Initialize kubeshark pinned eBPF resources inside init container (#1665)

* Clean kubeshark pinned bpf resources inside init container * Clean kubeshark pinned bpf resources inside init container * Update 09-worker-daemon-set.yaml * add IPC_LOCK capability to sniffer * add init container to mount bpf filesystem * add init container to mount bpf filesystem --------- Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2025-06-30 01:54:46 +00:00 · 2024-12-20 01:20:13 +01:00 · 2024-12-20 01:20:13 +01:00 · 29de008f22
commit 29de008f22
parent 261a0ca1a9
3 changed files with 60 additions and 0 deletions
--- a/helm-chart/templates/09-worker-daemon-set.yaml
+++ b/helm-chart/templates/09-worker-daemon-set.yaml
@ -25,6 +25,39 @@ spec:
      name: kubeshark-worker-daemon-set
      namespace: kubeshark
    spec:
      initContainers:
        - command:
          - /bin/sh
          - -c
          - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
        {{- if .Values.tap.docker.overrideTag.worker }}
          image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
        {{ else }}
          image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
        {{- end }}
          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
          name: check-bpf
          securityContext:
            privileged: true
          volumeMounts:
          - mountPath: /sys
            name: sys
            mountPropagation: Bidirectional
        - command:
          - ./tracer
          - -init-bpf
        {{- if .Values.tap.docker.overrideTag.worker }}
          image: '{{ .Values.tap.docker.registry }}/worker:{{ .Values.tap.docker.overrideTag.worker }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
        {{ else }}
          image: '{{ .Values.tap.docker.registry }}/worker:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}{{ include "kubeshark.dockerTagDebugVersion" . }}'
        {{- end }}
          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
          name: init-bpf
          securityContext:
            privileged: true
          volumeMounts:
          - mountPath: /sys
            name: sys
      containers:
        - command:
            - ./worker
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@ -121,6 +121,7 @@ tap:
    - SYS_ADMIN
    - SYS_PTRACE
    - DAC_OVERRIDE
    - IPC_LOCK
    ebpfCapture:
    - SYS_ADMIN
    - SYS_PTRACE
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
@ -490,6 +490,31 @@ spec:
      name: kubeshark-worker-daemon-set
      namespace: kubeshark
    spec:
      initContainers:
        - command:
          - /bin/sh
          - -c
          - mkdir -p /sys/fs/bpf && mount | grep -q '/sys/fs/bpf' || mount -t bpf bpf /sys/fs/bpf
          image: 'docker.io/kubeshark/worker:v52.3.92'
          imagePullPolicy: Always
          name: check-bpf
          securityContext:
            privileged: true
          volumeMounts:
          - mountPath: /sys
            name: sys
            mountPropagation: Bidirectional
        - command:
          - ./tracer
          - -init-bpf
          image: 'docker.io/kubeshark/worker:v52.3.92'
          imagePullPolicy: Always
          name: init-bpf
          securityContext:
            privileged: true
          volumeMounts:
          - mountPath: /sys
            name: sys
      containers:
        - command:
            - ./worker
@ -559,6 +584,7 @@ spec:
                - SYS_ADMIN
                - SYS_PTRACE
                - DAC_OVERRIDE
                - IPC_LOCK
              drop:
                - ALL
          readinessProbe: