From 097d8f7a142ca7e3dcdd451dfb3da7f0abfd17cc Mon Sep 17 00:00:00 2001 From: davidrobert Date: Tue, 24 Sep 2024 16:23:55 +0300 Subject: [PATCH 1/5] Node agent chart changes --- network-mapper/templates/_helpers.tpl | 4 + .../templates/agent-clusterrole.yaml | 25 ++++ network-mapper/templates/agent-daemonset.yaml | 137 ++++++++++++++++++ .../templates/agent-serviceaccount.yaml | 39 +++++ network-mapper/values.yaml | 12 ++ 5 files changed, 217 insertions(+) create mode 100644 network-mapper/templates/agent-clusterrole.yaml create mode 100644 network-mapper/templates/agent-daemonset.yaml create mode 100644 network-mapper/templates/agent-serviceaccount.yaml diff --git a/network-mapper/templates/_helpers.tpl b/network-mapper/templates/_helpers.tpl index 1a651d69..f0e873fb 100644 --- a/network-mapper/templates/_helpers.tpl +++ b/network-mapper/templates/_helpers.tpl @@ -1,3 +1,7 @@ +{{- define "otterize.nodeagent.fullName" -}} +otterize-node-agent +{{- end -}} + {{- define "otterize.sniffer.fullName" -}} otterize-network-sniffer {{- end -}} diff --git a/network-mapper/templates/agent-clusterrole.yaml b/network-mapper/templates/agent-clusterrole.yaml new file mode 100644 index 00000000..bbc97c0e --- /dev/null +++ b/network-mapper/templates/agent-clusterrole.yaml @@ -0,0 +1,25 @@ +{{ if .Values.nodeagent.enable }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "otterize.nodeagent.fullName" . }} + labels: + {{- with .Values.global.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} + annotations: + {{- with .Values.global.commonAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +{{ end }} \ No newline at end of file 
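Review bot: The ClusterRole in agent-clusterrole.yaml grants `get`/`list`/`watch` on `apiGroups: '*'` and `resources: '*'`, which includes Secrets in every namespace, and the ClusterRoleBinding added later in this patch binds it to a DaemonSet service account on every node; nothing in the hunk says why the node agent needs cluster-wide read of everything. Scope `resources` to the kinds the agent actually reads (the sniffer's existing ClusterRole in this chart, not visible here, is the natural reference) and keep Secrets out unless the agent provably needs them. The `app.kubernetes.io/version` key is also repeated under `annotations` right after `labels`, which reads like a copied labels block; if the chart's other templates do the same it is at least consistent, otherwise drop the annotation copy.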
diff --git a/network-mapper/templates/agent-daemonset.yaml b/network-mapper/templates/agent-daemonset.yaml
new file mode 100644
index 00000000..eaea5c58
--- /dev/null
+++ b/network-mapper/templates/agent-daemonset.yaml
@@ -0,0 +1,137 @@
+{{ if .Values.nodeagent.enable }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ template "otterize.nodeagent.fullName" . }}
+ labels:
+ {{- with .Values.global.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+ annotations:
+ {{- with .Values.global.commonAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ template "otterize.nodeagent.fullName" . }}
+ template:
+ metadata:
+ labels:
+ {{- with .Values.global.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.global.commonLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ app: {{ template "otterize.nodeagent.fullName" . }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+ annotations:
+ {{- with .Values.global.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.global.commonAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+ spec:
+ serviceAccountName: {{ template "otterize.nodeagent.fullName" . }}
+ {{- if .Values.nodeagent.podSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.nodeagent.podSecurityContext | nindent 8 }}
+ {{- end }}
+ {{ if .Values.nodeagent.pullSecrets }}
+ imagePullSecrets:
+ - name: {{ .Values.nodeagent.pullSecrets }}
+ {{ end }}
+ {{- with .Values.nodeagent.tolerations }}
+ tolerations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeagent.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
+ containers:
+ - name: {{ template "otterize.nodeagent.fullName" . 
}}
+ image: "{{ .Values.nodeagent.repository }}/{{ .Values.nodeagent.image }}:{{ default $.Chart.AppVersion .Values.nodeagent.tag }}"
+ {{ if .Values.nodeagent.pullPolicy }}
+ imagePullPolicy: {{ .Values.nodeagent.pullPolicy }}
+ {{ end }}
+ resources:
+ {{- toYaml .Values.nodeagent.resources | nindent 10 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+
+ {{ if .Values.debug }}
+ - name: OTTERIZE_DEBUG
+ value: {{ .Values.debug | quote }}
+ {{ end }}
+
+ {{ if .Values.global.otterizeCloud.apiAddress }}
+ - name: OTTERIZE_API_ADDRESS
+ value: "{{ .Values.global.otterizeCloud.apiAddress }}"
+ {{ end }}
+ {{ if .Values.global.otterizeCloud.credentials.clientId }}
+ - name: OTTERIZE_CLIENT_ID
+ value: "{{ .Values.global.otterizeCloud.credentials.clientId }}"
+ {{ end }}
+ {{ if (and .Values.global.otterizeCloud.credentials.clientSecretKeyRef.secretName .Values.global.otterizeCloud.credentials.clientSecretKeyRef.secretKey) }}
+ - name: OTTERIZE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Values.global.otterizeCloud.credentials.clientSecretKeyRef.secretName }}"
+ key: "{{ .Values.global.otterizeCloud.credentials.clientSecretKeyRef.secretKey }}"
+ {{ else if .Values.global.otterizeCloud.credentials.clientSecret }}
+ - name: OTTERIZE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: mapper-otterize-cloud-client-secret
+ key: otterize-cloud-client-secret
+ {{ end }}
+
+ volumeMounts:
+ - name: host-proc
+ mountPath: /host/proc
+ readOnly: true
+
+ - name: host-socket-k3s
+ mountPath: /run/cri/k3s.sock
+ - name: host-socket-containerd
+ mountPath: /run/cri/containerd.sock
+
+ - mountPath: /host/sys/fs/bpf
+ name: host-bpffs
+ readOnly: false
+
+ securityContext:
+ privileged: true
+
+ volumes:
+ - hostPath:
+ path: /proc
+ name: host-proc
+ - name: component-config
+ configMap: 
+ name: {{ template "otterize.mapper.componentConfigmap" . }}
+ - name: host-socket-k3s
+ hostPath:
+ path: "/run/k3s/containerd/containerd.sock"
+ - name: host-socket-containerd
+ hostPath:
+ path: "/run/containerd/containerd.sock"
+ - name: host-bpffs
+ hostPath:
+ path: "/sys/fs/bpf"
+{{ end }}
\ No newline at end of file
diff --git a/network-mapper/templates/agent-serviceaccount.yaml b/network-mapper/templates/agent-serviceaccount.yaml
new file mode 100644
index 00000000..3dcdf036
--- /dev/null
+++ b/network-mapper/templates/agent-serviceaccount.yaml
@@ -0,0 +1,39 @@
+{{ if .Values.nodeagent.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "otterize.nodeagent.fullName" . }}
+ labels:
+ {{- with .Values.global.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+ annotations:
+ {{- with .Values.global.commonAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "otterize.nodeagent.fullName" . }}
+ labels:
+ {{- with .Values.global.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+ annotations:
+ {{- with .Values.global.commonAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "otterize.nodeagent.fullName" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "otterize.nodeagent.fullName" . }}
+ namespace: {{ .Release.Namespace }}
+{{ end }}
\ No newline at end of file
diff --git a/network-mapper/values.yaml b/network-mapper/values.yaml
index bf8a3e0e..2277ace5 100644
--- a/network-mapper/values.yaml
+++ b/network-mapper/values.yaml
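Review bot: The agent container is `privileged: true` and additionally mounts `/proc`, both containerd sockets (`/run/k3s/containerd/containerd.sock`, `/run/containerd/containerd.sock`) and `/sys/fs/bpf` with `readOnly: false`, and neither the template nor values.yaml records which of these the agent actually needs; a privileged DaemonSet holding the runtime socket is equivalent to root on every node, so at minimum a comment above `securityContext:` should state the requirement, and if the agent only needs eBPF the chart should prefer an explicit `capabilities.add` list over `privileged: true` (the exact set is for the agent's authors to confirm). The `component-config` configMap volume is declared under `volumes` but nothing in `volumeMounts` references it, so it is dead weight unless a later commit mounts it. `.Values.nodeagent.pullSecrets` is rendered as a single `- name:` entry, so a list value (the usual `imagePullSecrets` shape) would produce an invalid manifest; either document it as one secret name or iterate with `range`.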
@@ -39,6 +39,18 @@ mapper: # cpu: 100m # memory: 128Mi +nodeagent: + enable: false + repository: otterize + image: node-agent + tag: latest + pullPolicy: + tolerations: [] + resources: { } + podSecurityContext: + runAsNonRoot: false + pullSecrets: + priorityClassName: "" sniffer: enable: true # enable/disable entire installation of the network sniffer From 206a23914b58898fe1d7de6e7f4f03e4ab3417b2 Mon Sep 17 00:00:00 2001 From: davidrobert Date: Sun, 13 Oct 2024 16:51:37 +0300 Subject: [PATCH 2/5] Add pii detector service --- network-mapper/templates/_helpers.tpl | 4 +- .../templates/pii-detector-deployment.yaml | 63 +++++++++++++++++++ .../pii-detector-serviceaccount.yaml | 16 +++++ network-mapper/values.yaml | 8 +++ 4 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 network-mapper/templates/pii-detector-deployment.yaml create mode 100644 network-mapper/templates/pii-detector-serviceaccount.yaml diff --git a/network-mapper/templates/_helpers.tpl b/network-mapper/templates/_helpers.tpl index f0e873fb..6dab4c46 100644 --- a/network-mapper/templates/_helpers.tpl +++ b/network-mapper/templates/_helpers.tpl @@ -1,7 +1,9 @@ {{- define "otterize.nodeagent.fullName" -}} otterize-node-agent {{- end -}} - +{{- define "otterize.piidetector.fullName" -}} +otterize-pii-detector +{{- end -}} {{- define "otterize.sniffer.fullName" -}} otterize-network-sniffer {{- end -}} diff --git a/network-mapper/templates/pii-detector-deployment.yaml b/network-mapper/templates/pii-detector-deployment.yaml new file mode 100644 index 00000000..7236cdf8 --- /dev/null +++ b/network-mapper/templates/pii-detector-deployment.yaml 
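Review bot: `tag: latest` as the default means the template's `default $.Chart.AppVersion .Values.nodeagent.tag` never falls back to the chart's appVersion, so a fresh install pulls a mutable `latest` image instead of a release pinned to the chart; `tag: ""` would let the chart default apply, which also matches how the image line is written. `pullPolicy:` and `pullSecrets:` are bare values that parse as null — they work with the `{{ if }}` guards in the DaemonSet, but `""` makes the intent explicit. `podSecurityContext` defaulting to `runAsNonRoot: false` documents nothing on its own; either drop it or add a comment explaining that the agent must run as root because its container is privileged.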
@@ -0,0 +1,63 @@
+{{ if .Values.nodeagent.enable }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "otterize.piidetector.fullName" . }}
+ labels:
+ {{- with .Values.global.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+ annotations:
+ {{- with .Values.global.commonAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ template "otterize.piidetector.fullName" . }}
+ template:
+ metadata:
+ labels:
+ {{- with .Values.global.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+ app: {{ template "otterize.piidetector.fullName" . }}
+ annotations:
+ {{- with .Values.global.commonAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/version: {{ .Chart.Version }}
+ spec:
+ serviceAccountName: {{ template "otterize.piidetector.fullName" . }}
+ containers:
+ - name: piidetector
+ image: "{{ .Values.piidetector.repository }}/{{ .Values.piidetector.image }}:{{ default $.Chart.AppVersion .Values.piidetector.tag }}"
+ {{ if .Values.piidetector.pullPolicy }}
+ imagePullPolicy: {{ .Values.piidetector.pullPolicy }}
+ {{ end }}
+ ports:
+ - containerPort: 5000
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {{- toYaml .Values.piidetector.resources | nindent 12 }}
+ readinessProbe:
+ httpGet:
+ path: /healthcheck
+ port: 5000
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /healthcheck
+ port: 5000
+ initialDelaySeconds: 30
+ periodSeconds: 10
+{{ end }}
\ No newline at end of file
diff --git a/network-mapper/templates/pii-detector-serviceaccount.yaml b/network-mapper/templates/pii-detector-serviceaccount.yaml
new file mode 100644
index 00000000..dac385b4
--- /dev/null
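Review bot: Inside `spec.template.metadata`, both the `commonLabels` and `commonAnnotations` blocks are rendered with `nindent 4`, but those keys sit under `template:`/`metadata:` at a deeper level, so any non-empty `global.commonLabels` renders a mis-nested pod template (the DaemonSet in agent-daemonset.yaml uses `nindent 8` at the same position); change the two `nindent 4` occurrences under `template:` to `nindent 8`. The Deployment is gated on `.Values.nodeagent.enable` rather than a `piidetector.enable` value, which ties the detector's lifecycle to the agent's; if that coupling is deliberate, a comment on the `{{ if }}` line should say so. The container has no `securityContext` although it is an ordinary HTTP service; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` would be the expected defaults here, in contrast to the privileged node agent.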
+++ b/network-mapper/templates/pii-detector-serviceaccount.yaml @@ -0,0 +1,16 @@ +{{ if .Values.nodeagent.enable }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "otterize.piidetector.fullName" . }} + labels: + {{- with .Values.global.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} + annotations: + {{- with .Values.global.commonAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} +{{ end }} \ No newline at end of file diff --git a/network-mapper/values.yaml b/network-mapper/values.yaml index 2277ace5..be677f93 100644 --- a/network-mapper/values.yaml +++ b/network-mapper/values.yaml @@ -52,6 +52,14 @@ nodeagent: pullSecrets: priorityClassName: "" +piidetector: + repository: otterize + image: node-agent + tag: latest + pullPolicy: + tolerations: [ ] + resources: { } + sniffer: enable: true # enable/disable entire installation of the network sniffer repository: otterize From 8270ee81bf2786d331dc228813b5a0bd86fce83e Mon Sep 17 00:00:00 2001 From: davidrobert Date: Sun, 20 Oct 2024 14:47:42 +0300 Subject: [PATCH 3/5] Add pii detector service --- network-mapper/templates/agent-daemonset.yaml | 3 +++ .../templates/pii-detector-service.yaml | 22 +++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 network-mapper/templates/pii-detector-service.yaml diff --git a/network-mapper/templates/agent-daemonset.yaml b/network-mapper/templates/agent-daemonset.yaml index eaea5c58..547bb4a4 100644 --- a/network-mapper/templates/agent-daemonset.yaml +++ b/network-mapper/templates/agent-daemonset.yaml @@ -101,6 +101,9 @@ spec: key: otterize-cloud-client-secret {{ end }} + - name: OTTERIZE_PII_DETECTOR_API_URL + value: http://{{ template "otterize.piidetector.fullName" . }}:5000/ + volumeMounts: - name: host-proc mountPath: /host/proc 
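Review bot: `piidetector.image: node-agent` is the same image as `nodeagent.image`, which reads like a copy of the nodeagent block rather than the detector's own image; please confirm the intended image, since with `tag: latest` the chart will otherwise run the node-agent image behind the `/healthcheck` probes. `tolerations: [ ]` is declared but pii-detector-deployment.yaml never reads `.Values.piidetector.tolerations`, and there is no `enable` key even though the Deployment is gated on `nodeagent.enable`; either wire these up in the template or drop them so values.yaml matches what the templates consume. As with the nodeagent block, `tag: latest` defeats the `default $.Chart.AppVersion` fallback in the image line.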
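Review bot: `OTTERIZE_PII_DETECTOR_API_URL` points the agent at `http://…:5000/`, so whatever the agent submits for PII detection crosses the cluster network in cleartext to a Service that, in this series, has no authentication; that is only acceptable on a trusted cluster network, and a comment next to the value should say so (or the scheme and port should become values so TLS can be enabled later). The value is also an unquoted plain scalar; `value: "http://{{ template "otterize.piidetector.fullName" . }}:5000/"` keeps it safe against YAML-special characters in future edits. The hunk sits inside the `env:` list, whose start and the enclosing container spec are outside this hunk.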
diff --git a/network-mapper/templates/pii-detector-service.yaml b/network-mapper/templates/pii-detector-service.yaml new file mode 100644 index 00000000..c131f393 --- /dev/null +++ b/network-mapper/templates/pii-detector-service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "otterize.piidetector.fullName" . }} + labels: + {{- with .Values.global.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} + annotations: + {{- with .Values.global.commonAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/version: {{ .Chart.Version }} +spec: + selector: + app: {{ template "otterize.piidetector.fullName" . }} + ports: + - protocol: TCP + port: 5000 + name: http + targetPort: 5000 \ No newline at end of file From eb55f78702c3dd45341e1544329f02fd57230692 Mon Sep 17 00:00:00 2001 From: davidrobert Date: Sun, 20 Oct 2024 14:48:50 +0300 Subject: [PATCH 4/5] new line fix --- network-mapper/templates/pii-detector-serviceaccount.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network-mapper/templates/pii-detector-serviceaccount.yaml b/network-mapper/templates/pii-detector-serviceaccount.yaml index dac385b4..6b0fe6c2 100644 --- a/network-mapper/templates/pii-detector-serviceaccount.yaml +++ b/network-mapper/templates/pii-detector-serviceaccount.yaml @@ -13,4 +13,4 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} app.kubernetes.io/version: {{ .Chart.Version }} -{{ end }} \ No newline at end of file +{{ end }} From f44ea35141aa11c8072c94b5774867dbde425c06 Mon Sep 17 00:00:00 2001 
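Review bot: pii-detector-service.yaml is the only PII-detector template without the `{{ if .Values.nodeagent.enable }}` guard, so the Service is rendered on every install even when the Deployment and ServiceAccount behind it are not, leaving a selector with no endpoints; wrap the file in the same guard as the Deployment. The Service port is named `http` while the Deployment's `containerPort: 5000` is unnamed; naming the container port and using `targetPort: http` would make the mapping explicit and survive a port change in one place.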
From: davidrobert Date: Sun, 20 Oct 2024 14:50:00 +0300 Subject: [PATCH 5/5] new line fix --- network-mapper/templates/agent-clusterrole.yaml | 2 +- network-mapper/templates/agent-daemonset.yaml | 2 +- network-mapper/templates/agent-serviceaccount.yaml | 2 +- network-mapper/templates/pii-detector-deployment.yaml | 2 +- network-mapper/templates/pii-detector-service.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/network-mapper/templates/agent-clusterrole.yaml b/network-mapper/templates/agent-clusterrole.yaml index bbc97c0e..8a2f9608 100644 --- a/network-mapper/templates/agent-clusterrole.yaml +++ b/network-mapper/templates/agent-clusterrole.yaml @@ -22,4 +22,4 @@ rules: - get - list - watch -{{ end }} \ No newline at end of file +{{ end }} diff --git a/network-mapper/templates/agent-daemonset.yaml b/network-mapper/templates/agent-daemonset.yaml index 547bb4a4..f8d663c9 100644 --- a/network-mapper/templates/agent-daemonset.yaml +++ b/network-mapper/templates/agent-daemonset.yaml @@ -137,4 +137,4 @@ spec: - name: host-bpffs hostPath: path: "/sys/fs/bpf" -{{ end }} \ No newline at end of file +{{ end }} diff --git a/network-mapper/templates/agent-serviceaccount.yaml b/network-mapper/templates/agent-serviceaccount.yaml index 3dcdf036..ff20e38d 100644 --- a/network-mapper/templates/agent-serviceaccount.yaml +++ b/network-mapper/templates/agent-serviceaccount.yaml @@ -36,4 +36,4 @@ subjects: - kind: ServiceAccount name: {{ template "otterize.nodeagent.fullName" . }} namespace: {{ .Release.Namespace }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/network-mapper/templates/pii-detector-deployment.yaml b/network-mapper/templates/pii-detector-deployment.yaml index 7236cdf8..ced12322 100644 --- a/network-mapper/templates/pii-detector-deployment.yaml +++ b/network-mapper/templates/pii-detector-deployment.yaml @@ -60,4 +60,4 @@ spec: port: 5000 initialDelaySeconds: 30 periodSeconds: 10 -{{ end }} \ No newline at end of file +{{ end }} 
diff --git a/network-mapper/templates/pii-detector-service.yaml b/network-mapper/templates/pii-detector-service.yaml index c131f393..9f265313 100644 --- a/network-mapper/templates/pii-detector-service.yaml +++ b/network-mapper/templates/pii-detector-service.yaml @@ -19,4 +19,4 @@ spec: - protocol: TCP port: 5000 name: http - targetPort: 5000 \ No newline at end of file + targetPort: 5000