From 6d7f078fac5c8d6c9724584c9d027aeb6e7c6fbb Mon Sep 17 00:00:00 2001
From: Kornilios Kourtis
Date: Thu, 14 Sep 2023 13:21:09 +0200
Subject: [PATCH] localdev: mount proper proc fs in kind

This patch modifies the localdev scripts to mount the actual host /proc in the tetragon container when using kind. This eliminates the warning introduced in the previous commits.

To this end, this patch introduces a new helm variable to specify the path of the proc filesystem in the runtime.

Signed-off-by: Kornilios Kourtis
---
 contrib/localdev/bootstrap-kind-cluster.sh | 4 ++--
 contrib/localdev/install-tetragon.sh | 5 +++++
 contrib/localdev/kind-config.yaml | 8 ++++++++
 docs/content/en/docs/reference/helm-chart.md | 1 +
 install/kubernetes/README.md | 1 +
 install/kubernetes/templates/daemonset.yaml | 2 +-
 install/kubernetes/values.yaml | 4 ++++
 7 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 contrib/localdev/kind-config.yaml

diff --git a/contrib/localdev/bootstrap-kind-cluster.sh b/contrib/localdev/bootstrap-kind-cluster.sh
index 1ec8f7a7b5a..f7e7efb3c3d 100755
--- a/contrib/localdev/bootstrap-kind-cluster.sh
+++ b/contrib/localdev/bootstrap-kind-cluster.sh
@@ -40,7 +40,7 @@ done
 bootstrap_cluster() {
 if ! kind get clusters | grep "$CLUSTER_NAME" &>/dev/null; then
 echo "Creating a new cluster \"$CLUSTER_NAME\"..." 1>&2
- kind create cluster --name "$CLUSTER_NAME" --wait=2m
+ kind create cluster --name "$CLUSTER_NAME" --config ./contrib/localdev/kind-config.yaml --wait=2m
 else
 if [ "$FORCE" != 1 ]; then
 echo "Cluster already exists... Exiting... (Re-run with -f to force.)" 1>&2
@@ -48,7 +48,7 @@ bootstrap_cluster() {
 else
 echo "Recreating cluster..." 1>&2
 kind delete cluster --name "$CLUSTER_NAME"
- kind create cluster --name "$CLUSTER_NAME" --wait=5m
+ kind create cluster --name "$CLUSTER_NAME" --config ./contrib/localdev/kind-config.yaml --wait=5m
 fi
 fi
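Review bot: The new `--config ./contrib/localdev/kind-config.yaml` argument is a path relative to the current working directory, so `kind create cluster` fails with a missing-file error whenever the script is invoked from anywhere but the repository root; the second hunk (the `--wait=5m` call around line 51) has the same issue. Resolving the file against the script's own location removes that dependency: `kind create cluster --name "$CLUSTER_NAME" --config "$(dirname "$0")/kind-config.yaml" --wait=2m`, with the matching change on the `--wait=5m` line. If the script already enforces running from the repository root earlier (not visible in the hunk), a short comment next to the new argument saying so would be enough. The bootstrap_cluster function starts in the first hunk and ends outside it.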
diff --git a/contrib/localdev/install-tetragon.sh b/contrib/localdev/install-tetragon.sh
index 8a784c092bb..90b83db2ea8 100755
--- a/contrib/localdev/install-tetragon.sh
+++ b/contrib/localdev/install-tetragon.sh
@@ -90,6 +90,11 @@ if [ -n "$VALUES" ]; then
 fi
 helm_opts+=("tetragon" "./install/kubernetes")
+if [ "$IS_KIND" == 1 ]; then
+ # NB: configured in kind-config.yaml
+ helm_opts+=("--set" "tetragon.hostProcPath=/procHost")
+fi
+
 echo "Installing Tetragon in cluster..." 1>&2
 helm upgrade --install "${helm_opts[@]}"
diff --git a/contrib/localdev/kind-config.yaml b/contrib/localdev/kind-config.yaml
new file mode 100644
index 00000000000..96ffdfbf944
--- /dev/null
+++ b/contrib/localdev/kind-config.yaml
@@ -0,0 +1,8 @@
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+nodes:
+ - role: control-plane
+ extraMounts:
+ - hostPath: /proc
+ containerPath: /procHost
+
diff --git a/docs/content/en/docs/reference/helm-chart.md b/docs/content/en/docs/reference/helm-chart.md
index be3bcb7ad05..60bde448131 100644
--- a/docs/content/en/docs/reference/helm-chart.md
+++ b/docs/content/en/docs/reference/helm-chart.md
@@ -86,6 +86,7 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragon.gops.port | int | `8118` | The port at which to expose gops. |
 | tetragon.grpc.address | string | `"localhost:54321"` | The address at which to expose gRPC. Examples: localhost:54321, unix:///var/run/tetragon/tetragon.sock |
 | tetragon.grpc.enabled | bool | `true` | Whether to enable exposing Tetragon gRPC. |
+| tetragon.hostProcPath | string | `"/proc"` | Location of the host proc filesystem in the runtime environment. If the runtime runs in the host, the path is /proc. Exceptions to this are environments like kind, where the runtime itself does not run on the host. |
 | tetragon.image.override | string | `nil` | |
 | tetragon.image.repository | string | `"quay.io/cilium/tetragon"` | |
 | tetragon.image.tag | string | `"v0.11.0"` | |
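Review bot: The `--set tetragon.hostProcPath=/procHost` is appended after the user-supplied values file handled by the `$VALUES` branch just above the hunk, and Helm gives `--set` precedence over `--values`, so with `IS_KIND=1` a hostProcPath chosen in a custom values file is silently overridden. If that is intended the NB comment should say so, e.g. `# NB: configured in kind-config.yaml; overrides any hostProcPath given via $VALUES`; otherwise add the flag only when the user has not supplied one. The `/procHost` literal also has to be kept in sync by hand with `containerPath` in kind-config.yaml; a comment in each file pointing at the other (or a single shared variable) makes that coupling visible. The enclosing script continues outside the hunk.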
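Review bot: The `extraMounts` entry exposes the host's entire `/proc` inside the kind node container without a `readOnly` flag, and the new file carries no comment explaining why the mount exists. A header comment such as `# Mount the host /proc at /procHost so the Tetragon pod sees host processes; install-tetragon.sh passes this path as tetragon.hostProcPath` ties the two files together, and if Tetragon only reads from this tree, `readOnly: true` on the mount narrows what a compromised node container could do with it. Note that only the `control-plane` node carries the mount; because the DaemonSet template uses `type: Directory` for this hostPath, a worker node added to this config later without the same `extraMounts` entry would leave its Tetragon pod unable to mount `/procHost`.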
diff --git a/install/kubernetes/README.md b/install/kubernetes/README.md
index f0a3c656120..a85d4935d3a 100644
--- a/install/kubernetes/README.md
+++ b/install/kubernetes/README.md
@@ -69,6 +69,7 @@ Helm chart for Tetragon
 | tetragon.gops.port | int | `8118` | The port at which to expose gops. |
 | tetragon.grpc.address | string | `"localhost:54321"` | The address at which to expose gRPC. Examples: localhost:54321, unix:///var/run/tetragon/tetragon.sock |
 | tetragon.grpc.enabled | bool | `true` | Whether to enable exposing Tetragon gRPC. |
+| tetragon.hostProcPath | string | `"/proc"` | Location of the host proc filesystem in the runtime environment. If the runtime runs in the host, the path is /proc. Exceptions to this are environments like kind, where the runtime itself does not run on the host. |
 | tetragon.image.override | string | `nil` | |
 | tetragon.image.repository | string | `"quay.io/cilium/tetragon"` | |
 | tetragon.image.tag | string | `"v0.11.0"` | |
diff --git a/install/kubernetes/templates/daemonset.yaml b/install/kubernetes/templates/daemonset.yaml
index 7bed4bb43d1..23d7ecbda0b 100644
--- a/install/kubernetes/templates/daemonset.yaml
+++ b/install/kubernetes/templates/daemonset.yaml
@@ -89,7 +89,7 @@ spec:
 type: DirectoryOrCreate
 - name: host-proc
 hostPath:
- path: /proc
+ path: {{ .Values.tetragon.hostProcPath }}
 type: Directory
 {{- if not .Values.tetragon.btf }}
 - emptyDir: {}
diff --git a/install/kubernetes/values.yaml b/install/kubernetes/values.yaml
index 0f8791c5336..3da34f12913 100644
--- a/install/kubernetes/values.yaml
+++ b/install/kubernetes/values.yaml
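Review bot: The templated `path: {{ .Values.tetragon.hostProcPath }}` is emitted unquoted, so a value containing YAML-significant characters (a leading `*` or `#`, a `: ` sequence) or an empty string renders a misparsed or invalid manifest instead of a clear error; `path: {{ .Values.tetragon.hostProcPath | quote }}` keeps the rendered volume well-formed for any string. Because `type: Directory` on the following line makes kubelet refuse to start the pod when the path is absent on the node, a guard such as `path: {{ required "tetragon.hostProcPath must be set" .Values.tetragon.hostProcPath | quote }}` surfaces a missing value at install time rather than as a pod stuck in ContainerCreating. The volumes list this entry belongs to continues outside the hunk.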
@@ -151,6 +151,10 @@ tetragon:
 enablePolicyFilterDebug: false
 # Enable latency monitoring in message handling
 enableMsgHandlingLatency: false
+ # -- Location of the host proc filesystem in the runtime environment. If the runtime runs in the
+ # host, the path is /proc. Exceptions to this are environments like kind, where the runtime itself
+ # does not run on the host.
+ hostProcPath: "/proc"
 tetragonOperator:
 # -- tetragon-operator image.
 image: