Merge remote-tracking branch 'upstream/master'

Michael Chmielewski · Michael Chmielewski · commit c8e6a5571b70 · 2022-02-11T12:00:58.000-05:00
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: threatstack-agent
-version: 2.1.3
-appVersion: 2.3.4
+version: 2.2.1
+appVersion: 2.4.1
 description: A Helm chart for the Threat Stack Cloud Security Agent
 keywords:
 - security
diff --git a/README.md b/README.md
@@ -53,15 +53,12 @@ The following kubernetes objects are created when the chart is installed:
 | daemonset.customAuditRules | string | `""` |  |
 | daemonset.customLuaFilter | string | `""` |  |
 | daemonset.customTsAuditdConfig | string | `""` |  |
-| daemonset.enableContainerd | bool | `false` | Defaults to `false`, configures the daemonset agents to listen to the containerd daemon socket |
-| daemonset.enableDocker | bool | `true` | Defaults to `true`, configures the daemonset agents to listen to the docker daemon socket |
+| daemonset.enableContainerd | bool | `unset` | Configures the daemonset agents to listen to the containerd daemon socket. **By default in agent 2.4.0+, the agent detects if containerd is running at startup**  |
+| daemonset.enableDocker | bool | `unset` | Configures the daemonset agents to listen to the docker daemon socket. **By default in agent 2.4.0+, the agent detects if docker is running at startup** |
 | daemonset.nodeSelector | object | `{}` |  |
 | daemonset.podAnnotations."container.apparmor.security.beta.kubernetes.io/threatstack-agent" | string | `"unconfined"` |  |
 | daemonset.priorityClassName | string | `""` | Optionally set the priority class name for the daemonset pods. Note that priority classes are not created via this helm chart. Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
 | daemonset.tolerations | list | `[]` |  |
-| daemonset.volumes.containerdsocket.hostPath | string | `"/run/containerd/containerd.sock"` | Path to docker daemon's socket |
-| daemonset.volumes.dockersocket.hostPath | string | `"/var/run/docker.sock"` | Path to docker daemon's socket |
-| daemonset.volumes.oldcontainerdsocket.hostPath | string | `"/var/run/docker/containerd/docker-containerd.sock"` | Path to older containerd daemon's socket |
 | eksAmazon2 | bool | `false` | If `true`, the Daemonset definition will be modified to execute commands for the agent to work correctly on EKS with Amazon Linux 2 nodes. Defaults to `false` |
 | eksAmazon2Cmd.args[0] | string | `"-c"` |  |
 | eksAmazon2Cmd.args[1] | string | `"chroot /threatstackfs /bin/bash -c 'service auditd stop; systemctl disable auditd'; eval tsagent setup $THREATSTACK_SETUP_ARGS; eval tsagent config --set $THREATSTACK_CONFIG_ARGS; sleep 5; /opt/threatstack/sbin/tsagentd -logstdout"` |  |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -32,19 +32,29 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 
 {{/*
-Return runtime config if docker enabled
+Return runtime config if docker is disabled
 */}}
 {{- define "threatstack-agent.docker-config" -}}
-{{- if .Values.daemonset.enableDocker -}}
+{{- if kindIs "invalid" .Values.daemonset.enableDocker -}}
+{{- else -}}
+{{- if eq .Values.daemonset.enableDocker false -}}
+{{- default "container_runtimes.docker.enabled false container_runtimes.docker.kubernetes_enabled false" -}}
+{{- else -}}
 {{- default "container_runtimes.docker.enabled true container_runtimes.docker.kubernetes_enabled true" -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
 
 {{/*
-Return runtime config if containerd enabled
+Return runtime config if containerd is disabled
 */}}
 {{- define "threatstack-agent.containerd-config" -}}
-{{- if .Values.daemonset.enableContainerd -}}
+{{- if kindIs "invalid" .Values.daemonset.enableContainerd -}}
+{{- else -}}
+{{- if eq .Values.daemonset.enableContainerd false -}}
+{{- default "container_runtimes.containerd.enabled false container_runtimes.containerd.kubernetes_enabled false" -}}
+{{- else -}}
 {{- default "container_runtimes.containerd.enabled true container_runtimes.containerd.kubernetes_enabled true" -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
diff --git a/templates/daemonset.yaml b/templates/daemonset.yaml
@@ -83,7 +83,7 @@ spec:
           exec:
             command: [ "sh", "-c", "tsagent status" ]
           initialDelaySeconds: 15
-          periodSeconds: 60
+          periodSeconds: 360
           timeoutSeconds: 5
           successThreshold: 1
           failureThreshold: 5
@@ -124,12 +124,6 @@ spec:
         volumeMounts:
           - name: hostfs
             mountPath: /threatstackfs
-          - name: dockersocket
-            mountPath: /var/run/docker.sock
-          - name: containerdsocket
-            mountPath: /run/containerd/containerd.sock
-          - name: oldcontainerdsocket
-            mountPath: /var/run/docker/containerd/docker-containerd.sock
 {{- if .Values.daemonset.customAuditRules }}
           - name: custom-audit-rules
             mountPath: /opt/threatstack/etc/audit-custom.rules
@@ -149,15 +143,6 @@ spec:
         - hostPath:
             path: /
           name: hostfs
-        - hostPath:
-            path: {{ .Values.daemonset.volumes.dockersocket.hostPath }}
-          name: dockersocket
-        - hostPath:
-            path: {{ .Values.daemonset.volumes.containerdsocket.hostPath }}
-          name: containerdsocket
-        - hostPath:
-            path: {{ .Values.daemonset.volumes.oldcontainerdsocket.hostPath }}
-          name: oldcontainerdsocket
 {{- if .Values.daemonset.customAuditRules }}
         - name: custom-audit-rules
           configMap:
diff --git a/templates/deployment-api-reader.yaml b/templates/deployment-api-reader.yaml
@@ -66,7 +66,7 @@ spec:
           exec:
             command: [ "sh", "-c", "tsagent status" ]
           initialDelaySeconds: 15
-          periodSeconds: 60
+          periodSeconds: 360
           timeoutSeconds: 5
           successThreshold: 1
           failureThreshold: 5
diff --git a/values.yaml b/values.yaml
@@ -145,8 +145,11 @@ apiReader:
 #
 ########
 daemonset:
-  enableDocker: true
-  enableContainerd: false
+  # Override the agent's default detection behavior that determines
+  # which docker service to monitor
+  #
+  # enableDocker: false
+  # enableContainerd: false
 
   additionalRuntimeConfig: "log.level info"
   # Override the agent's liveness probe logic from the default:
@@ -188,15 +191,6 @@ daemonset:
   # Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
   priorityClassName: ""
 
-  # Configure hostPaths for docker and containerd sockets
-  volumes:
-    dockersocket:
-      hostPath: "/var/run/docker.sock"
-    containerdsocket:
-      hostPath: "/run/containerd/containerd.sock"
-    oldcontainerdsocket:
-      hostPath: "/var/run/docker/containerd/docker-containerd.sock"
-
   ## Annotations to add to the threatstack daemonset pod(s)
   #
   # To remove the apparmor annotation, add a comment as the attribute value,
