feat(node-analyzer): grant lease permissions if kspm analyzer uses http transport [SSPROD-54356] (#2245)

Author: mech-pig

charts/node-analyzer/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: node-analyzer
 description: Sysdig Node Analyzer
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.35.2
+version: 1.35.3
 appVersion: 12.9.2
 keywords:
   - monitoring

charts/node-analyzer/templates/configmap-kspm-analyzer.yaml

@@ -11,14 +11,15 @@ data:
 {{- $env := "PRODUCTION" -}}
 {{ if (.Values.nodeAnalyzer.kspmAnalyzer.debug | default .Values.nodeAnalyzer.debug) }}
   {{- $env = "DEVELOPMENT" -}}
-{{ end}}
+{{ end }}
   environment: {{ $env }}
   external_nats_url: {{ include "nodeAnalyzer.natsUrl" . }}
   nats_max_reconnect: {{ .Values.nodeAnalyzer.natsMaxReconnect | default 0 | quote }}
   nats_max_reconnect_failures: {{ .Values.nodeAnalyzer.natsMaxReconnectFailures | default 60 | quote }}
   cluster_name: {{ required "A valid clusterName is required" (include "nodeAnalyzer.clusterName" .) }}
   agent_app_name: {{ include "nodeAnalyzer.name" . }}
   nats_insecure: {{ include "kspmAnalyzer.natsInsecure" . }}
+  transport_layer: {{ .Values.nodeAnalyzer.kspmAnalyzer.transportLayer | default "nats" }}
   {{- if (.Values.nodeAnalyzer.kspmAnalyzer.httpProxy | default .Values.nodeAnalyzer.httpProxy | default .Values.global.proxy.httpProxy) }}
   http_proxy: {{ .Values.nodeAnalyzer.kspmAnalyzer.httpProxy | default .Values.nodeAnalyzer.httpProxy | default .Values.global.proxy.httpProxy }}
   {{- end -}}

charts/node-analyzer/templates/daemonset-node-analyzer.yaml

@@ -248,6 +248,12 @@ spec:
                 name: {{ .Release.Name }}-kspm-analyzer
                 key: nats_insecure
                 optional: true
+          - name: TRANSPORT_LAYER
+            valueFrom:
+              configMapKeyRef:
+                name: {{ .Release.Name }}-kspm-analyzer
+                key: transport_layer
+                optional: true
           - name: HTTP_PROXY
             valueFrom:
               configMapKeyRef:

charts/node-analyzer/templates/role-node-analyzer.yaml

@@ -0,0 +1,24 @@
+{{- if not (include "nodeAnalyzer.gke.autopilot" .) }}
+{{- if and (include "deploy-na" .) .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-node-analyzer
+  namespace: {{ include "nodeAnalyzer.namespace" . }}
+  labels:
+{{ include "nodeAnalyzer.labels" . | indent 4 }}
+rules:
+{{- if and .Values.global.kspm.deploy (eq .Values.nodeAnalyzer.kspmAnalyzer.transportLayer "http") }}
+- apiGroups: ["", "coordination.k8s.io"]
+  resources:
+    - "leases"
+  resourceNames:
+    - "kspm-analyzer-leader-election"
+  verbs: ["*"]
+- apiGroups: ["", "coordination.k8s.io"]
+  resources:
+    - "leases"
+  verbs: ["create"]
+{{- end }}
+{{- end }}
+{{- end }}

charts/node-analyzer/templates/rolebinding-node-analyzer.yaml

@@ -0,0 +1,18 @@
+{{- if not (include "nodeAnalyzer.gke.autopilot" .) }}
+{{- if and (include "deploy-na" .) .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-node-analyzer
+  labels:
+{{ include "nodeAnalyzer.labels" . | indent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "nodeAnalyzer.serviceAccountName" .}}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-node-analyzer
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}

