# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one apiVersion: apps/v1 kind: DaemonSet metadata: name: sysdig-node-analyzer labels: app: sysdig-node-analyzer spec: selector: matchLabels: app: sysdig-node-analyzer updateStrategy: type: RollingUpdate template: metadata: labels: app: sysdig-node-analyzer spec: volumes: - name: sysdig-agent-config configMap: name: sysdig-agent optional: true # Needed for cri-o image inspection. # cri-o and especially OCP 4.x by default use containers/storage to handle images, and this makes sure that the # analyzer has access to the configuration. This file is mounted read-only. - name: etc-containers-storage-vol hostPath: path: /etc/containers/storage.conf # Needed for cri-o image inspection. # This is the directory where image data is stored by default when using cri-o and OCP 4.x and the analyzer # uses it to get the data to scan. This directory must be mounted r/w because proper access to its files through # the containers/storage library is always regulated with a lockfile. - name: var-lib-containers-vol hostPath: path: /var/lib/containers # Needed for some IBM OpenShift clusters which symlink /var/run/containers/storage to contents of /var/data by default - name: vardata-vol hostPath: path: /var/data # Needed for socket access - name: varrun-vol hostPath: path: /var/run # Add custom volume here - name: sysdig-image-analyzer-config configMap: name: sysdig-image-analyzer optional: true # Needed to run Benchmarks. This mount is read-only. # Benchmarks include numerous checks that run tests against config files in the host filesystem. There are also # checks that test various host configurations such as loaded modules and enabled security features. - name: root-vol hostPath: path: / - name: tmp-vol emptyDir: {} tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane - effect: NoSchedule key: node-role.kubernetes.io/controlplane operator: Equal value: "true" - effect: NoExecute key: node-role.kubernetes.io/etcd operator: Equal value: "true" # The following line is necessary for RBAC serviceAccount: sysdig-agent terminationGracePeriodSeconds: 5 # Use the Host Network Namespace. # This is required by the Benchmark container to determine the hostname and host mac address hostNetwork: true dnsPolicy: ClusterFirstWithHostNet # Use the Host PID namespace. # This is required for Kubernetes benchmarks, as they contain tests that check Kubernetes processes running on # the host hostPID: true containers: - name: sysdig-image-analyzer image: quay.io/sysdig/node-image-analyzer securityContext: # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to # running containers by default regardless of volume mounts. In those cases, access to the CRI socket would fail. privileged: true imagePullPolicy: Always resources: limits: cpu: 500m memory: 1536Mi requests: cpu: 150m memory: 512Mi volumeMounts: - mountPath: /var/run name: varrun-vol - mountPath: /etc/containers/storage.conf name: etc-containers-storage-vol readOnly: true - mountPath: /var/lib/containers name: var-lib-containers-vol - mountPath: /var/data name: vardata-vol # Add custom volume mount here env: - name: ACCESS_KEY valueFrom: secretKeyRef: name: sysdig-agent key: access-key - name: IMAGE_PERIOD valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: image_period optional: true - name: IMAGE_CACHE_TTL valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: image_cache_ttl optional: true - name: REPORT_PERIOD valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: report_period optional: true - name: DOCKER_SOCKET_PATH valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: docker_socket_path optional: true - name: CRI_SOCKET_PATH valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: cri_socket_path optional: true - name: CONTAINERD_SOCKET_PATH valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: containerd_socket_path optional: true - name: AM_COLLECTOR_ENDPOINT valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: collector_endpoint optional: true - name: AM_COLLECTOR_TIMEOUT valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: collector_timeout optional: true - name: VERIFY_CERTIFICATE valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: ssl_verify_certificate optional: true - name: K8S_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: K8S_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: K8S_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: DEBUG valueFrom: configMapKeyRef: name: sysdig-image-analyzer key: debug optional: true - name: HTTP_PROXY valueFrom: configMapKeyRef: key: http_proxy name: sysdig-image-analyzer optional: true - name: HTTPS_PROXY valueFrom: configMapKeyRef: key: https_proxy name: sysdig-image-analyzer optional: true - name: NO_PROXY valueFrom: configMapKeyRef: key: no_proxy name: sysdig-image-analyzer optional: true - name: sysdig-host-analyzer image: quay.io/sysdig/host-analyzer:latest securityContext: # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to # running containers by default regardless of volume mounts. In those cases, access to any host related components # would fail privileged: true imagePullPolicy: Always resources: limits: cpu: 500m memory: 1536Mi requests: cpu: 150m memory: 512Mi volumeMounts: - mountPath: /host name: root-vol readOnly: true env: - name: ACCESS_KEY valueFrom: secretKeyRef: name: sysdig-agent key: access-key - name: AM_COLLECTOR_ENDPOINT valueFrom: configMapKeyRef: name: sysdig-host-analyzer key: collector_endpoint - name: AM_COLLECTOR_TIMEOUT valueFrom: configMapKeyRef: name: sysdig-host-analyzer key: collector_timeout optional: true - name: SCHEDULE valueFrom: configMapKeyRef: name: sysdig-host-analyzer key: schedule optional: true - name: ANALYZE_AT_STARTUP valueFrom: configMapKeyRef: name: sysdig-host-analyzer key: analyze_at_startup optional: true - name: HOST_BASE value: /host - name: DIRS_TO_SCAN valueFrom: configMapKeyRef: name: sysdig-host-analyzer key: dirs_to_scan optional: true - name: MAX_SEND_ATTEMPTS valueFrom: configMapKeyRef: name: sysdig-host-analyzer key: max_send_attempts optional: true - name: VERIFY_CERTIFICATE valueFrom: configMapKeyRef: name: sysdig-host-analyzer key: ssl_verify_certificate optional: true - name: DEBUG valueFrom: configMapKeyRef: name: sysdig-host-analyzer key: debug optional: true - name: HTTP_PROXY valueFrom: configMapKeyRef: key: http_proxy name: sysdig-host-analyzer optional: true - name: HTTPS_PROXY valueFrom: configMapKeyRef: key: https_proxy name: sysdig-host-analyzer optional: true - name: NO_PROXY valueFrom: configMapKeyRef: key: no_proxy name: sysdig-host-analyzer optional: true - name: sysdig-benchmark-runner image: quay.io/sysdig/compliance-benchmark-runner imagePullPolicy: Always securityContext: # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to # running containers by default regardless of volume mounts. In those cases, the benchmark process would fail. privileged: true resources: limits: cpu: 500m memory: 256Mi requests: cpu: 150m memory: 128Mi volumeMounts: - mountPath: /opt/draios/etc/kubernetes/config name: sysdig-agent-config - mountPath: /host name: root-vol readOnly: true - mountPath: /host/tmp name: tmp-vol env: - name: ACCESS_KEY valueFrom: secretKeyRef: name: sysdig-agent key: access-key - name: BACKEND_ENDPOINT valueFrom: configMapKeyRef: name: sysdig-benchmark-runner key: collector_endpoint - name: BACKEND_VERIFY_TLS valueFrom: configMapKeyRef: name: sysdig-benchmark-runner key: ssl_verify_certificate optional: true - name: KUBERNETES_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: DEBUG valueFrom: configMapKeyRef: name: sysdig-benchmark-runner key: debug optional: true - name: HTTP_PROXY valueFrom: configMapKeyRef: key: http_proxy name: sysdig-benchmark-runner optional: true - name: HTTPS_PROXY valueFrom: configMapKeyRef: key: https_proxy name: sysdig-benchmark-runner optional: true - name: NO_PROXY valueFrom: configMapKeyRef: key: no_proxy name: sysdig-benchmark-runner optional: true