feat(kspm-collector): grant k8s lease permissions if transport is http [SSPROD-56744]

charts/kspm-collector/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 name: kspm-collector
 description: Sysdig KSPM collector
-version: 0.17.8
-appVersion: 1.39.11
+version: 0.17.9
+appVersion: 1.39.12
 keywords:
   - monitoring
   - security

charts/kspm-collector/templates/_helpers.tpl

@@ -141,6 +141,12 @@ Sysdig NATS service URL
 {{- end -}}
 {{- end -}}
 
+{{/*
+Returns the transport layer
+*/}}
+{{- define "kspmCollector.transportLayer" -}}
+    {{ .Values.transportLayer | default "nats" }}
+{{- end -}}
 
 {{/*
 Returns the namespace for installing components
@@ -149,6 +155,17 @@ Returns the namespace for installing components
     {{- coalesce .Values.namespace .Release.Namespace -}}
 {{- end -}}
 
+{{/*
+Returns the name of the lock for the leader election lease
+*/}}
+{{- define "kspmCollector.leaderElectionLeaseLockName" -}}
+    {{- if eq (.Values.transportLayer | default "") "http" -}}
+        {{- required "A valid lock name for the leader election is required when transport is http" .Values.leaderElection.lockName -}}
+    {{- else -}}
+        {{- .Values.leaderElection.lockName -}}
+    {{- end -}}
+{{- end -}}
+
 {{/*
 KSPM Collector nodeSelector
 */}}

charts/kspm-collector/templates/configmap.yaml

@@ -21,6 +21,9 @@ data:
   nats_max_reconnect_failures: {{ .Values.natsMaxReconnectFailures | default 60 | quote }}
   cluster_name: {{ required "A valid clusterName is required" (include "kspmCollector.clusterName" .) }}
   nats_insecure: {{ include "kspmCollector.natsInsecure" . }}
+  transport_layer: {{ include "kspmCollector.transportLayer" . }}
+  leader_election_lease_lock_name: {{ include "kspmCollector.leaderElectionLeaseLockName" . }}
+  leader_election_lease_lock_namespace: {{ include "kspmCollector.namespace" . }}
   {{- if (.Values.httpProxy | default .Values.global.proxy.httpProxy) }}
   http_proxy: {{ .Values.httpProxy | default .Values.global.proxy.httpProxy }}
   {{- end -}}

charts/kspm-collector/templates/deployment.yaml

@@ -103,6 +103,20 @@ spec:
                 name: {{ ( include "kspmCollector.accessKeySecret" .) }}
                 {{- end }}
                 key: access-key
+          - name: KUBE_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: KUBE_LEADER_ELECTION_LEASE_LOCK_NAME
+            valueFrom:
+              configMapKeyRef:
+                name: {{ template "kspmCollector.fullname" . }}
+                key: leader_election_lease_lock_name
+          - name: KUBE_LEADER_ELECTION_LEASE_LOCK_NAMESPACE
+            valueFrom:
+              configMapKeyRef:
+                name: {{ template "kspmCollector.fullname" . }}
+                key: leader_election_lease_lock_namespace
           - name: CLUSTER_NAME
             valueFrom:
               configMapKeyRef:

charts/kspm-collector/templates/role.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kspmCollector.fullname" . }}
+  namespace: {{ include "kspmCollector.namespace" . }}
+  labels:
+{{ include "kspmCollector.labels" . | indent 4 }}
+rules:
+{{- if eq (include "kspmCollector.transportLayer" .) "http" }}
+- apiGroups: ["", "coordination.k8s.io"]
+  resources:
+    - "leases"
+  resourceNames:
+    - {{ include "kspmCollector.leaderElectionLeaseLockName" . }}
+  verbs: ["*"]
+- apiGroups: ["", "coordination.k8s.io"]
+  resources:
+    - "leases"
+  verbs: ["create"]
+{{- end }}
+{{- end }}

charts/kspm-collector/templates/rolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kspmCollector.fullname" .}}
+  labels:
+{{ include "kspmCollector.labels" . | indent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kspmCollector.serviceAccountName" .}}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ template "kspmCollector.fullname" .}}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/kspm-collector/tests/configmap_test.yaml

