From 7bf709fde80040ebe4d79d38dea95f15f94e5828 Mon Sep 17 00:00:00 2001
From: Brandon Kimbrough
Date: Fri, 4 Oct 2024 09:15:29 -0400
Subject: [PATCH] adding option to specify security context for kernel collector
---
 charts/opentelemetry-ebpf/Chart.yaml | 2 +-
 .../ci/security-context-values.yaml | 32 +++++++++++++++++++
 .../rendered/cloud-collector-deployment.yaml | 2 +-
 .../cloud-collector-serviceaccount.yaml | 2 +-
 .../cloud-collector/rendered/configmap.yaml | 2 +-
 .../rendered/k8s-collector-clusterrole.yaml | 2 +-
 .../k8s-collector-clusterrolebinding.yaml | 2 +-
 .../rendered/k8s-collector-deployment.yaml | 4 +--
 .../k8s-collector-serviceaccount.yaml | 2 +-
 .../kernel-collector-clusterrole.yaml | 2 +-
 .../kernel-collector-clusterrolebinding.yaml | 2 +-
 .../rendered/kernel-collector-daemonset.yaml | 4 +--
 .../kernel-collector-serviceaccount.yaml | 2 +-
 .../rendered/reducer-deployment.yaml | 2 +-
 .../rendered/reducer-service.yaml | 2 +-
 .../templates/kernel-collector-daemonset.yaml | 4 +++
 charts/opentelemetry-ebpf/values.yaml | 1 +
 17 files changed, 53 insertions(+), 16 deletions(-)
 create mode 100644 charts/opentelemetry-ebpf/ci/security-context-values.yaml
diff --git a/charts/opentelemetry-ebpf/Chart.yaml b/charts/opentelemetry-ebpf/Chart.yaml
index e58bb8ccf..13eb55a4d 100644
--- a/charts/opentelemetry-ebpf/Chart.yaml
+++ b/charts/opentelemetry-ebpf/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: opentelemetry-ebpf
-version: 0.1.4
+version: 0.1.5
 description: OpenTelemetry eBPF Helm chart for Kubernetes
 type: application
 home: https://opentelemetry.io/
diff --git a/charts/opentelemetry-ebpf/ci/security-context-values.yaml b/charts/opentelemetry-ebpf/ci/security-context-values.yaml
new file mode 100644
index 000000000..c7d48ce9a
--- /dev/null
+++ b/charts/opentelemetry-ebpf/ci/security-context-values.yaml
@@ -0,0 +1,32 @@
+kernelCollector:
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - AUDIT_CONTROL
+ - BLOCK_SUSPEND
+ - DAC_READ_SEARCH
+ - IPC_LOCK
+ - IPC_OWNER
+ - LEASE
+ - LINUX_IMMUTABLE
+ - MAC_ADMIN
+ - MAC_OVERRIDE
+ - NET_ADMIN
+ - NET_BROADCAST
+ - SYSLOG
+ - SYS_ADMIN
+ - SYS_BOOT
+ - SYS_MODULE
+ - SYS_NICE
+ - SYS_PACCT
+ - SYS_PTRACE
+ - SYS_RAWIO
+ - SYS_RESOURCE
+ - SYS_TIME
+ - SYS_TTY_CONFIG
+ - WAKE_ALARM
+ seccompProfile:
+ type: Unconfined
+ seLinuxOptions:
+ type: super_t
\ No newline at end of file
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/cloud-collector-deployment.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/cloud-collector-deployment.yaml
index 28d5cab9a..5074129ce 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/cloud-collector-deployment.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/cloud-collector-deployment.yaml
@@ -5,7 +5,7 @@ kind: Deployment
 metadata:
 name: example-opentelemetry-ebpf-cloud-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/cloud-collector-serviceaccount.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/cloud-collector-serviceaccount.yaml
index 31a002e48..94f0c426b 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/cloud-collector-serviceaccount.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/cloud-collector-serviceaccount.yaml
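Review bot: This CI fixture is the only example of the new `kernelCollector.securityContext` option in the change, and the profile it exercises (`allowPrivilegeEscalation: true`, 23 added capabilities including `SYS_ADMIN`, `SYS_MODULE`, `SYS_PTRACE` and `SYS_RAWIO`, `seccompProfile.type: Unconfined`, a custom SELinux type) is close to the `privileged: true` default it replaces, so readers are likely to copy it as the recommended configuration. A header comment would prevent that: `# CI fixture: exercises the kernelCollector.securityContext template path with a deliberately broad profile.` followed by `# Not a hardened baseline - trim the capability list to what the collector needs on your kernel.`. The `seLinuxOptions.type: super_t` value presumably assumes the test nodes' SELinux policy defines that type; if it does not, the container will likely fail to start, so that assumption belongs in the same comment. The file also lacks a trailing newline (`\ No newline at end of file`).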
@@ -5,7 +5,7 @@ kind: ServiceAccount
 metadata:
 name: example-opentelemetry-ebpf-cloud-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/configmap.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/configmap.yaml
index 91a84a3da..1b361a594 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/configmap.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/configmap.yaml
@@ -5,7 +5,7 @@ kind: ConfigMap
 metadata:
 name: example-opentelemetry-ebpf-config
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-clusterrole.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-clusterrole.yaml
index 7aec573f9..fe953a596 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-clusterrole.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-clusterrole.yaml
@@ -5,7 +5,7 @@ kind: ClusterRole
 metadata:
 name: example-opentelemetry-ebpf-k8s-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-clusterrolebinding.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-clusterrolebinding.yaml
index 6372b6e25..b23da66cd 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-clusterrolebinding.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-clusterrolebinding.yaml
@@ -5,7 +5,7 @@ kind: ClusterRoleBinding
 metadata:
 name: example-opentelemetry-ebpf-k8s-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-deployment.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-deployment.yaml
index 4d067717e..68eed76ab 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-deployment.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-deployment.yaml
@@ -10,7 +10,7 @@ kind: Deployment
 metadata:
 name: example-opentelemetry-ebpf-k8s-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
@@ -30,7 +30,7 @@ spec:
 annotations:
 # This is here to allow us to do "zero-downtime" updates without an image change.
 rollingUpdateVersion: "1"
- charts.flowmill.com/version: 0.1.4
+ charts.flowmill.com/version: 0.1.5
 labels:
 app.kubernetes.io/name: example-opentelemetry-ebpf-k8s-collector
 app.kubernetes.io/instance: example
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-serviceaccount.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-serviceaccount.yaml
index 46e87c537..f22a3753d 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-serviceaccount.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/k8s-collector-serviceaccount.yaml
@@ -5,7 +5,7 @@ kind: ServiceAccount
 metadata:
 name: example-opentelemetry-ebpf-k8s-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-clusterrole.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-clusterrole.yaml
index f9a5bf6c6..e449f47c9 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-clusterrole.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-clusterrole.yaml
@@ -5,7 +5,7 @@ kind: ClusterRole
 metadata:
 name: example-opentelemetry-ebpf-kernel-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-clusterrolebinding.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-clusterrolebinding.yaml
index 7ba924070..401f90010 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-clusterrolebinding.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-clusterrolebinding.yaml
@@ -5,7 +5,7 @@ kind: ClusterRoleBinding
 metadata:
 name: example-opentelemetry-ebpf-kernel-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-daemonset.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-daemonset.yaml
index 68a5d37e6..c569c0aa5 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-daemonset.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-daemonset.yaml
@@ -9,7 +9,7 @@ kind: DaemonSet
 metadata:
 name: example-opentelemetry-ebpf-kernel-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
@@ -22,7 +22,7 @@ spec:
 template:
 metadata:
 annotations:
- charts.flowmill.com/version: 0.1.4
+ charts.flowmill.com/version: 0.1.5
 labels:
 app.kubernetes.io/name: example-opentelemetry-ebpf-kernel-collector
 app.kubernetes.io/instance: example
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-serviceaccount.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-serviceaccount.yaml
index 0c5000bb1..23abfd1b4 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-serviceaccount.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/kernel-collector-serviceaccount.yaml
@@ -5,7 +5,7 @@ kind: ServiceAccount
 metadata:
 name: example-opentelemetry-ebpf-kernel-collector
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/reducer-deployment.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/reducer-deployment.yaml
index 3d8efcafc..5cd2a51fb 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/reducer-deployment.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/reducer-deployment.yaml
@@ -5,7 +5,7 @@ kind: Deployment
 metadata:
 name: example-opentelemetry-ebpf-reducer
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/reducer-service.yaml b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/reducer-service.yaml
index 3c9fd19e3..8e0e33edc 100644
--- a/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/reducer-service.yaml
+++ b/charts/opentelemetry-ebpf/examples/cloud-collector/rendered/reducer-service.yaml
@@ -5,7 +5,7 @@ kind: Service
 metadata:
 name: example-opentelemetry-ebpf-reducer
 labels:
- helm.sh/chart: opentelemetry-ebpf-0.1.4
+ helm.sh/chart: opentelemetry-ebpf-0.1.5
 app.kubernetes.io/name: opentelemetry-ebpf
 app.kubernetes.io/instance: example
 app.kubernetes.io/version: "v0.10.2"
diff --git a/charts/opentelemetry-ebpf/templates/kernel-collector-daemonset.yaml b/charts/opentelemetry-ebpf/templates/kernel-collector-daemonset.yaml
index ed3764403..50f08a995 100644
--- a/charts/opentelemetry-ebpf/templates/kernel-collector-daemonset.yaml
+++ b/charts/opentelemetry-ebpf/templates/kernel-collector-daemonset.yaml
@@ -123,7 +123,11 @@ spec:
 {{ toYaml .Values.kernelCollector.resources | indent 12 }}
 {{- end }}
 securityContext:
+{{- if .Values.kernelCollector.securityContext }}
+{{ toYaml .Values.kernelCollector.securityContext | indent 12 }}
+{{- else }}
 privileged: true
+{{- end }}
 volumeMounts:
 - mountPath: /hostfs/
 name: host-root
diff --git a/charts/opentelemetry-ebpf/values.yaml b/charts/opentelemetry-ebpf/values.yaml
index c0bd9fabb..5fe29435f 100644
--- a/charts/opentelemetry-ebpf/values.yaml
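Review bot: The new `{{- if .Values.kernelCollector.securityContext }}` branch replaces the whole `securityContext`, not just `privileged`, so a user who sets only, say, `runAsUser` or `readOnlyRootFilesystem` silently drops `privileged: true` and the collector will most likely fail to load its eBPF programs; neither this template nor the `securityContext: {}` default added in the values.yaml hunk says so. The minimal fix is to document the contract where users read it: above the value in values.yaml, `# Replaces the default securityContext (privileged: true) entirely when set; include` / `# whatever privileges the kernel collector needs (ci/security-context-values.yaml shows a broad example).`, and a matching `{{- /* a user-supplied securityContext replaces privileged: true rather than merging with it */}}` ahead of the `if` in the template. The enclosing container spec begins and ends outside the hunk.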
+++ b/charts/opentelemetry-ebpf/values.yaml
@@ -51,6 +51,7 @@ kernelCollector:
 affinity: {}
 resources: {}
+ securityContext: {}
 # uncomment the line below to disable automatic kernel headers fetching
 # fetchKernelHeaders: false