
# Tetragon Agent DaemonSet for Stella Ops
# Sprint: SPRINT_20260118_019_Infra_tetragon_integration
# Task: TASK-019-007 - Create Kubernetes deployment extending existing manifests
#
# Deploys the Stella Ops Tetragon agent alongside the existing agent framework.
# Follows existing DaemonSet patterns from devops/helm/
#
# Review notes on the pod security posture of this spec:
# - hostPID together with privileged gives the container host-wide process and
#   kernel access. With privileged set, the capabilities.add list is redundant
#   (a privileged container already holds every capability); it is kept here as
#   the documented minimal set so that privileged can be dropped once the agent
#   is confirmed to run with only those capabilities.
# - The image is referenced by the mutable "latest" tag with IfNotPresent, so a
#   node with a stale cached image keeps running it; pin an immutable tag or
#   digest (stellaops/tetragon-agent@sha256:<DIGEST-PLACEHOLDER>) for a
#   reproducible rollout.
# - TETRAGON_GRPC_ADDRESS is localhost:54321 while hostNetwork is false, so
#   "localhost" is this pod's own network namespace and no Tetragon container is
#   part of this pod; confirm how the agent reaches the node's Tetragon gRPC
#   endpoint before relying on this value.
# - Only the api-url and log-level keys of the stella-ops-tetragon-config
#   ConfigMap are consumed below; its remaining keys are neither mounted nor
#   injected by this manifest.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: stella-ops-tetragon-agent
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
    app.kubernetes.io/component: runtime-instrumentation
    app.kubernetes.io/part-of: stella-ops
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: stella-ops-tetragon-agent
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: stella-ops-tetragon-agent
        app.kubernetes.io/component: runtime-instrumentation
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '8080'
        prometheus.io/path: '/metrics'
    spec:
      serviceAccountName: stella-ops-tetragon-agent
      # Host PID namespace is shared; presumably needed to observe host
      # processes via /host/proc below — confirm against the agent's needs.
      hostPID: true
      hostNetwork: false
      # Schedule on control-plane nodes as well so every node is instrumented.
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
      containers:
        - name: tetragon-agent
          image: stellaops/tetragon-agent:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
            capabilities:
              add:
                - SYS_ADMIN
                - NET_ADMIN
                - BPF
                - PERFMON
          ports:
            - name: metrics
              containerPort: 8080
              protocol: TCP
            - name: health
              containerPort: 8081
              protocol: TCP
          env:
            # Node and pod identity from the downward API.
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: STELLA_AGENT_ID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # Endpoint of the Stella Ops signals API (required key).
            - name: STELLA_API_URL
              valueFrom:
                configMapKeyRef:
                  name: stella-ops-tetragon-config
                  key: api-url
            # Tetragon gRPC server; see the review note in the file header.
            - name: TETRAGON_GRPC_ADDRESS
              value: 'localhost:54321'
            # Optional: pod starts even if the key is absent.
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: stella-ops-tetragon-config
                  key: log-level
                  optional: true
          volumeMounts:
            # Local policy configuration (policy.yaml from the policy ConfigMap).
            - name: tetragon-config
              mountPath: /etc/tetragon
              readOnly: true
            # Client certificates; the backing Secret is optional.
            - name: agent-certs
              mountPath: /etc/stella-ops/certs
              readOnly: true
            # bpffs is mounted read-write — the only writable host path here.
            - name: bpf
              mountPath: /sys/fs/bpf
            # Host /proc, read-only.
            - name: proc
              mountPath: /host/proc
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          # Probes address the named "health" port (8081) rather than the number.
