release(sysdig-deploy,kspm-collector): kspm-collector v1.39.12 #2255

Merged: 9 commits, May 20, 2025
4 changes: 2 additions & 2 deletions charts/kspm-collector/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
name: kspm-collector
description: Sysdig KSPM collector
version: 0.17.9
appVersion: 1.39.11
version: 0.18.0
appVersion: 1.39.12
keywords:
- monitoring
- security
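Review bot: the bump from 0.17.9 to 0.18.0 is the right size for this change set (new role.yaml and rolebinding.yaml templates plus the new `transportLayer`, `leaderElection` and `env` values), since installs with `rbac.create` enabled now gain a Role and RoleBinding they did not have before; that new RBAC footprint should be called out in the chart changelog or README so cluster operators who review namespace-scoped permissions are not surprised by it.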
5 changes: 4 additions & 1 deletion charts/kspm-collector/README.md
Expand Up @@ -45,11 +45,13 @@ The following table lists the configurable parameters of the Sysdig KSPM Collect
| `clusterName` | Sets a unique cluster name. This name will be used to identify events using the `kubernetes.cluster.name` tag. | ` ` |
| `image.registry` | Specifies the KSPM collector image registry. | `quay.io` |
| `image.repository` | Specifies the image repository to pull from. | `sysdig/kspm-collector` |
| `image.tag` | Specifies the image tag to pull from the image repository. | `1.39.11` |
| `image.tag` | Specifies the image tag to pull from the image repository. | `1.39.12` |
| `image.digest` | Specifies the image digest to pull from the image repository. | ` ` |
| `image.pullPolicy` | Specifies theImage pull policy. | `""` |
| `imagePullSecrets` | Specifies the Image pull secret. | `[]` |
| `replicas` | Specifies the KSPM collector deployment replicas. | `1` |
| `transportLayer` | Determine the transport used by the collector to receive tasks from the backend and send results back to it. Valid values are "nats" and "http". | `http` |
| `leaderElection.lockName` | Name of the k8s leader election lease lock. Applicable only if the transport layer is `http`. | `kspm-collector-leader-election` |
| `namespaces.included` | Specifies the namespaces to include in the KSPM collector scans. If left empty, all the namesapces will be scanned. | `` |
| `namespaces.excluded` | Specifies the namespaces to exclude in the KSPM collector scans. | `` |
| `nodeSelector` | Specifies the Node Selector. | `{}` |
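Review bot: the new `transportLayer` and `leaderElection.lockName` rows do not say that `http` mode depends on the Role and RoleBinding added in this PR (that is, `rbac.create` must be true for the collector to acquire its Lease); add that to the `transportLayer` description so operators who disable RBAC creation know why leader election fails. While this table is being edited, two context rows carry typos worth fixing: `Specifies theImage pull policy.` and `all the namesapces will be scanned`.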
Expand All @@ -70,6 +72,7 @@ The following table lists the configurable parameters of the Sysdig KSPM Collect
| `sslVerifyCertificate` | Sets `NATS_INSECURE` env variable on the KSPM collector containers. | |
| `arch` | Specifies the allowed architectures for scheduling. | `[ amd64, arm64 ]` |
| `os` | Specifies the allowed operating systems for scheduling. | `[ linux ]` |
| `env` | Specifies the Extra environment variables that will be passed onto pods. | `{}` |
| `affinity` | Specifies the node affinities. Overrides `arch` and `os` values. | `{}` |
| `labels` | Specifies the KSPM collector specific labels as a multi-line templated string map or as YAML. | `{}` |
| `annotations` | Specifies the deployment annotations as a multi-line templated string map or as YAML. | `{}` |
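Review bot: the `env` row should state the shape the template expects, a map of variable name to value rather than a list of Kubernetes EnvVar objects, and that every value is rendered as a plain string, so `valueFrom` references (secrets, field refs) cannot be supplied through this setting. Also lowercase `Extra` in `Specifies the Extra environment variables ...` to match the surrounding rows.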
17 changes: 17 additions & 0 deletions charts/kspm-collector/templates/_helpers.tpl
Expand Up @@ -141,6 +141,12 @@ Sysdig NATS service URL
{{- end -}}
{{- end -}}

{{/*
Returns the transport layer
*/}}
{{- define "kspmCollector.transportLayer" -}}
{{ .Values.transportLayer | default "http" }}
{{- end -}}

{{/*
Returns the namespace for installing components
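Review bot: `kspmCollector.transportLayer` applies a default but never validates the value, so a typo such as `transportLayer: htpp` silently takes the non-http path (no `required` check on the lock name, no Role rules) while the collector still receives `transport_layer: htpp`. Consider failing early in this helper, e.g. `{{- $t := .Values.transportLayer | default "http" -}}` followed by `{{- if not (has $t (list "http" "nats")) }}{{ fail (printf "unsupported transportLayer %q" $t) }}{{ end -}}`, so that the README's "valid values are nats and http" is enforced by the chart rather than left to the runtime.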
Expand All @@ -149,6 +155,17 @@ Returns the namespace for installing components
{{- coalesce .Values.namespace .Release.Namespace -}}
{{- end -}}

{{/*
Returns the name of the lock for the leader election lease
*/}}
{{- define "kspmCollector.leaderElectionLeaseLockName" -}}
{{- if eq (.Values.transportLayer | default "") "http" -}}
{{- required "A valid lock name for the leader election is required when transport is http" .Values.leaderElection.lockName -}}
{{- else -}}
{{- .Values.leaderElection.lockName -}}
{{- end -}}
{{- end -}}

{{/*
KSPM Collector nodeSelector
*/}}
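Review bot: `kspmCollector.leaderElectionLeaseLockName` compares `(.Values.transportLayer | default "")` with `"http"`, while `kspmCollector.transportLayer` defaults the same value to `"http"`. When `transportLayer` is left unset the collector therefore runs in http mode, but this helper takes the `else` branch, the `required` check is bypassed, and an empty `leaderElection.lockName` renders as an empty lock name. Use the shared helper in the condition, `{{- if eq (include "kspmCollector.transportLayer" .) "http" -}}`, as role.yaml already does, so the two helpers cannot disagree.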
4 changes: 4 additions & 0 deletions charts/kspm-collector/templates/configmap.yaml
Expand Up @@ -11,6 +11,7 @@ data:
{{- $env = "DEVELOPMENT" -}}
{{ end}}
environment: {{ $env }}
api_endpoint: {{ include "kspmCollector.apiEndpoint" . }}
included_namespaces: {{ .Values.namespaces.included | quote}}
excluded_namespaces: {{ .Values.namespaces.excluded | quote }}
included_workloads: {{ .Values.workloads.included | quote }}
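Review bot: `api_endpoint` is emitted unquoted, unlike the neighbouring `included_namespaces: {{ .Values.namespaces.included | quote}}`; if `kspmCollector.apiEndpoint` ever renders empty the key becomes YAML null and the ConfigMap is rejected, because `data` values must be strings, and the matching `API_ENDPOINT` configMapKeyRef in deployment.yaml is not optional, so the pod would never start. Pipe it through `| quote` for consistency with the rest of the file.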
Expand All @@ -21,6 +22,9 @@ data:
nats_max_reconnect_failures: {{ .Values.natsMaxReconnectFailures | default 60 | quote }}
cluster_name: {{ required "A valid clusterName is required" (include "kspmCollector.clusterName" .) }}
nats_insecure: {{ include "kspmCollector.natsInsecure" . }}
transport_layer: {{ include "kspmCollector.transportLayer" . }}
leader_election_lease_lock_name: {{ include "kspmCollector.leaderElectionLeaseLockName" . }}
leader_election_lease_lock_namespace: {{ include "kspmCollector.namespace" . }}
{{- if (.Values.httpProxy | default .Values.global.proxy.httpProxy) }}
http_proxy: {{ .Values.httpProxy | default .Values.global.proxy.httpProxy }}
{{- end -}}
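Review bot: the three new keys are unquoted, and `leader_election_lease_lock_name` can legitimately be empty when `transportLayer` is `nats` and a user clears `leaderElection.lockName` (the helper just echoes the value in that branch), which yields `leader_election_lease_lock_name:` with a null value and a ConfigMap validation failure. Quote them like the existing `nats_max_reconnect_failures: {{ ... | quote }}` line, or only emit the two leader-election keys when the transport layer is http.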
34 changes: 34 additions & 0 deletions charts/kspm-collector/templates/deployment.yaml
Expand Up @@ -94,6 +94,11 @@ spec:
resources:
{{ toYaml .Values.resources | indent 10 }}
env:
- name: API_ENDPOINT
valueFrom:
configMapKeyRef:
name: {{ template "kspmCollector.fullname" . }}
key: api_endpoint
- name: ACCESS_KEY
valueFrom:
secretKeyRef:
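Review bot: inserting `API_ENDPOINT` ahead of `ACCESS_KEY` shifts every existing env index, which is why the `env[0]` assertions in global_overrides_test.yaml had to be rewritten; anything outside the chart that patches the container env by index (kustomize or post-render JSON patches) will break the same way. Appending the new variable after the existing entries would avoid that, or at least the reordering should be mentioned in the release notes.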
Expand All @@ -103,11 +108,32 @@ spec:
name: {{ ( include "kspmCollector.accessKeySecret" .) }}
{{- end }}
key: access-key
- name: KUBE_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: CLUSTER_NAME
valueFrom:
configMapKeyRef:
name: {{ template "kspmCollector.fullname" . }}
key: cluster_name
- name: TRANSPORT_LAYER
valueFrom:
configMapKeyRef:
name: {{ template "kspmCollector.fullname" . }}
key: transport_layer
- name: KUBE_LEADER_ELECTION_LEASE_LOCK_NAME
valueFrom:
configMapKeyRef:
name: {{ template "kspmCollector.fullname" . }}
key: leader_election_lease_lock_name
optional: true
- name: KUBE_LEADER_ELECTION_LEASE_LOCK_NAMESPACE
valueFrom:
configMapKeyRef:
name: {{ template "kspmCollector.fullname" . }}
key: leader_election_lease_lock_namespace
optional: true
- name: INCLUDED_NAMESPACES
valueFrom:
configMapKeyRef:
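Review bot: `optional: true` on `KUBE_LEADER_ELECTION_LEASE_LOCK_NAME` and `KUBE_LEADER_ELECTION_LEASE_LOCK_NAMESPACE` does not match configmap.yaml, which always renders both keys, so the flag never has an effect; and in http mode a missing lock name should be a hard failure rather than a silently unset variable. Either drop `optional: true`, or gate both the ConfigMap keys and these two env entries on `include "kspmCollector.transportLayer"` being `http`. `CLUSTER_NAME` and `TRANSPORT_LAYER` are correctly left non-optional.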
Expand Down Expand Up @@ -203,12 +229,18 @@ spec:
- name: TLS_CA_PATHS
value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
{{- end }}
{{- range $key, $value := .Values.env }}
- name: "{{ $key }}"
value: "{{ $value }}"
{{- end }}
volumeMounts:
{{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
- mountPath: /ca-certs
name: ca-cert
readOnly: true
{{- end }}
- mountPath: /tmp
name: tmp-dir
volumes:
{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
- name: ca-cert
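Review bot: `value: "{{ $value }}"` builds the YAML string by wrapping the raw value in literal double quotes, so a value containing `"` or `\` produces invalid YAML; use `value: {{ $value | quote }}` (and `name: {{ $key | quote }}`) instead. Also, because the `.Values.env` range is rendered after the chart-managed variables, a user key such as `TRANSPORT_LAYER` or `ACCESS_KEY` yields a duplicate env name that the API server does not reject and whose precedence is left to the kubelet, so chart configuration can be overridden without any error; consider rejecting reserved names with `fail`, or rendering the extra variables before the chart-managed ones. The `/tmp` emptyDir mount is a good addition for running the container with a read-only root filesystem.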
Expand All @@ -223,3 +255,5 @@ spec:
configMap:
name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
{{- end }}
- name: tmp-dir
emptyDir: {}
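Review bot: the `tmp-dir` emptyDir has no `sizeLimit`, so whatever the collector writes to /tmp is bounded only by node disk; adding `emptyDir: { sizeLimit: ... }` (with a limit chosen by the maintainers) keeps one misbehaving collector pod from exhausting the node.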
22 changes: 22 additions & 0 deletions charts/kspm-collector/templates/role.yaml
@@ -0,0 +1,22 @@
{{- if .Values.rbac.create }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kspmCollector.fullname" . }}
namespace: {{ include "kspmCollector.namespace" . }}
labels:
{{ include "kspmCollector.labels" . | indent 4 }}
rules:
{{- if eq (include "kspmCollector.transportLayer" .) "http" }}
- apiGroups: ["", "coordination.k8s.io"]
resources:
- "leases"
resourceNames:
- {{ include "kspmCollector.leaderElectionLeaseLockName" . }}
verbs: ["*"]
- apiGroups: ["", "coordination.k8s.io"]
resources:
- "leases"
verbs: ["create"]
{{- end }}
{{- end }}
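Review bot: the first rule grants `verbs: ["*"]` on the named lease, which is more than leader election needs; the usual client-go pattern is `get`, `update` and `patch` on the named lease plus `create` on leases, which the second rule already provides, so `*` (including `delete` and `deletecollection`) can be narrowed. Two smaller points: `leases` exist only in `coordination.k8s.io`, so the `""` core group entry in `apiGroups` is dead weight, and the `resourceNames` entry should be quoted (`- {{ include "kspmCollector.leaderElectionLeaseLockName" . | quote }}`) since it is user-controlled input. Finally, when the transport layer is not http the template still emits a Role with empty `rules`, which role_test.yaml codifies; wrapping the whole document in the transport-layer check would avoid the empty object.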
16 changes: 16 additions & 0 deletions charts/kspm-collector/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
{{- if and .Values.rbac.create }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kspmCollector.fullname" .}}
labels:
{{ include "kspmCollector.labels" . | indent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "kspmCollector.serviceAccountName" .}}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ template "kspmCollector.fullname" .}}
apiGroup: rbac.authorization.k8s.io
{{- end }}
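Review bot: `{{- if and .Values.rbac.create }}` uses `and` with a single argument, which is a no-op; write `{{- if .Values.rbac.create }}` as role.yaml does. More importantly, the RoleBinding has no `metadata.namespace`, while the Role is placed in `include "kspmCollector.namespace"` (a coalesce of `.Values.namespace` and `.Release.Namespace`); when `.Values.namespace` is set, the binding lands in the release namespace and references a Role that does not exist there, so the collector's lease requests are rejected. Add `namespace: {{ include "kspmCollector.namespace" . }}` to `metadata` and use the same helper for the subject's `namespace` instead of `.Release.Namespace`. A `rolebinding_test.yaml` alongside role_test.yaml would catch this.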
12 changes: 10 additions & 2 deletions charts/kspm-collector/tests/ca_cert_test.yaml
Expand Up @@ -21,11 +21,19 @@ tests:
name: SSL_CERT_FILE
value: "/ca-certs/global_root_ca.crt"
template: deployment.yaml
- isEmpty:
- notContains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-kspm-collector-ca
template: deployment.yaml
- isEmpty:
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: deployment.yaml

- it: Check Custom CA Cert defined with Values
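Review bot: switching from `isEmpty` to `notContains` is the right adaptation now that deployment.yaml always adds the `tmp-dir` volume and mount, but `notContains` matches the whole element, so the assertion still passes if the CA volume is rendered with any field different from the expected `content` (another `secretName`, for example). Add `any: true` so that a partial match on `name: ca-cert` is enough to fail the test.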
85 changes: 85 additions & 0 deletions charts/kspm-collector/tests/configmap_test.yaml
@@ -0,0 +1,85 @@
suite: KSPM Collector ConfigMap Tests
templates:
- configmap.yaml
tests:
- it: check that transport_layer is set with default value
set:
sysdig:
accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
clusterName: test-cluster
asserts:
- equal:
path: data.transport_layer
value: http

- it: check that transport_layer is set with overridden value
set:
sysdig:
accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
clusterName: test-cluster
transportLayer: nats
asserts:
- equal:
path: data.transport_layer
value: nats

- it: check that leader_election_lease_lock_name is set with default value
set:
sysdig:
accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
clusterName: test-cluster
asserts:
- equal:
path: data.leader_election_lease_lock_name
value: kspm-collector-leader-election

- it: check that leader_election_lease_lock_name is set with overridden value
set:
sysdig:
accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
clusterName: test-cluster
leaderElection:
lockName: test-lock
asserts:
- equal:
path: data.leader_election_lease_lock_name
value: test-lock

- it: check that leader_election_lease_lock_name is required when transport is http
set:
sysdig:
accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
clusterName: test-cluster
transportLayer: http
leaderElection:
lockName: ""
asserts:
- failedTemplate:
errorMessage: A valid lock name for the leader election is required when transport is http

- it: check that leader_election_lease_lock_namespace is equal to release namespace
set:
sysdig:
accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
clusterName: test-cluster
transportLayer: http
release:
namespace: test-namespace-release
asserts:
- equal:
path: data.leader_election_lease_lock_namespace
value: test-namespace-release

- it: check that leader_election_lease_lock_namespace is equal to namespace value if set
set:
sysdig:
accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
clusterName: test-cluster
transportLayer: http
namespace: test-namespace-value
release:
namespace: test-namespace-release
asserts:
- equal:
path: data.leader_election_lease_lock_namespace
value: test-namespace-value
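Review bot: the `required` case sets `transportLayer: http` explicitly, so it never exercises the default path where `transportLayer` is unset; given that `kspmCollector.leaderElectionLeaseLockName` defaults the value to `""` while `kspmCollector.transportLayer` defaults it to `"http"`, a test with only `leaderElection.lockName: ""` and no `transportLayer` would currently render successfully instead of failing. Add that case so the two helpers are forced to agree.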
16 changes: 16 additions & 0 deletions charts/kspm-collector/tests/deployment_envvars_test.yaml
@@ -0,0 +1,16 @@
suite: KSPM Collector Deployment Env Var Tests
templates:
- deployment.yaml
tests:
- it: check that KUBE_POD_NAME is set with the name of the pod
set:
sysdig:
accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
asserts:
- contains:
path: spec.template.spec.containers[?(@.name=="kspm-collector")].env
content:
name: KUBE_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
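Review bot: only `KUBE_POD_NAME` is covered; the new `API_ENDPOINT`, `CLUSTER_NAME` and `TRANSPORT_LAYER` variables, the two `optional: true` lease variables and the `.Values.env` range have no assertions. At minimum add a case that sets `env: { FOO: bar }` and asserts the rendered entry, and one that confirms the lease variables reference the `leader_election_lease_lock_name` and `leader_election_lease_lock_namespace` keys of the chart's ConfigMap.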
6 changes: 3 additions & 3 deletions charts/kspm-collector/tests/global_overrides_test.yaml
Expand Up @@ -54,7 +54,7 @@ tests:
existingAccessKeySecret: standard_key
asserts:
- equal:
path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name
path: spec.template.spec.containers[0].env[?(@.name=="ACCESS_KEY")].valueFrom.secretKeyRef.name
value: standard_key
template: deployment.yaml
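Review bot: replacing `env[0]` with the JSONPath filter `env[?(@.name=="ACCESS_KEY")]` is the right fix, since `API_ENDPOINT` now occupies index 0, and it makes the assertion robust to any future reordering; the same edit is applied to the two hunks below.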

Expand All @@ -67,7 +67,7 @@ tests:
accessKeySecret: standard_key
asserts:
- equal:
path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name
path: spec.template.spec.containers[0].env[?(@.name=="ACCESS_KEY")].valueFrom.secretKeyRef.name
value: standard_key
template: deployment.yaml

Expand All @@ -82,7 +82,7 @@ tests:
existingAccessKeySecret: override_key
asserts:
- equal:
path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name
path: spec.template.spec.containers[0].env[?(@.name=="ACCESS_KEY")].valueFrom.secretKeyRef.name
value: override_key
template: deployment.yaml

48 changes: 48 additions & 0 deletions charts/kspm-collector/tests/role_test.yaml
@@ -0,0 +1,48 @@
suite: KSPM Collector Role Tests
templates:
- templates/role.yaml
tests:
- it: Should not create document if rbac.create is false
set:
rbac:
create: false
asserts:
- containsDocument:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
not: true

- it: Should not create rules if transportLayer is not http
set:
transportLayer: nats
asserts:
- isNullOrEmpty:
path: rules

- it: Should grant permissions to create lease if transport is http
set:
transportLayer: http
asserts:
- contains:
path: rules
content:
apiGroups: ["", "coordination.k8s.io"]
resources:
- "leases"
verbs: ["create"]

- it: Should grant all permissions on specific lease if transport is http
set:
transportLayer: http
leaderElection:
lockName: test-lock-name
asserts:
- contains:
path: rules
content:
apiGroups: ["", "coordination.k8s.io"]
resources:
- "leases"
resourceNames:
- "test-lock-name"
verbs: ["*"]
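Review bot: every case sets `transportLayer` explicitly, so the default (unset) path is untested; since `kspmCollector.transportLayer` defaults to `http`, add a case with no `transportLayer` that expects the lease rules to be present. Note also that this suite lists `templates/role.yaml` while the other suites use bare file names such as `configmap.yaml`; both forms work, but one convention would be easier to maintain.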