Merge pull request #37 from olhado/ebpf-enhancements

patcable · web-flow · commit 3999ec61c0a2 · 2022-05-16T11:16:12.000-04:00
Backwards incompatible change: Changed capabilities definition to yaml list
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ The following kubernetes objects are created when the chart is installed:
 | apiReader.tolerations | list | `[]` |  |
 | apiReader.podAnnotations | string | {} |  |
 | apiReader.priorityClassName | string | `""` | Optionally set the priority class name for the daemonset pods. Note that priority classes are not created via this helm chart. Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
-| capabilities | string | `"[\"AUDIT_CONTROL\", \"SYS_ADMIN\", \"SYS_PTRACE\"]\n"` | Docker capabilites required for the proper operation of the agent |
+| capabilities | list | `["AUDIT_CONTROL", "SYS_ADMIN", "SYS_PTRACE", "SYS_NICE"]` | Docker capabilites required for the proper operation of the agent |
 | customDaemonsetCmd | object | `{}` | Uncomment the `command` and `args` sub-attributes, and define them as desired to run custom commands in the daemonset. |
 | daemonset.additionalRuntimeConfig | string | `"log.level info"` |  |
 | daemonset.affinity | object | `{}` |  |
@@ -57,6 +57,7 @@ The following kubernetes objects are created when the chart is installed:
 | daemonset.customTsAuditdConfig | string | `""` |  |
 | daemonset.enableContainerd | bool | `unset` | Configures the daemonset agents to listen to the containerd daemon socket. **By default in agent 2.4.0+, the agent detects if containerd is running at startup**  |
 | daemonset.enableDocker | bool | `unset` | Configures the daemonset agents to listen to the docker daemon socket. **By default in agent 2.4.0+, the agent detects if docker is running at startup** |
+| daemonset.enableLowPowerMode | bool | false | Configures the daemonset agents to perform better in tightly-resourced environments. The agent trades some telemetry reporting for reduced CPU and memory consumption. Ref: https://threatstack.zendesk.com/hc/en-us/articles/360016132692-Threat-Stack-Kubernetes-Deployment |
 | daemonset.nodeSelector | object | `{}` |  |
 | daemonset.podAnnotations."container.apparmor.security.beta.kubernetes.io/threatstack-agent" | string | `"unconfined"` |  |
 | daemonset.priorityClassName | string | `""` | Optionally set the priority class name for the daemonset pods. Note that priority classes are not created via this helm chart. Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -31,6 +31,35 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Return capabilities required for daemonset agent pods
+*/}}
+{{- define "threatstack-agent.daemonset-capabilities" -}}
+{{- $ebpf_caps := list "SYS_RESOURCE" "IPC_LOCK" -}}
+{{- if .Values.ebpfEnabled -}}
+{{- $cap_list := concat .Values.capabilities $ebpf_caps -}}
+{{- range $cap_list -}}"{{- . -}}", {{ end -}}
+{{- else -}}
+{{- range .Values.capabilities -}}"{{- . -}}", {{ end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return capabilities required for api-reader pod
+*/}}
+{{- define "threatstack-agent.apireader-capabilities" -}}
+{{- range .Values.capabilities -}}"{{- . -}}", {{ end -}}
+{{- end -}}
+
+{{/*
+Return eBPF configuration required if enabled
+*/}}
+{{- define "threatstack-agent.daemonset-ebpf-config" -}}
+{{- if .Values.ebpfEnabled -}}
+{{- "enable_bpf_sensors 1" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return runtime config if docker is disabled
 */}}
@@ -58,3 +87,16 @@ Return runtime config if containerd is disabled
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return low-power config if setting is enabled
+*/}}
+{{- define "threatstack-agent.daemonset-lowpower-config" -}}
+{{- if kindIs "invalid" .Values.daemonset.enableLowPowerMode -}}
+{{- else -}}
+{{- if eq .Values.daemonset.enableLowPowerMode false -}}
+{{- else -}}
+{{- default "--low-power=true" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/templates/configmap.yaml b/templates/configmap.yaml
@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 data:
-  config-args: {{ include "threatstack-agent.docker-config" . }} {{ include "threatstack-agent.containerd-config" . }} {{ .Values.daemonset.additionalRuntimeConfig}}
+  config-args: {{ include "threatstack-agent.docker-config" . }} {{ include "threatstack-agent.containerd-config" . }} {{ include "threatstack-agent.daemonset-ebpf-config" . }} {{ .Values.daemonset.additionalRuntimeConfig}}
   kubernetes-api-config-args: enable_kubes_master 1 {{ .Values.apiReader.additionalRuntimeConfig }}
