From 29de008f22e3f2eb93d16027d0d24f44889f7bdf Mon Sep 17 00:00:00 2001
From: Ilya Gavrilov
Date: Fri, 20 Dec 2024 01:20:13 +0100
Subject: [PATCH] Initialize kubeshark pinned eBPF resources inside init container (#1665)
* Clean kubeshark pinned bpf resources inside init container
* Clean kubeshark pinned bpf resources inside init container
* Update 09-worker-daemon-set.yaml
* add IPC_LOCK capability to sniffer
* add init container to mount bpf filesystem
* add init container to mount bpf filesystem
---------
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
---
 .../templates/09-worker-daemon-set.yaml | 33 +++++++++++++++++++
 helm-chart/values.yaml | 1 +
 manifests/complete.yaml | 26 +++++++++++++++
 3 files changed, 60 insertions(+)
diff --git a/helm-chart/templates/09-worker-daemon-set.yaml b/helm-chart/templates/09-worker-daemon-set.yaml
index bd17e79a2..15d76be1c 100644
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@@ -25,6 +25,39 @@ spec:
 name: kubeshark-worker-daemon-set
 namespace: kubeshark
 spec:
+ initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
+ {{- if .Values.tap.docker.overrideTag.worker }}
+ image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+ {{ else }}
+ image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+ {{- end }}
+ imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+ name: check-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
+ mountPropagation: Bidirectional
+ - command:
+ - ./tracer
+ - -init-bpf
+ {{- if .Values.tap.docker.overrideTag.worker }}
+ image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+ {{ else }}
+ image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
+ {{- end }}
+ imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
+ name: init-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
 containers:
 - command:
 - ./worker
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index a37d2b5ee..15b1638c4 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -121,6 +121,7 @@ tap:
 - SYS_ADMIN
 - SYS_PTRACE
 - DAC_OVERRIDE
+ - IPC_LOCK
 ebpfCapture:
 - SYS_ADMIN
 - SYS_PTRACE
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index f07d415a2..945e2bda7 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
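Review bot: The check-bpf init container's command `mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf` mixes `&&` and `||` without grouping, so a failing `mkdir -p` (sysfs will not create a missing directory) falls through to the mount attempt, and the unanchored grep matches any mount line that merely contains that path. A tighter guard is `mountpoint -q /sys/fs/bpf || mount -t bpf bpf /sys/fs/bpf` if the worker image provides `mountpoint`, otherwise `mount | grep -q ' /sys/fs/bpf ' || mount -t bpf bpf /sys/fs/bpf`. Because /sys is mounted `Bidirectional` in a privileged container, the bpffs mount is intentionally made on the host and outlives the pod; a comment on the `mountPropagation: Bidirectional` line such as `# the bpffs mount must propagate to the host so tracer/worker can pin objects under /sys/fs/bpf` would stop someone later narrowing it. The init-bpf container mounts /sys without propagation and so depends on the host bpffs being visible through that bind mount once check-bpf has run, which I would expect with a recursive bind but is worth confirming on the runtimes you support. The same block is rendered into manifests/complete.yaml, and the `sys` volume both containers reference is defined outside this hunk.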
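Review bot: `IPC_LOCK` is added to this capability list with no comment saying why it is needed, and capability grants in values.yaml are exactly what operators audit when deciding whether to trust the chart. The PR description ties it to the sniffer, which is consistent with BPF map memory being charged against RLIMIT_MEMLOCK on older kernels; on newer kernels that account BPF memory to the cgroup it may no longer be required. Suggest an inline comment on the new line, e.g. `- IPC_LOCK  # raise RLIMIT_MEMLOCK for BPF maps on kernels that charge them against memlock`, so the grant can be revisited when the supported kernel floor moves. The same line is added to manifests/complete.yaml in its second hunk.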
@@ -490,6 +490,31 @@ spec:
 name: kubeshark-worker-daemon-set
 namespace: kubeshark
 spec:
+ initContainers:
+ - command:
+ - /bin/sh
+ - -c
+ - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
+ image: 'docker.io/kubeshark/worker:v52.3.92'
+ imagePullPolicy: Always
+ name: check-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
+ mountPropagation: Bidirectional
+ - command:
+ - ./tracer
+ - -init-bpf
+ image: 'docker.io/kubeshark/worker:v52.3.92'
+ imagePullPolicy: Always
+ name: init-bpf
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /sys
+ name: sys
 containers:
 - command:
 - ./worker
@@ -559,6 +584,7 @@ spec:
 - SYS_ADMIN
 - SYS_PTRACE
 - DAC_OVERRIDE
+ - IPC_LOCK
 drop:
 - ALL
 readinessProbe: