Add Kubernetes deployment #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

nuno-faria wants to merge 1 commit into micro-sec:main from nuno-faria:main

daemon/main.py

-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,7 @@ @@
     from requests import get
     from werkzeug import Response
-    from detector.config import KUBE_PROXY_IP, KUBE_PROXY_PORT, AGENT_PORT, DAEMON_PORT
+    from detector.config import KUBE_PROXY_IP, AGENT_PORT, DAEMON_PORT, REQUESTS_TOKEN, KUBE_PROXY_PORT
     app = Flask(__name__)
     CORS(app)
@@ Expand All / @@ -17,25 +17,47 @@ @@
     def get_nodes():
         global nodes
         nodes = list()
-        response = requests.get("http://" + KUBE_PROXY_IP + ":" + str(KUBE_PROXY_PORT) + "/api/v1/nodes").json()["items"]
-        for node in response:
-            try:
-                if requests.get(
-                        "http://" + node["status"]["addresses"][0]["address"] + ":" + str(AGENT_PORT), timeout=2).status_code == 200:
+        if REQUESTS_TOKEN is None:
+            response = requests.get("http://" + KUBE_PROXY_IP + ":" + str(KUBE_PROXY_PORT) + "/api/v1/nodes").json()["items"]
+            for node in response:
+                try:
+                    if requests.get(
+                            "http://" + node["status"]["addresses"][0]["address"] + ":" + str(AGENT_PORT), timeout=2).status_code == 200:
+                        nodes.append({
+                            "name": node["metadata"]["name"],
+                            "ip_address": node["status"]["addresses"][0]["address"],
+                            "agent": "true"
+                        })
+                    else:
+                        raise Exception
+                except Exception:
                     nodes.append({
                         "name": node["metadata"]["name"],
                         "ip_address": node["status"]["addresses"][0]["address"],
-                        "agent": "true"
+                        "agent": "false"
+                    })
+        else:
+            response = requests.get("https://" + KUBE_PROXY_IP + "/api/v1/pods",
+                                    headers={'Authorization': 'Bearer ' + REQUESTS_TOKEN}).json()["items"]
+            for pod in response:
+                ip = pod["status"]["podIP"]
+                name = pod["spec"]["nodeName"]
+                try:
+                    if pod["metadata"]["name"].startswith("detector-agent-"):
+                        if requests.get(f"http://{ip}:{AGENT_PORT}", timeout=2).status_code == 200:
+                            nodes.append({
+                                "name": name,
+                                "ip_address": ip,
+                                "agent": "true"
+                            })
+                        else:
+                            raise Exception
+                except Exception:
+                    nodes.append({
+                        "name": pod["metadata"]["name"],
+                        "ip_address": pod["status"]["addresses"][0]["address"],
+                        "agent": "false"
                     })
-                else:
-                    raise Exception
-            except Exception:
-                nodes.append({
-                    "name": node["metadata"]["name"],
-                    "ip_address": node["status"]["addresses"][0]["address"],
-                    "agent": "false"
-                })
     @app.route('/', methods=["GET"])
     @app.route('/status', methods=["GET"])
@@ Expand All / @@ -52,7 +74,10 @@ def agents(): @@
     @app.route('/proxy/<path:path>')
     def proxy(path):
-        response = Response(get(f'{path}').content)
+        if REQUESTS_TOKEN is None:
+            response = Response(get(f'{path}').content)
+        else:
+            response = Response(get(f'{path}', headers={'Authorization': 'Bearer ' + REQUESTS_TOKEN}).content)
         response.headers["Access-Control-Allow-Origin"] = "*"
         return response
@@ Expand Down @@

deploy/Dockerfile

-Original file line number
+Diff line change
@@ -0,0 +1,10 @@
+    FROM docker.io/sysdig/sysdig
+    RUN yum install python3.8 -y
+    ADD requirements.txt /detector/requirements.txt
+    WORKDIR /detector
+    RUN pip3 install -r requirements.txt
+    ADD setup.py /detector/setup.py
+    ADD agent /detector/agent
+    ADD daemon /detector/daemon
+    ADD detector /detector/detector
+    RUN pip3 install -e .

deploy/README.md

-Original file line number
+Diff line change
@@ -0,0 +1,19 @@
+    # Deploy instructions
+    - To deploy the container:
+        ```shell
+        docker build . -f deploy/Dockerfile -t detector
+        ```
+    - To deploy in a Kubernetes cluster (one agent per node, one daemon, one detector, one database)
+        - Deploy the container in all nodes;
+        - Apply the manifest:
+            ```shell
+            kubectl apply -f deploy/detector.yml -n detector
+            ```
+        - Wait a while until the setup completes;
+        - The dashboard is available through NodePort 31000 (i.e, `<some_node_ip>:31000`).
+        - To destroy the cluster:
+            ```shell
+            kubectl delete -f deploy/detector.yml -n detector
+            ```

