From 922e285fa7cc0ff018cc3faf3d389c6b681de31a Mon Sep 17 00:00:00 2001
From: Michael Chmielewski
Date: Mon, 25 Oct 2021 07:23:40 -0400
Subject: [PATCH 1/4] Update container daemon logic and extend liveness probe period

Starting in agent 2.4.0, the agent will attempt to detect which container daemon services are running. So the two existing settings are now to override this behavior explicitly.

---
 README.md | 4 ++--
 templates/_helpers.tpl | 18 ++++++++++++++----
 templates/daemonset.yaml | 2 +-
 templates/deployment-api-reader.yaml | 2 +-
 values.yaml | 7 +++++--
 5 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index f968994..000a211 100644
--- a/README.md
+++ b/README.md
@@ -53,8 +53,8 @@ The following kubernetes objects are created when the chart is installed:
 | daemonset.customAuditRules | string | `""` | |
 | daemonset.customLuaFilter | string | `""` | |
 | daemonset.customTsAuditdConfig | string | `""` | |
-| daemonset.enableContainerd | bool | `false` | Defaults to `false`, configures the daemonset agents to listen to the containerd daemon socket |
-| daemonset.enableDocker | bool | `true` | Defaults to `true`, configures the daemonset agents to listen to the docker daemon socket |
+| daemonset.enableContainerd | bool | `unset` | Configures the daemonset agents to listen to the containerd daemon socket. **By default in agent 2.4.0+, the agent detects if containerd is running at startup** |
+| daemonset.enableDocker | bool | `unset` | Configures the daemonset agents to listen to the docker daemon socket. **By default in agent 2.4.0+, the agent detects if docker is running at startup** |
 | daemonset.nodeSelector | object | `{}` | |
 | daemonset.podAnnotations."container.apparmor.security.beta.kubernetes.io/threatstack-agent" | string | `"unconfined"` | |
 | daemonset.priorityClassName | string | `""` | Optionally set the priority class name for the daemonset pods. Note that priority classes are not created via this helm chart. Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 1c00b7d..f7bf107 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -32,19 +32,29 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 
 {{/*
-Return runtime config if docker enabled
+Return runtime config if docker is disabled
 */}}
 {{- define "threatstack-agent.docker-config" -}}
-{{- if .Values.daemonset.enableDocker -}}
+{{- if kindIs "invalid" .Values.daemonset.enableDocker -}}
+{{- else -}}
+{{- if eq .Values.daemonset.enableDocker false -}}
+{{- default "container_runtimes.docker.enabled false container_runtimes.docker.kubernetes_enabled false" -}}
+{{- else -}}
 {{- default "container_runtimes.docker.enabled true container_runtimes.docker.kubernetes_enabled true" -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
 
 {{/*
-Return runtime config if containerd enabled
+Return runtime config if containerd is disabled
 */}}
 {{- define "threatstack-agent.containerd-config" -}}
-{{- if .Values.daemonset.enableContainerd -}}
+{{- if kindIs "invalid" .Values.daemonset.enableContainerd -}}
+{{- else -}}
+{{- if eq .Values.daemonset.enableContainerd false -}}
+{{- default "container_runtimes.containerd.enabled false container_runtimes.containerd.kubernetes_enabled false" -}}
+{{- else -}}
 {{- default "container_runtimes.containerd.enabled true container_runtimes.containerd.kubernetes_enabled true" -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
diff --git a/templates/daemonset.yaml b/templates/daemonset.yaml
index 7d7ccd0..c5ea9cd 100644
--- a/templates/daemonset.yaml
+++ b/templates/daemonset.yaml
@@ -76,7 +76,7 @@ spec:
             exec:
               command: [ "sh", "-c", "tsagent status" ]
             initialDelaySeconds: 15
-            periodSeconds: 60
+            periodSeconds: 360
             timeoutSeconds: 5
             successThreshold: 1
             failureThreshold: 5
diff --git a/templates/deployment-api-reader.yaml b/templates/deployment-api-reader.yaml
index 7eec5ed..656ffd6 100644
--- a/templates/deployment-api-reader.yaml
+++ b/templates/deployment-api-reader.yaml
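Review bot: The new `{{- if eq .Values.daemonset.enableDocker false -}}` branch only works for a real YAML boolean: if an operator quotes the value (`enableDocker: "false"`), Go's `eq` will, as far as I recall, abort the render with an incompatible-types error, and any other non-nil value (a string, a number) falls through to the "enabled true" output. Since the README now lists the default as `unset`, stating there or in values.yaml that only unquoted `true`/`false` are accepted, or guarding the comparison with `kindIs "bool"`, would avoid a confusing upgrade failure. The comment `Return runtime config if docker is disabled` is also inaccurate, because the helper emits config for an explicit true as well as an explicit false; suggest `Return docker runtime config when enableDocker is set explicitly; emit nothing when unset so the agent auto-detects`. The empty first branch reads more directly as `{{- if not (kindIs "invalid" .Values.daemonset.enableDocker) -}}`. Everything here applies equally to the containerd helper in the same hunk.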
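Review bot: Raising `periodSeconds` from 60 to 360 while `failureThreshold` stays at 5 means a wedged agent can go roughly 30 minutes before kubelet restarts it, which is a monitoring gap for a security agent that the commit message ("extend liveness probe period") does not explain. A comment beside the probe, e.g. `# probe every 6 min; with failureThreshold 5 a hung agent is replaced after ~30 min`, plus the reason the 60s cadence was too aggressive, would record the trade-off for whoever tunes it next. values.yaml's context line `# Override the agent's liveness probe logic from the default:` in the next hunk suggests the probe is overridable, so the README could point operators who want faster detection at that setting. The identical change in templates/deployment-api-reader.yaml carries the same point. The enclosing livenessProbe and container definition start and end outside this hunk.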
@@ -59,7 +59,7 @@ spec:
             exec:
               command: [ "sh", "-c", "tsagent status" ]
             initialDelaySeconds: 15
-            periodSeconds: 60
+            periodSeconds: 360
             timeoutSeconds: 5
             successThreshold: 1
             failureThreshold: 5
diff --git a/values.yaml b/values.yaml
index c4a3268..ec0087f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -145,8 +145,11 @@ apiReader:
 
 # ########
 daemonset:
-  enableDocker: true
-  enableContainerd: false
+  # Override the agent's default detection behavior that determines
+  # which docker service to monitor
+  #
+  # enableDocker: false
+  # enableContainerd: false
   additionalRuntimeConfig: "log.level info"
 
   # Override the agent's liveness probe logic from the default:

From 14c48fc28750e347a3bf35a316a67a3e50f6232c Mon Sep 17 00:00:00 2001
From: Michael Chmielewski
Date: Mon, 25 Oct 2021 08:32:16 -0400
Subject: [PATCH 2/4] Remove mounts that are no long needed with the release of agent 2.4.0

---
 Chart.yaml | 4 ++--
 templates/daemonset.yaml | 10 ----------
 values.yaml | 4 ----
 3 files changed, 2 insertions(+), 16 deletions(-)

diff --git a/Chart.yaml b/Chart.yaml
index 6a54147..4194a07 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: threatstack-agent
-version: 2.1.3
-appVersion: 2.3.4
+version: 2.2.0
+appVersion: 2.4.0
 description: A Helm chart for the Threat Stack Cloud Security Agent
 keywords:
   - security
diff --git a/templates/daemonset.yaml b/templates/daemonset.yaml
index c5ea9cd..684c176 100644
--- a/templates/daemonset.yaml
+++ b/templates/daemonset.yaml
@@ -117,10 +117,6 @@ spec:
           volumeMounts:
             - name: hostfs
               mountPath: /threatstackfs
-            - name: dockersocket
-              mountPath: /var/run/docker.sock
-            - name: containerdsocket
-              mountPath: /run/containerd/containerd.sock
             - name: oldcontainerdsocket
               mountPath: /var/run/docker/containerd/docker-containerd.sock
 {{- if .Values.daemonset.customAuditRules }}
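Review bot: The added comment `# which docker service to monitor` is inaccurate: the two settings it introduces cover both docker and containerd, and the helper emits an explicit enabled/disabled config for either runtime. Suggest `# Override the agent's runtime detection (agent 2.4.0+): set true to force monitoring of docker or containerd, false to disable it, or leave unset to auto-detect`. Showing only `false` in the commented examples hides the `true` override that the README in this series still documents.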
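Review bot: Dropping the `dockersocket` and `containerdsocket` mounts does not reduce what the pod can reach on the node, because the `hostfs` volume (hostPath `path: /`, visible in the volumes hunk of this same patch) still exposes the entire host filesystem, runtime sockets included, under `/threatstackfs`; presumably that is the path the 2.4.0 agent uses for its runtime detection. Saying so in the commit message or README would stop the change being read as a privilege reduction, and tells operators who audit hostPath mounts that the root mount is the one that still warrants scrutiny. The enclosing container definition starts and ends outside this hunk.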
@@ -142,12 +138,6 @@ spec:
         - hostPath:
             path: /
           name: hostfs
-        - hostPath:
-            path: {{ .Values.daemonset.volumes.dockersocket.hostPath }}
-          name: dockersocket
-        - hostPath:
-            path: {{ .Values.daemonset.volumes.containerdsocket.hostPath }}
-          name: containerdsocket
         - hostPath:
             path: {{ .Values.daemonset.volumes.oldcontainerdsocket.hostPath }}
           name: oldcontainerdsocket
diff --git a/values.yaml b/values.yaml
index ec0087f..7a1b0a1 100644
--- a/values.yaml
+++ b/values.yaml
@@ -193,10 +193,6 @@ daemonset:
 
   # Configure hostPaths for docker and containerd sockets
   volumes:
-    dockersocket:
-      hostPath: "/var/run/docker.sock"
-    containerdsocket:
-      hostPath: "/run/containerd/containerd.sock"
     oldcontainerdsocket:
       hostPath: "/var/run/docker/containerd/docker-containerd.sock"
 

From 7a215965741aa8b13115a79bcb426e0769bf1040 Mon Sep 17 00:00:00 2001
From: Michael Chmielewski
Date: Mon, 25 Oct 2021 10:21:33 -0400
Subject: [PATCH 3/4] Remove this old colume mount that is not needed

---
 templates/daemonset.yaml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/templates/daemonset.yaml b/templates/daemonset.yaml
index 684c176..9b5a056 100644
--- a/templates/daemonset.yaml
+++ b/templates/daemonset.yaml
@@ -117,8 +117,6 @@ spec:
           volumeMounts:
             - name: hostfs
               mountPath: /threatstackfs
-            - name: oldcontainerdsocket
-              mountPath: /var/run/docker/containerd/docker-containerd.sock
 {{- if .Values.daemonset.customAuditRules }}
             - name: custom-audit-rules
               mountPath: /opt/threatstack/etc/audit-custom.rules
@@ -138,9 +136,6 @@ spec:
         - hostPath:
             path: /
           name: hostfs
-        - hostPath:
-            path: {{ .Values.daemonset.volumes.oldcontainerdsocket.hostPath }}
-          name: oldcontainerdsocket
 {{- if .Values.daemonset.customAuditRules }}
         - name: custom-audit-rules
           configMap:

From 1481df6c4acf3548748e9eaaf3beee33890b000f Mon Sep 17 00:00:00 2001
From: Michael Chmielewski
Date: Mon, 25 Oct 2021 10:29:04 -0400
Subject: [PATCH 4/4] Cleanup the last few references to old configuration

---
 README.md | 3 ---
 values.yaml | 5 -----
 2 files changed, 8 deletions(-)

diff --git a/README.md b/README.md
index 000a211..20acb10 100644
--- a/README.md
+++ b/README.md
@@ -59,9 +59,6 @@ The following kubernetes objects are created when the chart is installed:
 | daemonset.podAnnotations."container.apparmor.security.beta.kubernetes.io/threatstack-agent" | string | `"unconfined"` | |
 | daemonset.priorityClassName | string | `""` | Optionally set the priority class name for the daemonset pods. Note that priority classes are not created via this helm chart. Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
 | daemonset.tolerations | list | `[]` | |
-| daemonset.volumes.containerdsocket.hostPath | string | `"/run/containerd/containerd.sock"` | Path to docker daemon's socket |
-| daemonset.volumes.dockersocket.hostPath | string | `"/var/run/docker.sock"` | Path to docker daemon's socket |
-| daemonset.volumes.oldcontainerdsocket.hostPath | string | `"/var/run/docker/containerd/docker-containerd.sock"` | Path to older containerd daemon's socket |
 | eksAmazon2 | bool | `false` | If `true`, the Daemonset definition will be modified to execute commands for the agent to work correctly on EKS with Amazon Linux 2 nodes. Defaults to `false` |
 | eksAmazon2Cmd.args[0] | string | `"-c"` | |
 | eksAmazon2Cmd.args[1] | string | `"chroot /threatstackfs /bin/bash -c 'service auditd stop; systemctl disable auditd'; eval tsagent setup $THREATSTACK_SETUP_ARGS; eval tsagent config --set $THREATSTACK_CONFIG_ARGS; sleep 5; /opt/threatstack/sbin/tsagentd -logstdout"` | |
diff --git a/values.yaml b/values.yaml
index 7a1b0a1..2686618 100644
--- a/values.yaml
+++ b/values.yaml
@@ -191,11 +191,6 @@ daemonset:
   # Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
   priorityClassName: ""
 
-  # Configure hostPaths for docker and containerd sockets
-  volumes:
-    oldcontainerdsocket:
-      hostPath: "/var/run/docker/containerd/docker-containerd.sock"
-
   ## Annotations to add to the threatstack daemonset pod(s)
   #
   # To remove the apparmor annotation, add a comment as the attribute value,