@@ -0,0 +1,85 @@
+suite: KSPM Collector ConfigMap Tests
+templates:
+  - configmap.yaml
+tests:
+  - it: check that transport_layer is set with default value
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+    asserts:
+      - equal:
+          path: data.transport_layer
+          value: nats
+
+  - it: check that transport_layer is set with overridden value
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      transportLayer: http
+    asserts:
+      - equal:
+          path: data.transport_layer
+          value: http
+
+  - it: check that leader_election_lease_lock_name is set with default value
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+    asserts:
+      - equal:
+          path: data.leader_election_lease_lock_name
+          value: kspm-analyzer-leader-election
+
+  - it: check that leader_election_lease_lock_name is set with overridden value
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      leaderElection:
+        lockName: test-lock
+    asserts:
+      - equal:
+          path: data.leader_election_lease_lock_name
+          value: test-lock
+
+  - it: check that leader_election_lease_lock_name is required when transport is http
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      transportLayer: http
+      leaderElection:
+        lockName: ""
+    asserts:
+      - failedTemplate:
+          errorMessage: A valid lock name for the leader election is required when transport is http
+
+  - it: check that leader_election_lease_lock_namespace is equal to release namespace
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      transportLayer: http
+    release:
+      namespace: test-namespace-release
+    asserts:
+      - equal:
+          path: data.leader_election_lease_lock_namespace
+          value: test-namespace-release
+
+  - it: check that leader_election_lease_lock_namespace is equal to namespace value if set
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      transportLayer: http
+      namespace: test-namespace-value
+    release:
+      namespace: test-namespace-release
+    asserts:
+      - equal:
+          path: data.leader_election_lease_lock_namespace
+          value: test-namespace-value

charts/kspm-collector/tests/deployment_envvars_test.yaml

@@ -0,0 +1,16 @@
+suite: KSPM Collector Deployment Env Var Tests
+templates:
+  - deployment.yaml
+tests:
+  - it: check that KUBE_POD_NAME is set with the name of the pod
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[?(@.name=="kspm-collector")].env
+          content:
+            name: KUBE_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name

charts/kspm-collector/tests/role_test.yaml

@@ -0,0 +1,48 @@
+suite: KSPM Collector Role Tests
+templates:
+  - templates/role.yaml
+tests:
+  - it: Should not create document if rbac.create is false
+    set:
+      rbac:
+        create: false
+    asserts:
+      - containsDocument:
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: Role
+        not: true
+
+  - it: Should not create rules if transportLayer is not http
+    set:
+      transportLayer: nats
+    asserts:
+      - isNullOrEmpty:
+          path: rules
+
+  - it: Should grant permissions to create lease if transport is http
+    set:
+      transportLayer: http
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["", "coordination.k8s.io"]
+            resources:
+              - "leases"
+            verbs: ["create"]
+
+  - it: Should grant all permissions on specific lease if transport is http
+    set:
+      transportLayer: http
+      leaderElection:
+        lockName: test-lock-name
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["", "coordination.k8s.io"]
+            resources:
+              - "leases"
+            resourceNames:
+              - "test-lock-name"
+            verbs: ["*"]

charts/kspm-collector/values.yaml

@@ -72,6 +72,16 @@ natsUrl: ""
 # Setting a cluster name allows you to filter events from this cluster using kubernetes.cluster.name
 clusterName: ""
 
+# Determine the transport used by the collector to receive tasks from the backend and send results back to it.
+# Valid values are "nats" and "http".
+transportLayer: nats
+
+# Provide values required to acquire a lease from the k8s api for the leader election mechanism
+# used to prevent multiple instances of the collector to run simultaneously.
+# This is done to reduce the load on the k8s api in case of http transport.
+leaderElection:
+  lockName: kspm-analyzer-leader-election
+
 image:
   repository: sysdig/kspm-collector
   tag: 1.39.11