
     1  ---
     2  # This file is generated by 'make generate-manifests'; DO NOT EDIT.
     3  apiVersion: v1
     4  kind: Namespace
     5  metadata:
     6    name: gadget
     7  ---
     8  # Source: gadget/templates/serviceaccount.yaml
     9  apiVersion: v1
    10  kind: ServiceAccount
    11  metadata:
    12    name: gadget
    13    namespace: gadget
    14  ---
    15  # Source: gadget/templates/clusterrole.yaml
    16  apiVersion: rbac.authorization.k8s.io/v1
    17  kind: ClusterRole
    18  metadata:
    19    name: gadget-cluster-role
    20  rules:
    21    - apiGroups: [""]
    22      resources: ["namespaces", "nodes", "pods"]
    23      verbs: ["get", "watch", "list"]
    24    - apiGroups: [""]
    25      resources: ["services"]
    26      # list is needed by network-policy gadget
    27      # watch is needed by operators enriching events with service information
    28      verbs: ["list", "watch"]
    29    - apiGroups: ["gadget.kinvolk.io"]
    30      resources: ["traces", "traces/status"]
    31      # For traces, we need all rights on them as we define this resource.
    32      verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
    33    - apiGroups: ["*"]
    34      resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
    35      # Required to retrieve the owner references used by the seccomp gadget.
    36      verbs: ["get"]
    37    - apiGroups: ["security-profiles-operator.x-k8s.io"]
    38      resources: ["seccompprofiles"]
    39      # Required for integration with the Kubernetes Security Profiles Operator
    40      verbs: ["list", "watch", "create"]
    41    - apiGroups: ["security.openshift.io"]
    42      # It is necessary to use the 'privileged' security context constraints to be
    43      # able to mount host directories as volumes, use the host networking, among others.
    44      # This will be used only when running on OpenShift:
    45      # https://docs.openshift.com/container-platform/4.9/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth
    46      resources: ["securitycontextconstraints"]
    47      resourceNames: ["privileged"]
    48      verbs: ["use"]
    49  ---
    50  # Source: gadget/templates/clusterrolebinding.yaml
    51  apiVersion: rbac.authorization.k8s.io/v1
    52  kind: ClusterRoleBinding
    53  metadata:
    54    name: gadget-cluster-role-binding
    55  roleRef:
    56    apiGroup: rbac.authorization.k8s.io
    57    kind: ClusterRole
    58    name: gadget-cluster-role
    59  subjects:
    60    - kind: ServiceAccount
    61      name: gadget
    62      namespace: gadget
    63  ---
    64  # Source: gadget/templates/role.yaml
    65  apiVersion: rbac.authorization.k8s.io/v1
    66  kind: Role
    67  metadata:
    68    name: gadget-role
    69    namespace: gadget
    70  rules:
    71    - apiGroups: [ "" ]
    72      resources: [ "secrets" ]
    73      # get secrets is needed for retrieving pull secret.
    74      verbs: [ "get" ]
    75  ---
    76  # Source: gadget/templates/rolebinding.yaml
    77  apiVersion: rbac.authorization.k8s.io/v1
    78  kind: RoleBinding
    79  metadata:
    80    name: gadget-role-binding
    81    namespace: gadget
    82  roleRef:
    83    apiGroup: rbac.authorization.k8s.io
    84    kind: Role
    85    name: gadget-role
    86  subjects:
    87    - kind: ServiceAccount
    88      name: gadget
    89  ---
    90  # Source: gadget/templates/daemonset.yaml
    91  apiVersion: apps/v1
    92  kind: DaemonSet
    93  metadata:
    94    labels:
    95      k8s-app: gadget
    96    name: gadget
    97    namespace: gadget
    98  spec:
    99    selector:
   100      matchLabels:
   101        k8s-app: gadget
   102    template:
   103      metadata:
   104        labels:
   105          k8s-app: gadget
   106        annotations:
   107          # We need to set gadget container as unconfined so it is able to write
   108          # /sys/fs/bpf as well as /sys/kernel/debug/tracing.
