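# Tetragon Agent DaemonSet for Stella Ops
# Sprint: SPRINT_20260118_019_Infra_tetragon_integration
# Task: TASK-019-007 - Create Kubernetes deployment extending existing manifests
#
# Deploys the Stella Ops Tetragon agent alongside the existing agent framework.
# Follows existing DaemonSet patterns from devops/helm/
#
# Documents are ordered so that everything the DaemonSet references
# (ServiceAccount, RBAC, ConfigMaps, Service) exists before its pods are created:
# ServiceAccount, ClusterRole, ClusterRoleBinding, ConfigMaps, Service, DaemonSet,
# ServiceMonitor. The ServiceMonitor is last because it is optional.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: stella-ops-tetragon-agent
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
---
# Read-only cluster-wide access; the agent only correlates events with
# pods/nodes and reads Tetragon policies, it never writes API objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stella-ops-tetragon-agent
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
rules:
  # Read pods for container correlation
  - apiGroups: [""]
    resources: ["pods", "namespaces"]
    verbs: ["get", "list", "watch"]
  # Read nodes for host information
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
  # Read Tetragon CRDs
  - apiGroups: ["cilium.io"]
    resources: ["tracingpolicies", "tracingpoliciesnamespaced"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stella-ops-tetragon-agent
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
subjects:
  - kind: ServiceAccount
    name: stella-ops-tetragon-agent
    namespace: stella-ops
roleRef:
  kind: ClusterRole
  name: stella-ops-tetragon-agent
  apiGroup: rbac.authorization.k8s.io
---
# Runtime settings consumed through env vars (STELLA_API_URL, LOG_LEVEL).
# All values are quoted strings: the consumer parses them, not YAML.
apiVersion: v1
kind: ConfigMap
metadata:
  name: stella-ops-tetragon-config
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
data:
  # Plain http to the in-cluster signals service. If that endpoint is served
  # with TLS (the DaemonSet mounts agent-certs for this purpose), switch to
  # https here and make the agent-certs secret required.
  api-url: "http://stella-ops-signals.stella-ops.svc.cluster.local:8080"
  log-level: "info"
  aggregation-window: "60s"
  buffer-size: "10000"
  min-confidence: "0.5"
  # Privacy settings
  redact-arguments: "true"
  symbol-id-only-mode: "false"
  # Allowed namespaces (comma-separated, empty = all)
  allowed-namespaces: "stella-ops-workloads,default"
---
# Mounted at /etc/tetragon in the agent container (volume "tetragon-config").
apiVersion: v1
kind: ConfigMap
metadata:
  name: stella-ops-tetragon-policy
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
data:
  policy.yaml: |
    # Reference the TracingPolicy defined in stella-ops-tracing-policy.yaml
    # This ConfigMap can contain additional local policy configurations
    policyRef: stella-ops-runtime-capture
    enableStackTraces: true
    stackTraceSize: 16
    filterNamespaces:
      - stella-ops-workloads
---
apiVersion: v1
kind: Service
metadata:
  name: stella-ops-tetragon-agent
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
spec:
  type: ClusterIP
  clusterIP: None  # Headless for DaemonSet
  ports:
    - name: metrics
      port: 8080
      targetPort: metrics
    - name: health
      port: 8081
      targetPort: health
  selector:
    app.kubernetes.io/name: stella-ops-tetragon-agent
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: stella-ops-tetragon-agent
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
    app.kubernetes.io/component: runtime-instrumentation
    app.kubernetes.io/part-of: stella-ops
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: stella-ops-tetragon-agent
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: stella-ops-tetragon-agent
        app.kubernetes.io/component: runtime-instrumentation
      annotations:
        # Pod-annotation scrape config. The ServiceMonitor at the end of this
        # file targets the same endpoint; on a cluster that uses both discovery
        # mechanisms keep only one, otherwise metrics are collected twice.
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: stella-ops-tetragon-agent
      # Host PID namespace, presumably so PIDs read from /host/proc are the
      # host's own. Combined with privileged below this pod is effectively
      # root on every node, so keep the image pinned and the RBAC read-only.
      hostPID: true
      # NOTE(review): TETRAGON_GRPC_ADDRESS is localhost:54321 while hostNetwork
      # is false, so "localhost" is this pod's own network namespace. That only
      # reaches a Tetragon daemon running inside this pod; a separate host-level
      # Tetragon would need hostNetwork: true or a unix-socket mount — confirm.
      hostNetwork: false
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
      containers:
        - name: tetragon-agent
          # TODO(review): ":latest" with IfNotPresent means each node keeps
          # whatever build it pulled first and the running code is not pinned.
          # Pin an immutable tag or digest (stellaops/tetragon-agent@sha256:<digest>).
          image: stellaops/tetragon-agent:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            # privileged already grants every capability, so the add list below
            # is redundant while it is set; it is kept as the documented minimum
            # the agent is expected to need if privileged is ever dropped.
            privileged: true
            capabilities:
              add:
                - SYS_ADMIN
                - NET_ADMIN
                - BPF
                - PERFMON
          ports:
            - name: metrics
              containerPort: 8080
              protocol: TCP
            - name: health
              containerPort: 8081
              protocol: TCP
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: STELLA_API_URL
              valueFrom:
                configMapKeyRef:
                  name: stella-ops-tetragon-config
                  key: api-url
            # Pod name doubles as the agent identity (one pod per node).
            - name: STELLA_AGENT_ID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: TETRAGON_GRPC_ADDRESS
              value: "localhost:54321"
            # Optional key: the agent must fall back to its own default level.
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: stella-ops-tetragon-config
                  key: log-level
                  optional: true
          volumeMounts:
            # Local policy settings (ConfigMap stella-ops-tetragon-policy),
            # not the env ConfigMap with the similar name.
            - name: tetragon-config
              mountPath: /etc/tetragon
              readOnly: true
            - name: agent-certs
              mountPath: /etc/stella-ops/certs
              readOnly: true
            # Left writable (no readOnly), presumably for pinning BPF objects.
            - name: bpf
              mountPath: /sys/fs/bpf
            # Host /proc, read-only, for PID -> container correlation.
            - name: proc
              mountPath: /host/proc
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 10
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /ready
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
      volumes:
        - name: tetragon-config
          configMap:
            name: stella-ops-tetragon-policy
        # Optional so the agent can start before certificates are provisioned;
        # when the secret is absent the mount is an empty directory.
        - name: agent-certs
          secret:
            secretName: stella-ops-agent-certs
            optional: true
        - name: bpf
          hostPath:
            path: /sys/fs/bpf
            type: DirectoryOrCreate
        - name: proc
          hostPath:
            path: /proc
            type: Directory
---
# ServiceMonitor for Prometheus Operator (optional)
# Requires the monitoring.coreos.com CRDs; on a cluster without the operator
# this document fails to apply and should be split out or skipped.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: stella-ops-tetragon-agent
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: stella-ops-tetragon-agent
  endpoints:
    - port: metrics
      interval: 30s
      path: /metrics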