Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deployment: configure K8s export logs #1575

Merged
merged 3 commits into from
Oct 11, 2023
Merged

deployment: configure K8s export logs #1575

merged 3 commits into from
Oct 11, 2023

Conversation

tixxdz
Copy link
Member

@tixxdz tixxdz commented Oct 10, 2023
edited by kkourt
Loading 

export: switch to default permissions on exported JSON to 0600.

@tixxdz tixxdz requested a review from a team as a code owner October 10, 2023 23:33
@tixxdz tixxdz requested a review from olsajiri October 10, 2023 23:33
@tixxdz tixxdz force-pushed the pr/tixxdz/restrict-volume-access branch 2 times, most recently from 592f9ab to 03ab16d Compare October 10, 2023 23:57
@netlify
Copy link

netlify bot commented Oct 10, 2023
edited
Loading

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 5465b07
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/65269357aa09e6000887e6f7
😎 Deploy Preview https://deploy-preview-1575--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

michi-covalent
michi-covalent reviewed Oct 11, 2023
View reviewed changes
install/kubernetes/values.yaml Outdated
Comment on lines 55 to 63
extraEnv:
# Tetragon can be deployed in different forms, from a Kubernetes pod, container,
# or a systemd service, having this environment variable helps to properly
# detect the environment where Tetragon is running.
- name: TETRAGON_DEPLOYMENT_MODE
value: k8s
# Tetragon export logs file permissions as a string, default readable/writable by owner only.
- name: TETRAGON_LOGS_PERM
value: "0660"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yeah sorry i shouldn't have suggested to use extraEnv, i thought you were just testing something out locally to pass some environment variables. i think these should be proper helm values.

there are already existing helm values related to export files, so i think we should add:

tetragon.exportFilePermission: "0660"

or some such setting instead of using extraEnv.

regarding TETRAGON_DEPLOYMENT_MODE, i'm kind of hoping tetragon can somehow autodetect it instead of asking users to specify it 💭

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for the extraEnv, I thought we can get a way with it ;-) as didn't want to overcharge tetragon --flags, as by default they should be restricted, and those permission make sense only under k8s... anyway I made the change now as you suggested!

For TETRAGON_DEPLOYMENT_MODE I removed it , and yes we have some autologic detection, that first checks --enable-k8s-api and assumes kubernetes, otherwise it does some foo cgroup namespace detection.

Then the improvement later would be to differentiate between k8s and pure container (without k8s) deployments as the container tries to hide some information, but will improve it later to do detection from kernel side.

@tixxdz tixxdz changed the title deployment: configure logs deployment: configure K8s export logs Oct 11, 2023
tixxdz added 3 commits October 11, 2023 14:16
@tixxdz
tetragon: add --export-file-perm flag
b7afce8 
Switch to default permissions on exported JSON to 0600.

This flag allows users to change this and set their own permissions.

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
@tixxdz
helm: add tetragon.exportFilePerm
eaa5a39 
Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
@tixxdz
doc: update tetragon daemon flags
5465b07 
Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
@tixxdz tixxdz force-pushed the pr/tixxdz/restrict-volume-access branch from 03ab16d to 5465b07 Compare October 11, 2023 12:21
@tixxdz tixxdz requested a review from mtardy as a code owner October 11, 2023 12:21
@tixxdz tixxdz merged commit 2c61d4c into main Oct 11, 2023
@tixxdz tixxdz deleted the pr/tixxdz/restrict-volume-access branch October 11, 2023 14:58
@p-linnane p-linnane mentioned this pull request Nov 1, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michi-covalent michi-covalent michi-covalent approved these changes

@olsajiri olsajiri Awaiting requested review from olsajiri olsajiri is a code owner automatically assigned from cilium/tetragon

@jrfastab jrfastab Awaiting requested review from jrfastab

@mtardy mtardy Awaiting requested review from mtardy mtardy is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tixxdz @michi-covalent