   109          # Otherwise, we can have error like:
   110          # "failed to create server failed to create folder for pinning bpf maps: mkdir /sys/fs/bpf/gadget: permission denied"
   111          # (For reference, see: https://github.com/inspektor-gadget/inspektor-gadget/runs/3966318270?check_suite_focus=true#step:20:221)
   112          container.apparmor.security.beta.kubernetes.io/gadget: "unconfined"
   113          inspektor-gadget.kinvolk.io/option-hook-mode: "auto"
   114          # keep aligned with values in pkg/operators/prometheus/prometheus.go
   115          prometheus.io/scrape: "true"
   116          prometheus.io/port: "2223"
   117          prometheus.io/path: "/metrics"
   118      spec:
   119        serviceAccount: gadget
   120        hostPID: false
   121        hostNetwork: false
   122        containers:
   123          - name: gadget
   124            terminationMessagePolicy: FallbackToLogsOnError
   125            image: ghcr.io/inspektor-gadget/inspektor-gadget:latest
   126            imagePullPolicy: Always
   127            command: [ "/entrypoint" ]
   128            lifecycle:
   129              preStop:
   130                exec:
   131                  command:
   132                    - "/cleanup"
   133            livenessProbe:
   134              exec:
   135                command:
   136                  - /bin/gadgettracermanager
   137                  - -liveness
   138              periodSeconds: 5
   139              timeoutSeconds: 2
   140            readinessProbe:
   141              exec:
   142                command:
   143                  - /bin/gadgettracermanager
   144                  - -liveness
   145              periodSeconds: 5
   146              timeoutSeconds: 2
   147            env:
   148              - name: NODE_NAME
   149                valueFrom:
   150                  fieldRef:
   151                    fieldPath: spec.nodeName
   152              - name: GADGET_POD_UID
   153                valueFrom:
   154                  fieldRef:
   155                    fieldPath: metadata.uid
   156              - name: GADGET_IMAGE
   157                value: "ghcr.io/inspektor-gadget/inspektor-gadget"
   158              - name: INSPEKTOR_GADGET_VERSION
   159                value: "latest"
   160              - name: INSPEKTOR_GADGET_OPTION_HOOK_MODE
   161                value: "auto"
   162              - name: INSPEKTOR_GADGET_OPTION_FALLBACK_POD_INFORMER
   163                value: "true"
   164              # Make sure to keep these settings in sync with pkg/container-utils/runtime-client/interface.go
   165              - name: INSPEKTOR_GADGET_CONTAINERD_SOCKETPATH
   166                value: "/run/containerd/containerd.sock"
   167              - name: INSPEKTOR_GADGET_CRIO_SOCKETPATH
   168                value: "/run/crio/crio.sock"
   169              - name: INSPEKTOR_GADGET_DOCKER_SOCKETPATH
   170                value: "/run/docker.sock"
   171              - name: HOST_ROOT
   172                value: "/host"
   173              - name: IG_EXPERIMENTAL
   174                value: "false"
   175              - name: EVENTS_BUFFER_LENGTH
   176                value: "16384"
   177              - name: GADGET_TRACER_MANAGER_LOG_LEVEL
   178                value: "info"
   179            securityContext:
   180              # With hostPID/hostNetwork/privileged [1] set to false, we need to set appropriate
   181              # SELinux context [2] to be able to mount host directories with correct permissions.
   182              # This option is ignored if hostPID/hostNetwork/privileged is set to true or SELinux isn't enabled.
   183              # See:
   184              # 1 - https://github.com/cri-o/cri-o/blob/v1.27.0/server/sandbox_run_linux.go#L537
   185              # 2 - https://github.com/cri-o/cri-o/blob/v1.27.0/server/container_create_linux.go#L310
   186              seLinuxOptions:
   187                type: "spc_t"
   188              capabilities:
   189                drop:
   190                  - ALL
   191                add:
   192                  # We need CAP_SYS_ADMIN for gadgettracermanager due to several
   193                  # syscalls:
   194                  # - bpf(): it checks whether SYS_ADMIN is set in several places,
   195                  #   for example here:
   196                  #   https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/bpf/syscall.c#L2602
   197                  # - perf_event_open(): The kernel checks if CAP_PERFMON or
   198                  #   CAP_SYS_ADMIN is set:
   199                  #   https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/events/core.c#L12406-L12409
   200                  # - fanotify_init(): CAP_SYS_ADMIN is required to use all the
   201                  #   functionalities offered by fanotify:
   202                  #   https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/notify/fanotify/fanotify_user.c#L1404
   203                  # - fanotify_mark(): This capability is required to setup mount
   204                  #   or filesystem marks:
   205                  #   https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/notify/fanotify/fanotify_user.c#L1745-L1754
   206                  # - mount(): We need this capability to modify the caller
   207                  #   namespace:
   208                  #   https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/namespace.c#L1844-L1846
   209                  #   https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/namespace.c#L3609
   210                  # - setns(): SYS_ADMIN is needed to install various namespaces:
   211                  #   https://github.com/torvalds/linux/blob/c42d9eeef8e5ba9292eda36fd8e3c11f35ee065c/kernel/nsproxy.c#L574
   212                  #   https://github.com/torvalds/linux/blob/c42d9eeef8e5/kernel/cgroup/namespace.c#L103-L105
   213                  - SYS_ADMIN
   214  
   215                  # We need this capability to get addresses from /proc/kallsyms.
   216                  # Without it, addresses displayed when reading this file will be
   217                  # 0.
