ci: generate seccomp profile within pipeline #1325
Conversation
✅ Deploy Preview for capsule-documentation canceled.
|
Signed-off-by: Alessio Greggi <[email protected]>
alegrey91
force-pushed
the
ci/harpoon-integration
branch
from
2816ee9 to
62f2e5f
Compare
alegrey91
changed the title
alegrey91
changed the title
There was a problem hiding this comment.
Hey @alegrey91 great tool, hope we can get you gain some traction as example. I have requested changes regarding the chart
Makefile
Outdated
| harpoon: ## Download harpoon locally if necessary. | ||
| @curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \ | ||
| sudo bash -s -- --install-version $(HARPOON_VERSION) |
There was a problem hiding this comment.
Not a big fan of this, we should try to install binaries into the project's bin/ folder, i am assuming this is going to install harpoon at system level. Since it,s go, can't we make a target like the other binary dependencies:
HARPOON = $(shell pwd)/bin/harpoon
HARPOON_VERSION = v0.9.4
harpoon:
$(call go-install-tool,$(HARPOON),github.com/alegrey91/harpoon@$(HARPOON_VERSION))
There was a problem hiding this comment.
Hi @oliverbaehler, unfortunately I don't think we can currently use go install with harpoon.
The project has a complex toolchain that requires a separated compilation of the ebpf object.
About the installation directory, I think this is fine, I can set the location through the install script.
| {{- if .Values.manager.securityContext }} | ||
| {{- toYaml .Values.manager.securityContext | nindent 12 }} | ||
| {{- else }} | ||
| {{- toYaml .Values.securityContext | nindent 12 }} | ||
| {{- end }} |
There was a problem hiding this comment.
Just use securityContext ? Or what's the reason here
There was a problem hiding this comment.
.Values.securityContext is used by kubelet image.
.Values.manager.securityContext is used only by the capsule image when built for tracing.
When we don't set .Values.manager.securityContext, then .Values.securityContext come into play for both the images.
Does it make sense to you?
There was a problem hiding this comment.
Which kubelet image? We just have the manager that we are deploying..
ARe you talking about this here:
trace-install: trace-load-image
helm upgrade \
--dependency-update \
--debug \
--install \
--namespace capsule-system \
--create-namespace \
--set 'manager.image.pullPolicy=Never' \
--set 'manager.image.registry=localhost' \
--set 'manager.image.repository=capsule-tracing' \
--set 'manager.resources=null'\
--set "manager.image.tag=latest" \
--set "manager.image.securityContext.privileged=true" \
--set 'manager.livenessProbe.failureThreshold=10' \
--set 'manager.readinessProbe.failureThreshold=10' \
--values charts/capsule/values-tracing.yaml \
capsule \
./charts/capsule
This specifcally manager.image.securityContext.privileged=true (This path is wrong btw)? So the rest of the securitycontext is too restrictive? Otherwise make sure it points to the same values in the Makefile as in the chart values
There was a problem hiding this comment.
Sorry, I meant the kubectl image which is mentioned in the values.yaml.
The point is that .Values.securityContext is shared between the capsule Deployment and the kubectl Job, so in order to be able to overwrite only the capsule Deployment I created a dedicated item for it.
There was a problem hiding this comment.
Jobs take sec from .Vales.global.jobs.kubectl.securityContext, they are no longer shared
| {{- if .Values.manager.securityContext }} | ||
| {{- toYaml .Values.manager.securityContext | nindent 12 }} | ||
| {{- else }} | ||
| {{- toYaml .Values.securityContext | nindent 12 }} | ||
| {{- end }} |
There was a problem hiding this comment.
Which kubelet image? We just have the manager that we are deploying..
ARe you talking about this here:
trace-install: trace-load-image
helm upgrade \
--dependency-update \
--debug \
--install \
--namespace capsule-system \
--create-namespace \
--set 'manager.image.pullPolicy=Never' \
--set 'manager.image.registry=localhost' \
--set 'manager.image.repository=capsule-tracing' \
--set 'manager.resources=null'\
--set "manager.image.tag=latest" \
--set "manager.image.securityContext.privileged=true" \
--set 'manager.livenessProbe.failureThreshold=10' \
--set 'manager.readinessProbe.failureThreshold=10' \
--values charts/capsule/values-tracing.yaml \
capsule \
./charts/capsule
This specifcally manager.image.securityContext.privileged=true (This path is wrong btw)? So the rest of the securitycontext is too restrictive? Otherwise make sure it points to the same values in the Makefile as in the chart values
Signed-off-by: Alessio Greggi <[email protected]>
Signed-off-by: Alessio Greggi <[email protected]>
Signed-off-by: Alessio Greggi <[email protected]>
Signed-off-by: Alessio Greggi <[email protected]>
Signed-off-by: Alessio Greggi <[email protected]>
Signed-off-by: Alessio Greggi <[email protected]>
|
Hello @oliverbaehler, I'm having a problem with the Test charts pipeline. |
This PR introduces the ability of generating seccomp profiles within the pipeline.
This will be helpful in case some user wants to secure his capsule installation by leveraging the power of seccomp.
To do so,
capsulecontainer image is built replacing the base image with the one provided byharpoon. This will allow the execution ofcapsulethroughharpoon.Then, set up a Kubernetes cluster using
kindwith a shared folder that is used to retrieve the metadata generated byharpoonduring the e2e tests execution.Capsule image is consequently installed on the cluster with a customized values file from
helm, and the e2e could start.Once finished, the results are merged with the tracing of the unit tests (handled by
harpoon).This generates the
seccompprofile tailored forcapsule, which is going to be uploaded with the other artifacts in the upcoming releases.