Merge pull request #315 from manuelbcd/main

Added Sysdig agent support and testing automations

eks-anywhere-common/Addons/Partner/Sysdig/external-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: sysdig-secretstore-ekssnow
+  namespace: sysdig
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: eksa-secret-store             #The secret store name we have just created.
+    kind: ClusterSecretStore
+  target:
+    name: sysdig-access-key             # Secret name in k8s
+  data:
+  - secretKey: secret-sysdig-key        # which key it's going to be stored
+    remoteRef:
+      key: secret-sysdig-key            # Our secret-name goes here

eks-anywhere-common/Addons/Partner/Sysdig/namespace.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sysdig
+  labels:
+      aws.conformance.vendor: sysdig
+      aws.conformance.vendor-solution: sysdig-agent

eks-anywhere-common/Addons/Partner/Sysdig/sysdig-source.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: sysdig
+  namespace: flux-system
+spec:
+  interval: 30s
+  url:  https://charts.sysdig.com

eks-anywhere-common/Addons/Partner/Sysdig/sysdig.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: sysdig
+  namespace: sysdig
+spec:
+  chart:
+    spec:
+      chart: sysdig-deploy
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: sysdig
+        namespace: flux-system
+      version: 1.67.5
+  interval: 30s
+  targetNamespace: sysdig
+  values:
+    global:
+      sysdig:
+        region: us2         # us1 | us2 | us3 | us4 | eu1 | au1
+      kspm:
+        deploy: false       # Disabled by default to optimize resources. Activating it without the right cluster sizing could lead to instability
+      clusterConfig:
+        name: myclusterName # Place here a meaningful cluster name to identify it
+    agent:
+      ebpf:
+        enabled: true    
+      tolerations: []   # Nullifying tolerations disallows the agents from being executed in the Control Plane
+      # resourceProfile: custom
+      # resources:
+      #  requests:
+      #    cpu:600m
+      #    memory: 1G
+      #  limits:
+      #    cpu: 1500m
+      #    memory: 1G
+      sysdig:
+        settings:
+          collector_port: 6443
+    nodeAnalyzer:
+      nodeAnalyzer:
+        tolerations: []  # Nullifying tolerations disallows the nodeAnalyzers from being executed in the Control Plane
+        benchmarkRunner:
+          deploy: false   # Benchmark Runner disabled by default
+      secure:
+        vulnerabilityManagement:
+          newEngineOnly: true
+  valuesFrom:
+  - kind: Secret
+    name: sysdig-access-key
+    valuesKey: secret-sysdig-key
+    targetPath: global.sysdig.accessKey

eks-anywhere-common/Testers/Sysdig/sysdig-test-configmap.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sysdig-test-configmap
+  namespace: sysdig
+data:
+  test.sh: |-
+    #!/bin/bash
+    echo -e "\n # Validation process started #"
+    kubectl wait pods -n sysdig -l app=sysdig-agent --for condition=Ready --timeout=150s
+    sleep 90
+    pods=($(kubectl get pod -l app=sysdig-agent -n sysdig -o jsonpath="{.items[*].metadata.name}"))
+    for pod in "${pods[@]}"; do
+      logs=$(kubectl logs -n sysdig $pod --tail -1)
+      if grep "to collector at host" <<< "$logs"
+      then 
+        echo -e "\n # Sysdig Agent connection with server was success #"
+        # Let's generate events
+        history -c  # Try to clear bash history
+        # Check if the above generated event has been successfully captured
+        sleep 180
+        logs=$(kubectl logs -n sysdig $pod --tail -1)
+        if grep "msgtype=31" <<< "$logs"
+        then
+          echo -e "\n # Sysdig Agent successfully captured the event #"
+          exit 0
+        else
+          echo -e "\n # Error: Sysdig Agent didn't capture any event #"
+          exit 1
+        fi
+      else
+        echo -e "\n # Error: Sysdig Agent couldn't connect with the server. Please check egress, region and token #"
+        exit 1
+      fi
+    done;

eks-anywhere-common/Testers/Sysdig/sysdig-test-cronjob.yaml

@@ -0,0 +1,30 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sysdig-agent-test
+  namespace: sysdig
+spec:
+  schedule: "0 1 * * *"
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      activeDeadlineSeconds: 1000
+      template:
+        spec:
+          containers:
+            - name: job
+              image: 'alpine/k8s:1.26.2'
+              imagePullPolicy: Always
+              command:
+                - /bin/test.sh
+              volumeMounts:
+                - name: sysdig-test-configmap-volume
+                  mountPath: /bin/test.sh
+                  readOnly: true
+                  subPath: test.sh
+          volumes:
+            - name: sysdig-test-configmap-volume
+              configMap:
+                defaultMode: 0700
+                name: sysdig-test-configmap
+          restartPolicy: Never

eks-anywhere-common/Testers/Sysdig/sysdig-testjob-role.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: sysdig-agent-role
+  namespace: sysdig
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "watch", "list"]
+  - apiGroups: [ "" ]
+    resources: [ "pods/log" ]
+    verbs: [ "get", "watch", "list" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: read-sysdig-agent
+  namespace: sysdig
+subjects:
+  - kind: User
+    name: system:serviceaccount:sysdig:default
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: sysdig-agent-role
+  apiGroup: rbac.authorization.k8s.io