Merge pull request #51 from olhado/3.2-changes
3.2 changes
olhado authored Jan 23, 2023
2 parents cae1e4e + 4c849ca commit 73079dd
Showing 14 changed files with 97 additions and 43 deletions.
6 changes: 3 additions & 3 deletions Chart.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
@@ -22,8 +22,8 @@
#######
apiVersion: v1
name: threatstack-agent
version: 3.1.1
appVersion: 3.1.1
version: 3.2.0
appVersion: 3.2.0
description: A Helm chart for the Threat Stack Cloud Security Agent
keywords:
- security
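Review bot: appVersion is the default image tag (deployment-api-reader.yaml falls back to `.Chart.AppVersion` whenever `image.version` is empty), so this bump silently changes which agent image every upgraded cluster pulls; state the new default tag in the release notes and confirm a 3.2.0 agent image is published before this is tagged.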
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2020-2022 F5, Inc.
Copyright (c) 2020-2023 F5, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
2 changes: 2 additions & 0 deletions README.md
@@ -53,6 +53,7 @@ The following kubernetes objects are created when the chart is installed:
| daemonset.customLuaFilter | string | `""` | |
| daemonset.customTsAuditdConfig | string | `""` | |
| daemonset.enableContainerd | bool | `unset` | Configures the daemonset agents to listen to the containerd daemon socket. **By default in agent 2.4.0+, the agent detects if containerd is running at startup** |
| daemonset.enableCrio | bool | `unset` | Configures the daemonset agents to listen to the CRI-O daemon socket. |
| daemonset.enableDocker | bool | `unset` | Configures the daemonset agents to listen to the docker daemon socket. **By default in agent 2.4.0+, the agent detects if docker is running at startup** |
| daemonset.enableLowPowerMode | bool | false | Configures the daemonset agents to perform better in tightly-resourced environments. The agent trades some telemetry reporting for reduced CPU and memory consumption. Ref: https://threatstack.zendesk.com/hc/en-us/articles/360016132692-Threat-Stack-Kubernetes-Deployment |
| daemonset.nodeSelector | object | `{}` | |
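Review bot: the new `daemonset.enableCrio` row omits the auto-detection note that the `enableDocker` and `enableContainerd` rows carry, so it is unclear whether the agent detects a CRI-O socket at startup when this is `unset` or only listens when it is explicitly `true`; add a sentence either way so operators know whether `unset` means detected or disabled.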
@@ -78,6 +79,7 @@ The following kubernetes objects are created when the chart is installed:
| image.version | string | `""` | The docker tag for the container image to install. It defaults to Threat Stack's latest offical docker image version for the agent at the time the chart was released. **NOTE:** Changing this could lead to pulling an unofficial, incorrect, or incompatible image, and is strongly discouraged. >>> **Warning:** Setting `customDaemonsetCmd` improperly can result in the Threat Stack agent not running correctly >>> |
| imagePullSecrets | list | `[]` | If pulling the agent from a private/internal docker registry that requires credentials, you will need to add the name of your docker credentials secret to this array. *This secret needs to be defined outside of installing this helm chart.* Defaults to an empty array which will only work with public registries. * For more guidance with using private container registries, please review the following kubernetes documentation for details around how to set this upcorrectly with your registry service: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry |
| nameOverride | string | `""` | |
| openShift | bool | `false` | If `true`, the default memory limit for the daemonset agent pods will be increased to `1Gi`, as OpenShift appears to require more memory for the agent to work properly. |
| podSecurityPolicyEnabled | bool | `false` | Deploy Threat Stack with the Pod Security Policy for clusters with strict admission control requirements. |
| rbac.create | bool | `true` | If `true`, will create the needed service account to run. If false, the chart will leverage the service account defined in `rbac.serviceAccountName` |
| rbac.serviceAccountName | string | `"threatstack-agent"` | |
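Review bot: the `openShift` row should carry the companion requirement that values.yaml attaches to this flag (`privileged: true` in the DaemonSet securityContext); a reader of the README alone sees only a memory bump and misses that enabling it is paired with a privilege change. "appears to require more memory" is also vague for a documented default; state the observed cause or link the issue.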
2 changes: 1 addition & 1 deletion templates/NOTES.txt
@@ -1,7 +1,7 @@
{{/*
MIT License

Copyright (c) 2020-2022 F5, Inc.
Copyright (c) 2020-2023 F5, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
29 changes: 27 additions & 2 deletions templates/_helpers.tpl
@@ -1,7 +1,7 @@
{{/*
MIT License
Copyright (c) 2020-2022 F5, Inc.
Copyright (c) 2020-2023 F5, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
@@ -75,6 +75,17 @@ Return capabilities required for api-reader pod
{{- range .Values.capabilities -}}"{{- . -}}", {{ end -}}
{{- end -}}

{{/*
Return higher memory limit for agent if OpenShift is enabled
*/}}
{{- define "threatstack-agent.daemonset-openshift-default-memlimit" -}}
{{- if .Values.openShift -}}
{{- "1Gi" -}}
{{- else -}}
{{- "512Mi" -}}
{{- end -}}
{{- end -}}

{{/*
Return eBPF configuration required if enabled
*/}}
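Review bot: both memory limits are now hard-coded strings inside this helper while the matching request (`256Mi`) stays in daemonset.yaml, so the resource defaults are split across two files and neither limit can be changed without editing the chart; consider exposing the limit through a value that `openShift` merely defaults, and document the precedence in the README.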
@@ -125,6 +136,20 @@ Return runtime config if containerd is disabled
{{- end -}}
{{- end -}}

{{/*
Return runtime config if CRI-O is disabled
*/}}
{{- define "threatstack-agent.crio-config" -}}
{{- if kindIs "invalid" .Values.daemonset.enableCrio -}}
{{- else -}}
{{- if eq .Values.daemonset.enableCrio false -}}
{{- default "container_runtimes.crio.enabled false" -}}
{{- else -}}
{{- default "container_runtimes.crio.enabled true" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Return Service Account Name if rbac is enabled
*/}}
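Review bot: `default "container_runtimes.crio.enabled false"` with a single argument is just that string, so `default` adds nothing here and reads as though a fallback were involved; emit the literal directly. The comment above the define says it returns config "if CRI-O is disabled", but the body emits a line for both `true` and `false`, so reword it to match what it does. Note too that `eq .Values.daemonset.enableCrio false` fails at template time with an incompatible-types error if a user passes the string `"false"` instead of a boolean; a `kindIs "bool"` guard would give a clearer failure.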
@@ -140,7 +165,7 @@ Return Service Account Name if rbac is enabled
Return Additional Runtime Config for Daemonset
*/}}
{{- define "threatstack-agent.daemonset-runtimeConfig" -}}
{{- $runtimeConfig := list (include "threatstack-agent.docker-config" .) (include "threatstack-agent.containerd-config" .) -}}
{{- $runtimeConfig := list (include "threatstack-agent.docker-config" .) (include "threatstack-agent.containerd-config" .) (include "threatstack-agent.crio-config" .) -}}
{{- $runtimeConfig = append $runtimeConfig (include "threatstack-agent.daemonset-lowPowerMode-config" .) -}}
{{- $runtimeConfig = append $runtimeConfig (include "threatstack-agent.daemonset-ebpf-config" .) -}}
{{- $runtimeConfig = append $runtimeConfig .Values.daemonset.additionalRuntimeConfig -}}
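Review bot: when `enableCrio` is left unset the new helper emits an empty string, which now sits in `$runtimeConfig` beside the docker and containerd entries; confirm the consumer of this list drops empty elements, as it must already for those two helpers, so no blank setting reaches the agent configuration.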
2 changes: 1 addition & 1 deletion templates/cluster-role.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
2 changes: 1 addition & 1 deletion templates/cluster-rolebinding.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
2 changes: 1 addition & 1 deletion templates/configmap.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
22 changes: 14 additions & 8 deletions templates/daemonset.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
@@ -89,15 +89,21 @@ spec:
name: {{ include "threatstack-agent.name" . }}
{{- if eq .Values.gkeContainerOs true }}
{{ toYaml .Values.gkeContainerOsCmd | indent 8 }}
{{- end }}
{{- if eq .Values.gkeUbuntu true }}
{{- else if eq .Values.gkeUbuntu true }}
{{ toYaml .Values.gkeUbuntuCmd | indent 8 }}
{{- end }}
{{- if eq .Values.eksAmazon2 true }}
{{- else if eq .Values.eksAmazon2 true }}
{{ toYaml .Values.eksAmazon2Cmd | indent 8 }}
{{- end }}
{{- if .Values.customDaemonsetCmd }}
{{- else if .Values.customDaemonsetCmd }}
{{ toYaml .Values.customDaemonsetCmd | indent 8 }}
{{- else }}
command: ["bash"]
args:
- -c
- >-
eval "tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS" &&
tsagent config --set $THREATSTACK_CONFIG_ARGS &&
unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS &&
exec /opt/threatstack/sbin/tsagentd -logstdout=1
{{- end }}
{{- if .Values.daemonset.livenessProbe }}
livenessProbe:
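Review bot: switching the platform blocks to `else if` makes them mutually exclusive with first-match precedence (gkeContainerOs, then gkeUbuntu, then eksAmazon2, then customDaemonsetCmd), a behaviour change from the previous independent `if` blocks where several could render at once; document the precedence next to these flags in values.yaml and the README. The `unset` of `THREATSTACK_SETUP_DEPLOY_KEY` before `exec` in the new default command is the right move, since it keeps the deploy key out of the long-running daemon's environment where it would otherwise be readable via the process's environ for its lifetime. Keep in mind that `eval` re-parses whatever `$THREATSTACK_SETUP_ARGS` and `$THREATSTACK_CONFIG_ARGS` contain, so the values that feed them should be treated as code, not data, in review.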
@@ -146,7 +152,7 @@ spec:
memory: "256Mi"
cpu: "200m"
limits:
memory: "512Mi"
memory: {{ include "threatstack-agent.daemonset-openshift-default-memlimit" . }}
cpu: "400m"
{{- end }}
volumeMounts:
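Review bot: with `openShift: true` the limit rises to 1Gi while the request stays at `256Mi`, so each agent pod can consume up to 768Mi beyond what the scheduler accounted for and becomes a likelier eviction target under node memory pressure; either raise the request alongside the limit or call this trade-off out next to the `openShift` flag.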
12 changes: 10 additions & 2 deletions templates/deployment-api-reader.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
@@ -88,13 +88,21 @@ spec:
- image: {{ .Values.image.repository }}:{{ if not .Values.image.version }}{{ .Chart.AppVersion }}{{ else }}{{ .Values.image.version }}{{ end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: {{ include "threatstack-agent.name" . }}
command: ["bash"]
args:
- -c
- >-
eval "tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS" &&
tsagent config --set $THREATSTACK_CONFIG_ARGS &&
unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS &&
exec /opt/threatstack/sbin/tsagentd -logstdout=1
{{- if .Values.apiReader.livenessProbe }}
livenessProbe:
{{ toYaml .Values.apiReader.livenessProbe | indent 10 }}
{{- else }}
livenessProbe:
exec:
command: [ "sh", "-c", "tsagent status" ]
command: [ "bash", "-c", "tsagent status" ]
initialDelaySeconds: 15
periodSeconds: 360
timeoutSeconds: 5
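Review bot: this bash one-liner duplicates the daemonset default command in daemonset.yaml byte for byte, so the two will drift; move it into a shared define in _helpers.tpl and include it from both templates. The probe change from `sh` to `bash` is consistent with the new entrypoint, but unlike the daemonset there is no custom-command override for the api-reader, so note in the README that its command is intentionally fixed if that is the case.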
2 changes: 1 addition & 1 deletion templates/pod-security-policy.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
2 changes: 1 addition & 1 deletion templates/secrets.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
2 changes: 1 addition & 1 deletion templates/service-account.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
53 changes: 33 additions & 20 deletions values.yaml
@@ -1,6 +1,6 @@
# MIT License
#
# Copyright (c) 2020-2022 F5, Inc.
# Copyright (c) 2020-2023 F5, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
@@ -38,9 +38,12 @@ gkeContainerOsCmd:
- >-
chroot /threatstackfs /bin/bash -c 'systemctl stop systemd-journald-audit.socket;
systemctl mask systemd-journald-audit.socket;
systemctl restart systemd-journald; auditctl --backlog_wait_time 0';
eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS;
eval tsagent config --set $THREATSTACK_CONFIG_ARGS; sleep 5; /opt/threatstack/sbin/tsagentd -logstdout
systemctl restart systemd-journald; auditctl --backlog_wait_time 0' &&
eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS &&
eval tsagent config --set $THREATSTACK_CONFIG_ARGS &&
sleep 5 &&
unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS &&
exec /opt/threatstack/sbin/tsagentd -logstdout=1
# Using Ubuntu nodes
gkeUbuntu: false
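Review bot: replacing `;` with `&&` changes the failure semantics of this command: previously a failed `chroot ... systemctl` step was ignored and the agent still started, now any non-zero exit aborts the script and the container restarts. That is arguably the safer default, but it is a behaviour change for existing users on nodes where masking `systemd-journald-audit.socket` fails, so call it out in the release notes. The flag also changed from `-logstdout` to `-logstdout=1`; confirm the agent accepts the explicit form, since the same applies to the gkeUbuntu and eksAmazon2 commands below.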
@@ -49,11 +52,12 @@ gkeUbuntuCmd:
args:
- -c
- >-
chroot /threatstackfs /bin/bash -c 'systemctl stop auditd; systemctl disable auditd';
eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS;
eval tsagent config --set $THREATSTACK_CONFIG_ARGS;
sleep 5;
/opt/threatstack/sbin/tsagentd -logstdout
chroot /threatstackfs /bin/bash -c 'systemctl stop auditd; systemctl disable auditd' &&
eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS &&
eval tsagent config --set $THREATSTACK_CONFIG_ARGS &&
sleep 5 &&
unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS &&
exec /opt/threatstack/sbin/tsagentd -logstdout=1
# Using EKS Amazon Linux 2 nodes
eksAmazon2: false
@@ -62,11 +66,12 @@ eksAmazon2Cmd:
args:
- -c
- >-
chroot /threatstackfs /bin/bash -c 'service auditd stop; systemctl disable auditd';
eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS;
eval tsagent config --set $THREATSTACK_CONFIG_ARGS;
sleep 5;
/opt/threatstack/sbin/tsagentd -logstdout
chroot /threatstackfs /bin/bash -c 'service auditd stop; systemctl disable auditd' &&
eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS &&
eval tsagent config --set $THREATSTACK_CONFIG_ARGS &&
sleep 5 &&
unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS &&
exec /opt/threatstack/sbin/tsagentd -logstdout=1
# Uncomment the command and args sub-attributes, and define them as desired to run custom commands in the Daemonset.
#
@@ -79,11 +84,19 @@ customDaemonsetCmd: {}
# - -c
# - >-
# chroot /threatstackfs /bin/bash -c 'service auditd stop >/dev/null || systemctl stop auditd;
# systemctl disable auditd';
# eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS;
# eval tsagent config --set $THREATSTACK_CONFIG_ARGS;
# sleep 5;
# /opt/threatstack/sbin/tsagentd -logstdout
# systemctl disable auditd' &&
# eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS &&
# eval tsagent config --set $THREATSTACK_CONFIG_ARGS &&
# sleep 5 &&
# unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS &&
# exec /opt/threatstack/sbin/tsagentd -logstdout=1

# Using OpenShift
#
# If you are using OpenShift, and set this value to true, the Daemonset will increase it's memory limit to `1Gi`
#
# Important: Make sure to set the privileged attribute to `true` in the DaemonSet's securityContext configuration below
openShift: false

# Use ebpf monitoring where applicable
# Enabling this setting has been observed to cause an increase in resource usage by the agent with some workloads,
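Review bot: "increase it's memory limit" should read "its memory limit". More substantively, the "Important" line asks the operator to set `privileged: true` by hand but nothing in the chart checks it, so `openShift: true` with the default securityContext renders silently; consider a `fail` in the template when `openShift` is set without the privileged flag, or explain why a higher memory limit is tied to privileged mode at all, since the two read as unrelated.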
@@ -127,7 +140,6 @@ capabilities:
#####
agentDeployKey: ""


#####
#
# Alterntatively, define your own secret, and put the secret's name/key in the child values
@@ -229,6 +241,7 @@ daemonset:
#
# enableDocker: false
# enableContainerd: false
# enableCrio: false

# Enable low-power mode
# Configures the daemonset agents to perform better in