diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index fd8586e5c..28147894a 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.13.15
+version: 1.14.0
diff --git a/charts/agent/README.md b/charts/agent/README.md
index 7801298d9..2cdd8ae9a 100644
--- a/charts/agent/README.md
+++ b/charts/agent/README.md
@@ -88,8 +88,8 @@ The following table lists the configurable parameters of the Sysdig chart and th | Parameter | Description | Default | |---------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------| | `global.clusterConfig.name` | Sets a unique name to the cluster. You can then use the cluster name to identify events using the `kubernetes.cluster.name` tag. | `quay.io` | -| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required | -| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required | +| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required | +| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required | | `global.sysdig.region` | The SaaS region for these agents. Possible values: `"us1"`, `"us2"`, `"us3"`, `"us4"`, `"eu1"`, `"au1"`, and `"custom"` | `"us1"` | | `global.proxy.httpProxy` | Sets `http_proxy` on the `agent` container. | `""` | | `global.proxy.httpsProxy` | Sets `https_proxy` on the `agent` container. | `""` | 
@@ -146,6 +146,7 @@ The following table lists the configurable parameters of the Sysdig chart and th | `slim.resources.limits.cpu` | Specifies the CPU limit for building the kernel module | `1000m` | | `slim.resources.limits.memory` | Specifies the memory limit for building the kernel module. | `512Mi` | | `ebpf.enabled` | Enables eBPF support for Sysdig instead of `sysdig-probe` kernel module. | `false` | +| `ebpf.kind` | Define which eBPF driver to use, can be `legacy_ebpf` or `universal_ebpf` | `legacy_ebpf` | | `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. Overrides `global.clusterConfig.name`. | ` ` | | `sysdig.accessKey` | Your Sysdig Agent Access Key. Overrides `global.sysdig.accessKey` | Either `accessKey` or `existingAccessKeySecret` is required | | `sysdig.existingAccessKeySecret` | Specifies the name of a Kubernetes secret containing an `access-key ` entry. Overrides `global.sysdig.existingAccessKeySecret` | Either `accessKey` or `existingAccessKeySecret` is required | @@ -158,7 +159,7 @@ The following table lists the configurable parameters of the Sysdig chart and th | `auditLog.auditServerUrl` | Specifies the URL where Sysdig Agent listens for the Kubernetes audit log events. | `0.0.0.0` | | `auditLog.auditServerPort` | Specifies the port where Sysdig Agent listens for the Kubernetes audit log events. | `7765` | | `auditLog.dynamicBackend.enabled` | Deploys the Audit Sink where Sysdig listens for Kubernetes audit log events. | `false` | -| `tolerations` | Specifies the tolerations for scheduling. |
node-role.kubernetes.io/master:NoSchedule,| | +| `tolerations` | Specifies the tolerations for scheduling. |
node-role.kubernetes.io/control-plane:NoSchedule
node-role.kubernetes.io/master:NoSchedule,| | `leaderelection.enable` | Enables the agent leader election algorithm. | `false` | | `prometheus.file` | Specifies the file to configure promscrape. | `false` | | `prometheus.yaml` | Configures the Prometheus metric collection. Performs relabelling and filtering. | ` ` | diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl index 880fd3c16..8eda6b069 100644 --- a/charts/agent/templates/_helpers.tpl +++ b/charts/agent/templates/_helpers.tpl @@ -54,11 +54,15 @@ Define the proper imageRegistry to use for agent and kmodule image {{- end -}} {{/* -Return the proper Sysdig Agent image name +Return the proper Sysdig Agent repository name + +Force the slim version if customer specify enable the slim mode or if the Universal eBPF driver is enforced */}} {{- define "agent.repositoryName" -}} {{- if .Values.slim.enabled -}} {{- .Values.slim.image.repository -}} +{{- else if (include "agent.universalEbpfEnforced" . ) -}} + {{- .Values.slim.image.repository -}} {{- else -}} {{- .Values.image.repository -}} {{- end -}} @@ -219,6 +223,18 @@ it can act like a boolean {{- end -}} {{- end -}} +{{- define "agent.universalEbpfEnforced" -}} + {{- if (and (eq "true" (include "agent.ebpfEnabled" .)) (eq "universal_ebpf" .Values.ebpf.kind )) -}} + true + {{- end -}} +{{- end -}} + +{{- define "agent.legacyEbpfEnforced" -}} + {{- if (and (eq "true" (include "agent.ebpfEnabled" .)) (eq "legacy_ebpf" .Values.ebpf.kind )) -}} + true + {{- end -}} +{{- end -}} + {{/* to help the maxUnavailable pick a reasonable value depending on the cluster size */}} diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml index d2ff2ee23..91eccf6cc 100644 --- a/charts/agent/templates/daemonset.yaml +++ b/charts/agent/templates/daemonset.yaml 
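Review bot: The two new helpers `agent.universalEbpfEnforced` and `agent.legacyEbpfEnforced` in the second _helpers.tpl hunk carry no `{{/* … */}}` header, unlike every neighbouring define in this file; a one-liner such as `{{/* Renders "true" when eBPF is enabled and ebpf.kind is universal_ebpf, otherwise nothing, so the result can be used directly in if/and/not */}}` (and the legacy counterpart) would state the contract that daemonset.yaml now depends on. In the first hunk the added `else if` branch of `agent.repositoryName` repeats the `if` branch verbatim; folding both into `{{- if or .Values.slim.enabled (include "agent.universalEbpfEnforced" .) -}}` keeps the slim override decided in one place. Both helpers compare `.Values.ebpf.kind` with `eq`, which presumably relies on the new values.schema.json making that key required and enum-constrained so an absent or unexpected value is rejected before rendering rather than reaching the comparison. The `{{- end -}}` lines that open the first hunk close a define that starts outside the diff.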
@@ -77,7 +77,8 @@ spec: imagePullSecrets: {{ toYaml .Values.global.image.pullSecrets | nindent 8 }} {{- end }} - {{- if .Values.slim.enabled }} + {{/* When the Universal eBPF is enforced by customer choice there is no reason to start the init container to build the driver */}} + {{- if and .Values.slim.enabled (not (include "agent.universalEbpfEnforced" . )) }} initContainers: - name: sysdig-agent-kmodule image: {{ template "agent.image.kmodule" . }} @@ -95,6 +96,10 @@ spec: - name: SYSDIG_BPF_PROBE value: {{- end }} + {{- if (include "agent.legacyEbpfEnforced" .) }} + - name: SYSDIG_AGENT_DRIVER + value: legacy_ebpf + {{- end }} {{- range $key, $value := .Values.daemonset.kmodule.env }} - name: {{ $key | quote }} value: {{ $value | quote }} @@ -178,10 +183,17 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - {{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)}} + {{- if and (or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)) (not (include "agent.universalEbpfEnforced" . )) }} - name: SYSDIG_BPF_PROBE value: {{- end }} + {{- if (include "agent.universalEbpfEnforced" .) }} + - name: SYSDIG_AGENT_DRIVER + value: universal_ebpf + {{- else if (include "agent.legacyEbpfEnforced" .) }} + - name: SYSDIG_AGENT_DRIVER + value: legacy_ebpf + {{- end }} {{- if (.Values.proxy.httpProxy | default .Values.global.proxy.httpProxy) }} - name: http_proxy value: {{ .Values.proxy.httpProxy | default .Values.global.proxy.httpProxy }} diff --git a/charts/agent/tests/universal_ebpf_test.yaml b/charts/agent/tests/universal_ebpf_test.yaml new file mode 100644 index 000000000..0fe156718 --- /dev/null +++ b/charts/agent/tests/universal_ebpf_test.yaml 
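Review bot: The template comment added at the top of the first daemonset.yaml hunk is written as `{{/* … */}}` with no trim marker, so the whitespace before it survives and the rendered DaemonSet gains a line of indentation-only whitespace just before `initContainers:`; `{{- /* When the Universal eBPF is enforced … */}}` drops it. Separately, the widened init-container condition means a deployment with `slim.enabled: false` and `ebpf.kind: universal_ebpf` skips the kmodule init container while `agent.repositoryName` now switches it to the slim repository; whether the image tag (the `agent.image` helpers, outside this diff) follows the slim values in that case is not visible here, and the new chart test only matches the repository prefix. The `SYSDIG_AGENT_DRIVER` values in the second and third hunks are literal strings rather than `{{ .Values.ebpf.kind }}`, which keeps user-supplied text out of the env block and is worth keeping that way. Each hunk sits inside a `spec` block that begins before it.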
@@ -0,0 +1,103 @@ +suite: Universal eBPF tests +templates: + - templates/daemonset.yaml +tests: + - it: Ensure that when the eBPF is disabled we create the sysdig container without SYSDIG_BPF_PROBE and SYSDIG_AGENT_DRIVER environment variables + set: + ebpf: + enabled: false + asserts: + - isNull: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")] + - isNull: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")] + - isNull: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")] + - isNull: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")] + + - it: Ensure that when the eBPF is enabled the default driver is "legacy_ebpf" we create the sysdig container with the SYSDIG_BPF_PROBE and SYSDIG_AGENT_DRIVER=legacy_ebpf environment variables + set: + ebpf: + enabled: true + asserts: + - isEmpty: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value + value: legacy_ebpf + - isEmpty: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value + value: legacy_ebpf + + - it: Ensure that when the eBPF is enabled and we specify to use the "legacy_ebpf" driver we create the sysdig container with the SYSDIG_BPF_PROBE and with SYSDIG_AGENT_DRIVER environment variables + set: + ebpf: + enabled: true + kind: legacy_ebpf + asserts: + - isEmpty: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value + value: legacy_ebpf + - isEmpty: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.containers[*].env[?(@.name == 
"SYSDIG_AGENT_DRIVER")].value + value: legacy_ebpf + + - it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we create the sysdig container without the SYSDIG_BPF_PROBE and with the SYSDIG_AGENT_DRIVER environment variables + set: + ebpf: + enabled: true + kind: universal_ebpf + asserts: + - isNull: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")] + - equal: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value + value: universal_ebpf + + - it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we don't create the init container + set: + ebpf: + enabled: true + kind: universal_ebpf + asserts: + - isNull: + path: spec.template.spec.initContainers + + - it: Ensure that when the eBPF is enabled and we specify to use the "legacy_ebpf" driver we create the init container + set: + ebpf: + enabled: true + kind: legacy_ebpf + asserts: + - matchRegex: + path: spec.template.spec.initContainers[*].image + pattern: quay.io/sysdig/agent-kmodule:.* + + - it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we use the slim container + set: + ebpf: + enabled: true + kind: universal_ebpf + asserts: + - matchRegex: + path: spec.template.spec.containers[*].image + pattern: quay.io/sysdig/agent-slim:.* + + - it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we use the slim container also if is slim container is not enabled + set: + slim: + enabled: false + ebpf: + enabled: true + kind: universal_ebpf + asserts: + - matchRegex: + path: spec.template.spec.containers[*].image + pattern: quay.io/sysdig/agent-slim:.* diff --git a/charts/agent/values.schema.json b/charts/agent/values.schema.json new file mode 100644 index 000000000..65eeb0df9 --- /dev/null +++ b/charts/agent/values.schema.json 
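Review bot: No case in this new test file pins the default path that the reworked init-container gate in daemonset.yaml can regress: with `ebpf.enabled: false` and `slim.enabled` left at its values.yaml default of `true`, the kmodule init container must still be rendered, and the first test only checks env variables, not that `spec.template.spec.initContainers` exists. A case mirroring the existing `legacy_ebpf` init-container test but with eBPF disabled closes that gap. The title of the last case ("also if is slim container is not enabled") also reads awkwardly and is worth tidying while the file is new.
```yaml
  # … unchanged: existing test cases …
  - it: Ensure that when the eBPF is disabled we still create the kmodule init container
    set:
      ebpf:
        enabled: false
    asserts:
      - matchRegex:
          path: spec.template.spec.initContainers[*].image
          pattern: quay.io/sysdig/agent-kmodule:.*
```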
@@ -0,0 +1,28 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "required": [ + "ebpf" + ], + "properties": { + "ebpf": { + "type": "object", + "required": [ + "enabled", + "kind" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "kind": { + "type": "string", + "enum": [ + "legacy_ebpf", + "universal_ebpf" + ] + } + } + } + } +} diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml index 88ba80d60..d507e8bee 100644 --- a/charts/agent/values.yaml +++ b/charts/agent/values.yaml @@ -169,6 +169,10 @@ priorityClassValue: 10 ebpf: # Enable eBPF support for Sysdig Agent enabled: false + + # Define the kind of eBPF driver that will be used by the agent. Can be `legacy_ebpf` or `universal_ebpf` + kind: legacy_ebpf + slim: # Uses a slim version of the Sysdig Agent enabled: true diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index 199c7a848..d318f3e36 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.24.7 +version: 1.25.0 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com @@ -26,7 +26,7 @@ dependencies: - name: agent # repository: https://charts.sysdig.com repository: file://../agent - version: ~1.13.15 + version: ~1.14.0 alias: agent condition: agent.enabled - name: common
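Review bot: The comment on the new `ebpf.kind` key in values.yaml lists the accepted values but not the side effect that `_helpers.tpl` and `daemonset.yaml` attach to `universal_ebpf`: the agent is switched to the slim image and the kmodule init container is skipped even when `slim.enabled` is `false`. Since values.yaml is the file most users read, extending the comment to `# Define the kind of eBPF driver that will be used by the agent. Can be `legacy_ebpf` or `universal_ebpf`. Selecting `universal_ebpf` switches the agent to the slim image and skips the kmodule init container regardless of slim.enabled.` would document that contract where the option is set. The accompanying values.schema.json hunk makes `ebpf.enabled` and `ebpf.kind` required with an enum, so a typo in `kind` now fails at install time rather than silently falling through to the non-universal branches; that is worth a short mention in the same comment.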
node-role.kubernetes.io/control-plane:NoSchedule