Add(tetragon)

projects/tetragon/project.yml

@@ -0,0 +1,8 @@
+config:
+  description: Cilium Tetragon
+
+apps:
+- name: tetragon
+  repoURL: https://github.com/cilium/tetragon
+  targetRevision: main
+  path: install/kubernetes

projects/tetragon/values/tetragon.yaml

@@ -0,0 +1,175 @@
+enabled: true
+imagePullPolicy: IfNotPresent
+imagePullSecrets: []
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+podAnnotations: {}
+podSecurityContext: {}
+nodeSelector: {}
+tolerations:
+- operator: Exists
+affinity: {}
+extraHostPathMounts: []
+extraConfigmapMounts: []
+daemonSetAnnotations: {}
+extraVolumes: []
+updateStrategy: {}
+daemonSetLabelsOverride: {}
+selectorLabelsOverride: {}
+podLabelsOverride: {}
+serviceLabelsOverride: {}
+
+# Set DNS policy for tetragon pods.
+#
+# Recommended DNS policy for tetragon pod depends on whether the export container
+# needs to resolve external DNS names (e.g. an S3 URL) or internal ones (e.g. a Kubernetes
+# DNS name for elasticsearch service).
+#
+# - For external DNS names, use "Default" so that the export container continues to function
+#   properly in case there is a connectivity issue between the export container and core-dns.
+# - For internal DNS names, use "ClusterFirstWithHostNet" so that the export container can
+#   resolve them.
+#
+# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+dnsPolicy: Default
+
+# exportDirectory specifies directory to put Hubble and FGS JSON export files.
+exportDirectory: "/var/run/cilium/tetragon"
+# exportFileRotationInterval specifies file creation interval for hubble-export-s3.
+exportFileCreationInterval: "120s"
+
+#
+# Configures whether Tetragon pods run on the host network.
+#
+# IMPORTANT: Tetragon must be on the host network for the process visibility to
+# function properly.
+#
+hostNetwork: true
+
+tetragon:
+  enabled: true
+  image:
+    override: ~
+    repository: quay.io/cilium/tetragon
+    tag: v0.8.0
+  resources: {}
+  extraArgs: {}
+  extraEnv: []
+  # extraEnv:
+  #   - name: foo
+  #     value: bar
+  extraVolumeMounts: []
+  securityContext:
+    privileged: true
+
+  # Tetragon puts processes in an LRU cache. The cache is used to find ancestors for subsequently exec'ed
+  # processes.
+  processCacheSize: 65536
+
+  # JSON export filename. Set it to an empty string to disable JSON export altogether.
+  exportFilename: tetragon.log
+
+  # Size in megabytes at which to rotate JSON export files.
+  exportFileMaxSizeMB: 10
+
+  # Number of rotated files to retain.
+  exportFileMaxBackups: 5
+
+  # Compress rotated JSON export files.
+  exportFileCompress: false
+
+  # Rate-limit event export (events per minute), Set to -1 to export all events.
+  exportRateLimit: -1
+
+  # Allowlist for JSON export. For example, to export only process_connect events from
+  # the default namespace:
+  #
+  # exportAllowList: |
+  #   {"namespace":["default"],"event_set":["PROCESS_EXEC"]}
+  exportAllowList: |-
+    {"event_set":["PROCESS_EXEC", "PROCESS_EXIT", "PROCESS_KPROBE"]}
+
+  # Denylist for JSON export. For example, to exclude exec events that look similar to
+  # Kubernetes health checks and all the events from kube-system namespace and the host:
+  #
+  # exportDenyList: |
+  #   {"health_check":true}
+  #   {"namespace":["kube-system",""]}
+  #
+  exportDenyList: |-
+    {"health_check":true}
+    {"namespace":["", "cilium", "kube-system"]}
+
+  # Access Kubernetes API to associate Tetragon events with Kubernetes pods.
+  enableK8sAPI: true
+
+  # Access Cilium API to associate Tetragon events with Cilium endpoints and DNS cache.
+  enableCiliumAPI: true
+
+  # enableProcessCred enables Capabilities visibility in exec and kprobe events.
+  enableProcessCred: true
+
+  # enableProcessNs enables Namespaces visibility in exec and kprobe events.
+  enableProcessNs: true
+
+  # Set --btf option to explicitly specify an absolute path to a btf file. For advanced users only.
+  btf: ""
+
+  # Override the command. For advanced users only.
+  commandOverride: []
+
+  # Override the arguments. For advanced users only.
+  argsOverride: []
+
+  prometheus:
+    # -- Whether to enable exposing Tetragon metrics.
+    enabled: true
+    # -- The port at which to expose metrics.
+    port: 2112
+    serviceMonitor:
+      # -- Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods.
+      enabled: false
+      # -- The set of labels to place on the 'ServiceMonitor' resource.
+      labelsOverride: {}
+
+tetragonOperator:
+  # -- Enable the tetragon-operator component (required).
+  enabled: true
+
+  # -- tetragon-operator image.
+  image:
+    override: ~
+    repository: quay.io/cilium/tetragon-operator
+    tag: v0.8.0
+    # tetragon-operator image-digest
+    suffix: ""
+
+export:
+  # "stdout". "" to disable.
+  mode: "stdout"
+  resources: {}
+  extraArgs: {}
+  extraEnv: []
+  # extraEnv:
+  #   - name: foo
+  #     value: bar
+  extraVolumeMounts: []
+  securityContext: {}
+
+  # Override the command. For advanced users only.
+  commandOverride: [ ]
+
+  # Override the arguments. For advanced users only.
+  argsOverride: [ ]
+
+  # filenames defines list of files for fluentd to tail and export.
+  filenames:
+  - tetragon.log
+
+  stdout:
+    image:
+      override: ~
+      repository: quay.io/cilium/hubble-export-stdout
+      tag: v1.0.2