Commit fd27a06

mavimo and aroberts87 authored
feature(agent): add support for Universal eBPF - CA (#1270)
Co-authored-by: Adam Roberts <[email protected]>
1 parent 3329a0d commit fd27a06

8 files changed

+173
-9
lines changed

charts/agent/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -30,4 +30,4 @@ sources:
3030
- https://app.sysdigcloud.com/#/settings/user
3131
- https://github.com/draios/sysdig
3232
type: application
33-
version: 1.13.15
33+
version: 1.14.0

charts/agent/README.md

Lines changed: 4 additions & 3 deletions
@@ -88,8 +88,8 @@ The following table lists the configurable parameters of the Sysdig chart and th
8888
| Parameter | Description | Default |
8989
|---------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
9090
| `global.clusterConfig.name` | Sets a unique name to the cluster. You can then use the cluster name to identify events using the `kubernetes.cluster.name` tag. | `quay.io` |
91-
| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required |
92-
| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required |
91+
| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required |
92+
| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required |
9393
| `global.sysdig.region` | The SaaS region for these agents. Possible values: `"us1"`, `"us2"`, `"us3"`, `"us4"`, `"eu1"`, `"au1"`, and `"custom"` | `"us1"` |
9494
| `global.proxy.httpProxy` | Sets `http_proxy` on the `agent` container. | `""` |
9595
| `global.proxy.httpsProxy` | Sets `https_proxy` on the `agent` container. | `""` |
@@ -146,6 +146,7 @@ The following table lists the configurable parameters of the Sysdig chart and th
146146
| `slim.resources.limits.cpu` | Specifies the CPU limit for building the kernel module | `1000m` |
147147
| `slim.resources.limits.memory` | Specifies the memory limit for building the kernel module. | `512Mi` |
148148
| `ebpf.enabled` | Enables eBPF support for Sysdig instead of `sysdig-probe` kernel module. | `false` |
149+
| `ebpf.kind` | Define which eBPF driver to use, can be `legacy_ebpf` or `universal_ebpf` | `legacy_ebpf` |
149150
| `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. Overrides `global.clusterConfig.name`. | ` ` |
150151
| `sysdig.accessKey` | Your Sysdig Agent Access Key. Overrides `global.sysdig.accessKey` | Either `accessKey` or `existingAccessKeySecret` is required |
151152
| `sysdig.existingAccessKeySecret` | Specifies the name of a Kubernetes secret containing an `access-key ` entry. Overrides `global.sysdig.existingAccessKeySecret` | Either `accessKey` or `existingAccessKeySecret` is required |
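Review bot: the new `ebpf.kind` row lists only the two accepted values and omits the side effects a user needs to know. It should say that the key has effect only when `ebpf.enabled` is `true`, and that `universal_ebpf` switches the agent to `slim.image.repository` and skips the `sysdig-agent-kmodule` init container even when `slim.enabled` is `false`. Both behaviours are implemented in `_helpers.tpl` and `daemonset.yaml` in this commit and cannot be inferred from the table.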
@@ -158,7 +159,7 @@ The following table lists the configurable parameters of the Sysdig chart and th
158159
| `auditLog.auditServerUrl` | Specifies the URL where Sysdig Agent listens for the Kubernetes audit log events. | `0.0.0.0` |
159160
| `auditLog.auditServerPort` | Specifies the port where Sysdig Agent listens for the Kubernetes audit log events. | `7765` |
160161
| `auditLog.dynamicBackend.enabled` | Deploys the Audit Sink where Sysdig listens for Kubernetes audit log events. | `false` |
161-
| `tolerations` | Specifies the tolerations for scheduling. | <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> | |
162+
| `tolerations` | Specifies the tolerations for scheduling. | <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> |
162163
| `leaderelection.enable` | Enables the agent leader election algorithm. | `false` |
163164
| `prometheus.file` | Specifies the file to configure promscrape. | `false` |
164165
| `prometheus.yaml` | Configures the Prometheus metric collection. Performs relabelling and filtering. | ` ` |

charts/agent/templates/_helpers.tpl

Lines changed: 17 additions & 1 deletion
@@ -54,11 +54,15 @@ Define the proper imageRegistry to use for agent and kmodule image
5454
{{- end -}}
5555

5656
{{/*
57-
Return the proper Sysdig Agent image name
57+
Return the proper Sysdig Agent repository name
58+
59+
Force the slim version if customer specify enable the slim mode or if the Universal eBPF driver is enforced
5860
*/}}
5961
{{- define "agent.repositoryName" -}}
6062
{{- if .Values.slim.enabled -}}
6163
{{- .Values.slim.image.repository -}}
64+
{{- else if (include "agent.universalEbpfEnforced" . ) -}}
65+
{{- .Values.slim.image.repository -}}
6266
{{- else -}}
6367
{{- .Values.image.repository -}}
6468
{{- end -}}
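Review bot: in `agent.repositoryName` the added `else if` branch returns the same `.Values.slim.image.repository` as the `if .Values.slim.enabled` branch above it, so the two can be one condition, `{{- if or .Values.slim.enabled (include "agent.universalEbpfEnforced" .) -}}`, leaving a single place to change if the slim repository key moves. The new comment line would also read better as "Force the slim image if slim mode is enabled or the Universal eBPF driver is enforced".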
@@ -219,6 +223,18 @@ it can act like a boolean
219223
{{- end -}}
220224
{{- end -}}
221225

226+
{{- define "agent.universalEbpfEnforced" -}}
227+
{{- if (and (eq "true" (include "agent.ebpfEnabled" .)) (eq "universal_ebpf" .Values.ebpf.kind )) -}}
228+
true
229+
{{- end -}}
230+
{{- end -}}
231+
232+
{{- define "agent.legacyEbpfEnforced" -}}
233+
{{- if (and (eq "true" (include "agent.ebpfEnabled" .)) (eq "legacy_ebpf" .Values.ebpf.kind )) -}}
234+
true
235+
{{- end -}}
236+
{{- end -}}
237+
222238
{{/*
223239
to help the maxUnavailable pick a reasonable value depending on the cluster size
224240
*/}}
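Review bot: `agent.universalEbpfEnforced` and `agent.legacyEbpfEnforced` have no `{{/* ... */}}` description, unlike the defines around them; one line stating that each returns the string `true` or nothing would help, because callers use the result as a boolean. Any `ebpf.kind` other than the two literals makes both helpers return empty, so with eBPF enabled the daemonset would render no `SYSDIG_AGENT_DRIVER` at all. The only guard is the enum in `values.schema.json`, so consider a `fail` call for unknown values so that the template does not depend solely on schema validation.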

charts/agent/templates/daemonset.yaml

Lines changed: 14 additions & 2 deletions
@@ -77,7 +77,8 @@ spec:
7777
imagePullSecrets:
7878
{{ toYaml .Values.global.image.pullSecrets | nindent 8 }}
7979
{{- end }}
80-
{{- if .Values.slim.enabled }}
80+
{{/* When the Universal eBPF is enforced by customer choice there is no reason to start the init container to build the driver */}}
81+
{{- if and .Values.slim.enabled (not (include "agent.universalEbpfEnforced" . )) }}
8182
initContainers:
8283
- name: sysdig-agent-kmodule
8384
image: {{ template "agent.image.kmodule" . }}
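Review bot: the comment added above the `initContainers` condition is written as `{{/* ... */}}` without a trim marker, so it leaves an empty line in the rendered manifest, while the actions around it use `{{-`. Write it as `{{- /* ... */}}` to keep the output unchanged for existing users.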
@@ -95,6 +96,10 @@ spec:
9596
- name: SYSDIG_BPF_PROBE
9697
value:
9798
{{- end }}
99+
{{- if (include "agent.legacyEbpfEnforced" .) }}
100+
- name: SYSDIG_AGENT_DRIVER
101+
value: legacy_ebpf
102+
{{- end }}
98103
{{- range $key, $value := .Values.daemonset.kmodule.env }}
99104
- name: {{ $key | quote }}
100105
value: {{ $value | quote }}
@@ -178,10 +183,17 @@ spec:
178183
valueFrom:
179184
fieldRef:
180185
fieldPath: spec.nodeName
181-
{{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)}}
186+
{{- if and (or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)) (not (include "agent.universalEbpfEnforced" . )) }}
182187
- name: SYSDIG_BPF_PROBE
183188
value:
184189
{{- end }}
190+
{{- if (include "agent.universalEbpfEnforced" .) }}
191+
- name: SYSDIG_AGENT_DRIVER
192+
value: universal_ebpf
193+
{{- else if (include "agent.legacyEbpfEnforced" .) }}
194+
- name: SYSDIG_AGENT_DRIVER
195+
value: legacy_ebpf
196+
{{- end }}
185197
{{- if (.Values.proxy.httpProxy | default .Values.global.proxy.httpProxy) }}
186198
- name: http_proxy
187199
value: {{ .Values.proxy.httpProxy | default .Values.global.proxy.httpProxy }}
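Review bot: `SYSDIG_BPF_PROBE` is still emitted when `agent.gke.autopilot` is set, but both new `SYSDIG_AGENT_DRIVER` branches depend on `agent.ebpfEnabled`, so an Autopilot install with `ebpf.enabled: false` gets the probe variable and no driver variable. In the other direction, whenever `agent.universalEbpfEnforced` is true the Autopilot case loses `SYSDIG_BPF_PROBE`. Please confirm both combinations are intended and record that in a template comment here. The `if`/`else if` pair could also be one entry guarded by `agent.ebpfEnabled` with `value: {{ .Values.ebpf.kind }}`, since the schema restricts the value to the two literals.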
Lines changed: 103 additions & 0 deletions
@@ -0,0 +1,103 @@
1+
suite: Universal eBPF tests
2+
templates:
3+
- templates/daemonset.yaml
4+
tests:
5+
- it: Ensure that when the eBPF is disabled we create the sysdig container without SYSDIG_BPF_PROBE and SYSDIG_AGENT_DRIVER environment variables
6+
set:
7+
ebpf:
8+
enabled: false
9+
asserts:
10+
- isNull:
11+
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")]
12+
- isNull:
13+
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")]
14+
- isNull:
15+
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")]
16+
- isNull:
17+
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")]
18+
19+
- it: Ensure that when the eBPF is enabled the default driver is "legacy_ebpf" we create the sysdig container with the SYSDIG_BPF_PROBE and SYSDIG_AGENT_DRIVER=legacy_ebpf environment variables
20+
set:
21+
ebpf:
22+
enabled: true
23+
asserts:
24+
- isEmpty:
25+
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value
26+
- equal:
27+
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
28+
value: legacy_ebpf
29+
- isEmpty:
30+
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value
31+
- equal:
32+
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
33+
value: legacy_ebpf
34+
35+
- it: Ensure that when the eBPF is enabled and we specify to use the "legacy_ebpf" driver we create the sysdig container with the SYSDIG_BPF_PROBE and with SYSDIG_AGENT_DRIVER environment variables
36+
set:
37+
ebpf:
38+
enabled: true
39+
kind: legacy_ebpf
40+
asserts:
41+
- isEmpty:
42+
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value
43+
- equal:
44+
path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
45+
value: legacy_ebpf
46+
- isEmpty:
47+
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value
48+
- equal:
49+
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
50+
value: legacy_ebpf
51+
52+
- it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we create the sysdig container without the SYSDIG_BPF_PROBE and with the SYSDIG_AGENT_DRIVER environment variables
53+
set:
54+
ebpf:
55+
enabled: true
56+
kind: universal_ebpf
57+
asserts:
58+
- isNull:
59+
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")]
60+
- equal:
61+
path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
62+
value: universal_ebpf
63+
64+
- it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we don't create the init container
65+
set:
66+
ebpf:
67+
enabled: true
68+
kind: universal_ebpf
69+
asserts:
70+
- isNull:
71+
path: spec.template.spec.initContainers
72+
73+
- it: Ensure that when the eBPF is enabled and we specify to use the "legacy_ebpf" driver we create the init container
74+
set:
75+
ebpf:
76+
enabled: true
77+
kind: legacy_ebpf
78+
asserts:
79+
- matchRegex:
80+
path: spec.template.spec.initContainers[*].image
81+
pattern: quay.io/sysdig/agent-kmodule:.*
82+
83+
- it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we use the slim container
84+
set:
85+
ebpf:
86+
enabled: true
87+
kind: universal_ebpf
88+
asserts:
89+
- matchRegex:
90+
path: spec.template.spec.containers[*].image
91+
pattern: quay.io/sysdig/agent-slim:.*
92+
93+
- it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we use the slim container also if is slim container is not enabled
94+
set:
95+
slim:
96+
enabled: false
97+
ebpf:
98+
enabled: true
99+
kind: universal_ebpf
100+
asserts:
101+
- matchRegex:
102+
path: spec.template.spec.containers[*].image
103+
pattern: quay.io/sysdig/agent-slim:.*
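Review bot: the suite exercises `ebpf.enabled` and `ebpf.kind` but has no case with GKE Autopilot enabled, which the changed `SYSDIG_BPF_PROBE` condition in `daemonset.yaml` also depends on, and no case asserting that a `kind` outside the schema enum is rejected. The two `universal_ebpf` environment-variable assertions also check only `containers`, which is fine while the init container is absent but worth a comment. The `matchRegex` patterns such as `quay.io/sysdig/agent-slim:.*` are unanchored and leave the dots unescaped; `^quay\.io/sysdig/agent-slim:` is stricter.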

charts/agent/values.schema.json

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
{
2+
"$schema": "http://json-schema.org/schema#",
3+
"type": "object",
4+
"required": [
5+
"ebpf"
6+
],
7+
"properties": {
8+
"ebpf": {
9+
"type": "object",
10+
"required": [
11+
"enabled",
12+
"kind"
13+
],
14+
"properties": {
15+
"enabled": {
16+
"type": "boolean"
17+
},
18+
"kind": {
19+
"type": "string",
20+
"enum": [
21+
"legacy_ebpf",
22+
"universal_ebpf"
23+
]
24+
}
25+
}
26+
}
27+
}
28+
}
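Review bot: the `ebpf` object declares `enabled` and `kind` but does not set `additionalProperties`, so a misspelled key under `ebpf` passes validation and the chart silently keeps the `legacy_ebpf` default. If `ebpf` has no other keys, add `"additionalProperties": false` to that object only, not to the top level. The `$schema` URI `http://json-schema.org/schema#` is unversioned; pinning a specific draft makes the validation behaviour explicit, and a `description` on `kind` would surface in editor tooling.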

charts/agent/values.yaml

Lines changed: 4 additions & 0 deletions
@@ -169,6 +169,10 @@ priorityClassValue: 10
169169
ebpf:
170170
# Enable eBPF support for Sysdig Agent
171171
enabled: false
172+
173+
# Define the kind of eBPF driver that will be used by the agent. Can be `legacy_ebpf` or `universal_ebpf`
174+
kind: legacy_ebpf
175+
172176
slim:
173177
# Uses a slim version of the Sysdig Agent
174178
enabled: true
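Review bot: with `kind: legacy_ebpf` as the default, every existing install that has `ebpf.enabled: true` starts receiving `SYSDIG_AGENT_DRIVER=legacy_ebpf` after upgrading the chart, as the second test case in the new suite confirms. Please confirm that agent images pinned to older tags ignore the variable, or state a minimum agent version. The comment on `kind` should also say that the key is ignored unless `enabled` is `true`.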

charts/sysdig-deploy/Chart.yaml

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@ apiVersion: v2
22
name: sysdig-deploy
33
description: A chart with various Sysdig components for Kubernetes
44
type: application
5-
version: 1.24.7
5+
version: 1.25.0
66
maintainers:
77
- name: AlbertoBarba
88
@@ -26,7 +26,7 @@ dependencies:
2626
- name: agent
2727
# repository: https://charts.sysdig.com
2828
repository: file://../agent
29-
version: ~1.13.15
29+
version: ~1.14.0
3030
alias: agent
3131
condition: agent.enabled
3232
- name: common
