Merge pull request #1076 from kinvolk/iaguis/inspektor-gadget

assets/charts/components/inspektor-gadget/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

assets/charts/components/inspektor-gadget/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: inspektor-gadget
+description: Collection of gadgets for debugging and introspecting Kubernetes applications using BPF
+type: application
+
+version: 0.1.0
+appVersion: 0.2.0

assets/charts/components/inspektor-gadget/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "inspektor-gadget.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "inspektor-gadget.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "inspektor-gadget.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "inspektor-gadget.labels" -}}
+helm.sh/chart: {{ include "inspektor-gadget.chart" . }}
+{{ include "inspektor-gadget.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "inspektor-gadget.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "inspektor-gadget.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "inspektor-gadget.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "inspektor-gadget.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

assets/charts/components/inspektor-gadget/templates/daemonset.yaml

@@ -0,0 +1,124 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "inspektor-gadget.fullname" . }}
+  labels:
+    {{- include "inspektor-gadget.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "inspektor-gadget.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+    {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        k8s-app: gadget # kubectl-gadget and headlamp's traceloop plugin expect this
+        {{- include "inspektor-gadget.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "inspektor-gadget.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      hostPID: true
+      hostNetwork: true
+      containers:
+      - name: gadget # kubectl-gadget expects this container name
+        securityContext:
+          privileged: true
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        command: [ "/entrypoint.sh" ]
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - "/cleanup.sh"
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: GADGET_POD_UID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.uid
+        {{- if .Values.enableTraceloop }}
+        - name: TRACELOOP_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: TRACELOOP_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: TRACELOOP_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: TRACELOOP_IMAGE
+          value: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+        {{- end }}
+        - name: INSPEKTOR_GADGET_VERSION
+          value: {{ .Chart.AppVersion }}
+        - name: INSPEKTOR_GADGET_OPTION_TRACELOOP
+          value: "{{ .Values.enableTraceloop }}"
+        {{- if .Values.enableTraceloop }}
+        - name: INSPEKTOR_GADGET_OPTION_TRACELOOP_LOGLEVEL
+          value: {{ .Values.logLevel }}
+        - name: INSPEKTOR_GADGET_OPTION_RUNC_HOOKS_MODE
+          value: "auto"
+        {{- end }}
+        volumeMounts:
+        - name: host
+          mountPath: /host
+        - name: run
+          mountPath: /run
+          mountPropagation: Bidirectional
+        - name: modules
+          mountPath: /lib/modules
+        - name: debugfs
+          mountPath: /sys/kernel/debug
+        - name: cgroup
+          mountPath: /sys/fs/cgroup
+        - name: bpffs
+          mountPath: /sys/fs/bpf
+        - name: localtime
+          mountPath: /etc/localtime
+      tolerations:
+      - effect: NoSchedule
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+        {{- with .Values.tolerations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      volumes:
+      - name: host
+        hostPath:
+          path: /
+      - name: run
+        hostPath:
+          path: /run
+      - name: cgroup
+        hostPath:
+          path: /sys/fs/cgroup
+      - name: modules
+        hostPath:
+          path: /lib/modules
+      - name: bpffs
+        hostPath:
+          path: /sys/fs/bpf
+      - name: debugfs
+        hostPath:
+          path: /sys/kernel/debug
+      - name: localtime
+        hostPath:
+          path: /etc/localtime

assets/charts/components/inspektor-gadget/templates/psp.yaml

@@ -0,0 +1,24 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: inspektor-gadget
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+spec:
+  privileged: true
+  volumes:
+  - 'hostPath'
+  hostNetwork: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+  allowedHostPaths:
+  - pathPrefix: "/"

assets/charts/components/inspektor-gadget/templates/rbac.yaml

@@ -0,0 +1,26 @@
+{{ if .Values.rbac }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "inspektor-gadget.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "inspektor-gadget.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: inspektor-gadget-psp
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+    - inspektor-gadget
+{{ end }}

assets/charts/components/inspektor-gadget/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "inspektor-gadget.serviceAccountName" . }}
+  labels:
+    {{- include "inspektor-gadget.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

assets/charts/components/inspektor-gadget/values.yaml

@@ -0,0 +1,42 @@
+# Default values for inspektor-gadget.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  repository: kinvolk/gadget
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: 202007010134320f732c # v0.2.0
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+tolerations: []
+
+enableTraceloop: true
+logLevel: "info,json"
+rbac: true

ci/aks/aks-cluster.lokocfg.envsubst

@@ -125,3 +125,5 @@ component "web-ui" {
     certmanager_cluster_issuer = "letsencrypt-staging"
   }
 }
+
+component "inspektor-gadget" {}

ci/aws/aws-cluster.lokocfg.envsubst

@@ -250,3 +250,5 @@ component "web-ui" {
     issuer_url    = "$ISSUER_HOST"
   }
 }
+
+component "inspektor-gadget" {}

ci/baremetal/baremetal-cluster.lokocfg.envsubst

@@ -41,3 +41,5 @@ cluster "bare-metal" {
     "roleofnode" = "testing",
   }
 }
+
+component "inspektor-gadget" {}

ci/packet/packet-cluster.lokocfg.envsubst

@@ -222,3 +222,5 @@ component "web-ui" {
     issuer_url    = "$ISSUER_HOST"
   }
 }
+
+component "inspektor-gadget" {}

cli/cmd/component.go

@@ -27,6 +27,7 @@ import (
 	_ "github.com/kinvolk/lokomotive/pkg/components/flatcar-linux-update-operator"
 	_ "github.com/kinvolk/lokomotive/pkg/components/gangway"
 	_ "github.com/kinvolk/lokomotive/pkg/components/httpbin"
+	_ "github.com/kinvolk/lokomotive/pkg/components/inspektor-gadget"
 	_ "github.com/kinvolk/lokomotive/pkg/components/istio-operator"
 	_ "github.com/kinvolk/lokomotive/pkg/components/linkerd"
 	_ "github.com/kinvolk/lokomotive/pkg/components/metallb"

docs/concepts/components.md

@@ -86,6 +86,7 @@ Available components:
 	 gangway
 	 web-ui
 	 httpbin
+	 inspektor-gadget
 	 metallb
 	 metrics-server
 	 openebs-operator