ci: generate seccomp profiles

Dockerfile.tracing

@@ -0,0 +1,39 @@
+# Build the manager binary
+FROM golang:1.23.4 as builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+ARG TARGETARCH
+ARG GIT_HEAD_COMMIT
+ARG GIT_TAG_COMMIT
+ARG GIT_LAST_TAG
+ARG GIT_MODIFIED
+ARG GIT_REPO
+ARG BUILD_DATE
+
+# Copy the go source
+COPY main.go main.go
+COPY version.go version.go
+COPY api/ api/
+COPY controllers/ controllers/
+COPY pkg/ pkg/
+
+# Build
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build \
+        -gcflags "-N -l" \
+        -ldflags "-X main.GitRepo=$GIT_REPO -X main.GitTag=$GIT_LAST_TAG -X main.GitCommit=$GIT_HEAD_COMMIT -X main.GitDirty=$GIT_MODIFIED -X main.BuildTime=$BUILD_DATE" \
+        -o manager
+
+# From this stage we add the harpoon container
+# so we will be able to trace syscalls from Capsule.
+FROM alegrey91/harpoon:v0.9.1-rc1
+WORKDIR /
+COPY --from=builder /workspace/manager .
+
+ENTRYPOINT ["/bin/bash"]

Makefile

@@ -171,6 +171,14 @@ ko-build-capsule: ko
 .PHONY: ko-build-all
 ko-build-all: ko-build-capsule
 
+.PHONY: docker-build-capsule-tracing
+docker-build-capsule-tracing:
+	@docker build \
+		--no-cache \
+		-t localhost/capsule-tracing:latest \
+		-f Dockerfile.tracing \
+		.
+
 # Docker Image Publish
 # ------------------
 
@@ -294,10 +302,40 @@ e2e-install: e2e-load-image
 		capsule \
 		./charts/capsule
 
+.PHONY: tracing-install
+tracing-install: tracing-load-image
+	helm upgrade \
+	    --dependency-update \
+		--debug \
+		--install \
+		--namespace capsule-system \
+		--create-namespace \
+		--set 'manager.image.pullPolicy=Never' \
+		--set 'manager.image.registry=localhost' \
+		--set 'manager.image.repository=capsule-tracing' \
+		--set 'manager.resources=null'\
+		--set "manager.image.tag=latest" \
+		--set "manager.image.securityContext.privileged=true" \
+		--set 'manager.livenessProbe.failureThreshold=10' \
+		--set 'manager.readinessProbe.failureThreshold=10' \
+		--values charts/capsule/values-tracing.yaml \
+		capsule \
+		./charts/capsule
+
+tracing-capsule:
+	$(MAKE) docker-build-capsule-tracing
+	@kind create cluster --wait=60s --name capsule-tracing
+	$(MAKE) tracing-install
+	$(MAKE) e2e-exec
+
 .PHONY: e2e-load-image
 e2e-load-image: kind ko-build-all
 	$(KIND) load docker-image --nodes capsule-control-plane --name capsule $(CAPSULE_IMG):$(VERSION)
 
+.PHONY: tracing-load-image
+tracing-load-image:
+	kind load docker-image --nodes capsule-tracing-control-plane --name capsule-tracing localhost/capsule-tracing:latest
+
 .PHONY: e2e-exec
 e2e-exec: ginkgo
 	$(GINKGO) -v -tags e2e ./e2e

charts/capsule/templates/deployment.yaml

@@ -37,6 +37,9 @@ spec:
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       {{- end }}
+      {{- if .Values.manager.hostPID }}
+      hostPID: true
+      {{- end }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -59,13 +62,17 @@ spec:
           secret:
             defaultMode: 420
             secretName: {{ include "capsule.secretTlsName" . }}
+        {{- toYaml .Values.manager.volumes | nindent 8 }}
       containers:
         - name: manager
+          command:
+          {{ toYaml .Values.manager.command | nindent 12 }}
           args:
-          - --webhook-port={{ .Values.manager.webhookPort }}
-          - --enable-leader-election
-          - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
-          - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
+          {{- toYaml .Values.manager.args | nindent 12 }}
+            - --webhook-port={{ .Values.manager.webhookPort }}
+            - --enable-leader-election
+            - --zap-log-level={{ default 4 .Values.manager.options.logLevel }}
+            - --configuration-name={{ .Values.manager.options.capsuleConfiguration }}
           image: {{ include "capsule.managerFullyQualifiedDockerImage" . }}
           imagePullPolicy: {{ .Values.manager.image.pullPolicy }}
           env:
@@ -85,12 +92,13 @@ spec:
           readinessProbe:
             {{- toYaml .Values.manager.readinessProbe | nindent 12}}
           volumeMounts:
-          - mountPath: /tmp/k8s-webhook-server/serving-certs
-            name: cert
-            readOnly: true
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: cert
+              readOnly: true
+          {{- toYaml .Values.manager.volumeMounts | nindent 12 }}
           resources:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml .Values.manager.securityContext | nindent 12 }}
   {{- end }}
 {{- end }}