From 44b66cef67feeaa31fb9500a54aa6990628d01eb Mon Sep 17 00:00:00 2001
From: Alessio Greggi
Date: Sun, 19 Jan 2025 18:00:46 +0100
Subject: [PATCH 1/5] chore: add dedicated Dockerfile for tracing
Signed-off-by: Alessio Greggi
---
 Dockerfile.tracing | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 Dockerfile.tracing
diff --git a/Dockerfile.tracing b/Dockerfile.tracing
new file mode 100644
index 00000000..44b9199b
--- /dev/null
+++ b/Dockerfile.tracing
@@ -0,0 +1,37 @@
+# Build the manager binary
+FROM golang:1.23.4 as builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+ARG TARGETARCH
+ARG GIT_HEAD_COMMIT
+ARG GIT_TAG_COMMIT
+ARG GIT_LAST_TAG
+ARG GIT_MODIFIED
+ARG GIT_REPO
+ARG BUILD_DATE
+
+# Copy the go source
+COPY main.go main.go
+COPY version.go version.go
+COPY api/ api/
+COPY controllers/ controllers/
+COPY pkg/ pkg/
+
+# Build
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build \
+ -gcflags "-N -l" \
+ -ldflags "-X main.GitRepo=$GIT_REPO -X main.GitTag=$GIT_LAST_TAG -X main.GitCommit=$GIT_HEAD_COMMIT -X main.GitDirty=$GIT_MODIFIED -X main.BuildTime=$BUILD_DATE" \
+ -o manager
+
+FROM harpoon:latest
+WORKDIR /
+COPY --from=builder /workspace/manager .
+
+ENTRYPOINT ["/bin/bash"]
From b3dec4db83e09351141a4b1d22279383a0bed6ac Mon Sep 17 00:00:00 2001
From: Alessio Greggi
Date: Sun, 19 Jan 2025 18:01:45 +0100
Subject: [PATCH 2/5] feat(charts/capsule): support for multiple values files
Signed-off-by: Alessio Greggi
---
 charts/capsule/templates/deployment.yaml | 19 +-
 charts/capsule/values-tracing.yaml | 366 +++++++++++++++++++++++
 charts/capsule/values.yaml | 2 +
 3 files changed, 384 insertions(+), 3 deletions(-)
 create mode 100644 charts/capsule/values-tracing.yaml
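Review bot: The final stage ends with `ENTRYPOINT ["/bin/bash"]`, so the image runs a shell by default and the `/manager` binary copied into `/` only executes when the chart supplies `command`/`args`; nothing in the Dockerfile records that contract. A comment above the ENTRYPOINT such as `# The chart's tracing values override command/args to run harpoon with /manager as its target; the bare image only opens a shell` would make it visible to whoever next edits either side. It is also worth noting next to `-gcflags "-N -l"` that optimisation and inlining are disabled for the trace, so this is a debug build that must never be tagged or published as the release image. The `ARG GIT_*` values are only meaningful if the build target passes them; with the plain `docker build` added in patch 3 they render empty, which is presumably acceptable for a local tracing image and deserves a one-line comment.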
diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml index 60a2e4c1..bdb3eeed 100644 --- a/charts/capsule/templates/deployment.yaml +++ b/charts/capsule/templates/deployment.yaml @@ -37,6 +37,9 @@ spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet {{- end }} + {{- if .Values.manager.hostPID }} + hostPID: true + {{- end }} priorityClassName: {{ .Values.priorityClassName }} {{- with .Values.nodeSelector }} nodeSelector: @@ -59,9 +62,18 @@ spec: secret: defaultMode: 420 secretName: {{ include "capsule.secretTlsName" . }} + {{- toYaml .Values.manager.volumes | nindent 8 }} containers: - name: manager + command: {{ .Values.manager.command }} args: + {{- with .Values.manager.args }} + {{- if . }} + {{- range . }} + - {{ . }} + {{- end }} + {{- end }} + {{- end }} - --webhook-port={{ .Values.manager.webhookPort }} - --enable-leader-election - --zap-log-level={{ default 4 .Values.manager.options.logLevel }} @@ -85,9 +97,10 @@ spec: readinessProbe: {{- toYaml .Values.manager.readinessProbe | nindent 12}} volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + {{- toYaml .Values.manager.volumeMounts | nindent 12 }} resources: {{- toYaml .Values.manager.resources | nindent 12 }} securityContext: diff --git a/charts/capsule/values-tracing.yaml b/charts/capsule/values-tracing.yaml new file mode 100644 index 00000000..e6c2aad0 --- /dev/null +++ b/charts/capsule/values-tracing.yaml 
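Review bot: `{{- toYaml .Values.manager.volumes | nindent 8 }}` in the `@@ -59` hunk and `{{- toYaml .Values.manager.volumeMounts | nindent 12 }}` in the `@@ -85` hunk are unguarded, while the values.yaml hunk in this patch adds only `command: /manager`; when `manager.volumes`/`manager.volumeMounts` are unset, `toYaml` of nil emits the scalar `null` inside the `volumes:`/`volumeMounts:` sequences, which is not a valid sequence entry and breaks the default render. Guard both the way `args` is guarded, e.g. `{{- with .Values.manager.volumes }}{{ toYaml . | nindent 8 }}{{- end }}`, or declare `volumes: []` and `volumeMounts: []` in values.yaml. `hostPID: true` is a pod-level privilege escalation; a comment on the `{{- if .Values.manager.hostPID }}` block stating it exists for the tracing profile only would help reviewers of later value changes. The enclosing `spec:` block starts and ends outside both hunks.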
@@ -0,0 +1,366 @@ +# Default values for capsule. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + jobs: + kubectl: + image: + # -- Set the image repository of the helm chart job + registry: docker.io + # -- Set the image repository of the helm chart job + repository: clastix/kubectl + # -- Set the image pull policy of the helm chart job + pullPolicy: IfNotPresent + # -- Set the image tag of the helm chart job + tag: "" + # -- ImagePullSecrets + imagePullSecrets: [] + # -- Annotations to add to the certgen job. + annotations: {} + # -- Set the restartPolicy + restartPolicy: Never + # -- Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. + ttlSecondsAfterFinished: 60 + # -- Security context for the job pods. + podSecurityContext: + seccompProfile: + type: "RuntimeDefault" + # -- Security context for the job containers. + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1002 + runAsNonRoot: true + runAsUser: 1002 + # -- Job resources + resources: {} + # -- Set the node selector + nodeSelector: {} + # -- Set list of tolerations + tolerations: [] + # -- Set affinity rules + affinity: {} + # -- Set Topology Spread Constraints + topologySpreadConstraints: [] + # -- Set a pod priorityClassName + priorityClassName: "" + # -- Backofflimit for jobs + backoffLimit: 4 + +# Manage CRD Lifecycle +crds: + # -- Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) + install: true + # -- Only install the CRDs, no other primitives + exclusive: false + # -- Extra Labels for CRDs + labels: {} + # -- Extra Annotations for CRDs + annnotations: {} + +# Secret Options +tls: + # -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well. 
+ enableController: true + # -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion. + create: true + # -- Override name of the Capsule TLS Secret name when externally managed. + name: "" + +# Capsule Proxy +proxy: + # -- Enable Installation of Capsule Proxy + enabled: false + +# Manager Options +manager: + + # Manager RBAC + rbac: + # -- Specifies whether RBAC resources should be created. + create: true + # -- Specifies further cluster roles to be added to the Capsule manager service account. + existingClusterRoles: [] + # - cluster-admin + # -- Specifies further cluster roles to be added to the Capsule manager service account. + existingRoles: [] + # - namespace-admin + + # -- Set the controller deployment mode as `Deployment` or `DaemonSet`. + kind: Deployment + + command: /harpoon + args: + - capture + - --function + - main.main + - --env-var + - "NAMESPACE=capsule-system" + - --dump-interval + - "2" + - --include-cmd-stdout + - --include-cmd-stderr + - --save + - --directory + - /tmp/results/ + - -- + - /manager + + image: + # -- Set the image registry of capsule. + registry: ghcr.io + # -- Set the image repository of capsule. + repository: projectcapsule/capsule + # -- Set the image pull policy. + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion. + tag: '' + + # -- Specifies if the container should be started in hostNetwork mode. + # + # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom + # CNI (such as calico), because control-plane managed by AWS cannot communicate + # with pods' IP CIDR and admission webhooks are not working + hostNetwork: true + + # -- Specifies if the container should be started in hostPID mode. + hostPID: true + + # -- Set an alternative to the default container port. 
+ # + # Useful for use in some kubernetes clusters (such as GKE Private) with + # aggregator routing turned on, because pod ports have to be opened manually + # on the firewall side + webhookPort: 9443 + + # Additional Capsule Controller Options + options: + # -- Change the default name of the capsule configuration name + capsuleConfiguration: default + # -- Set the log verbosity of the capsule with a value from 1 to 10 + logLevel: '4' + # -- Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash + forceTenantPrefix: false + # -- Override the Capsule user groups + capsuleUserGroups: ["projectcapsule.dev"] + # -- If specified, disallows creation of namespaces matching the passed regexp + protectedNamespaceRegex: "" + # -- Specifies whether capsule webhooks certificates should be generated by capsule operator + generateCertificates: true + # -- Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant + nodeMetadata: + forbiddenLabels: + denied: [] + deniedRegex: "" + forbiddenAnnotations: + denied: [] + deniedRegex: "" + + # -- Configure the liveness probe using Deployment probe spec + livenessProbe: + httpGet: + path: /healthz + port: 10080 + + # -- Configure the readiness probe using Deployment probe spec + readinessProbe: + httpGet: + path: /readyz + port: 10080 + + # -- Set the resource requests/limits for the Capsule manager container + resources: {} + + # -- Set the additional volumes needed for the Capsule manager container + volumes: + - name: debugfs + hostPath: + path: /sys/kernel/debug + type: Directory + + # -- Set the additional volumeMounts needed for the Capsule manager container + volumeMounts: + - name: debugfs + mountPath: /sys/kernel/debug + +# -- Configuration for `imagePullSecrets` so that you can use a private images registry. +imagePullSecrets: [] + +# -- Annotations to add to the capsule pod. 
+podAnnotations: {} +# The following annotations guarantee scheduling for critical add-on pods +# podAnnotations: +# scheduler.alpha.kubernetes.io/critical-pod: '' + +# -- Set the priority class name of the Capsule pod +priorityClassName: '' # system-cluster-critical + +# -- Set the securityContext for the Capsule container +securityContext: + privileged: true + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - PERFOM + +# -- Set the node selector for the Capsule pod +nodeSelector: {} +# node-role.kubernetes.io/master: "" + +# -- Set list of tolerations for the Capsule pod +tolerations: [] +# - key: CriticalAddonsOnly +# operator: Exists +# - effect: NoSchedule +# key: node-role.kubernetes.io/master + +# -- Set the replica count for capsule pod +replicaCount: 1 + +# -- Set affinity rules for the Capsule pod +affinity: {} + +# -- Set topology spread constraints for the Capsule pod +topologySpreadConstraints: [] + +# -- Deprecated, use .global.jobs.kubectl instead +jobs: {} + +# ServiceAccount +serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. 
If not set and `serviceAccount.create=true`, a name is generated using the fullname template + name: "" + +certManager: + # -- Specifies whether capsule webhooks certificates should be generated using cert-manager + generateCertificates: false + # -- Specify additional SANS to add to the certificate + additionalSANS: [] +# -- Additional labels which will be added to all resources created by Capsule helm chart +customLabels: {} + +# -- Additional annotations which will be added to all resources created by Capsule helm chart +customAnnotations: {} + +# Webhooks configurations +webhooks: + # -- When `crds.exclusive` is `true` the webhooks will be installed + exclusive: false + # -- Timeout in seconds for mutating webhooks + mutatingWebhooksTimeoutSeconds: 30 + # -- Timeout in seconds for validating webhooks + validatingWebhooksTimeoutSeconds: 30 + + # Configure custom webhook service + service: + # -- The URL where the capsule webhook services are running (Overwrites cluster scoped service definition) + url: "" + # -- CABundle for the webhook service + caBundle: "" + # -- Custom service name for the webhook service + name: "" + # -- Custom service namespace for the webhook service + namespace: "" + # -- Custom service port for the webhook service + port: + + # Hook Configuration + hooks: + namespaceOwnerReference: + failurePolicy: Fail + cordoning: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + ingresses: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + namespaces: + failurePolicy: Fail + networkpolicies: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + pods: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + persistentvolumeclaims: + failurePolicy: Fail + namespaceSelector: + 
matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + tenants: + failurePolicy: Fail + tenantResourceObjects: + failurePolicy: Fail + services: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + nodes: + failurePolicy: Fail + defaults: + ingress: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + pvc: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + pods: + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: capsule.clastix.io/tenant + operator: Exists + +# ServiceMonitor +serviceMonitor: + # -- Enable ServiceMonitor + enabled: false + # -- Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) + namespace: '' + # -- Assign additional labels according to Prometheus' serviceMonitorSelector matching labels + labels: {} + # -- Assign additional Annotations + annotations: {} + # -- Change matching labels + matchLabels: {} + # -- Set targetLabels for the serviceMonitor + targetLabels: [] + endpoint: + # -- Set the scrape interval for the endpoint of the serviceMonitor + interval: "15s" + # -- Set the scrape timeout for the endpoint of the serviceMonitor + scrapeTimeout: "" + # -- Set metricRelabelings for the endpoint of the serviceMonitor + metricRelabelings: [] + # -- Set relabelings for the endpoint of the serviceMonitor + relabelings: [] diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml index 677a1d12..daedf77e 100644 --- a/charts/capsule/values.yaml +++ b/charts/capsule/values.yaml @@ -93,6 +93,8 @@ manager: # -- Set the controller deployment mode as `Deployment` or `DaemonSet`. kind: Deployment + command: /manager + image: # -- Set the image registry of capsule. registry: ghcr.io From 4e45068182bc74e54a2422c1a823ce2be8ebfecf Mon Sep 17 00:00:00 2001 
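Review bot: `- PERFOM` under `securityContext.capabilities.add` is not a Linux capability (the capability is `PERFMON`); depending on the container runtime an unknown capability is either rejected at pod start or dropped with a warning, and with `privileged: true` on the same block the explicit `add:` list is redundant in any case. The same typo is carried into the `manager.securityContext` block introduced in patch 4/5. The file is a full copy of values.yaml rather than an overlay of the tracing-specific keys (`hostPID`, the debugfs `hostPath` volume and mount, `command`/`args`, `securityContext`); since `helm --values` merges over the chart defaults, keeping only those keys would stop the copy drifting from the default file. `annnotations: {}` under `crds` looks inherited from the upstream default file and is worth fixing at the source rather than duplicating.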
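Review bot: `command: /manager` is added as a plain string, but `deployment.yaml` renders it with `command: {{ .Values.manager.command }}` here and with `toYaml` from patch 4 on; in both forms a scalar produces `command: /manager` in the Pod spec, where Kubernetes requires a string array, so the default (non-tracing) install is rejected by the API server. Declare it as a list, `command: ["/manager"]`, and add the other keys the template now reads (`args: []`, `volumes: []`, `volumeMounts: []`, `hostPID: false`) with `# --` comments so they appear in the generated README. values.yaml is not touched again in this series, so this hunk is what ships.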
From: Alessio Greggi
Date: Sun, 19 Jan 2025 18:03:06 +0100
Subject: [PATCH 3/5] chore(Makefile): add dedicated targets for tracing
Signed-off-by: Alessio Greggi
---
 Makefile | 58 +++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 45 insertions(+), 13 deletions(-)
diff --git a/Makefile b/Makefile
index b0680b9d..612b1d56 100644
--- a/Makefile
+++ b/Makefile
@@ -71,12 +71,12 @@ helm-lint: docker
 @docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
 helm-test: kind ct ko-build-all
- @$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}
+ @kind create cluster --wait=60s --name capsule-charts
 @make helm-test-exec
- @$(KIND) delete cluster --name capsule-charts
+ @kind delete cluster --name capsule-charts
-helm-test-exec: kind
- @$(KIND) load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
+helm-test-exec:
+ @kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
 @kubectl create ns capsule-system || true
 @kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
 @kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@@ -171,6 +171,14 @@ ko-build-capsule: ko
 .PHONY: ko-build-all
 ko-build-all: ko-build-capsule
+.PHONY: docker-build-capsule-tracing
+docker-build-capsule-tracing:
+ @docker build \
+ --no-cache \
+ -t capsule-tracing:latest \
+ -f Dockerfile.tracing \
+ .
+
 # Docker Image Publish
 # ------------------
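Review bot: Replacing `$(KIND)` with a bare `kind`, dropping the `kind` prerequisite and removing the `--image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}` pin in `helm-test`/`helm-test-exec` is unrelated to the tracing targets named in the subject, and it makes the chart tests depend on whichever `kind` is on PATH and on kind's default node image. Patch 5/5 reverts this hunk, so the series reads cleaner with the churn squashed out.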
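Review bot: `--no-cache` in `docker-build-capsule-tracing` discards every layer, including the `go mod download` layer the Dockerfile deliberately isolates, so each invocation re-downloads all modules; consider dropping it or making it opt-in with `DOCKER_BUILD_FLAGS ?=` and `@docker build $(DOCKER_BUILD_FLAGS) \`. None of the Dockerfile's `ARG GIT_*`/`BUILD_DATE` values are passed as `--build-arg`, so the version ldflags render empty; if that is intentional for a local tracing image, a comment on the target saying so would stop someone "fixing" it later. `TARGETARCH` is filled in automatically only under BuildKit, which is presumably what developers use but is not guaranteed by a plain `docker build`.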
@@ -271,11 +279,11 @@ golint: golangci-lint
 # Running e2e tests in a KinD instance
 .PHONY: e2e
-e2e: ginkgo
- $(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
-
-e2e-build: kind
- $(KIND) create cluster --wait=60s --name capsule --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}
+e2e/%: ginkgo
+ $(MAKE) e2e-build/$* && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
+
+e2e-build/%:
+ kind create cluster --wait=60s --name capsule --image=kindest/node:$*
 $(MAKE) e2e-install
 .PHONY: e2e-install
@@ -294,17 +302,41 @@ e2e-install: e2e-load-image
 capsule \
 ./charts/capsule
+.PHONY: tracing-install
+tracing-install: tracing-load-image
+ helm upgrade \
+ --dependency-update \
+ --debug \
+ --install \
+ --namespace capsule-system \
+ --create-namespace \
+ --set 'manager.image.pullPolicy=Never' \
+ --set 'manager.image.registry=' \
+ --set 'manager.image.repository=capsule-tracing' \
+ --set 'manager.resources=null'\
+ --set "manager.image.tag=$(VERSION)" \
+ --set "manager.image.securityContext.privileged=true" \
+ --set 'manager.livenessProbe.failureThreshold=10' \
+ --set 'manager.readinessProbe.failureThreshold=10' \
+ --values charts/capsule/values-tracing.yaml \
+ capsule \
+ ./charts/capsule
+
 .PHONY: e2e-load-image
-e2e-load-image: kind ko-build-all
- $(KIND) load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
+e2e-load-image: ko-build-all
+ kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
+
+.PHONY: tracing-load-image
+tracing-load-image: docker-build-capsule-tracing
+ kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
 .PHONY: e2e-exec
 e2e-exec: ginkgo
 $(GINKGO) -v -tags e2e ./e2e
 .PHONY: e2e-destroy
-e2e-destroy: kind
- $(KIND) delete cluster --name capsule
+e2e-destroy:
+ kind delete cluster --name capsule
 SPELL_CHECKER = npx spellchecker-cli
 docs-lint:
From 63cac427cacd7dbb11e710b76576a9fd8b13c1a9 Mon Sep 17 00:00:00 2001
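Review bot: `--set "manager.image.securityContext.privileged=true"` in `tracing-install` sets a key no template reads: `deployment.yaml` renders `.Values.securityContext` (and `.Values.manager.securityContext` from patch 4 on), never `manager.image.securityContext`, and `values-tracing.yaml` already sets `privileged: true` in the right place, so the line is dead and suggests a second source of privilege that does not exist; it should be removed. The line survives unchanged into patch 4's `@@ -311` hunk. `--set 'manager.resources=null'\` is missing the space before the continuation backslash — the shell accepts it, but it is the only line in the recipe written that way.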
From: Alessio Greggi
Date: Tue, 21 Jan 2025 21:05:22 +0100
Subject: [PATCH 4/5] make harpoon work giving right permissions
Signed-off-by: Alessio Greggi
---
 Dockerfile.tracing | 4 +++-
 Makefile | 16 +++++++++----
 charts/capsule/templates/deployment.yaml | 21 +++++++----------
 charts/capsule/values-tracing.yaml | 29 ++++++++++++++++--------
 4 files changed, 41 insertions(+), 29 deletions(-)
diff --git a/Dockerfile.tracing b/Dockerfile.tracing
index 44b9199b..8f2fdeea 100644
--- a/Dockerfile.tracing
+++ b/Dockerfile.tracing
@@ -30,7 +30,9 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build \
 -ldflags "-X main.GitRepo=$GIT_REPO -X main.GitTag=$GIT_LAST_TAG -X main.GitCommit=$GIT_HEAD_COMMIT -X main.GitDirty=$GIT_MODIFIED -X main.BuildTime=$BUILD_DATE" \
 -o manager
-FROM harpoon:latest
+# From this stage we add the harpoon container
+# so we will be able to trace syscalls from Capsule.
+FROM alegrey91/harpoon:v0.9.1-rc1
 WORKDIR /
 COPY --from=builder /workspace/manager .
diff --git a/Makefile b/Makefile
index 612b1d56..d08babec 100644
--- a/Makefile
+++ b/Makefile
@@ -175,7 +175,7 @@ ko-build-all: ko-build-capsule
 docker-build-capsule-tracing:
 @docker build \
 --no-cache \
- -t capsule-tracing:latest \
+ -t localhost/capsule-tracing:latest \
 -f Dockerfile.tracing \
 .
@@ -311,10 +311,10 @@ tracing-install: tracing-load-image
 --namespace capsule-system \
 --create-namespace \
 --set 'manager.image.pullPolicy=Never' \
- --set 'manager.image.registry=' \
+ --set 'manager.image.registry=localhost' \
 --set 'manager.image.repository=capsule-tracing' \
 --set 'manager.resources=null'\
- --set "manager.image.tag=$(VERSION)" \
+ --set "manager.image.tag=latest" \
 --set "manager.image.securityContext.privileged=true" \
 --set 'manager.livenessProbe.failureThreshold=10' \
 --set 'manager.readinessProbe.failureThreshold=10' \
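Review bot: `FROM alegrey91/harpoon:v0.9.1-rc1` pins a mutable tag of a release candidate in a personal Docker Hub namespace, and that image becomes the runtime the manager executes under in the tracing cluster; pin it by digest as well, `FROM alegrey91/harpoon:v0.9.1-rc1@sha256:<digest placeholder>`, so rebuilds are reproducible and a re-pushed tag cannot silently change what runs. The new comment explains what the stage is for but not why an rc tag is required; a line such as `# pinned to v0.9.1-rc1 because <reason>` would help the next person bumping it. The `RUN … go build` that forms the hunk's function context starts above the hunk.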
@@ -322,13 +322,19 @@ tracing-install: tracing-load-image
 capsule \
 ./charts/capsule
+tracing-capsule:
+ $(MAKE) docker-build-capsule-tracing
+ @kind create cluster --wait=60s --name capsule-tracing
+ $(MAKE) tracing-install
+ $(MAKE) e2e-exec
+
 .PHONY: e2e-load-image
 e2e-load-image: ko-build-all
 kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
 .PHONY: tracing-load-image
-tracing-load-image: docker-build-capsule-tracing
- kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
+tracing-load-image:
+ kind load docker-image --nodes capsule-tracing-control-plane --name capsule-tracing localhost/capsule-tracing:latest
 .PHONY: e2e-exec
 e2e-exec: ginkgo
diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml
index bdb3eeed..cbe91904 100644
--- a/charts/capsule/templates/deployment.yaml
+++ b/charts/capsule/templates/deployment.yaml
@@ -65,19 +65,14 @@ spec:
 {{- toYaml .Values.manager.volumes | nindent 8 }}
 containers:
 - name: manager
- command: {{ .Values.manager.command }}
+ command:
+ {{ toYaml .Values.manager.command | nindent 12 }}
 args:
- {{- with .Values.manager.args }}
- {{- if . }}
- {{- range . }}
- - {{ . }}
- {{- end }}
- {{- end }}
- {{- end }}
- - --webhook-port={{ .Values.manager.webhookPort }}
- - --enable-leader-election
- - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
- - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
+ {{- toYaml .Values.manager.args | nindent 12 }}
+ - --webhook-port={{ .Values.manager.webhookPort }}
+ - --enable-leader-election
+ - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
+ - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
 image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
 imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
 env:
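Review bot: `tracing-capsule` is not listed in any `.PHONY` line, unlike every neighbouring target, so a file of that name in the checkout would turn it into a no-op. It also creates the `capsule-tracing` kind cluster but has no teardown — there is no counterpart to `e2e-destroy` — and `tracing-install` then runs `helm upgrade` against whatever kubeconfig context is current, which is the new cluster only because `kind create cluster` switches the context; that assumption deserves a comment. Add `.PHONY: tracing-capsule tracing-destroy` and a `tracing-destroy:` target whose recipe is `kind delete cluster --name capsule-tracing`, and use the same `$(KIND)`/`kind` prerequisite convention the rest of the file returns to in patch 5.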
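Review bot: `{{ toYaml .Values.manager.command | nindent 12 }}` and `{{- toYaml .Values.manager.args | nindent 12 }}` are unguarded, and values.yaml at the end of this series defines `command: /manager` as a scalar and no `args` key at all; the default render then contains `command: /manager` (a string where the API expects an array) and an `args:` sequence that begins with the bare scalar `null` ahead of `- --webhook-port=...`, so a plain `helm install` either fails to render or is rejected by the API server. Either make values.yaml provide `command: ["/manager"]` and `args: []`, or guard both in the template, e.g. `{{- with .Values.manager.args }}{{ toYaml . | nindent 12 }}{{- end }}` and the same for `command`. The `{{ toYaml` on the command line also lacks the `-` trim that every surrounding action uses, leaving a stray blank line in the output. The enclosing `spec:` block starts and ends outside the hunk.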
@@ -104,6 +99,6 @@ spec:
 resources:
 {{- toYaml .Values.manager.resources | nindent 12 }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- toYaml .Values.manager.securityContext | nindent 12 }}
 {{- end }}
 {{- end }}
diff --git a/charts/capsule/values-tracing.yaml b/charts/capsule/values-tracing.yaml
index e6c2aad0..17e6a4f7 100644
--- a/charts/capsule/values-tracing.yaml
+++ b/charts/capsule/values-tracing.yaml
@@ -93,7 +93,8 @@ manager:
 # -- Set the controller deployment mode as `Deployment` or `DaemonSet`.
 kind: Deployment
- command: /harpoon
+ command:
+ - /harpoon
 args:
 - capture
 - --function
@@ -187,6 +188,23 @@ manager:
 - name: debugfs
 mountPath: /sys/kernel/debug
+ # -- Set the securityContext for the Capsule container
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - SYS_ADMIN
+ - NET_ADMIN
+ - PERFOM
+
+# podsecuritycontext
+podSecurityContext:
+ runAsGroup: 0
+ runAsUser: 0
+ runAsNonRoot: false
+ seccompProfile:
+ type: "Unconfined"
+
 # -- Configuration for `imagePullSecrets` so that you can use a private images registry.
 imagePullSecrets: []
@@ -199,15 +217,6 @@ podAnnotations: {}
 # -- Set the priority class name of the Capsule pod
 priorityClassName: '' # system-cluster-critical
-# -- Set the securityContext for the Capsule container
-securityContext:
- privileged: true
- capabilities:
- add:
- - SYS_ADMIN
- - NET_ADMIN
- - PERFOM
-
 # -- Set the node selector for the Capsule pod
 nodeSelector: {}
 # node-role.kubernetes.io/master: ""
From 53c44765b64da25d4766a7dddd5a5fae0cbed359 Mon Sep 17 00:00:00 2001
From: Alessio Greggi
Date: Tue, 21 Jan 2025 21:17:52 +0100
Subject: [PATCH 5/5] restore Makefile
Signed-off-by: Alessio Greggi
---
 Makefile | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/Makefile b/Makefile
index d08babec..5442c77c 100644
--- a/Makefile
+++ b/Makefile
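Review bot: Switching `{{- toYaml .Values.securityContext | nindent 12 }}` to `.Values.manager.securityContext` moves a user-facing values key, but values.yaml is not changed anywhere in this series; if the default file still defines `securityContext` at the top level (values-tracing.yaml, copied from it, did until this patch), the manager container renders `securityContext: null` and silently loses its default hardening, and every user who sets `securityContext` in their own values file is broken the same way. Either update values.yaml in the same commit and call out the rename as a breaking change in the chart notes, or keep the old key as a fallback: `{{- toYaml (default .Values.securityContext .Values.manager.securityContext) | nindent 12 }}`. The surrounding `{{- if }}` blocks that the two trailing `{{- end }}` lines close start outside the hunk.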
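Review bot: The new `podSecurityContext` block sets `runAsUser: 0`, `runAsNonRoot: false` and `seccompProfile.type: "Unconfined"` next to a `privileged: true` container that also has `hostPID` and a debugfs `hostPath` mount — effectively host root — and nothing in the file says this is a local tracing profile; a header comment such as `# Tracing profile: runs the manager privileged as root so harpoon can attach; intended for a throwaway kind cluster only` would make that explicit, and the bare `# podsecuritycontext` line should say the same with the chart's `# --` doc style. `- PERFOM` should read `PERFMON`, and with `privileged: true` the `capabilities.add` list is redundant anyway. Whether `podSecurityContext` is consumed by the deployment template is not visible in this series, so confirm the key is actually rendered before relying on it.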
@@ -71,12 +71,12 @@ helm-lint: docker
 @docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:$(CT_VERSION) -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
 helm-test: kind ct ko-build-all
- @kind create cluster --wait=60s --name capsule-charts
+ @$(KIND) create cluster --wait=60s --name capsule-charts --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}
 @make helm-test-exec
- @kind delete cluster --name capsule-charts
+ @$(KIND) delete cluster --name capsule-charts
-helm-test-exec:
+helm-test-exec: kind
- @kind load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
+ @$(KIND) load docker-image --name capsule-charts $(CAPSULE_IMG):$(VERSION)
 @kubectl create ns capsule-system || true
 @kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
 @kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
@@ -279,11 +279,11 @@ golint: golangci-lint
 # Running e2e tests in a KinD instance
 .PHONY: e2e
-e2e/%: ginkgo
- $(MAKE) e2e-build/$* && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
-
-e2e-build/%:
- kind create cluster --wait=60s --name capsule --image=kindest/node:$*
+e2e: ginkgo
+ $(MAKE) e2e-build && $(MAKE) e2e-exec && $(MAKE) e2e-destroy
+
+e2e-build: kind
+ $(KIND) create cluster --wait=60s --name capsule --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}
 $(MAKE) e2e-install
 .PHONY: e2e-install
@@ -329,8 +329,8 @@ tracing-capsule:
 $(MAKE) e2e-exec
 .PHONY: e2e-load-image
-e2e-load-image: ko-build-all
- kind load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
+e2e-load-image: kind ko-build-all
+ $(KIND) load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
 .PHONY: tracing-load-image
 tracing-load-image:
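Review bot: The restore is partial: `e2e-load-image` (and `helm-test`, `e2e-build`, `e2e-destroy` in the sibling hunks) go back to `$(KIND)` with the `kind` prerequisite, but the tracing targets introduced in patches 3 and 4 keep calling a bare `kind` from PATH — `tracing-load-image:` is visible as context at the end of this hunk with no prerequisite, and `tracing-capsule` creates its cluster without the `kindest/node` pin `e2e-build` uses. For consistency change them to `tracing-load-image: kind` / `$(KIND) load docker-image ...` and `$(KIND) create cluster --wait=60s --name capsule-tracing --image kindest/node:$${KIND_K8S_VERSION:-v1.27.0}`, so both paths exercise the same pinned tooling and Kubernetes version. The `tracing-capsule` recipe that this hunk's function context names starts above the hunk.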
@@ -341,8 +341,8 @@ e2e-exec: ginkgo
 $(GINKGO) -v -tags e2e ./e2e
 .PHONY: e2e-destroy
-e2e-destroy:
- kind delete cluster --name capsule
+e2e-destroy: kind
+ $(KIND) delete cluster --name capsule
 SPELL_CHECKER = npx spellchecker-cli
 docs-lint: