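---
# This file is generated by 'make generate-manifests'; DO NOT EDIT.
apiVersion: v1
kind: Namespace
metadata:
  name: gadget
---
# Source: gadget/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gadget
  namespace: gadget
---
# Source: gadget/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gadget-cluster-role
rules:
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["services"]
    # list is needed by network-policy gadget
    # watch is needed by operators enriching with service information
    verbs: ["list", "watch"]
  - apiGroups: ["gadget.kinvolk.io"]
    resources: ["traces", "traces/status"]
    # For traces, we need all rights on them as we define this resource.
    verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
  - apiGroups: ["*"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
    # Required to retrieve the owner references used by the seccomp gadget.
    # NOTE(review): the wildcard apiGroup grants "get" on these resource names in
    # every API group, not only in the groups that actually serve them. Listing the
    # serving groups explicitly would be a least-privilege improvement, but it is a
    # change to the template's access scope, so it is left as-is here.
    verbs: ["get"]
  - apiGroups: ["security-profiles-operator.x-k8s.io"]
    resources: ["seccompprofiles"]
    # Required for integration with the Kubernetes Security Profiles Operator
    verbs: ["list", "watch", "create"]
  - apiGroups: ["security.openshift.io"]
    # It is necessary to use the 'privileged' security context constraints to be
    # able to mount host directories as volumes, use the host networking, among others.
    # This will be used only when running on OpenShift:
    # https://docs.openshift.com/container-platform/4.9/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth
    resources: ["securitycontextconstraints"]
    resourceNames: ["privileged"]
    verbs: ["use"]
---
# Source: gadget/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gadget-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gadget-cluster-role
subjects:
  - kind: ServiceAccount
    name: gadget
    namespace: gadget
---
# Source: gadget/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gadget-role
  namespace: gadget
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # get secrets is needed for retrieving pull secret.
    verbs: ["get"]
---
# Source: gadget/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gadget-role-binding
  namespace: gadget
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gadget-role
subjects:
  - kind: ServiceAccount
    name: gadget
    # A ServiceAccount subject of a RoleBinding defaults to the binding's own
    # namespace when omitted; it is spelled out here so the binding reads the
    # same way as the ClusterRoleBinding above.
    namespace: gadget
---
# Source: gadget/templates/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: gadget
  name: gadget
  namespace: gadget
spec:
  selector:
    matchLabels:
      k8s-app: gadget
  template:
    metadata:
      labels:
        k8s-app: gadget
      annotations:
        # We need to set gadget container as unconfined so it is able to write
        # /sys/fs/bpf as well as /sys/kernel/debug/tracing.
        # Otherwise, we can have error like:
        # "failed to create server failed to create folder for pinning bpf maps: mkdir /sys/fs/bpf/gadget: permission denied"
        # (For reference, see: https://github.com/inspektor-gadget/inspektor-gadget/runs/3966318270?check_suite_focus=true#step:20:221)
        container.apparmor.security.beta.kubernetes.io/gadget: "unconfined"
        inspektor-gadget.kinvolk.io/option-hook-mode: "auto"
        # keep aligned with values in pkg/operators/prometheus/prometheus.go
        prometheus.io/scrape: "true"
        prometheus.io/port: "2223"
        prometheus.io/path: "/metrics"
    spec:
      # serviceAccountName is the current PodSpec field; the older serviceAccount
      # field it replaces is deprecated and only kept by the API server as an alias.
      serviceAccountName: gadget
      hostPID: false
      hostNetwork: false
      containers:
        - name: gadget
          terminationMessagePolicy: FallbackToLogsOnError
          # NOTE(review): a mutable "latest" tag together with imagePullPolicy: Always
          # means every pod restart may run a different image than the one that was
          # reviewed. Pinning the release tag (or an image digest) gives reproducible
          # rollouts; the tag value comes from the manifest generator, not this file.
          image: ghcr.io/inspektor-gadget/inspektor-gadget:latest
          imagePullPolicy: Always
          command: ["/entrypoint"]
          lifecycle:
            preStop:
              exec:
                command:
                  - "/cleanup"
          livenessProbe:
            exec:
              command:
                - /bin/gadgettracermanager
                - -liveness
            periodSeconds: 5
            timeoutSeconds: 2
          # The readiness probe deliberately mirrors the liveness probe: the same
          # binary and the same -liveness flag, with the same timings.
          readinessProbe:
            exec:
              command:
                - /bin/gadgettracermanager
                - -liveness
            periodSeconds: 5
            timeoutSeconds: 2
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: GADGET_POD_UID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.uid
            - name: GADGET_IMAGE
              value: "ghcr.io/inspektor-gadget/inspektor-gadget"
            - name: INSPEKTOR_GADGET_VERSION
              value: "latest"
            - name: INSPEKTOR_GADGET_OPTION_HOOK_MODE
              value: "auto"
            - name: INSPEKTOR_GADGET_OPTION_FALLBACK_POD_INFORMER
              value: "true"
            # Make sure to keep these settings in sync with pkg/container-utils/runtime-client/interface.go
            - name: INSPEKTOR_GADGET_CONTAINERD_SOCKETPATH
              value: "/run/containerd/containerd.sock"
            - name: INSPEKTOR_GADGET_CRIO_SOCKETPATH
              value: "/run/crio/crio.sock"
            - name: INSPEKTOR_GADGET_DOCKER_SOCKETPATH
              value: "/run/docker.sock"
            - name: HOST_ROOT
              value: "/host"
            - name: IG_EXPERIMENTAL
              value: "false"
            - name: EVENTS_BUFFER_LENGTH
              value: "16384"
            - name: GADGET_TRACER_MANAGER_LOG_LEVEL
              value: "info"
          securityContext:
            # With hostPID/hostNetwork/privileged [1] set to false, we need to set appropriate
            # SELinux context [2] to be able to mount host directories with correct permissions.
            # This option is ignored if hostPID/hostNetwork/privileged is set to true or SELinux isn't enabled.
            # See:
            # 1 - https://github.com/cri-o/cri-o/blob/v1.27.0/server/sandbox_run_linux.go#L537
            # 2 - https://github.com/cri-o/cri-o/blob/v1.27.0/server/container_create_linux.go#L310
            seLinuxOptions:
              type: "spc_t"
            capabilities:
              # Start from an empty capability set and add back only what the
              # tracer manager and the gadgets demonstrably need (reasons below).
              drop:
                - ALL
              add:
                # We need CAP_SYS_ADMIN for gadgettracermanager due to several
                # syscalls:
                # - bpf(): It often checks if SYS_ADMIN is set, among others
                # there:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/bpf/syscall.c#L2602
                # - perf_event_open(): The kernel checks if CAP_PERFMON or
                # CAP_SYS_ADMIN is set:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/events/core.c#L12406-L12409
                # - fanotify_init(): CAP_SYS_ADMIN is required to use all the
                # functionalities offered by fanotify:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/notify/fanotify/fanotify_user.c#L1404
                # - fanotify_mark(): This capability is required to setup mount
                # or filesystem marks:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/notify/fanotify/fanotify_user.c#L1745-L1754
                # - mount(): We need this capability to modify the caller
                # namespace:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/namespace.c#L1844-L1846
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/namespace.c#L3609
                # - setns(): SYS_ADMIN is needed to install various namespaces:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5ba9292eda36fd8e3c11f35ee065c/kernel/nsproxy.c#L574
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/cgroup/namespace.c#L103-L105
                - SYS_ADMIN

                # We need this capability to get addresses from /proc/kallsyms.
                # Without it, addresses displayed when reading this file will be
                # 0.
                # Indeed, the socket-enricher needs to get the socket_file_ops
                # to work correctly:
                # https://github.com/inspektor-gadget/inspektor-gadget/blob/69692d54d951/pkg/gadgets/internal/socketenricher/tracer.go#L75
                - SYSLOG

                # Accessing some procfs files such as /proc/$pid/ns/mnt
                # requires ptrace capability:
                # https://github.com/inspektor-gadget/inspektor-gadget/blob/3c51ff5e9f5b/pkg/utils/host/namespaces.go#L65
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/proc/namespaces.c#L58
                - SYS_PTRACE

                # Needed by RemoveMemlock in gadgettracermanager:
                # https://github.com/inspektor-gadget/inspektor-gadget/blob/f2b9826fc4ae046415cdee30ee4a25322fd3f0c0/pkg/gadgettracermanager/gadgettracermanager.go#L258
                - SYS_RESOURCE

                # Needed by mmap() called by gadgettracermanager:
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/mm/mmap.c#L1281
                # https://github.com/torvalds/linux/blob/c42d9eeef8e5/mm/mmap.c#L1161-L1162
                - IPC_LOCK

                # Needed by gadgets that open a raw sock like dns and snisnoop:
                # https://github.com/inspektor-gadget/inspektor-gadget/blob/3c51ff5e9f5b/gadgets/trace_dns/program.bpf.c#L365-L366
                - NET_RAW

                # Needed to attach qdiscs and filters to network interfaces. See createClsActQdisc()
                # and addTCFilter() in pkg/gadgets/internal/tcnetworktracer/tc.go
                - NET_ADMIN
          volumeMounts:
            - mountPath: /host/bin
              name: bin
              readOnly: true
            # We need to have read/write as we write NRI and OCI config files
            # here.
            - mountPath: /host/etc
              name: etc
              readOnly: false
            # We need to have read/write as we write NRI and OCI binaries here.
            - mountPath: /host/opt
              name: opt
              readOnly: false
            - mountPath: /host/usr
              name: usr
              readOnly: true
            - mountPath: /host/run
              name: run
              readOnly: true
            - mountPath: /host/var
              name: var
              readOnly: true
            # WARNING Despite mounting host proc as readonly, it is possible to
            # write host file system using symlinks under /host/proc. The
            # following command, run from the gadget pod, will result in writing to
            # the host filesystem:
            # touch /host/proc/1/root/foobar
            # This limitation comes from Inspektor Gadget needing to be run as
            # unconfined with regard to AppArmor and having the SYS_PTRACE
            # capability.
            - mountPath: /host/proc
              name: proc
              readOnly: true
            # The host's /run is mounted a second time here, without readOnly,
            # so this path is writable from the container while /host/run above
            # is not. Presumably needed for the runtime sockets listed in env;
            # confirm against the entrypoint before narrowing it.
            - mountPath: /run
              name: run
            - mountPath: /sys/kernel/debug
              name: debugfs
            - mountPath: /sys/fs/cgroup
              name: cgroup
            - mountPath: /sys/fs/bpf
              name: bpffs
      nodeSelector:
        kubernetes.io/os: linux
      affinity: {}
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
      volumes:
        # /bin is needed to find runc.
        - name: bin
          hostPath:
            path: /bin
        # /etc is needed for several reasons:
        # 1. entrypoint needs /etc/os-release to print information.
        # 2. entrypoint needs /etc/nri to handle NRI hooks
        # 3. entrypoint needs /etc/containers/oci to handle OCI hooks.
        - name: etc
          hostPath:
            path: /etc
        # /opt is needed for several reasons:
        # 1. entrypoint needs /opt/nri to handle NRI hooks.
        # 2. entrypoint needs /opt/hooks/oci to handle OCI hooks.
        - name: opt
          hostPath:
            path: /opt
        # /usr is needed to find runc.
        - name: usr
          hostPath:
            path: /usr
        - name: proc
          hostPath:
            path: /proc
        - name: run
          hostPath:
            path: /run
        # /var is needed by container-hook to fanotify mark certain directories
        # e.g. needed in case of docker runtime on minikube (driver=kvm2)
        - name: var
          hostPath:
            path: /var
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
        - name: bpffs
          hostPath:
            path: /sys/fs/bpf
        - name: debugfs
          hostPath:
            path: /sys/kernel/debug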