 {{- if .Values.daemonset.customAuditRules }}
   custom-audit-rules-content: {{ toYaml .Values.daemonset.customAuditRules | indent 4 }}
diff --git a/templates/daemonset.yaml b/templates/daemonset.yaml
@@ -110,7 +110,7 @@ spec:
         securityContext:
           {{- toYaml .Values.daemonset.securityContext | nindent 10 }}
           capabilities:
-            add: {{ .Values.capabilities | trim }}
+            add: [{{ include "threatstack-agent.daemonset-capabilities" . | trimSuffix ", " }}]
 {{- if .Values.daemonset.resources }}
         resources:
 {{ toYaml .Values.daemonset.resources | trim | indent 10 }}
@@ -140,6 +140,14 @@ spec:
           - name: custom-luafilter-config
             mountPath: /opt/threatstack/etc/tsauditd-custom.lua
             subPath: tsauditd-custom.lua
+{{- end }}
+{{- if .Values.ebpfEnabled }}
+          - name: kernel-debug
+            mountPath: /sys/kernel/debug
+          - name: cgroup
+            mountPath: /sys/fs/cgroup
+          - name: bpf
+            mountPath: /sys/fs/bpf
 {{- end }}
       volumes:
         - hostPath:
@@ -168,4 +176,15 @@ spec:
             items:
               - key: custom-luafilter-content
                 path: tsauditd-custom.lua
+{{- end }}
+{{- if .Values.ebpfEnabled }}
+        - hostPath:
+            path: /sys/kernel/debug
+          name: kernel-debug
+        - hostPath:
+            path: /sys/fs/cgroup
+          name: cgroup
+        - hostPath:
+            path: /sys/fs/bpf
+          name: bpf
 {{- end }}
diff --git a/templates/deployment-api-reader.yaml b/templates/deployment-api-reader.yaml
@@ -99,7 +99,7 @@ spec:
         securityContext:
           {{- toYaml .Values.apiReader.securityContext | nindent 10 }}
           capabilities:
-            add: {{ .Values.capabilities | trim }}
+            add: [{{ include "threatstack-agent.apireader-capabilities" . | trimSuffix ", " }}]
 {{- if .Values.apiReader.resources }}
         resources:
 {{ toYaml .Values.apiReader.resources | trim | indent 10 }}
diff --git a/templates/pod-security-policy.yaml b/templates/pod-security-policy.yaml
@@ -19,6 +19,14 @@ spec:
       readOnly: false
     - pathPrefix: "/run/containerd/containerd.sock"
       readOnly: false
+{{- if .Values.ebpfEnabled }}
+    - pathPrefix: "/sys/kernel/debug"
+      readOnly: false
+    - pathPrefix: "/sys/fs/cgroup"
+      readOnly: false
+    - pathPrefix: "/sys/fs/bpf"
+      readOnly: false
+{{- end }}
   hostNetwork: true
   hostPID: true
   seLinux:
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
@@ -10,5 +10,5 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 type: Opaque
 stringData:
-  ts-setup-args: "--deploy-key {{ .Values.agentDeployKey }} --ruleset '{{ .Values.rulesets }}' {{ .Values.additionalSetupConfig }}"
+  ts-setup-args: "--deploy-key {{ .Values.agentDeployKey }} --ruleset '{{ .Values.rulesets }}' {{ include "threatstack-agent.daemonset-lowpower-config" . }} {{ .Values.additionalSetupConfig }}"
 {{- end -}}
diff --git a/values.yaml b/values.yaml
@@ -46,10 +46,14 @@ rbac:
 #
 # rulesets              :: Define what rules will be applied to the agent by default
 # additionalSetupConfig :: Additional parameters passed to the backend during initial agent registration
-# additionalConfig      :: Additional parameters to configure the running agent
 # capabilities          :: Docker capabilites required for the proper operation of the agent
-capabilities: |
-  ["AUDIT_CONTROL", "SYS_ADMIN", "SYS_PTRACE", "SYS_NICE"]
+rulesets: "Base Rule Set, Docker Rule Set, Kubernetes Rule Set"
+additionalSetupConfig: ""
+capabilities:
+  - AUDIT_CONTROL
+  - SYS_ADMIN
+  - SYS_PTRACE
+  - SYS_NICE
 
 #####
 # WARNING!
@@ -62,8 +66,6 @@ capabilities: |
 #####
 agentDeployKey: ""
 
-rulesets: "Base Rule Set, Docker Rule Set, Kubernetes Rule Set"
-additionalSetupConfig: ""
 
 #####
 #
@@ -167,6 +169,15 @@ daemonset:
   # enableDocker: false
   # enableContainerd: false
 
+  # Enable low-power mode
+  # Configures the daemonset agents to perform better in 
+  # tightly-resourced environments. The agent trades some telemetry
+  # reporting for reduced CPU and memory consumption.
+  #
+  # Ref: https://threatstack.zendesk.com/hc/en-us/articles/360016132692-Threat-Stack-Kubernetes-Deployment
+  #
+  enableLowPowerMode: true
+
   additionalRuntimeConfig: "log.level info"
   # Override the agent's liveness probe logic from the default:
   # In case of issues with the probe, you can disable it with the
