Helm Chart: Move vulnerability processing to be a cronjob by default #25488

226 changes: 226 additions & 0 deletions charts/fleet/templates/cron-vulnprocessing.yaml
@@ -0,0 +1,226 @@
{{- if .Values.vulnProcessing.dedicated }}
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app: fleet
chart: fleet
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: fleet-vulnprocessing
namespace: {{ .Release.Namespace }}
spec:
schedule: {{ .Values.vulnProcessing.schedule }}
jobTemplate:
spec:
ttlSecondsAfterFinished: 100
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
labels:
app: fleet
chart: fleet
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
restartPolicy: Never
shareProcessNamespace: true
containers:
- name: fleet-vulnprocessing
command: ["/bin/sh", "-c"]
args:
- |
/usr/bin/fleet vuln_processing;
{{- if .Values.gke.cloudSQL.enableProxy }}
sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
{{- end }}
image: "{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
resources:
limits:
cpu: {{ .Values.vulnProcessing.resources.limits.cpu }}
memory: {{ .Values.vulnProcessing.resources.limits.memory }}
requests:
cpu: {{ .Values.vulnProcessing.resources.requests.cpu }}
memory: {{ .Values.vulnProcessing.resources.requests.memory }}
env:
## BEGIN FLEET SECTION
- name: FLEET_VULNERABILITIES_DATABASES_PATH
value: /tmp/vuln # /tmp might not work on all cloud providers by default
# - name: FLEET_SERVER_ADDRESS
# value: "0.0.0.0:{{ .Values.fleet.listenPort }}"
# - name: FLEET_AUTH_BCRYPT_COST
# value: "{{ .Values.fleet.auth.bcryptCost }}"
# - name: FLEET_AUTH_SALT_KEY_SIZE
# value: "{{ .Values.fleet.auth.saltKeySize }}"
# - name: FLEET_APP_TOKEN_KEY_SIZE
# value: "{{ .Values.fleet.app.tokenKeySize }}"
# - name: FLEET_APP_TOKEN_VALIDITY_PERIOD
# value: "{{ .Values.fleet.app.inviteTokenValidityPeriod }}"
# - name: FLEET_SESSION_KEY_SIZE
# value: "{{ .Values.fleet.session.keySize }}"
# - name: FLEET_SESSION_DURATION
# value: "{{ .Values.fleet.session.duration }}"
- name: FLEET_LOGGING_DEBUG
value: "{{ .Values.fleet.logging.debug }}"
- name: FLEET_LOGGING_JSON
value: "{{ .Values.fleet.logging.json }}"
- name: FLEET_LOGGING_DISABLE_BANNER
value: "{{ .Values.fleet.logging.disableBanner }}"
# - name: FLEET_SERVER_TLS
# value: "{{ .Values.fleet.tls.enabled }}"
# {{- if .Values.fleet.tls.enabled }}
# - name: FLEET_SERVER_TLS_COMPATIBILITY
# value: "{{ .Values.fleet.tls.compatibility }}"
# - name: FLEET_SERVER_CERT
# value: "/secrets/tls/{{ .Values.fleet.tls.certSecretKey }}"
# - name: FLEET_SERVER_KEY
# value: "/secrets/tls/{{ .Values.fleet.tls.keySecretKey }}"
# {{- end }}
{{- if .Values.fleet.license.secretName }}
- name: FLEET_LICENSE_KEY
valueFrom:
secretKeyRef:
key: {{ .Values.fleet.license.licenseKey }}
name: {{ .Values.fleet.license.secretName }}
{{- end }}
## END FLEET SECTION
## BEGIN MYSQL SECTION
- name: FLEET_MYSQL_ADDRESS
value: "{{ .Values.database.address }}"
- name: FLEET_MYSQL_DATABASE
value: "{{ .Values.database.database }}"
- name: FLEET_MYSQL_USERNAME
value: "{{ .Values.database.username }}"
- name: FLEET_MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.database.secretName }}
key: {{ .Values.database.passwordKey }}
- name: FLEET_MYSQL_MAX_OPEN_CONNS
value: "{{ .Values.database.maxOpenConns }}"
- name: FLEET_MYSQL_MAX_IDLE_CONNS
value: "{{ .Values.database.maxIdleConns }}"
- name: FLEET_MYSQL_CONN_MAX_LIFETIME
value: "{{ .Values.database.connMaxLifetime }}"
{{- if .Values.database.tls.enabled }}
{{- if .Values.database.tls.caCertKey }}
- name: FLEET_MYSQL_TLS_CA
value: "/secrets/mysql/{{ .Values.database.tls.caCertKey }}"
{{- end }}
{{- if .Values.database.tls.certKey }}
- name: FLEET_MYSQL_TLS_CERT
value: "/secrets/mysql/{{ .Values.database.tls.certKey }}"
{{- end }}
{{- if .Values.database.tls.keyKey }}
- name: FLEET_MYSQL_TLS_KEY
value: "/secrets/mysql/{{ .Values.database.tls.keyKey }}"
{{- end }}
- name: FLEET_MYSQL_TLS_CONFIG
value: "{{ .Values.database.tls.config }}"
- name: FLEET_MYSQL_TLS_SERVER_NAME
value: "{{ .Values.database.tls.serverName }}"
{{- end }}
## END MYSQL SECTION
## BEGIN REDIS SECTION
- name: FLEET_REDIS_ADDRESS
value: "{{ .Values.cache.address }}"
- name: FLEET_REDIS_DATABASE
value: "{{ .Values.cache.database }}"
{{- if .Values.cache.usePassword }}
- name: FLEET_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ .Values.cache.secretName }}"
key: "{{ .Values.cache.passwordKey }}"
{{- end }}
## END REDIS SECTION
## APPEND ENVIRONMENT VARIABLES FROM VALUES
{{- range $key, $value := .Values.environments }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
## APPEND ENVIRONMENT VARIABLES FROM SECRETS/CMs
{{- range .Values.envsFrom }}
- name: {{ .name }}
valueFrom:
{{- if .valueFrom.configMapKeyRef }}
configMapKeyRef:
name: {{ .valueFrom.configMapKeyRef.name }}
key: {{ .valueFrom.configMapKeyRef.key }}
{{- else if .valueFrom.secretKeyRef }}
secretKeyRef:
name: {{ .valueFrom.secretKeyRef.name }}
key: {{ .valueFrom.secretKeyRef.key }}
{{- end }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
{{- if .Values.gke.cloudSQL.enableProxy }}
add:
- SYS_PTRACE
{{- else }}
drop: [ALL]
{{- end }}
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 3333
runAsUser: 3333
runAsNonRoot: true
volumeMounts:
- name: tmp
mountPath: /tmp
{{- if .Values.database.tls.enabled }}
- name: mysql-tls
readOnly: true
mountPath: /secrets/mysql
{{- end }}
{{- if .Values.gke.cloudSQL.enableProxy }}
- name: cloudsql-proxy
image: "{{ .Values.gke.cloudSQL.imageRepository }}:{{ .Values.gke.cloudSQL.imageTag }}"
command:
- "/cloud_sql_proxy"
- "-verbose={{ .Values.gke.cloudSQL.verbose}}"
- "-instances={{ .Values.gke.cloudSQL.instanceName }}=tcp:3306"
resources:
limits:
cpu: 0.5 # 500Mhz
memory: 150Mi
requests:
cpu: 0.1 # 100Mhz
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 3333
runAsUser: 3333
runAsNonRoot: true
{{- end }}
serviceAccountName: fleet
volumes:
- name: tmp
emptyDir:
{{- if .Values.database.tls.enabled }}
- name: mysql-tls
secret:
secretName: "{{ .Values.database.secretName }}"
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
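Review bot: When `gke.cloudSQL.enableProxy` is true, the fleet container's securityContext switches from `drop: [ALL]` to only `add: [SYS_PTRACE]`, so it keeps the runtime's default capability bounding set on top of ptrace rights inside a shared PID namespace; the drop should be unconditional with the add layered on it, and since both containers run as UID 3333 it is worth checking whether `pgrep`/`kill -INT` work without SYS_PTRACE at all. The `;` after `fleet vuln_processing` means the Job's exit status is that of `kill`, so a failed processing run is reported as success — capture it first with `/usr/bin/fleet vuln_processing; rc=$?` and finish with `exit $rc`. `schedule:` renders the value unquoted, so any schedule starting with `*` (e.g. `*/30 * * * *`) is parsed as a YAML alias; use `schedule: {{ .Values.vulnProcessing.schedule | quote }}`. There is also no `concurrencyPolicy: Forbid`, and `ttlSecondsAfterFinished: 100` deletes a failed run's pod and logs within two minutes, which hurts both overlap safety and post-incident debugging.
```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ALL]
    {{- if .Values.gke.cloudSQL.enableProxy }}
    add:
      - SYS_PTRACE
    {{- end }}
  # … unchanged: privileged, readOnlyRootFilesystem, runAsGroup/runAsUser/runAsNonRoot …
```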
10 changes: 10 additions & 0 deletions charts/fleet/templates/deployment.yaml
Expand Up @@ -269,6 +269,16 @@ spec:
value: "{{ .Values.osquery.logging.pubsub.resultTopic }}"
{{- end }}
## END OSQUERY SECTION

## BEGIN VULNERABILITY PROCESSING
# Disable vulnerability processing in the main deployment when the
# dedicated cron is setup to reduce total cpu/memory utilization
{{- if .Values.vulnProcessing.dedicated }}
- name: FLEET_VULNERABILITIES_DISABLE_SCHEDULE
value: "true"
{{- end }}
## END Vulnerability Processing

## APPEND ENVIRONMENT VARIABLES FROM VALUES
{{- range $key, $value := .Values.environments }}
- name: {{ $key }}
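Review bot: The closing marker `## END Vulnerability Processing` breaks the all-caps convention of the neighbouring markers (`## END OSQUERY SECTION`, and this block's own `## BEGIN VULNERABILITY PROCESSING`); make it `## END VULNERABILITY PROCESSING`. The comment gives only resource usage as the motivation, whereas the more important effect is presumably that the deployment and the new CronJob would otherwise both run the vulnerability schedule; I would phrase it as `# Disable the in-process vulnerability schedule when the dedicated CronJob is enabled, so the work is not run twice and the main pod's memory footprint stays small` (and `setup` should be `set up`). The env list this hunk sits in starts and ends outside the hunk.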
18 changes: 17 additions & 1 deletion charts/fleet/values.yaml
Expand Up @@ -40,7 +40,8 @@ affinity:
ingress:
enabled: false
className: ""
annotations: {}
annotations:
{}
# kubernetes.io/tls-acme: "true"
# nginx.ingress.kubernetes.io/proxy-body-size: 10m
# kubernetes.io/ingress.class: nginx
Expand Down Expand Up @@ -103,6 +104,21 @@ fleet:
extraVolumes: []
extraVolumeMounts: []

# Whether to make fleet vulnerability processing run in a dedicated container
# if you set dedicated=false, you need to increase the main resources section
# to 4Gi or the fleet container will be OOMKilled when vulnerability processing
# tries to run.
vulnProcessing:
dedicated: true
schedule: "0 1 * * *"
resources:
limits:
cpu: 1 # 1GHz
memory: 4Gi
requests:
cpu: 0.1 # 100Mhz
memory: 50Mi

## Section: osquery
# All of the settings related to osquery's interactions with the Fleet server
osquery:
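Review bot: The `# 1GHz` and `# 100Mhz` comments beside `cpu: 1` and `cpu: 0.1` are misleading — Kubernetes CPU quantities are cores or millicores, not clock rates; `# 1 CPU core` and `# 100m (0.1 core)` say what the values mean. A 50Mi request against a 4Gi limit lets the scheduler place the job on a node with far less than 4Gi free, so the run that the comment above warns will OOM at smaller limits is exactly the pod that gets killed or evicted under node memory pressure; a request closer to the expected working set (or equal to the limit for a once-a-day job) is safer. `dedicated: true` as the default also changes behaviour for every existing install on upgrade — a new CronJob appears and the main deployment stops vulnerability processing — which deserves a line in this comment or the chart changelog, together with a note that the cron schedule is evaluated in the controller-manager's time zone unless the CronJob's `timeZone` field is set. The `annotations: {}` → two-line rewrite is a no-op and could be dropped from the change.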