### WARNING: this file is supported from Sysdig Agent 0.80.0
# apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: sysdig-agent
  labels:
    app: sysdig-agent
spec:
  selector:
    matchLabels:
      app: sysdig-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: sysdig-agent
    spec:
      volumes:
      - name: modprobe-d
        hostPath:
          path: /etc/modprobe.d
### uncomment for minikube
#      - name: etc-version
#        hostPath:
#          path: /etc/VERSION
#          type: FileOrCreate
      - name: dshm
        emptyDir:
          medium: Memory
      - name: etc-vol
        hostPath:
          path: /etc
      - name: dev-vol
        hostPath:
          path: /dev
      - name: proc-vol
        hostPath:
          path: /proc
      - name: boot-vol
        hostPath:
          path: /boot
      - name: modules-vol
        hostPath:
          path: /lib/modules
      - name: usr-vol
        hostPath:
          path: /usr
      - name: run-vol
        hostPath:
          path: /run
      - name: varrun-vol
        hostPath:
          path: /var/run
### Uncomment these lines if you'd like to map /root/ from the
#   host into the container. This can be useful to map
#   /root/.sysdig to pick up custom kernel modules.
#     - name: host-root-vol
#       hostPath:
#         path: /root
      - name: sysdig-agent-config
        configMap:
          name: sysdig-agent
          optional: true
      - name: sysdig-agent-secrets
        secret:
          secretName: sysdig-agent
      - name: podinfo
        downwardAPI:
          defaultMode: 420
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
            path: name
      # This section is for eBPF support. Please refer to Sysdig Support before
      # uncommenting, as eBPF is recommended for only a few configurations.
      #- name: sys-tracing
      #  hostPath:
      #    path: /sys/kernel/debug
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      hostPID: true
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
        - effect: NoSchedule
          key: node-role.kubernetes.io/controlplane
          operator: Equal
          value: "true"
        - effect: NoExecute
          key: node-role.kubernetes.io/etcd
          operator: Equal
          value: "true"
      # The following line is necessary for RBAC
      serviceAccount: sysdig-agent
      terminationGracePeriodSeconds: 5
      ### Uncomment following 2 lines to pull images from a private registry,
      ### replacing secret-name with your secret name (previously created)
      #imagePullSecrets:
      #- name: secret-name
      containers:
      - name: sysdig-agent
        image: quay.io/sysdig/agent
        imagePullPolicy: Always
        securityContext:
          privileged: true
          runAsUser: 0
        resources:
          # Resources needed are subjective to the actual workload.
          # Please refer to Sysdig Support for more info.
          # See also: https://docs.sysdig.com/en/tuning-sysdig-agent.html
          requests:
            cpu: 1000m
            memory: 1024Mi
          limits:
            cpu: 1000m
            memory: 1024Mi
        readinessProbe:
          exec:
            command: [ "test", "-e", "/opt/draios/logs/running" ]
          initialDelaySeconds: 10
        env:
          - name: K8S_NODE
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #  - name: SYSDIG_BPF_PROBE
        #    value: ""
        volumeMounts:
        - mountPath: /etc/modprobe.d
          name: modprobe-d
          readOnly: true
### uncomment for minikube
#        - mountPath: /host/etc/VERSION
#          name: etc-version
#          readOnly: true
        - mountPath: /host/etc
          name: etc-vol
          readOnly: true
        - mountPath: /host/dev
          name: dev-vol
          readOnly: false
        - mountPath: /host/proc
          name: proc-vol
          readOnly: true
        - mountPath: /host/boot
          name: boot-vol
          readOnly: true
        - mountPath: /host/lib/modules
          name: modules-vol
          readOnly: true
        - mountPath: /host/usr
          name: usr-vol
          readOnly: true
        - mountPath: /host/run
          name: run-vol
        - mountPath: /host/var/run
          name: varrun-vol
        - mountPath: /dev/shm
          name: dshm
        - mountPath: /opt/draios/etc/kubernetes/config
          name: sysdig-agent-config
        - mountPath: /opt/draios/etc/kubernetes/secrets
          name: sysdig-agent-secrets
        - mountPath: /etc/podinfo
          name: podinfo
### Uncomment these lines if you'd like to map /root/ from the
#   host into the container. This can be useful to map
#   /root/.sysdig to pick up custom kernel modules.
#       - mountPath: /root
#         name: host-root-vol
        # This section is for eBPF support. Please refer to Sysdig Support before
        # uncommenting, as eBPF is recommended for only a few configurations.
        #- mountPath: /sys/kernel/debug
        #  name: sys-tracing
        #  readOnly: true