feat(shield): Add support for hostAliases (#2370)

Author: mavimo

charts/shield/Chart.yaml

@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: [email protected]
 type: application
-version: 1.18.1
+version: 1.19.0
 appVersion: "1.0.0"

charts/shield/README.md

@@ -64,6 +64,10 @@ spec:
       {{- else if .Values.cluster.dns_policy }}
       dnsPolicy: {{ .Values.cluster.dns_policy }}
       {{- end }}
+      {{- if .Values.cluster.host_aliases }}
+      hostAliases:
+        {{ toYaml .Values.cluster.host_aliases | nindent 8 }}
+      {{- end }}
       containers:
         - name: "cluster-shield"
           imagePullPolicy: {{ .Values.cluster.image.pull_policy }}

charts/shield/templates/cluster/deployment.yaml

@@ -27,6 +27,10 @@ spec:
           hostProcess: true
           runAsUserName: "NT AUTHORITY\\SYSTEM"
       hostNetwork: true
+      {{- if .Values.host_windows.host_aliases }}
+      hostAliases:
+        {{ toYaml .Values.host_windows.host_aliases | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ include "host.service_account_name" . }}
       {{- if (include "host.has_priority_class" .) }}
       priorityClassName: "{{ include "host.priority_class_name" . }}"

charts/shield/templates/host/daemonset-windows.yaml

@@ -24,6 +24,10 @@ spec:
       hostNetwork: true
       dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.host.dns_policy }}
       hostPID: true
+      {{- if .Values.host.host_aliases }}
+      hostAliases:
+        {{ toYaml .Values.host.host_aliases | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ include "host.service_account_name" . }}
       {{- if (include "host.has_priority_class" .) }}
       priorityClassName: "{{ include "host.priority_class_name" . }}"

charts/shield/templates/host/daemonset.yaml

@@ -1438,3 +1438,59 @@ tests:
             name: my-cluster-volume
             mountPath: /host/my-cluster-mount-path
     template: templates/cluster/deployment.yaml
+
+  - it: Host Alias are not included by default
+    asserts:
+      - notContains:
+          path: spec.template.spec.hostAliases
+    template: templates/cluster/deployment.yaml
+
+  - it: Single Host Alias is included if configured
+    set:
+      cluster:
+        host_aliases:
+          - ip: 1.2.3.4
+            hostnames:
+              - acme.public
+              - acme.internal
+    asserts:
+      - equal:
+          path: spec.template.spec.hostAliases[0].ip
+          value: 1.2.3.4
+      - equal:
+          path: spec.template.spec.hostAliases[0].hostnames
+          value:
+            - acme.public
+            - acme.internal
+    template: templates/cluster/deployment.yaml
+
+  - it: Multiple Host Alias are included if configured
+    set:
+      cluster:
+        host_aliases:
+          - ip: 1.2.3.4
+            hostnames:
+              - acme.public
+              - acme.internal
+          - ip: 4.3.2.1
+            hostnames:
+              - company.public
+              - company.internal
+    asserts:
+      - equal:
+          path: spec.template.spec.hostAliases[0].ip
+          value: 1.2.3.4
+      - equal:
+          path: spec.template.spec.hostAliases[0].hostnames
+          value:
+            - acme.public
+            - acme.internal
+      - equal:
+          path: spec.template.spec.hostAliases[1].ip
+          value: 4.3.2.1
+      - equal:
+          path: spec.template.spec.hostAliases[1].hostnames
+          value:
+              - company.public
+              - company.internal
+    template: templates/cluster/deployment.yaml

charts/shield/tests/cluster/deployment_test.yaml

@@ -463,3 +463,57 @@ tests:
       - equal:
           path: metadata.labels["sysdig/component-version"]
           value: sha256_61fdf83f6ec198919d595ea1e6dc093258dfcdc3d75db81fe060b65c
+
+
+  - it: Host Alias are not included by default
+    asserts:
+      - notContains:
+          path: spec.template.spec.hostAliases
+
+  - it: Single Host Alias is included if configured
+    set:
+      host_windows:
+        host_aliases:
+          - ip: 1.2.3.4
+            hostnames:
+              - acme.public
+              - acme.internal
+    asserts:
+      - equal:
+          path: spec.template.spec.hostAliases[0].ip
+          value: 1.2.3.4
+      - equal:
+          path: spec.template.spec.hostAliases[0].hostnames
+          value:
+            - acme.public
+            - acme.internal
+
+  - it: Multiple Host Alias are included if configured
+    set:
+      host_windows:
+        host_aliases:
+          - ip: 1.2.3.4
+            hostnames:
+              - acme.public
+              - acme.internal
+          - ip: 4.3.2.1
+            hostnames:
+              - company.public
+              - company.internal
+    asserts:
+      - equal:
+          path: spec.template.spec.hostAliases[0].ip
+          value: 1.2.3.4
+      - equal:
+          path: spec.template.spec.hostAliases[0].hostnames
+          value:
+            - acme.public
+            - acme.internal
+      - equal:
+          path: spec.template.spec.hostAliases[1].ip
+          value: 4.3.2.1
+      - equal:
+          path: spec.template.spec.hostAliases[1].hostnames
+          value:
+              - company.public
+              - company.internal

