tetragon: run Tetragon without access to CRD #1931

merged 2 commits into from
Jan 23, 2024
96 changes: 57 additions & 39 deletions cmd/tetragon/main.go
Expand Up @@ -72,6 +72,7 @@ import (
apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
apiextensionsinformer "k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/cache"
)

Expand Down Expand Up @@ -357,50 +358,16 @@ func tetragonExecute() error {
var k8sWatcher watcher.K8sResourceWatcher
if option.Config.EnableK8s {
log.Info("Enabling Kubernetes API")
crds := map[string]struct{}{
v1alpha1.TPName: {},
v1alpha1.TPNamespacedName: {},
}
if option.Config.EnablePodInfo {
crds[v1alpha1.PIName] = struct{}{}
}
config, err := k8sconf.K8sConfig()
if err != nil {
return err
}
log.WithField("crds", crds).Info("Waiting for required CRDs")
var wg sync.WaitGroup
wg.Add(1)
k8sClient := kubernetes.NewForConfigOrDie(config)
crdClient := apiextensionsclientset.NewForConfigOrDie(config)
crdInformer := apiextensionsinformer.NewCustomResourceDefinitionInformer(crdClient, 0*time.Second, nil)
_, err = crdInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: func(obj interface{}) {
crdObject, ok := obj.(*v1.CustomResourceDefinition)
if !ok {
log.WithField("obj", obj).Warn("Received an invalid object")
return
}
if _, ok := crds[crdObject.Name]; ok {
log.WithField("crd", crdObject.Name).Info("Found CRD")
delete(crds, crdObject.Name)
if len(crds) == 0 {
log.Info("Found all the required CRDs")
wg.Done()
}
}
},
})
if err != nil {
log.WithError(err).Error("failed to add event handler")

if err := waitCRDs(config); err != nil {
return err
}
stop := make(chan struct{})
go func() {
crdInformer.Run(stop)
}()
wg.Wait()
close(stop)

k8sClient := kubernetes.NewForConfigOrDie(config)
k8sWatcher = watcher.NewK8sWatcher(k8sClient, 60*time.Second)
} else {
log.Info("Disabling Kubernetes API")
Expand Down Expand Up @@ -452,7 +419,7 @@ func tetragonExecute() error {
log.WithField("enabled", option.Config.ExportFilename != "").WithField("fileName", option.Config.ExportFilename).Info("Exporter configuration")
obs.AddListener(pm)
saveInitInfo()
if option.Config.EnableK8s {
if option.Config.EnableK8s && option.Config.EnableTracingPolicyCRD {
go crd.WatchTracePolicy(ctx, observer.GetSensorManager())
}

Expand Down Expand Up @@ -496,6 +463,57 @@ func tetragonExecute() error {
return obs.Start(ctx)
}

func waitCRDs(config *rest.Config) error {
crds := make(map[string]struct{})

if option.Config.EnableTracingPolicyCRD {
crds[v1alpha1.TPName] = struct{}{}
crds[v1alpha1.TPNamespacedName] = struct{}{}
}
if option.Config.EnablePodInfo {
crds[v1alpha1.PIName] = struct{}{}
}

if len(crds) == 0 {
log.Info("No CRDs are enabled")
return nil
}

log.WithField("crds", crds).Info("Waiting for required CRDs")
var wg sync.WaitGroup
wg.Add(1)
crdClient := apiextensionsclientset.NewForConfigOrDie(config)
crdInformer := apiextensionsinformer.NewCustomResourceDefinitionInformer(crdClient, 0*time.Second, nil)
_, err := crdInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: func(obj interface{}) {
crdObject, ok := obj.(*v1.CustomResourceDefinition)
if !ok {
log.WithField("obj", obj).Warn("Received an invalid object")
return
}
if _, ok := crds[crdObject.Name]; ok {
log.WithField("crd", crdObject.Name).Info("Found CRD")
delete(crds, crdObject.Name)
if len(crds) == 0 {
log.Info("Found all the required CRDs")
wg.Done()
}
}
},
})
if err != nil {
log.WithError(err).Error("failed to add event handler")
return err
}
stop := make(chan struct{})
go func() {
crdInformer.Run(stop)
}()
wg.Wait()
close(stop)
return nil
}

func loadTpFromDir(ctx context.Context, dir string) error {
tpMaxDepth := 1
tpFS := os.DirFS(dir)
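Review bot: The new waitCRDs still blocks forever when a required CRD never shows up — for example when the agent's ServiceAccount is not permitted to list customresourcedefinitions — because `wg.Wait()` has no timeout and no context, so a deployment that forgot to set enable-tracing-policy-crd=false hangs at startup with nothing but reflector errors in the log; now that running without CRD access is a supported mode, this failure is more likely, and the function also has no doc comment. I would thread `ctx` into it (it is already used in tetragonExecute at `crd.WatchTracePolicy(ctx, …)`, assuming it is declared before the EnableK8s branch), replace the WaitGroup with a closed-once channel, and select on `ctx.Done()` so a stuck wait surfaces as an error instead of a hang. The doc comment should state that the function returns nil immediately when no CRD-backed feature is enabled and otherwise waits for the TracingPolicy/TracingPolicyNamespaced and PodInfo CRDs. The caller at `if err := waitCRDs(config); err != nil {` becomes `waitCRDs(ctx, config)`.
```go
// waitCRDs blocks until every CRD required by the enabled features
// (TracingPolicy/TracingPolicyNamespaced, PodInfo) exists in the cluster,
// or until ctx is done. It returns nil immediately when no CRD-backed
// feature is enabled.
func waitCRDs(ctx context.Context, config *rest.Config) error {
	// … unchanged: crds map construction and the len(crds) == 0 early return …
	found := make(chan struct{})
	var once sync.Once
	// … unchanged: informer construction; in AddFunc, wg.Done() becomes once.Do(func() { close(found) }) …
	stop := make(chan struct{})
	go crdInformer.Run(stop)
	defer close(stop)
	select {
	case <-found:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}
```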
3 changes: 2 additions & 1 deletion docs/content/en/docs/reference/helm-chart.md


4 changes: 4 additions & 0 deletions docs/data/tetragon_flags.yaml


3 changes: 2 additions & 1 deletion install/kubernetes/tetragon/README.md


Expand Up @@ -8,3 +8,4 @@ metadata:
data:
skip-crd-creation: {{ .Values.tetragonOperator.skipCRDCreation | quote }}
skip-pod-info-crd: {{ not .Values.tetragonOperator.podInfo.enabled | quote }}
skip-tracing-policy-crd: {{ not .Values.tetragonOperator.tracingPolicy.enabled | quote }}
Expand Up @@ -56,4 +56,5 @@ data:
enable-msg-handling-latency: "true"
{{- end }}
enable-pod-info: {{ .Values.tetragonOperator.podInfo.enabled | quote }}
enable-tracing-policy-crd: {{ .Values.tetragonOperator.tracingPolicy.enabled | quote }}
{{- include "configmap.extra" . | nindent 2 }}
3 changes: 3 additions & 0 deletions install/kubernetes/tetragon/values.yaml
Expand Up @@ -232,6 +232,9 @@ tetragonOperator:
# -- Enables the PodInfo CRD and the controller that reconciles PodInfo
# custom resources.
enabled: false
tracingPolicy:
# -- Enables the TracingPolicy and TracingPolicyNamespaced CRD creation.
enabled: true
# -- Enables the Tetragon Operator metrics.
prometheus:
enabled: true
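Review bot: The new `tracingPolicy.enabled` comment describes only CRD creation, but the same value also drives the agent's `enable-tracing-policy-crd` setting in the tetragon configmap and the operator's `skip-tracing-policy-crd`, so a user reading values.yaml cannot tell that disabling it changes agent behaviour as well. Suggested wording: `# -- Enables the TracingPolicy and TracingPolicyNamespaced CRDs: the operator creates them and the agent waits for and watches them. Disable to run Tetragon without access to these CRDs.`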
1 change: 1 addition & 0 deletions operator/cmd/common/common.go
Expand Up @@ -21,6 +21,7 @@ func AddCommonFlags(cmd *cobra.Command) {
flags.String(operatorOption.KubeCfgPath, "", "Kubeconfig filepath to connect to k8s")
flags.String(operatorOption.ConfigDir, "", "Directory in which tetragon-operator-config configmap is mounted")
flags.Bool(operatorOption.SkipPodInfoCRD, false, "When true, PodInfo Custom Resource Definition (CRD) will not be created")
flags.Bool(operatorOption.SkipTracingPolicyCRD, false, "When true, TracingPolicy and TracingPolicyNamespaced Custom Resource Definition (CRD) will not be created")
}

func Initialize(cmd *cobra.Command) {
7 changes: 6 additions & 1 deletion operator/crd/crd.go
Expand Up @@ -58,7 +58,12 @@ func RegisterCRDs() {

crds := []crdutils.CRD{}
for _, crd := range client.AllCRDs {
if option.Config.SkipPodInfoCRD && crd.CRDName == client.PodInfoCRD.CRDName {
switch {
case option.Config.SkipPodInfoCRD && crd.CRDName == client.PodInfoCRD.CRDName:
continue
case option.Config.SkipTracingPolicyCRD && crd.CRDName == client.TracingPolicyCRD.CRDName:
continue
case option.Config.SkipTracingPolicyCRD && crd.CRDName == client.TracingPolicyNamespacedCRD.CRDName:
continue
}
crds = append(crds, crd)
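Review bot: The two SkipTracingPolicyCRD cases in the new switch repeat the same guard and both `continue`, which reads as two unrelated conditions rather than "skip the pair"; folding them into one case makes the intent explicit: `case option.Config.SkipTracingPolicyCRD && (crd.CRDName == client.TracingPolicyCRD.CRDName || crd.CRDName == client.TracingPolicyNamespacedCRD.CRDName):`. RegisterCRDs begins before this hunk.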
9 changes: 9 additions & 0 deletions operator/option/config.go
Expand Up @@ -26,6 +26,10 @@ const (
// SkipPodInfoCRD specifies whether the tetragonPod CustomResourceDefinition will be
// disabled
SkipPodInfoCRD = "skip-pod-info-crd"

// SkipTracingPolicyCRD specifies whether the tracing-policies CustomResourceDefinition will be
// disabled
SkipTracingPolicyCRD = "skip-tracing-policy-crd"
)

// OperatorConfig is the configuration used by the operator.
Expand All @@ -42,6 +46,10 @@ type OperatorConfig struct {

// SkipPodInfoCRD disables creation of the TetragonPod CustomResourceDefinition only.
SkipPodInfoCRD bool

// SkipTracingPolicyCRD disables creation of the TracingPolicy and
// TracingPolicyNamespaced CustomResourceDefinition only.
SkipTracingPolicyCRD bool
}

// Config represents the operator configuration.
Expand All @@ -53,4 +61,5 @@ func ConfigPopulate() {
Config.KubeCfgPath = viper.GetString(KubeCfgPath)
Config.ConfigDir = viper.GetString(ConfigDir)
Config.SkipPodInfoCRD = viper.GetBool(SkipPodInfoCRD)
Config.SkipTracingPolicyCRD = viper.GetBool(SkipTracingPolicyCRD)
}
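Review bot: The doc comment on the new SkipTracingPolicyCRD constant says "the tracing-policies CustomResourceDefinition will be disabled", which names a single CRD with a name that does not exist, while the struct field comment below and the flag help in common.go both say it covers the TracingPolicy and TracingPolicyNamespaced CRDs; the two comments should agree. Suggested: `// SkipTracingPolicyCRD specifies whether creation of the TracingPolicy and` / `// TracingPolicyNamespaced CustomResourceDefinitions is skipped.`.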
3 changes: 2 additions & 1 deletion pkg/option/config.go
Expand Up @@ -83,7 +83,8 @@ type config struct {

KMods []string

EnablePodInfo bool
EnablePodInfo bool
EnableTracingPolicyCRD bool

ExposeKernelAddresses bool
}
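Review bot: The new EnableTracingPolicyCRD field has no comment, and its effect is spread across two places in main.go (the startup CRD wait and the conditional `crd.WatchTracePolicy` start), so a reader of the config struct cannot see what it gates. Suggested: `// EnableTracingPolicyCRD makes the agent wait for the TracingPolicy and` / `// TracingPolicyNamespaced CRDs at startup and watch them for policies.`. The config struct begins before this hunk.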
5 changes: 4 additions & 1 deletion pkg/option/flags.go
Expand Up @@ -86,7 +86,8 @@ const (

KeyKmods = "kmods"

KeyEnablePodInfo = "enable-pod-info"
KeyEnablePodInfo = "enable-pod-info"
KeyEnableTracingPolicyCRD = "enable-tracing-policy-crd"

KeyExposeKernelAddresses = "expose-kernel-addresses"

Expand Down Expand Up @@ -165,6 +166,7 @@ func ReadAndSetFlags() error {
Config.KMods = viper.GetStringSlice(KeyKmods)

Config.EnablePodInfo = viper.GetBool(KeyEnablePodInfo)
Config.EnableTracingPolicyCRD = viper.GetBool(KeyEnableTracingPolicyCRD)

Config.TracingPolicy = viper.GetString(KeyTracingPolicy)

Expand Down Expand Up @@ -271,6 +273,7 @@ func AddFlags(flags *pflag.FlagSet) {
flags.String(KeyRBQueueSize, "65535", "Set size of channel between ring buffer and sensor go routines (default 65k, allows K/M/G suffix)")

flags.Bool(KeyEnablePodInfo, false, "Enable PodInfo custom resource")
flags.Bool(KeyEnableTracingPolicyCRD, true, "Enable TracingPolicy and TracingPolicyNamespaced custom resources")

flags.Bool(KeyExposeKernelAddresses, false, "Expose real kernel addresses in events stack traces")

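Review bot: The help string for the new KeyEnableTracingPolicyCRD flag says only "Enable TracingPolicy and TracingPolicyNamespaced custom resources", which does not tell an operator what turning it off buys them — that the agent then neither waits for nor watches those CRDs and so needs no access to them, with policies still loadable from files via the existing tracing-policy options. Suggested: `flags.Bool(KeyEnableTracingPolicyCRD, true, "Enable TracingPolicy and TracingPolicyNamespaced custom resources (wait for the CRDs at startup and watch them for policies); disable to run without CRD access, policies can still be loaded from files")`. AddFlags begins before this hunk.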