Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add AKS/EKS instructions #1649

Merged
merged 3 commits into from
Feb 14, 2025
Merged

Add AKS/EKS instructions #1649

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cebd335
Add AKS/EKS instructions
rafaelroquetto Feb 12, 2025
1d3ab95
Update docs/sources/security.md
rafaelroquetto Feb 13, 2025
c7a4895
Update docs/sources/security.md
rafaelroquetto Feb 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 68 additions & 0 deletions docs/sources/security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,74 @@ Access to `CAP_PERFMON` is subject to `perf_events` access controls governed by

Some Linux distributions define higher levels for `kernel.perf_event_paranoid`, for example Debian based distributions [also use](https://lwn.net/Articles/696216/) `kernel.perf_event_paranoid=3`, which disallows access to `perf_event_open()` without `CAP_SYS_ADMIN`. If you are running on a distribution with `kernel.perf_event_paranoid` setting higher than `2`, you can either modify your configuration to lower it to `2` or use `CAP_SYS_ADMIN` instead of `CAP_PERFMON`.

### Deploy on AKS/EKS

Both AKS and EKS environments come with kernels that by default set `sys.perf_event_paranoid > 1`, which means Beyla needs `CAP_SYS_ADMIN` to work, refer to the section on how to [monitor task performance](#performance-monitoring-tasks) for further information.

If you prefer to use just `CAP_PERFMON`, you can configure your node to set `kernel.perf_event_paranoid = 1`. We've provided a few examples of how to do this, keep in mind that your results may vary depending on your specific setup.

#### AKS
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [vale] reported by reviewdog 🐶
[Grafana.Headings] Use sentence-style capitalization for 'AKS'. Vale considers multi-word exceptions such as Grafana Enterprise Metrics as a single correctly cased word. If your heading contains capitalized words that represent product names, you need to add those words to the Grafana dictionary or the list of static exceptions in https://github.com/grafana/writers-toolkit/blob/main/vale/Headings.jsonnet for them to be considered correctly cased.

For more information, refer to https://developers.google.com/style/capitalization#capitalization-in-titles-and-headings.

If the rule is incorrect or needs improving, report an issue.

If you have reason to diverge from the style guidance, to skip a rule, refer to Skip rules.


**Create a configuration file**

```json
{
"sysctls": {
"kernel.sys_paranoid": "1"
}
}
```

**Create or update your AKS cluster**

```sh
az aks create --name myAKSCluster --resource-group myResourceGroup --linux-os-config ./linuxosconfig.json
```

For more information, see "[Customize node configuration for Azure Kubernetes Service (AKS) node pools](https://learn.microsoft.com/en-us/azure/aks/custom-node-configuration?tabs=linux-node-pools)"
#### EKS (using EKS Anywhere Configuration)

**Create a configuration file**

```yaml
apiVersion: anywhere.eks.amazonaws.com/v1alpha1
kind: VSphereMachineConfig
metadata:
name: machine-config
spec:
hostOSConfiguration:
kernel:
sysctlSettings:
kernel.sys_paranoid: "1"
```

**Deploy or update your EKS Anywhere cluster**

```sh
eksctl create cluster --config-file hostosconfig.yaml
```

#### EKS (modifying node group settings)

**Update the node group**

```yaml
apiVersion: eks.eks.amazonaws.com/v1beta1
kind: ClusterConfig
...
nodeGroups:
- ...
os: Bottlerocket
eksconfig:
...
sysctls:
kernel.sys_paranoid: "1"
```

Use the AWS Management Console, AWS CLI, or eksctl to apply the updated configuration to your EKS cluster.

For more information refer to the [EKS host OS configuration documentation](https://anywhere.eks.amazonaws.com/docs/getting-started/optional/hostosconfig/).

## Example scenarios

The following example scenarios showcases how to run Beyla as a non-root user:
Expand Down
Loading