From 5a5f5dd751dd6605b239cb2a2a77d0fb0a1bb354 Mon Sep 17 00:00:00 2001
From: nold
Date: Wed, 18 May 2022 18:07:59 +0200
Subject: [PATCH] Add(tetragon)
---
 projects/tetragon/project.yml | 8 ++
 projects/tetragon/values/tetragon.yaml | 175 +++++++++++++++++++++++++
 2 files changed, 183 insertions(+)
 create mode 100644 projects/tetragon/project.yml
 create mode 100644 projects/tetragon/values/tetragon.yaml
diff --git a/projects/tetragon/project.yml b/projects/tetragon/project.yml
new file mode 100644
index 00000000..80b205bc
--- /dev/null
+++ b/projects/tetragon/project.yml
@@ -0,0 +1,8 @@
+config:
+  description: Cilium Tetragon
+
+apps:
+- name: tetragon
+  repoURL: https://github.com/cilium/tetragon
+  targetRevision: main
+  path: install/kubernetes
diff --git a/projects/tetragon/values/tetragon.yaml b/projects/tetragon/values/tetragon.yaml
new file mode 100644
index 00000000..a00d9f09
--- /dev/null
+++ b/projects/tetragon/values/tetragon.yaml
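Review bot: `targetRevision: main` tracks the moving tip of the upstream cilium/tetragon repository, so each sync deploys whatever chart templates happen to be on `main` at that moment, while the values file added in the same commit pins the images to `v0.8.0`; chart and image can silently diverge, and an upstream breaking change or a compromised commit lands in the cluster without review. Pin the chart source to the matching release, `targetRevision: v0.8.0`, or to an explicit commit SHA, and bump it deliberately together with the image tag. The hunk is the whole of the new `project.yml`, so nothing else in the file constrains this.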
@@ -0,0 +1,175 @@
+enabled: true
+imagePullPolicy: IfNotPresent
+imagePullSecrets: []
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+podAnnotations: {}
+podSecurityContext: {}
+nodeSelector: {}
+tolerations:
+- operator: Exists
+affinity: {}
+extraHostPathMounts: []
+extraConfigmapMounts: []
+daemonSetAnnotations: {}
+extraVolumes: []
+updateStrategy: {}
+daemonSetLabelsOverride: {}
+selectorLabelsOverride: {}
+podLabelsOverride: {}
+serviceLabelsOverride: {}
+
+# Set DNS policy for tetragon pods.
+#
+# Recommended DNS policy for tetragon pod depends on whether the export container
+# needs to resolve external DNS names (e.g. an S3 URL) or internal ones (e.g. a Kubernetes
+# DNS name for elasticsearch service).
+#
+# - For external DNS names, use "Default" so that the export container continues to function
+# properly in case there is a connectivity issue between the export container and core-dns.
+# - For internal DNS names, use "ClusterFirstWithHostNet" so that the export container can
+# resolve them.
+#
+# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+dnsPolicy: Default
+
+# exportDirectory specifies directory to put Hubble and FGS JSON export files.
+exportDirectory: "/var/run/cilium/tetragon"
+# exportFileRotationInterval specifies file creation interval for hubble-export-s3.
+exportFileCreationInterval: "120s"
+
+#
+# Configures whether Tetragon pods run on the host network.
+#
+# IMPORTANT: Tetragon must be on the host network for the process visibility to
+# function properly.
+#
+hostNetwork: true
+
+tetragon:
+  enabled: true
+  image:
+    override: ~
+    repository: quay.io/cilium/tetragon
+    tag: v0.8.0
+  resources: {}
+  extraArgs: {}
+  extraEnv: []
+  # extraEnv:
+  # - name: foo
+  #   value: bar
+  extraVolumeMounts: []
+  securityContext:
+    privileged: true
+
+  # Tetragon puts processes in an LRU cache. The cache is used to find ancestors for subsequently exec'ed
+  # processes.
+  processCacheSize: 65536
+
+  # JSON export filename. Set it to an empty string to disable JSON export altogether.
+  exportFilename: tetragon.log
+
+  # Size in megabytes at which to rotate JSON export files.
+  exportFileMaxSizeMB: 10
+
+  # Number of rotated files to retain.
+  exportFileMaxBackups: 5
+
+  # Compress rotated JSON export files.
+  exportFileCompress: false
+
+  # Rate-limit event export (events per minute), Set to -1 to export all events.
+  exportRateLimit: -1
+
+  # Allowlist for JSON export. For example, to export only process_connect events from
+  # the default namespace:
+  #
+  # exportAllowList: |
+  #   {"namespace":["default"],"event_set":["PROCESS_EXEC"]}
+  exportAllowList: |-
+    {"event_set":["PROCESS_EXEC", "PROCESS_EXIT", "PROCESS_KPROBE"]}
+
+  # Denylist for JSON export. For example, to exclude exec events that look similar to
+  # Kubernetes health checks and all the events from kube-system namespace and the host:
+  #
+  # exportDenyList: |
+  #   {"health_check":true}
+  #   {"namespace":["kube-system",""]}
+  #
+  exportDenyList: |-
+    {"health_check":true}
+    {"namespace":["", "cilium", "kube-system"]}
+
+  # Access Kubernetes API to associate Tetragon events with Kubernetes pods.
+  enableK8sAPI: true
+
+  # Access Cilium API to associate Tetragon events with Cilium endpoints and DNS cache.
+  enableCiliumAPI: true
+
+  # enableProcessCred enables Capabilities visibility in exec and kprobe events.
+  enableProcessCred: true
+
+  # enableProcessNs enables Namespaces visibility in exec and kprobe events.
+  enableProcessNs: true
+
+  # Set --btf option to explicitly specify an absolute path to a btf file. For advanced users only.
+  btf: ""
+
+  # Override the command. For advanced users only.
+  commandOverride: []
+
+  # Override the arguments. For advanced users only.
+  argsOverride: []
+
+  prometheus:
+    # -- Whether to enable exposing Tetragon metrics.
+    enabled: true
+    # -- The port at which to expose metrics.
+    port: 2112
+    serviceMonitor:
+      # -- Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods.
+      enabled: false
+      # -- The set of labels to place on the 'ServiceMonitor' resource.
+      labelsOverride: {}
+
+tetragonOperator:
+  # -- Enable the tetragon-operator component (required).
+  enabled: true
+
+  # -- tetragon-operator image.
+  image:
+    override: ~
+    repository: quay.io/cilium/tetragon-operator
+    tag: v0.8.0
+    # tetragon-operator image-digest
+    suffix: ""
+
+export:
+  # "stdout". "" to disable.
+  mode: "stdout"
+  resources: {}
+  extraArgs: {}
+  extraEnv: []
+  # extraEnv:
+  # - name: foo
+  #   value: bar
+  extraVolumeMounts: []
+  securityContext: {}
+
+  # Override the command. For advanced users only.
+  commandOverride: [ ]
+
+  # Override the arguments. For advanced users only.
+  argsOverride: [ ]
+
+  # filenames defines list of files for fluentd to tail and export.
+  filenames:
+  - tetragon.log
+
+  stdout:
+    image:
+      override: ~
+      repository: quay.io/cilium/hubble-export-stdout
+      tag: v1.0.2
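Review bot: The `exportDenyList` block scalar drops every event from the host (`""`), `cilium` and `kube-system` namespaces out of the JSON export, which is precisely the process activity a node-level compromise or a malicious container in the control-plane namespace would generate, so this deployment has no exported visibility where it matters most. If the goal is only to suppress probe noise, keep `{"health_check":true}` and narrow the second line to namespaces whose execs are genuinely uninteresting, e.g. `{"namespace":["cilium"]}`, rather than excluding `""` and `kube-system`; if the whole filter is a volume concern, prefer `exportRateLimit` over a namespace blind spot. With `hostNetwork: true` and `prometheus.enabled: true`, the metrics listener on `port: 2112` is presumably reachable on every node's host interface; confirm it is bound to a local address or scoped by a NetworkPolicy. Both images are pinned by mutable tag (`tag: v0.8.0`) under `imagePullPolicy: IfNotPresent`, and the chart exposes `tetragonOperator.image.suffix` for a digest, so pin at least the operator by digest.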