charts/node-analyzer/tests/configmap_kspm_analyzer_test.yaml

@@ -0,0 +1,62 @@
+suite: Node Analyzer KSPM Analyzer ConfigigMap Tests
+templates:
+  - templates/configmap-kspm-analyzer.yaml
+tests:
+  - it: Should not create document if kspm.deploy is false
+    set:
+      global:
+        kspm:
+          deploy: false
+      nodeAnalyzer:
+        deploy: true
+    asserts:
+      - containsDocument:
+          apiVersion: v1
+          kind: ConfigMap
+        not: true
+
+  - it: Should not create document if GKE Autopilot is active
+    set:
+      global:
+        gke:
+          autopilot:
+            true
+        kspm:
+          deploy: true
+      nodeAnalyzer:
+        deploy: true
+        gke:
+          autopilot: true
+    asserts:
+      - containsDocument:
+          apiVersion: v1
+          kind: ConfigMap
+        not: true
+
+  - it: Uses nats as default transport layer
+    set:
+      clusterName: "test"
+      global:
+        kspm:
+          deploy: true
+      nodeAnalyzer:
+        deploy: true
+    asserts:
+      - equal:
+          path: data.transport_layer
+          value: nats
+
+  - it: Sets transport layer according to value
+    set:
+      clusterName: "test"
+      global:
+        kspm:
+          deploy: true
+      nodeAnalyzer:
+        deploy: true
+        kspmAnalyzer:
+          transportLayer: http
+    asserts:
+      - equal:
+          path: data.transport_layer
+          value: http

charts/node-analyzer/tests/role_test.yaml

@@ -0,0 +1,96 @@
+suite: Node Analyzer Role Tests
+templates:
+  - templates/role-node-analyzer.yaml
+tests:
+  - it: Should not create document if nodeAnalyzer.deploy is false
+    set:
+      nodeAnalyzer:
+        deploy: false
+    asserts:
+      - containsDocument:
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: Role
+        not: true
+
+  - it: Should not create document if GKE Autopilot is active
+    set:
+      global:
+        gke:
+          autopilot: true
+    asserts:
+      - containsDocument:
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: Role
+        not: true
+
+  - it: Should not create document if rbac.create is false
+    set:
+      rbac:
+        create: false
+    asserts:
+      - containsDocument:
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: Role
+        not: true
+
+  - it: Should not create rules if kspm.deploy is false
+    set:
+      global:
+        kspm:
+          deploy: false
+      nodeAnalyzer:
+        deploy: true
+    asserts:
+      - isNullOrEmpty:
+          path: rules
+
+  - it: Should not create rules if transportLayer is not http
+    set:
+      global:
+        kspm:
+          deploy: true
+      nodeAnalyzer:
+        deploy: true
+        kspmAnalyzer:
+          transportLayer: nats
+    asserts:
+      - isNullOrEmpty:
+          path: rules
+
+  - it: Should grant permissions to create lease if transport is http
+    set:
+      global:
+        kspm:
+          deploy: true
+      nodeAnalyzer:
+        deploy: true
+        kspmAnalyzer:
+          transportLayer: http
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["", "coordination.k8s.io"]
+            resources:
+              - "leases"
+            verbs: ["create"]
+
+  - it: Should grant all permissions on kspm-analyzer lease if transport is http
+    set:
+      global:
+        kspm:
+          deploy: true
+      nodeAnalyzer:
+        deploy: true
+        kspmAnalyzer:
+          transportLayer: http
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["", "coordination.k8s.io"]
+            resources:
+              - "leases"
+            resourceNames:
+              - "kspm-analyzer-leader-election"
+            verbs: ["*"]

charts/node-analyzer/values.yaml

@@ -441,6 +441,9 @@ nodeAnalyzer:
     # Permissions for OCP4, previously only added for benchmarkrunner
     includeSensitivePermissions: false
 
+    # http or nats
+    transportLayer: nats
+
     # Proxy configuration variables
     httpProxy: null
     httpsProxy: null