stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

Browse Source
This commit is contained in:
master
2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
Download Patch File Download Diff File Expand all files Collapse all files

246
devops/manifests/tetragon/stella-ops-tetragon-agent-daemonset.yaml Normal file
View File

@@ -0,0 +1,246 @@
# Tetragon Agent DaemonSet for Stella Ops
# Sprint: SPRINT_20260118_019_Infra_tetragon_integration
# Task: TASK-019-007 - Create Kubernetes deployment extending existing manifests
#
# Deploys the Stella Ops Tetragon agent alongside the existing agent framework.
# Follows existing DaemonSet patterns from devops/helm/
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: stella-ops-tetragon-agent
namespace: stella-ops
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
app.kubernetes.io/component: runtime-instrumentation
app.kubernetes.io/part-of: stella-ops
spec:
selector:
matchLabels:
app.kubernetes.io/name: stella-ops-tetragon-agent
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
app.kubernetes.io/component: runtime-instrumentation
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
prometheus.io/path: "/metrics"
spec:
serviceAccountName: stella-ops-tetragon-agent
hostPID: true
hostNetwork: false
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
containers:
- name: tetragon-agent
image: stellaops/tetragon-agent:latest
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
capabilities:
add:
- SYS_ADMIN
- NET_ADMIN
- BPF
- PERFMON
ports:
- name: metrics
containerPort: 8080
protocol: TCP
- name: health
containerPort: 8081
protocol: TCP
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: STELLA_API_URL
valueFrom:
configMapKeyRef:
name: stella-ops-tetragon-config
key: api-url
- name: STELLA_AGENT_ID
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: TETRAGON_GRPC_ADDRESS
value: "localhost:54321"
- name: LOG_LEVEL
valueFrom:
configMapKeyRef:
name: stella-ops-tetragon-config
key: log-level
optional: true
volumeMounts:
- name: tetragon-config
mountPath: /etc/tetragon
readOnly: true
- name: agent-certs
mountPath: /etc/stella-ops/certs
readOnly: true
- name: bpf
mountPath: /sys/fs/bpf
- name: proc
mountPath: /host/proc
readOnly: true
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
httpGet:
path: /ready
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
volumes:
- name: tetragon-config
configMap:
name: stella-ops-tetragon-policy
- name: agent-certs
secret:
secretName: stella-ops-agent-certs
optional: true
- name: bpf
hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
- name: proc
hostPath:
path: /proc
type: Directory
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: stella-ops-tetragon-agent
namespace: stella-ops
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: stella-ops-tetragon-agent
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
rules:
# Read pods for container correlation
- apiGroups: [""]
resources: ["pods", "namespaces"]
verbs: ["get", "list", "watch"]
# Read nodes for host information
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list"]
# Read Tetragon CRDs
- apiGroups: ["cilium.io"]
resources: ["tracingpolicies", "tracingpoliciesnamespaced"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: stella-ops-tetragon-agent
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
subjects:
- kind: ServiceAccount
name: stella-ops-tetragon-agent
namespace: stella-ops
roleRef:
kind: ClusterRole
name: stella-ops-tetragon-agent
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ConfigMap
metadata:
name: stella-ops-tetragon-config
namespace: stella-ops
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
data:
api-url: "http://stella-ops-signals.stella-ops.svc.cluster.local:8080"
log-level: "info"
aggregation-window: "60s"
buffer-size: "10000"
min-confidence: "0.5"
# Privacy settings
redact-arguments: "true"
symbol-id-only-mode: "false"
# Allowed namespaces (comma-separated, empty = all)
allowed-namespaces: "stella-ops-workloads,default"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: stella-ops-tetragon-policy
namespace: stella-ops
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
data:
policy.yaml: |
# Reference the TracingPolicy defined in stella-ops-tracing-policy.yaml
# This ConfigMap can contain additional local policy configurations
policyRef: stella-ops-runtime-capture
enableStackTraces: true
stackTraceSize: 16
filterNamespaces:
- stella-ops-workloads
---
apiVersion: v1
kind: Service
metadata:
name: stella-ops-tetragon-agent
namespace: stella-ops
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
spec:
type: ClusterIP
clusterIP: None # Headless for DaemonSet
ports:
- name: metrics
port: 8080
targetPort: metrics
- name: health
port: 8081
targetPort: health
selector:
app.kubernetes.io/name: stella-ops-tetragon-agent
---
# ServiceMonitor for Prometheus Operator (optional)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: stella-ops-tetragon-agent
namespace: stella-ops
labels:
app.kubernetes.io/name: stella-ops-tetragon-agent
spec:
selector:
matchLabels:
app.kubernetes.io/name: stella-ops-tetragon-agent
endpoints:
- port: metrics
interval: 30s
path: /metrics

125
devops/manifests/tetragon/stella-ops-tracing-policy.yaml Normal file
View File

@@ -0,0 +1,125 @@
# Tetragon TracingPolicy for Stella Ops Runtime Instrumentation
# Sprint: SPRINT_20260118_019_Infra_tetragon_integration
# Task: TASK-019-001 - Define Tetragon TracingPolicy for stack capture
#
# This policy captures process execution, syscalls, and stack traces for
# runtime reachability validation. Integrates with existing Signals infrastructure.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: stella-ops-runtime-capture
namespace: stella-ops
labels:
app.kubernetes.io/name: stella-ops
app.kubernetes.io/component: runtime-instrumentation
spec:
# Process execution events
kprobes:
- call: "sys_execve"
syscall: true
return: false
args:
- index: 0
type: "string" # filename
- index: 1
type: "string" # argv[0]
selectors:
- matchNamespaces:
- namespace: stella-ops-workloads
operator: In
matchLabels:
- key: "stella-ops.io/instrumented"
operator: Exists
returnArgAction: Post
# Security-relevant syscalls for reachability validation
- call: "sys_openat"
syscall: true
args:
- index: 0
type: "int" # dirfd
- index: 1
type: "string" # pathname
- index: 2
type: "int" # flags
selectors:
- matchNamespaces:
- namespace: stella-ops-workloads
operator: In
- matchArgs:
- index: 1
operator: "Prefix"
values:
- "/etc/"
- "/proc/"
- "/sys/"
returnArg:
index: 0
type: "int"
- call: "sys_connect"
syscall: true
args:
- index: 0
type: "int" # sockfd
- index: 1
type: "sock" # addr struct
selectors:
- matchNamespaces:
- namespace: stella-ops-workloads
operator: In
returnArg:
index: 0
type: "int"
# Tracepoints for additional coverage
tracepoints:
- subsystem: "sched"
event: "sched_process_exec"
args:
- index: 0
type: "string" # filename
selectors:
- matchNamespaces:
- namespace: stella-ops-workloads
operator: In
# Stack trace configuration
options:
# Enable kernel + userspace stack traces
stackTraces: true
# Capture both kernel and user stacks
stackTraceSize: 16
# Symbol resolution for userspace
symbols: true
---
# Companion TracingPolicy for library loading
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: stella-ops-library-capture
namespace: stella-ops
spec:
# Capture dynamic library loading
uprobes:
- path: "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"
symbols:
- "_dl_map_object"
args:
- index: 0
type: "string" # library name
selectors:
- matchNamespaces:
- namespace: stella-ops-workloads
operator: In
# Alternative for musl-based containers
- path: "/lib/ld-musl-x86_64.so.1"
symbols:
- "__dls3"
selectors:
- matchNamespaces:
- namespace: stella-ops-workloads
operator: In