## TODO : Temporary solution for internal deployment - should omit #############################################################
- name: CP_KUBERNETES_CLUSTER_ID
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-cp-cloudguard-configmap
key: clusterID
- name: SBA_MANAGEMENT_URL
value: https://{{ .Release.Name }}-ClusterID-$(CP_KUBERNETES_CLUSTER_ID)
###############################################################################################################################
- name: NAMESPACE_NAME
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SBA_TELEMETRY_SAVE_TO_FILE
value: "1"
{{- if $config.featureConfig.BPF }}
- name: SYSDIG_BPF_PROBE
value: "/sysdig/.sysdig/sysdig-probe-bpf.o"
Expand All @@ -106,7 +131,9 @@ spec:
- name: rp4c-profiling
mountPath: /rp4c/profiling
- name: rp4c-metric
mountPath: /rp4c/metric
mountPath: /rp4c/metric
- name: rp4c-telemetry
mountPath: /rp4c/telemetry
- name: docker-sock
mountPath: /var/run/docker.sock
readOnly: true
Expand All @@ -127,32 +154,6 @@ spec:
- name: sys-vol
mountPath: /sys/kernel/debug/
readOnly: true
# fluentbit
- name: fluentbit
image: {{ template "agent.fluentbit.image" $config }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
env:
{{ include "fluentbit.env" $config | indent 8 }}
- name: CP_KUBERNETES_RUNTIME_ALERT_URI
value: {{ template "cloudguardURL_path" . }}runtimeevent/alert
- name: CP_KUBERNETES_RUNTIME_PROFILING_URI
value: {{ template "cloudguardURL_path" . }}runtimeevent/profiling
- name: CP_KUBERNETES_METRIC_URI
value: {{ template "cloudguardURL_path" . }}agenttelemetry
{{- if $config.agentConfig.fluentbit.resources }}
resources:
{{ toYaml $config.agentConfig.fluentbit.resources | indent 10}}
{{- end }}
volumeMounts:
- name: rp4c-alerts
mountPath: /rp4c/alerts
- name: rp4c-profiling
mountPath: /rp4c/profiling
- name: rp4c-metric
mountPath: /rp4c/metric
- name: config-volume-fluentbit
mountPath: /fluent-bit/etc/fluent-bit.conf
subPath: fluent-bit.conf
volumes:
- name: config-volume-fluentbit
configMap:
Expand All @@ -162,6 +163,8 @@ spec:
- name: rp4c-profiling
emptyDir: {}
- name: rp4c-metric
emptyDir: {}
- name: rp4c-telemetry
emptyDir: {}
- name: docker-sock
hostPath:
Expand Down
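Review bot: The comment added at the top of the first hunk ("so the fluentbit will be up before the daemon") overstates what container order provides: the kubelet starts regular containers in list order but does not wait for one to be running or ready before starting the next, so the daemon can still write to `/rp4c/telemetry` before fluent-bit is tailing it. Since the logs live in shared emptyDir volumes, the reliable handling belongs on the fluent-bit side (for example `Read_from_Head On` on the tail inputs in the ConfigMap), and the comment should describe the ordering as best-effort: `# fluentbit is listed first so it usually starts before the daemon; this is not a guarantee, so the tail inputs must cope with lines written before fluentbit is up`. Separately, the new `CP_KUBERNETES_RUNTIME_TELEMETRY_URI` value is an unquoted templated scalar like its siblings; `value: "{{ template "cloudguardURL_path" . }}runtimetelemetry"` would protect it from YAML re-typing should the helper ever render something starting with an indicator.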
2 changes: 1 addition & 1 deletion checkpoint/cloudguard/values.yaml
Expand Up @@ -291,7 +291,7 @@ addons:
## Main container settings
## Specify image and tag
image: checkpoint/consec-runtime-daemon
tag: 0.0.301
tag: 0.0.347

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down
Binary file added repository/cloudguard-2.0.8.tgz
Binary file not shown.

0 comments on commit f989935
