install odigos in openshift

odigos-io · May 23, 2024 · 92a125f · 92a125f
1 parent 7a2aa4d
commit 92a125f
Show file tree

Hide file tree

Showing 6 changed files with 181 additions and 9 deletions.
diff --git a/api/odigos/v1alpha1/odigosconfig_types.go b/api/odigos/v1alpha1/odigosconfig_types.go
@@ -34,6 +34,7 @@ type OdigosConfigurationSpec struct {
 	OdigosVersion     string                                          `json:"odigosVersion"`
 	ConfigVersion     int                                             `json:"configVersion"`
 	TelemetryEnabled  bool                                            `json:"telemetryEnabled,omitempty"`
+	OpenshiftEnabled  bool                                            `json:"openshiftEnabled,omitempty"`
 	IgnoredNamespaces []string                                        `json:"ignoredNamespaces,omitempty"`
 	IgnoredContainers []string                                        `json:"ignoredContainers,omitempty"`
 	Psp               bool                                            `json:"psp,omitempty"`

diff --git a/autoscaler/controllers/gateway/deployment.go b/autoscaler/controllers/gateway/deployment.go
@@ -155,7 +155,7 @@ func getDesiredDeployment(dests *odigosv1.DestinationList, configData string,
 								},
 							},
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: int64Ptr(10000),
+								AllowPrivilegeEscalation: boolPtr(false),
 							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
@@ -223,6 +223,10 @@ func getSecretsFromDests(destList *odigosv1.DestinationList) []corev1.EnvFromSou
 	return result
 }
 
+func boolPtr(b bool) *bool {
+	return &b
+}
+
 func intPtr(n int32) *int32 {
 	return &n
 }

diff --git a/cli/cmd/install.go b/cli/cmd/install.go
@@ -31,6 +31,7 @@ var (
 	versionFlag                string
 	skipWait                   bool
 	telemetryEnabled           bool
+	openshiftEnabled           bool
 	psp                        bool
 	userInputIgnoredNamespaces []string
 	userInputIgnoredContainers []string
@@ -172,6 +173,7 @@ func createOdigosConfigSpec() odigosv1.OdigosConfigurationSpec {
 		OdigosVersion:     versionFlag,
 		ConfigVersion:     1, // config version starts at 1 and incremented on every config change
 		TelemetryEnabled:  telemetryEnabled,
+		OpenshiftEnabled:  openshiftEnabled,
 		IgnoredNamespaces: fullIgnoredNamespaces,
 		IgnoredContainers: fullIgnoredContainers,
 		Psp:               psp,
@@ -199,6 +201,7 @@ func init() {
 	installCmd.Flags().StringVarP(&odigosOnPremToken, "onprem-token", "", "", "authentication token for odigos enterprise on-premises")
 	installCmd.Flags().BoolVar(&skipWait, "nowait", false, "skip waiting for odigos pods to be ready")
 	installCmd.Flags().BoolVar(&telemetryEnabled, "telemetry", true, "send general telemetry regarding Odigos usage")
+	installCmd.Flags().BoolVar(&openshiftEnabled, "openshift", false, "configure selinux on openshift nodes")
 	installCmd.Flags().StringVar(&odigletImage, "odiglet-image", "", "odiglet container image name")
 	installCmd.Flags().StringVar(&instrumentorImage, "instrumentor-image", "keyval/odigos-instrumentor", "instrumentor container image name")
 	installCmd.Flags().StringVar(&autoScalerImage, "autoscaler-image", "keyval/odigos-autoscaler", "autoscaler container image name")

diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go
@@ -117,6 +117,15 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 					"deployments/status",
 				},
 			},
+			{
+				Verbs: []string{
+					"get",
+				},
+				APIGroups: []string{"apps"},
+				Resources: []string{
+					"deployments/finalizers",
+				},
+			},
 			{
 				Verbs: []string{
 					"get",
@@ -135,6 +144,15 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 					"statefulsets/status",
 				},
 			},
+			{
+				Verbs: []string{
+					"get",
+				},
+				APIGroups: []string{"apps"},
+				Resources: []string{
+					"statefulsets/finalizers",
+				},
+			},
 			{
 				Verbs: []string{
 					"get",
@@ -153,6 +171,15 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 					"daemonsets/status",
 				},
 			},
+			{
+				Verbs: []string{
+					"get",
+				},
+				APIGroups: []string{"apps"},
+				Resources: []string{
+					"daemonsets/finalizers",
+				},
+			},
 			{
 				Verbs: []string{
 					"create",
@@ -238,7 +265,61 @@ func NewOdigletClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
 	}
 }
 