   218                  # Indeed, the socket-enricher needs to get the socket_file_ops
   219                  # to work correctly:
   220                  # https://github.com/inspektor-gadget/inspektor-gadget/blob/69692d54d951/pkg/gadgets/internal/socketenricher/tracer.go#L75
   221                  - SYSLOG
   222  
   223                  # Accessing some procfs files such as /proc/$pid/ns/mnt
   224                  # requires ptrace capability:
   225                  # https://github.com/inspektor-gadget/inspektor-gadget/blob/3c51ff5e9f5b/pkg/utils/host/namespaces.go#L65
   226                  # https://github.com/torvalds/linux/blob/c42d9eeef8e5/fs/proc/namespaces.c#L58
   227                  - SYS_PTRACE
   228  
   229                  # Needed by RemoveMemlock in gadgettracermanager:
   230                  # https://github.com/inspektor-gadget/inspektor-gadget/blob/f2b9826fc4ae046415cdee30ee4a25322fd3f0c0/pkg/gadgettracermanager/gadgettracermanager.go#L258
   231                  - SYS_RESOURCE
   232  
   233                  # Needed by mmap() called by gadgettracermanager:
   234                  # https://github.com/torvalds/linux/blob/c42d9eeef8e5/mm/mmap.c#L1281
   235                  # https://github.com/torvalds/linux/blob/c42d9eeef8e5/mm/mmap.c#L1161-L1162
   236                  - IPC_LOCK
   237  
   238                  # Needed by gadgets that open a raw sock like dns and snisnoop:
   239                  # https://github.com/inspektor-gadget/inspektor-gadget/blob/3c51ff5e9f5b/gadgets/trace_dns/program.bpf.c#L365-L366
   240                  - NET_RAW
   241  
   242                  # Needed to attach qdiscs and filters to network interfaces. See createClsActQdisc()
   243                  # and addTCFilter() in pkg/gadgets/internal/tcnetworktracer/tc.go
   244                  - NET_ADMIN
   245            volumeMounts:
   246              - mountPath: /host/bin
   247                name: bin
   248                readOnly: true
   249              # We need to have read/write as we write NRI and OCI config files
   250              # here.
   251              - mountPath: /host/etc
   252                name: etc
   253                readOnly: false
   254              # We need to have read/write as we write NRI and OCI binaries here.
   255              - mountPath: /host/opt
   256                name: opt
   257                readOnly: false
   258              - mountPath: /host/usr
   259                name: usr
   260                readOnly: true
   261              - mountPath: /host/run
   262                name: run
   263                readOnly: true
   264              - mountPath: /host/var
   265                name: var
   266                readOnly: true
   267              # WARNING Despite mounting host proc as readonly, it is possible to
   268              # write host file system using symlinks under /host/proc. The
   269              # following command, run from the gadget pod, will result in writing to
   270              # the host filesystem:
   271              # touch /host/proc/1/root/foobar
   272              # This limitation comes from Inspektor Gadget needing to be run as
   273              # unconfined with regard to AppArmor and having the SYS_PTRACE
   274              # capability.
   275              - mountPath: /host/proc
   276                name: proc
   277                readOnly: true
   278              - mountPath: /run
   279                name: run
   280              - mountPath: /sys/kernel/debug
   281                name: debugfs
   282              - mountPath: /sys/fs/cgroup
   283                name: cgroup
   284              - mountPath: /sys/fs/bpf
   285                name: bpffs
   286        nodeSelector:
   287          kubernetes.io/os: linux
   288        affinity:
   289          {}
   290        tolerations:
   291          - effect: NoSchedule
   292            operator: Exists
   293          - effect: NoExecute
   294            operator: Exists
   295        volumes:
   296          # /bin is needed to find runc.
   297          - name: bin
   298            hostPath:
   299              path: /bin
   300          # /etc is needed for several reasons:
   301          # 1. entrypoint needs /etc/os-release to print information.
   302          # 2. entrypoint needs /etc/nri to handle NRI hooks
   303          # 3. entrypoint needs /etc/containers/oci to handle OCI hooks.
   304          - name: etc
   305            hostPath:
   306              path: /etc
   307          # /opt is needed for several reasons:
   308          # 1. entrypoint needs /opt/nri to handle NRI hooks.
   309          # 2. entrypoint needs /opt/hooks/oci to handle OCI hooks.
   310          - name: opt
   311            hostPath:
   312              path: /opt
   313          # /usr is needed to find runc.
   314          - name: usr
   315            hostPath:
   316              path: /usr
   317          - name: proc
   318            hostPath:
   319              path: /proc
   320          - name: run
   321            hostPath:
   322              path: /run
   323          # /var is needed by container-hook to fanotify-mark certain directories,
   324          # e.g. needed in case of docker runtime on minikube (driver=kvm2)
   325          - name: var
   326            hostPath:
   327              path: /var
   328          - name: cgroup
   329            hostPath:
   330              path: /sys/fs/cgroup
   331          - name: bpffs
   332            hostPath:
   333              path: /sys/fs/bpf
   334          - name: debugfs
   335            hostPath:
   336              path: /sys/kernel/debug