forked from grafana/beyla
-
Notifications
You must be signed in to change notification settings - Fork 0
/
unprivileged.yaml
221 lines (221 loc) · 7.02 KB
/
unprivileged.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
---
apiVersion: v1
kind: Namespace
metadata:
name: beyla-demo
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: beyla
namespace: beyla-demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: beyla-demo
name: beyla-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: beyla-role-binding
namespace: beyla-demo
subjects:
- kind: ServiceAccount
name: beyla
roleRef:
kind: Role
name: beyla-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: beyla-cluster-role
rules:
- apiGroups: [""]
resources: ["namespaces", "nodes", "pods"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
# list services is needed by network-policy beyla.
verbs: ["list"]
- apiGroups: ["*"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
# Required to retrieve the owner references used by the seccomp beyla.
verbs: ["get", "list", "watch"]
- apiGroups: ["security-profiles-operator.x-k8s.io"]
resources: ["seccompprofiles"]
# Required for integration with the Kubernetes Security Profiles Operator
verbs: ["list", "watch", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: beyla-cluster-role-binding
subjects:
- kind: ServiceAccount
name: beyla
namespace: beyla-demo
roleRef:
kind: ClusterRole
name: beyla-cluster-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: beyla
namespace: beyla-demo
labels:
k8s-app: beyla
spec:
selector:
matchLabels:
k8s-app: beyla
template:
metadata:
labels:
k8s-app: beyla
annotations:
# We need to set beyla container as unconfined so it is able to write
# the BPF file system.
# Otherwise, we can have error like:
# "failed to create server failed to create or mount folder for pinning bpf maps: can't mount BPF filesystem: permission denied""
#
# Default rules can be found here: https://github.com/moby/moby/blob/master/profiles/apparmor/template.go
# Both 'mount' and access to /sys/fs/bpf are denied by default.
#
# Instead of 'unconfined', you can define a more refined policy which allows Beyla to use 'mount'
container.apparmor.security.beta.kubernetes.io/beyla: "unconfined" # <-- Important
spec:
serviceAccount: beyla
hostPID: true # <-- Important. Required in Daemonset mode so Beyla can discover all monitored processes
initContainers:
- name: mount-bpf-fs
image: grafana/beyla:latest
args:
# Create the directory and mount the BPF filesystem.
- 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH'
command:
- /bin/bash
- -c
- --
securityContext:
# The init container is privileged so that it can use bidirectional mount propagation
privileged: true
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
# Make sure the mount is propagated back to the host so it can be used by the Beyla container
mountPropagation: Bidirectional
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Use a unique path for each namespace to prevent collisions with other namespaces.
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
containers:
- name: beyla
terminationMessagePolicy: FallbackToLogsOnError
image: grafana/beyla:latest
env:
- name: BEYLA_TRACE_PRINTER
value: "text"
- name: BEYLA_EXECUTABLE_NAME
value: "greetings"
- name: BEYLA_SERVICE_NAMESPACE
value: "k8s-test"
- name: BEYLA_LOG_LEVEL
value: "INFO"
- name: BEYLA_INTERNAL_METRICS_PROMETHEUS_PORT
value: "8999"
- name: BEYLA_KUBE_METADATA_ENABLE
value: "autodetect"
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Use a unique path for each namespace to prevent collisions with other namespaces.
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
- name: BEYLA_BPF_FS_BASE_DIR
value: /sys/fs/bpf
securityContext:
runAsUser: 0
readOnlyRootFilesystem: true
capabilities:
add:
- BPF # <-- Important. Required for most eBPF probes to function correctly.
- SYS_PTRACE # <-- Important. Allows Beyla to access the container namespaces and inspect executables.
- NET_RAW # <-- Important. Allows Beyla to use socket filters for http requests.
- CHECKPOINT_RESTORE # <-- Important. Allows Beyla to open ELF files.
- DAC_READ_SEARCH # <-- Important. Allows Beyla to open ELF files.
- PERFMON # <-- Important. Allows Beyla to load BPF programs.
#- SYS_RESOURCE # <-- pre 5.11 only. Allows Beyla to increase the amount of locked memory.
#- SYS_ADMIN # <-- Required for Go application trace context propagation, or if kernel.perf_event_paranoid >= 3 on Debian distributions.
drop:
- ALL
volumeMounts:
- name: var-run-beyla
mountPath: /var/run/beyla
- name: cgroup
mountPath: /sys/fs/cgroup
- name: bpffs
mountPath: /sys/fs/bpf
mountPropagation: HostToContainer # <-- Important. Allows Beyla to see the BPF mount from the init container
tolerations:
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- name: var-run-beyla
emptyDir: {}
- name: cgroup
hostPath:
path: /sys/fs/cgroup
- name: bpffs
hostPath:
path: /sys/fs/bpf
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: rust-service
namespace: beyla-demo
labels:
k8s-app: rust-service
spec:
selector:
matchLabels:
k8s-app: rust-service
template:
metadata:
labels:
k8s-app: rust-service
spec:
serviceAccount: beyla
containers:
- name: rust-service
image: 'ghcr.io/grafana/beyla-demo/greeting-actix-rust/0.0.1'
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8090
hostPort: 8090
name: service
resources:
limits:
memory: 120Mi
securityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
---