-func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageName string, odigosTier common.OdigosTier) *appsv1.DaemonSet {
+func NewSCCRoleBinding(ns string) *rbacv1.RoleBinding {
+	return &rbacv1.RoleBinding{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "RoleBinding",
+			APIVersion: "rbac.authorization.k8s.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "system:openshift:scc:privileged",
+			Namespace: ns,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "odiglet",
+				Namespace: ns,
+			},
+			{
+				Kind:      "ServiceAccount",
+				Name:      "odigos-data-collection",
+				Namespace: ns,
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "system:openshift:scc:privileged",
+		},
+	}
+}
+
+func NewSCClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ClusterRoleBinding",
+			APIVersion: "rbac.authorization.k8s.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "system:openshift:scc:anyuid:" + ns,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "Group",
+				Name:      "system:serviceaccounts:" + ns,
+				Namespace: ns,
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "system:openshift:scc:anyuid",
+		},
+	}
+}
+
+func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageName string, odigosTier common.OdigosTier, openshiftEnabled bool) *appsv1.DaemonSet {
 
 	odigosProToken := []corev1.EnvVar{}
 	if odigosTier == common.CloudOdigosTier {
@@ -247,6 +328,13 @@ func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageNam
 		odigosProToken = append(odigosProToken, odigospro.OnPremTokenAsEnvVar())
 	}
 
+	odigosSeLinuxHostVolumes := []corev1.Volume{}
+	odigosSeLinuxHostVolumeMounts := []corev1.VolumeMount{}
+	if openshiftEnabled {
+		odigosSeLinuxHostVolumes = append(odigosSeLinuxHostVolumes, selinuxHostVolumes()...)
+		odigosSeLinuxHostVolumeMounts = append(odigosSeLinuxHostVolumeMounts, selinuxHostVolumeMounts()...)
+	}
+
 	// 50% of the nodes can be unavailable during the update.
 	// if we do not set it, the default value is 1.
 	// 1 means that if 1 daemonset pod fails to update, the whole rollout will be broken.
@@ -300,7 +388,7 @@ func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageNam
 							Effect:   corev1.TaintEffectNoSchedule,
 						},
 					},
-					Volumes: []corev1.Volume{
+					Volumes: append([]corev1.Volume{
 						{
 							Name: "run-dir",
 							VolumeSource: corev1.VolumeSource{
@@ -333,7 +421,7 @@ func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageNam
 								},
 							},
 						},
-					},
+					}, odigosSeLinuxHostVolumes...),
 					Containers: []corev1.Container{
 						{
 							Name:  OdigletContainerName,
@@ -370,7 +458,7 @@ func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageNam
 								},
 							},
 							Resources: corev1.ResourceRequirements{},
-							VolumeMounts: []corev1.VolumeMount{
+							VolumeMounts: append([]corev1.VolumeMount{
 								{
 									Name:             "run-dir",
 									MountPath:        "/run",
@@ -390,7 +478,7 @@ func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageNam
 									Name:      "kernel-debug",
 									MountPath: "/sys/kernel/debug",
 								},
-							},
+							}, odigosSeLinuxHostVolumeMounts...),
 							ImagePullPolicy: "IfNotPresent",
 							SecurityContext: &corev1.SecurityContext{
 								Privileged: ptrbool(true),
@@ -411,6 +499,45 @@ func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageNam
 		},
 	}
 }
+
+// used to inject the host volumes into odigos components for selinux update
+func selinuxHostVolumes() []corev1.Volume {
+	return []corev1.Volume{
+		{
+			Name: "host",
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: "/",
+				},
+			},
+		},
+		{
+			Name: "selinux",
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: "/etc/selinux",
+				},
+			},
+		},
+	}
+}
+
+// used to inject the host volumemounts into odigos components for selinux update
+func selinuxHostVolumeMounts() []corev1.VolumeMount {
+	return []corev1.VolumeMount{
+		{
+			Name:      "host",
+			MountPath: "/host",
+			ReadOnly:  true,
+		},
+		{
+			Name:             "selinux",
+			MountPath:        "/host/etc/seluinux",
+			MountPropagation: ptrMountPropagationMode("Bidirectional"),
+		},
+	}
+}
+
 func ptrMountPropagationMode(p corev1.MountPropagationMode) *corev1.MountPropagationMode {
 	return &p
 }
@@ -446,7 +573,12 @@ func (a *odigletResourceManager) InstallFromScratch(ctx context.Context) error {
 		NewOdigletServiceAccount(a.ns),
 		NewOdigletClusterRole(a.config.Psp),
 		NewOdigletClusterRoleBinding(a.ns),
-		NewOdigletDaemonSet(a.ns, a.config.OdigosVersion, a.config.ImagePrefix, odigletImage, a.odigosTier),
+		NewOdigletDaemonSet(a.ns, a.config.OdigosVersion, a.config.ImagePrefix, odigletImage, a.odigosTier, a.config.OpenshiftEnabled),
+	}
+
+	if a.config.OpenshiftEnabled {
+		resources = append(resources, NewSCCRoleBinding(a.ns))
+		resources = append(resources, NewSCClusterRoleBinding(a.ns))
 	}
 	return a.client.ApplyResources(ctx, a.config.ConfigVersion, resources)
 }
diff --git a/docs/cli/odigos_install.mdx b/docs/cli/odigos_install.mdx
@@ -36,6 +36,7 @@ odigos install [flags]
     -n, --namespace                 target k8s namespace for Odigos installation
         --nowait                    skip waiting for odigos pods to be ready
         --telemetry                 send general telemetry regarding Odigos usage (default true)
+        --openshift                 configure selinux in Openshift environemnt (default false)
         --sidecar-instrumentation   use sidecars for eBPF instrumentations
         --odiglet-image             odiglet container image name
         --instrumentor-image        instrumentor container image name

