@@ -0,0 +1,6 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: sysdig-image-analyzer
data:
debug: "false"
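--- a/agent_deploy/kubernetes/sysdig-image-analyzer-daemonset.yaml
+++ b/agent_deploy/kubernetes/sysdig-image-analyzer-daemonset.yaml
@@ -0,0 +1,143 @@
+# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: sysdig-image-analyzer
+  labels:
+    app: sysdig-image-analyzer
+spec:
+  selector:
+    matchLabels:
+      app: sysdig-image-analyzer
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: sysdig-image-analyzer
+    spec:
+      volumes:
+        # Needed for cri-o image inspection.
+        # cri-o and especially OCP 4.x by default use containers/storage to handle images, and this makes sure that the
+        # analyzer has access to the configuration. This file is mounted read-only.
+        - name: etc-containers-storage-vol
+          hostPath:
+            path: /etc/containers/storage.conf
+        # Needed for cri-o image inspection.
+        # This is the directory where image data is stored by default when using cri-o and OCP 4.x and the analyzer
+        # uses it to get the data to scan. This directory must be mounted r/w because proper access to its files through
+        # the containers/storage library is always regulated with a lockfile.
+        - name: var-lib-containers-vol
+          hostPath:
+            path: /var/lib/containers
+        # Needed for socket access
+        - name: varrun-vol
+          hostPath:
+            path: /var/run
+        # Add custom volume here
+        - name: sysdig-image-analyzer-config
+          configMap:
+            name: sysdig-image-analyzer
+            optional: true
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+      # The following line is necessary for RBAC
+      serviceAccount: sysdig-agent
+      terminationGracePeriodSeconds: 5
+      containers:
+        - name: sysdig-image-analyzer
+          image: docker.io/sysdig/node-image-analyzer:latest
+          securityContext:
+            # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to
+            # running containers by default regardless of volume mounts. In those cases, access to the CRI socket would fail.
+            privileged: true
+          imagePullPolicy: Always
+          resources:
+            limits:
+              cpu: 500m
+              memory: 1024Mi
+            requests:
+              cpu: 250m
+              memory: 512Mi
+          volumeMounts:
+            - mountPath: /var/run
+              name: varrun-vol
+            - mountPath: /etc/containers/storage.conf
+              name: etc-containers-storage-vol
+              readOnly: true
+            - mountPath: /var/lib/containers
+              name: var-lib-containers-vol
+            # Add custom volume mount here
+          env:
+            - name: ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: sysdig-agent
+                  key: access-key
+            - name: IMAGE_PERIOD
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: image_period
+                  optional: true
+            - name: IMAGE_CACHE_TTL
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: image_cache_ttl
+                  optional: true
+            - name: REPORT_PERIOD
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: report_period
+                  optional: true
+            - name: DOCKER_SOCKET_PATH
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: docker_socket_path
+                  optional: true
+            - name: CRI_SOCKET_PATH
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: cri_socket_path
+                  optional: true
+            - name: AM_COLLECTOR_ENDPOINT
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: collector_endpoint
+                  optional: true
+            - name: AM_COLLECTOR_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: collector_timeout
+                  optional: true
+            - name: CHECK_CERTIFICATE
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: check_certificate
+                  optional: true
+            - name: K8S_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: K8S_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: K8S_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: DEBUG
+              valueFrom:
+                configMapKeyRef:
+                  name: sysdig-image-analyzer
+                  key: debug
+                  optional: true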
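Review bot: The container runs `privileged: true` with read-write hostPath mounts of `/var/run` and `/var/lib/containers` on every node including masters, yet the image is pulled as `docker.io/sysdig/node-image-analyzer:latest` with `imagePullPolicy: Always`, so each node restart may execute a different, unreviewed build with full host access. Pin the image to a release tag or digest, e.g. `image: docker.io/sysdig/node-image-analyzer:<pinned-version-or-@sha256-digest>` (placeholder), and note the pinning requirement next to the existing privileged-flag comment so operators understand why the two belong together. Separately, `serviceAccount: sysdig-agent` is the deprecated alias; `serviceAccountName: sysdig-agent` is the supported field and the RBAC comment above it should reference that name. It may also be worth a short comment on the `varrun-vol` mount stating that it is intentionally read-write because the analyzer needs socket access, since the other hostPath mounts document their r/w rationale but this one does not.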