          livenessProbe:
            httpGet:
              path: /healthz
              port: health
            initialDelaySeconds: 10
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /ready
              port: health
            initialDelaySeconds: 5
            periodSeconds: 10
      volumes:
        - name: tetragon-config
          configMap:
            name: stella-ops-tetragon-policy
        - name: agent-certs
          secret:
            secretName: stella-ops-agent-certs
            optional: true
        - name: bpf
          hostPath:
            path: /sys/fs/bpf
            type: DirectoryOrCreate
        - name: proc
          hostPath:
            path: /proc
            type: Directory
---
# Identity under which the agent pods run; bound to the ClusterRole below.
# The ServiceAccount token is mounted by default, which the agent needs for
# the pod/namespace/node reads granted by that role.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: stella-ops-tetragon-agent
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
---
# Cluster-wide, read-only permissions for the agent. Because list/watch on
# pods is cluster-scoped here, the RBAC layer does not narrow visibility to the
# namespaces configured in the ConfigMap; that filtering happens in the agent.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stella-ops-tetragon-agent
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
rules:
  # Pods and namespaces: correlate observed processes with containers.
  - apiGroups:
      - ""
    resources:
      - pods
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Nodes: host information for the node this pod runs on.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
  # Tetragon tracing policy CRDs (cluster- and namespace-scoped variants).
  - apiGroups:
      - cilium.io
    resources:
      - tracingpolicies
      - tracingpoliciesnamespaced
    verbs:
      - get
      - list
      - watch
---
# Grants the ClusterRole above to the agent ServiceAccount in stella-ops.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stella-ops-tetragon-agent
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stella-ops-tetragon-agent
subjects:
  - kind: ServiceAccount
    name: stella-ops-tetragon-agent
    namespace: stella-ops
---
# Runtime configuration for the agent.
#
# Review notes:
# - Of these keys, only api-url and log-level are referenced by the DaemonSet
#   in this file (as env vars); the ConfigMap is not mounted as a volume, so the
#   remaining keys — including the privacy settings — are not delivered to the
#   container by this manifest. Confirm how the agent is expected to read them.
# - api-url is plain http while the DaemonSet mounts client certificates at
#   /etc/stella-ops/certs; if the signals service is meant to be reached over
#   TLS, the scheme here should be https and the certs wired to it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: stella-ops-tetragon-config
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
data:
  api-url: 'http://stella-ops-signals.stella-ops.svc.cluster.local:8080'
  log-level: 'info'
  aggregation-window: '60s'
  buffer-size: '10000'
  min-confidence: '0.5'
  # Privacy settings (kept as quoted strings so tooling never retypes them).
  redact-arguments: 'true'
  symbol-id-only-mode: 'false'
  # Allowed namespaces (comma-separated, empty = all). Note this list differs
  # from filterNamespaces in the policy ConfigMap, which names only
  # stella-ops-workloads — verify which setting the agent honours.
  allowed-namespaces: 'stella-ops-workloads,default'
---
# Local policy file mounted read-only at /etc/tetragon/policy.yaml by the
# DaemonSet. The block scalar below is file content: the comment lines inside
# it are part of the mounted file, not of this manifest.
apiVersion: v1
kind: ConfigMap
metadata:
  name: stella-ops-tetragon-policy
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
data:
  policy.yaml: |
    # Reference the TracingPolicy defined in stella-ops-tracing-policy.yaml
    # This ConfigMap can contain additional local policy configurations
    policyRef: stella-ops-runtime-capture
    enableStackTraces: true
    stackTraceSize: 16
    filterNamespaces:
      - stella-ops-workloads
---
# Headless Service over the DaemonSet pods: no cluster IP is allocated, so DNS
# resolves directly to the per-node pod IPs. Exposes the metrics and health
# ports by their container port names.
apiVersion: v1
kind: Service
metadata:
  name: stella-ops-tetragon-agent
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
spec:
  type: ClusterIP
  # Headless for DaemonSet
  clusterIP: None
  selector:
    app.kubernetes.io/name: stella-ops-tetragon-agent
  ports:
    - name: metrics
      port: 8080
      targetPort: metrics
    - name: health
      port: 8081
      targetPort: health
---
# ServiceMonitor for Prometheus Operator (optional).
# Note: this document lives in the same file as the required resources, so
# applying the whole file fails on a cluster where the
# monitoring.coreos.com/v1 CRD is not installed; split it out if the operator
# is truly optional for a deployment.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: stella-ops-tetragon-agent
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops-tetragon-agent
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: stella-ops-tetragon-agent
  endpoints:
    # Scrapes the "metrics" port of the headless Service above.
    - port: metrics
      path: /metrics
      interval: 30s