diff --git a/odiglet/pkg/instrumentation/fs/agents.go b/odiglet/pkg/instrumentation/fs/agents.go
@@ -2,14 +2,20 @@ package fs
 
 import (
 	"os"
+	"os/exec"
 	"path/filepath"
+	"syscall"
 
+	"github.com/odigos-io/odigos/odiglet/pkg/log"
 	cp "github.com/otiai10/copy"
 )
 
 const (
-	containerDir = "/instrumentations"
-	hostDir      = "/var/odigos"
+	containerDir   = "/instrumentations"
+	hostDir        = "/var/odigos"
+	chrootDir      = "/host"
+	semanagePath   = "/sbin/semanage"
+	restoreconPath = "/sbin/restorecon"
 )
 
 func CopyAgentsDirectoryToHost() error {
@@ -34,5 +40,30 @@ func CopyAgentsDirectoryToHost() error {
 	if err != nil {
 		return err
 	}
+
+	// Check if the semanage command exists when running on RHEL/CoreOS
+	_, err = exec.LookPath(filepath.Join(chrootDir, semanagePath))
+	if err == nil {
+		// Run the semanage command to add the new directory to the container_ro_file_t context
+		cmd := exec.Command(semanagePath, "fcontext", "-a", "-t", "container_ro_file_t", "/var/odigos(/.*)?")
+		syscall.Chroot(chrootDir)
+		err = cmd.Run()
+		if err != nil {
+			log.Logger.Error(err, "Error running semanage command")
+		}
+	}
+
+	// Check if the restorecon command exists when running on RHEL/CoreOS
+	_, err = exec.LookPath(filepath.Join(chrootDir, restoreconPath))
+	if err != nil {
+		// Run the restorecon command to apply the new context
+		cmd := exec.Command(restoreconPath, "-r", "/var/odigos")
+		syscall.Chroot(chrootDir)
+		err = cmd.Run()
+		if err != nil {
+			log.Logger.Error(err, "Error running restorecon command")
+		}
+	}
+
 	return nil
 }