-
Notifications
You must be signed in to change notification settings - Fork 111
/
unprivileged.yaml
173 lines (173 loc) · 4.83 KB
/
unprivileged.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
---
apiVersion: v1
kind: Namespace
metadata:
name: beyla-demo
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: beyla
namespace: beyla-demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: beyla-demo
name: beyla-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: beyla-role-binding
namespace: beyla-demo
subjects:
- kind: ServiceAccount
name: beyla
roleRef:
kind: Role
name: beyla-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: beyla-cluster-role
rules:
- apiGroups: [""]
resources: ["namespaces", "nodes", "pods"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
# list and watch services are needed by network-policy beyla.
verbs: ["list", "watch"]
- apiGroups: ["*"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
# Required to retrieve the owner references used by the seccomp beyla.
verbs: ["get", "list", "watch"]
- apiGroups: ["security-profiles-operator.x-k8s.io"]
resources: ["seccompprofiles"]
# Required for integration with the Kubernetes Security Profiles Operator
verbs: ["list", "watch", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: beyla-cluster-role-binding
subjects:
- kind: ServiceAccount
name: beyla
namespace: beyla-demo
roleRef:
kind: ClusterRole
name: beyla-cluster-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: beyla
namespace: beyla-demo
labels:
k8s-app: beyla
spec:
selector:
matchLabels:
k8s-app: beyla
template:
metadata:
labels:
k8s-app: beyla
spec:
serviceAccount: beyla
hostPID: true # <-- Important. Required in Daemonset mode so Beyla can discover all monitored processes
containers:
- name: beyla
terminationMessagePolicy: FallbackToLogsOnError
image: grafana/beyla:latest
env:
- name: BEYLA_TRACE_PRINTER
value: "text"
- name: BEYLA_EXECUTABLE_NAME
value: "greetings"
- name: BEYLA_SERVICE_NAMESPACE
value: "k8s-test"
- name: BEYLA_LOG_LEVEL
value: "INFO"
- name: BEYLA_INTERNAL_METRICS_PROMETHEUS_PORT
value: "8999"
- name: BEYLA_KUBE_METADATA_ENABLE
value: "autodetect"
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
runAsUser: 0
readOnlyRootFilesystem: true
capabilities:
add:
- BPF # <-- Important. Required for most eBPF probes to function correctly.
- SYS_PTRACE # <-- Important. Allows Beyla to access the container namespaces and inspect executables.
- NET_RAW # <-- Important. Allows Beyla to use socket filters for http requests.
- CHECKPOINT_RESTORE # <-- Important. Allows Beyla to open ELF files.
- DAC_READ_SEARCH # <-- Important. Allows Beyla to open ELF files.
- PERFMON # <-- Important. Allows Beyla to load BPF programs.
#- SYS_RESOURCE # <-- pre 5.11 only. Allows Beyla to increase the amount of locked memory.
#- SYS_ADMIN # <-- Required for Go application trace context propagation, or if kernel.perf_event_paranoid >= 3 on Debian distributions.
drop:
- ALL
volumeMounts:
- name: var-run-beyla
mountPath: /var/run/beyla
- name: cgroup
mountPath: /sys/fs/cgroup
tolerations:
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- name: var-run-beyla
emptyDir: {}
- name: cgroup
hostPath:
path: /sys/fs/cgroup
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: rust-service
namespace: beyla-demo
labels:
k8s-app: rust-service
spec:
selector:
matchLabels:
k8s-app: rust-service
template:
metadata:
labels:
k8s-app: rust-service
spec:
serviceAccount: beyla
containers:
- name: rust-service
image: 'ghcr.io/grafana/beyla-demo/greeting-actix-rust/0.0.1'
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8090
hostPort: 8090
name: service
resources:
limits:
memory: 120Mi
securityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
---