# apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: sysdig-image-analyzer
  labels:
    app: sysdig-image-analyzer
spec:
  selector:
    matchLabels:
      app: sysdig-image-analyzer
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: sysdig-image-analyzer
    spec:
      volumes:
      # Needed for cri-o image inspection.
      # cri-o and especially OCP 4.x by default use containers/storage to handle images, and this makes sure that the
      # analyzer has access to the configuration. This file is mounted read-only.
      - name: etc-containers-storage-vol
        hostPath:
          path: /etc/containers/storage.conf
      # Needed for cri-o image inspection.
      # This is the directory where image data is stored by default when using cri-o and OCP 4.x and the analyzer
      # uses it to get the data to scan. This directory must be mounted r/w because proper access to its files through
      # the containers/storage library is always regulated with a lockfile.
      - name: var-lib-containers-vol
        hostPath:
          path: /var/lib/containers
      # Needed for some IBM OpenShift clusters which symlink /var/run/containers/storage to contents of /var/data by default
      - name: vardata-vol
        hostPath:
          path: /var/data
      # Needed for socket access
      - name: varrun-vol
        hostPath:
          path: /var/run
      # Add custom volume here
      - name: sysdig-image-analyzer-config
        configMap:
          name: sysdig-image-analyzer
          optional: true
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
        - effect: NoSchedule
          key: node-role.kubernetes.io/controlplane
          operator: Equal
          value: "true"
        - effect: NoExecute
          key: node-role.kubernetes.io/etcd
          operator: Equal
          value: "true"
      # The following line is necessary for RBAC
      serviceAccount: sysdig-agent
      terminationGracePeriodSeconds: 5
      containers:
      - name: sysdig-image-analyzer
        image: quay.io/sysdig/node-image-analyzer
        securityContext:
          # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to
          # running containers by default regardless of volume mounts. In those cases, access to the CRI socket would fail.
          privileged: true
        imagePullPolicy: Always
        resources:
          limits:
            cpu: 500m
            memory: 1536Mi
          requests:
            cpu: 250m
            memory: 512Mi
        volumeMounts:
        - mountPath: /var/run
          name: varrun-vol
        - mountPath: /etc/containers/storage.conf
          name: etc-containers-storage-vol
          readOnly: true
        - mountPath: /var/lib/containers
          name: var-lib-containers-vol
        - mountPath: /var/data
          name: vardata-vol
        # Add custom volume mount here
        env:
        - name: ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: sysdig-agent
              key: access-key
        - name: IMAGE_PERIOD
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: image_period
              optional: true
        - name: IMAGE_CACHE_TTL
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: image_cache_ttl
              optional: true
        - name: REPORT_PERIOD
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: report_period
              optional: true
        - name: DOCKER_SOCKET_PATH
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: docker_socket_path
              optional: true
        - name: CRI_SOCKET_PATH
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: cri_socket_path
              optional: true
        - name: CONTAINERD_SOCKET_PATH
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: containerd_socket_path
              optional: true
        - name: AM_COLLECTOR_ENDPOINT
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: collector_endpoint
              optional: true
        - name: AM_COLLECTOR_TIMEOUT
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: collector_timeout
              optional: true
        - name: VERIFY_CERTIFICATE
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: ssl_verify_certificate
              optional: true
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: K8S_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: K8S_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: DEBUG
          valueFrom:
            configMapKeyRef:
              name: sysdig-image-analyzer
              key: debug
              optional: true
        - name: HTTP_PROXY
          valueFrom:
            configMapKeyRef:
              key: http_proxy
              name: sysdig-image-analyzer
              optional: true
        - name: HTTPS_PROXY
          valueFrom:
            configMapKeyRef:
              key: https_proxy
              name: sysdig-image-analyzer
              optional: true
        - name: NO_PROXY
          valueFrom:
            configMapKeyRef:
              key: no_proxy
              name: sysdig-image-analyzer
              optional: true