Update container daemon logic and extend liveness probe period

Starting in agent 2.4.0, the agent will attempt to detect which container daemon services are running. So the two existing settings are now to override this behavior explicitly.

Author: Michael Chmielewski

README.md

@@ -53,8 +53,8 @@ The following kubernetes objects are created when the chart is installed:
 | daemonset.customAuditRules | string | `""` |  |
 | daemonset.customLuaFilter | string | `""` |  |
 | daemonset.customTsAuditdConfig | string | `""` |  |
-| daemonset.enableContainerd | bool | `false` | Defaults to `false`, configures the daemonset agents to listen to the containerd daemon socket |
-| daemonset.enableDocker | bool | `true` | Defaults to `true`, configures the daemonset agents to listen to the docker daemon socket |
+| daemonset.enableContainerd | bool | `unset` | Configures the daemonset agents to listen to the containerd daemon socket. **By default in agent 2.4.0+, the agent detects if containerd is running at startup**  |
+| daemonset.enableDocker | bool | `unset` | Configures the daemonset agents to listen to the docker daemon socket. **By default in agent 2.4.0+, the agent detects if docker is running at startup** |
 | daemonset.nodeSelector | object | `{}` |  |
 | daemonset.podAnnotations."container.apparmor.security.beta.kubernetes.io/threatstack-agent" | string | `"unconfined"` |  |
 | daemonset.priorityClassName | string | `""` | Optionally set the priority class name for the daemonset pods. Note that priority classes are not created via this helm chart. Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |

templates/_helpers.tpl

@@ -32,19 +32,29 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 
 {{/*
-Return runtime config if docker enabled
+Return runtime config if docker is disabled
 */}}
 {{- define "threatstack-agent.docker-config" -}}
-{{- if .Values.daemonset.enableDocker -}}
+{{- if kindIs "invalid" .Values.daemonset.enableDocker -}}
+{{- else -}}
+{{- if eq .Values.daemonset.enableDocker false -}}
+{{- default "container_runtimes.docker.enabled false container_runtimes.docker.kubernetes_enabled false" -}}
+{{- else -}}
 {{- default "container_runtimes.docker.enabled true container_runtimes.docker.kubernetes_enabled true" -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
 
 {{/*
-Return runtime config if containerd enabled
+Return runtime config if containerd is disabled
 */}}
 {{- define "threatstack-agent.containerd-config" -}}
-{{- if .Values.daemonset.enableContainerd -}}
+{{- if kindIs "invalid" .Values.daemonset.enableContainerd -}}
+{{- else -}}
+{{- if eq .Values.daemonset.enableContainerd false -}}
+{{- default "container_runtimes.containerd.enabled false container_runtimes.containerd.kubernetes_enabled false" -}}
+{{- else -}}
 {{- default "container_runtimes.containerd.enabled true container_runtimes.containerd.kubernetes_enabled true" -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}

templates/daemonset.yaml

@@ -76,7 +76,7 @@ spec:
           exec:
             command: [ "sh", "-c", "tsagent status" ]
           initialDelaySeconds: 15
-          periodSeconds: 60
+          periodSeconds: 360
           timeoutSeconds: 5
           successThreshold: 1
           failureThreshold: 5

templates/deployment-api-reader.yaml

@@ -59,7 +59,7 @@ spec:
           exec:
             command: [ "sh", "-c", "tsagent status" ]
           initialDelaySeconds: 15
-          periodSeconds: 60
+          periodSeconds: 360
           timeoutSeconds: 5
           successThreshold: 1
           failureThreshold: 5

values.yaml

@@ -145,8 +145,11 @@ apiReader:
 #
 ########
 daemonset:
-  enableDocker: true
-  enableContainerd: false
+  # Override the agent's default detection behavior that determines
+  # which docker service to monitor
+  #
+  # enableDocker: false
+  # enableContainerd: false
 
   additionalRuntimeConfig: "log.level info"
   # Override the agent's liveness probe logic from the default: