docs: add example for security agent readiness#101
docs: add example for security agent readiness#101arnab-logs wants to merge 4 commits intokubernetes-sigs:mainfrom
Conversation
✅ Deploy Preview for node-readiness-controller ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: arnab-logs The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
ajaysundark
requested review from
ajaysundark
and removed request for
SergeyKanzhelev and
haircommander
| 2. **Install Falco and Apply the RBAC**: | ||
| ```sh | ||
| chmod +x apply-falco.sh | ||
| sh apply-falco.sh | ||
| ``` |
There was a problem hiding this comment.
These scripts are not included in this PR. I wonder if you're still working on these or missed to update here.
|
I looked into a couple of approaches for handling the falco.sh file and made updates based on that. Happy to rework anything after review if there’s a preferred direction. |
|
|
||
| ### 1. Deploy the Readiness Condition Reporter | ||
|
|
||
| To bridge the security agent’s internal health signal to Kubernetes, we deploy a readiness reporter that updates a Node Condition. This reporter is typically deployed as a sidecar container in the Falco DaemonSet. |
There was a problem hiding this comment.
Calling this as 'typical' is misleading. This just details how this example managed this readiness condition. If a component, eg: Falco, implements a node-status update in-tree this side-car reporter is unnecessary.
| memory: "32Mi" | ||
| ``` | ||
|
|
||
| > Note: In this example, the security agent’s health is monitored by a side-car, so the reporter’s lifecycle is the same as the pod lifecycle. If the Falco pod is crashlooping, the sidecar will not run and cannot report readiness. For robust `continuous` readiness reporting, the reporter should be deployed `external` to the pod. |
There was a problem hiding this comment.
nit: this could add a reference to npd for clarity, to clarify what do you mean as 'external' here.
| metadata: | ||
| name: node-status-patch-role | ||
| rules: | ||
| - apiGroups: [""] |
There was a problem hiding this comment.
Did you verify if this RBAC is sufficient for Falco? does it not need a node/get permissions?
| spec: | ||
| # Conditions that must be satisfied before the taint is removed | ||
| conditions: | ||
| - type: "security.k8s.io/FalcoReady" |
There was a problem hiding this comment.
we dont need to use the "k8s.io" domain here, as the condition is what is set by Falco. preferably this is in the component's domain name.
3 participants
This PR adds a new documentation example demonstrating how to use the Node Readiness Controller to gate node scheduling on the readiness of a security agent (for example, Falco).
The following files were changed:
docs/book/src/examples/security-agent-readiness.mddocs/book/src/SUMMARY.mdFixes #100