charts/shield/tests/host/daemonset-windows_test.yaml

@@ -794,3 +794,56 @@ tests:
       - equal:
           path: spec.template.spec.dnsPolicy
           value: ClusterFirst
+
+  - it: Host Alias are not included by default
+    asserts:
+      - notContains:
+          path: spec.template.spec.hostAliases
+
+  - it: Single Host Alias is included if configured
+    set:
+      host:
+        host_aliases:
+          - ip: 1.2.3.4
+            hostnames:
+              - acme.public
+              - acme.internal
+    asserts:
+      - equal:
+          path: spec.template.spec.hostAliases[0].ip
+          value: 1.2.3.4
+      - equal:
+          path: spec.template.spec.hostAliases[0].hostnames
+          value:
+            - acme.public
+            - acme.internal
+
+  - it: Multiple Host Alias are included if configured
+    set:
+      host:
+        host_aliases:
+          - ip: 1.2.3.4
+            hostnames:
+              - acme.public
+              - acme.internal
+          - ip: 4.3.2.1
+            hostnames:
+              - company.public
+              - company.internal
+    asserts:
+      - equal:
+          path: spec.template.spec.hostAliases[0].ip
+          value: 1.2.3.4
+      - equal:
+          path: spec.template.spec.hostAliases[0].hostnames
+          value:
+            - acme.public
+            - acme.internal
+      - equal:
+          path: spec.template.spec.hostAliases[1].ip
+          value: 4.3.2.1
+      - equal:
+          path: spec.template.spec.hostAliases[1].hostnames
+          value:
+              - company.public
+              - company.internal

charts/shield/tests/host/daemonset_test.yaml

@@ -335,6 +335,9 @@
         "env": {
           "$ref": "#/$defs/EnvVars"
         },
+        "host_aliases": {
+          "$ref": "#/$defs/HostAliases"
+        },
         "pod_disruption_budget": {
           "type": "object",
           "description": "Pod disruption budget configuration for the Cluster Shield pods",
@@ -401,6 +404,9 @@
         "env": {
           "$ref": "#/$defs/EnvVars"
         },
+        "host_aliases": {
+          "$ref": "#/$defs/HostAliases"
+        },
         "volumes": {
           "$ref": "#/$defs/Volumes"
         },
@@ -419,6 +425,9 @@
         "env": {
           "$ref": "#/$defs/EnvVars"
         },
+        "host_aliases": {
+          "$ref": "#/$defs/HostAliases"
+        },
         "volumes": {
           "$ref": "#/$defs/Volumes"
         },
@@ -1215,6 +1224,38 @@
         }
       },
       "additionalProperties": false
+    },
+    "HostAliases": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "description": "Define host aliases for the pod",
+        "properties": {
+          "ip": {
+            "type": "string",
+            "description": "The IP address to alias"
+          },
+          "hostnames": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "description": "The list of hostname to be assicated to the IP addresses"
+          }
+        },
+        "required": [
+          "ip",
+          "hostnames"
+        ]
+      },
+      "examples": [
+        [
+          {
+            "ip": "1.2.3.4",
+            "hostnames": ["acme.internal", "acme.alias"]
+          }
+        ]
+      ]
     }
   }
 }

charts/shield/values.schema.json

@@ -196,6 +196,8 @@ host_windows:
       cpu: 250m
       # The memory request for the host shield
       memory: 384Mi
+  # The host aliases for the windows host shield workloads
+  host_aliases: []
   # The annotations for the host shield workloads (metadata.annotations)
   workload_annotations: {}
   # The labels for the host shield workloads (metadata.labels)
@@ -304,6 +306,8 @@ host:
         cpu: 250m
         # The memory request for the host shield
         memory: 384Mi
+  # The host aliases for the linux host shield workloads
+  host_aliases: []
   # The annotations for the host shield workloads (metadata.annotations)
   workload_annotations: {}
   # The labels for the host shield workloads (metadata.labels)
@@ -438,6 +442,8 @@ cluster:
       cpu: 1500m
       # The memory limit for the cluster shield
       memory: 1536Mi
+  # The host aliases for the cluster shield workloads
+  host_aliases: []
   # The annotations for the cluster shield workloads (metadata.annotations)
   workload_annotations: {}
   # The labels for the cluster shield workloads (metadata.labels)