Update beyla and remove sys_admin (#96)
* update beyla and remove sys_admin

* change the BPF pin path to be derived from the pod namespace

* bump to v1.5.2
dashpole authored Apr 23, 2024
1 parent 3454219 commit 647ab30
Showing 2 changed files with 76 additions and 4 deletions.
40 changes: 38 additions & 2 deletions recipes/beyla-golden-signals/beyla-daemonset.yaml
Expand Up @@ -33,6 +33,31 @@ spec:
spec:
serviceAccountName: beyla
hostPID: true
initContainers:
- name: mount-bpf-fs
image: grafana/beyla:1.5.2
args:
# Create the directory using the Pod UID, and mount the BPF filesystem.
- 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH'
command:
- /bin/bash
- -c
- --
securityContext:
# The init container is privileged so that it can use bidirectional mount propagation
privileged: true
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
# Make sure the mount is propagated back to the host so it can be used by the Beyla container
mountPropagation: Bidirectional
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
containers:
- name: beyla
resources:
Expand All @@ -41,25 +66,36 @@ spec:
memory: 100Mi
limits:
memory: 500Mi
image: grafana/beyla:1.4.1
image: grafana/beyla:1.5.2
securityContext:
seccompProfile:
type: RuntimeDefault
runAsUser: 0
readOnlyRootFilesystem: true
capabilities:
add:
- SYS_ADMIN
- BPF
- SYS_PTRACE
- NET_RAW
- CHECKPOINT_RESTORE
- DAC_READ_SEARCH
- PERFMON
drop:
- ALL
env:
- name: BEYLA_CONFIG_PATH
value: "/config/beyla-config.yml"
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
# Use HostToContainer to propagate the mount from the init container to the Beyla container
mountPropagation: HostToContainer
- name: beyla-config
mountPath: /config
volumes:
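Review bot: The init container's mount command on line 30 is not idempotent: it runs `mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH` unconditionally on every pod start, and because the container is privileged with `mountPropagation: Bidirectional` (lines 37 and 42), each restart of the DaemonSet pod appears to stack a fresh bpffs instance on the host at the same path, hiding the previous instance's pins until the extra mounts are removed by hand. I would guard it, e.g. `- 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && (mountpoint -q /sys/fs/bpf/$BEYLA_BPF_FS_PATH || mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH)'`, assuming the beyla image ships `mountpoint` alongside the `bash` and `mount` it already relies on; otherwise a `grep` of /proc/mounts does the same job. The comment on line 29 is also stale: it says the directory is named from the Pod UID, but the path is `beyla-$(KUBE_NAMESPACE)` (line 49), so it should read `# Create a per-namespace directory and mount a BPF filesystem on it.`. The `volumes:` stanza that defines `bpffs` is below the hunk, so whether it is a hostPath of /sys/fs/bpf cannot be confirmed from here.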
40 changes: 38 additions & 2 deletions recipes/beyla-service-graph/beyla-daemonset.yaml
Expand Up @@ -33,6 +33,31 @@ spec:
spec:
serviceAccountName: beyla
hostPID: true
initContainers:
- name: mount-bpf-fs
image: grafana/beyla:1.5.2
args:
# Create the directory using the Pod UID, and mount the BPF filesystem.
- 'mkdir -p /sys/fs/bpf/$BEYLA_BPF_FS_PATH && mount -t bpf bpf /sys/fs/bpf/$BEYLA_BPF_FS_PATH'
command:
- /bin/bash
- -c
- --
securityContext:
# The init container is privileged so that it can use bidirectional mount propagation
privileged: true
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
# Make sure the mount is propagated back to the host so it can be used by the Beyla container
mountPropagation: Bidirectional
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
containers:
- name: beyla
resources:
Expand All @@ -41,25 +66,36 @@ spec:
memory: 100Mi
limits:
memory: 500Mi
image: grafana/beyla:1.4.1
image: grafana/beyla:1.5.2
securityContext:
seccompProfile:
type: RuntimeDefault
runAsUser: 0
readOnlyRootFilesystem: true
capabilities:
add:
- SYS_ADMIN
- BPF
- SYS_PTRACE
- NET_RAW
- CHECKPOINT_RESTORE
- DAC_READ_SEARCH
- PERFMON
drop:
- ALL
env:
- name: BEYLA_CONFIG_PATH
value: "/config/beyla-config.yml"
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BEYLA_BPF_FS_PATH
value: beyla-$(KUBE_NAMESPACE)
volumeMounts:
- name: bpffs
mountPath: /sys/fs/bpf
# Use HostToContainer to propagate the mount from the init container to the Beyla container
mountPropagation: HostToContainer
- name: beyla-config
mountPath: /config
volumes:
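Review bot: Removing SYS_ADMIN from the beyla container (line 140, per the commit title) does not lower the pod's required privilege level, because the new `mount-bpf-fs` init container runs with `privileged: true` (line 111) and the pod still sets `hostPID: true` (line 98); Pod Security Standards and similar admission policies evaluate init containers as well, so this DaemonSet still needs the `privileged` profile or an exception. That deserves a comment next to the init container so nobody later reads the trimmed capability list as baseline-compatible, e.g. `# NOTE: privileged here means the whole pod still requires a privileged PSS namespace or an admission exception.`. As in the golden-signals recipe, the mount on line 104 is unguarded and re-runs on every pod restart; `mountpoint -q "$DIR" || mount -t bpf bpf "$DIR"` (with `DIR=/sys/fs/bpf/$BEYLA_BPF_FS_PATH`) avoids stacking bpffs instances on the host, assuming the image provides `mountpoint`. The `volumes:` definition of `bpffs` lies outside the hunk.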