deploy/detector.yml

-Original file line number
+Diff line change
@@ -0,0 +1,257 @@
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+      name: detector
+      labels:
+        name: detector
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: detector-role
+      namespace: detector
+    rules:
+    - apiGroups: ["apps", ""]
+      resources: ["namespaces", "nodes", "pods", "services", "deployments", "deployments.apps", "apps.deployments"]
+      verbs: ["get", "list", "watch"]
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: detector-rbac
+    subjects:
+    - kind: ServiceAccount
+      name: default
+      namespace: detector
+    roleRef:
+      kind: ClusterRole
+      name: detector-role
+      apiGroup: rbac.authorization.k8s.io
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: detector-daemon
+    spec:
+      selector:
+        matchLabels:
+          app: detector-daemon
+      template:
+        metadata:
+          labels:
+            app: detector-daemon
+        spec:
+          containers:
+            - name: detector-daemon
+              image: detector
+              env:
+                - name: KUBE_PROXY_IP
+                  value: kubernetes.default.svc
+                - name: DAEMON_PORT
+                  value: "9001"
+                - name: AGENT_PORT
+                  value: "9002"
+                - name: REQUESTS_CA_BUNDLE
+                  value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+                - name: REQUESTS_TOKEN_FILE
+                  value: /var/run/secrets/kubernetes.io/serviceaccount/token
+              imagePullPolicy: Never
+              ports:
+                - containerPort: 9001
+              command:
+                - "python3"
+                - "daemon/main.py"
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: detector-daemon
+    spec:
+      selector:
+        app: detector-daemon
+      type: ClusterIP
+      ports:
+      - port: 9001
+        targetPort: 9001
+    ---
+    apiVersion: apps/v1
+    kind: DaemonSet
+    metadata:
+      name: detector-agent
+    spec:
+      selector:
+        matchLabels:
+          app: detector-agent
+      template:
+        metadata:
+          labels:
+            app: detector-agent
+        spec:
+          containers:
+            - name: detector-agent
+              image: detector
+              env:
+                - name: AGENT_PORT
+                  value: "9002"
+                - name: WS_PORT
+                  value: "9003"
+              imagePullPolicy: Never
+              ports:
+                - containerPort: 9002
+              command: ["/bin/sh", "-c"]
+              args: ["/docker-entrypoint.sh; python3 agent/main.py;"]
+              securityContext:
+                privileged: true
+              volumeMounts:
+                - name: docker-sock
+                  mountPath: /host/var/run/docker.sock
+                - name: dev
+                  mountPath: /host/dev
+                - name: proc
+                  mountPath: /host/proc
+                  readOnly: true
+                - name: boot
+                  mountPath: /host/boot
+                  readOnly: true
+                - name: modules
+                  mountPath: /host/lib/modules
+                  readOnly: true
+                - name: usr
+                  mountPath: /host/usr
+                  readOnly: true
+                - name: etc
+                  mountPath: /host/etc
+                  readOnly: true
+          volumes:
+            - name: docker-sock
+              hostPath:
+                path: /var/run/docker.sock
+                type: Socket
+            - name: dev
+              hostPath:
+                path: /dev
+                type: Directory
+            - name: proc
+              hostPath:
+                path: /proc
+                type: Directory
+            - name: boot
+              hostPath:
+                path: /boot
+                type: Directory
+            - name: modules
+              hostPath:
+                path: /lib/modules
+                type: Directory
+            - name: usr
+              hostPath:
+                path: /usr
+                type: Directory
+            - name: etc
+              hostPath:
+                path: /etc
+                type: Directory
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: detector-db
+    spec:
+      selector:
+        matchLabels:
+          app: detector-db
+      template:
+        metadata:
+          labels:
+            app: detector-db
+        spec:
+          containers:
+            - name: detector-db
+              image: redis:7.0.11
+              imagePullPolicy: Always
+              ports:
+                - containerPort: 6379
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: detector-db
+    spec:
+      selector:
+        app: detector-db
+      type: ClusterIP
+      ports:
+      - port: 6379
+        targetPort: 6379
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: detector-detector
+    spec:
+      selector:
+        matchLabels:
+          app: detector-detector
+      template:
+        metadata:
+          labels:
+            app: detector-detector
+        spec:
+          containers:
+            - name: detector-detector
+              image: detector
+              env:
+                - name: KUBE_PROXY_IP
+                  value: kubernetes.default.svc
+                - name: REDIS_IP
+                  value: detector-db
+                - name: REDIS_PORT
+                  value: "6379"
+                - name: DETECTOR_PORT
+                  value: "5001"
+                - name: DAEMON_IP
+                  value: detector-daemon
+                - name: DAEMON_PORT
+                  value: "9001"
+                - name: WS_PORT
+                  value: "9003"
+                - name: REQUESTS_TOKEN_FILE
+                  value: /var/run/secrets/kubernetes.io/serviceaccount/token
+              imagePullPolicy: Never
+              ports:
+                - containerPort: 5001
+              command:
+                - "python3"
+                - "detector/main.py"
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: detector-detector
+    spec:
+      selector:
+        app: detector-detector
+      type: NodePort
+      ports:
+      - port: 5001
+        nodePort: 31000

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Kubernetes deployment #4

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Add Kubernetes deployment #4

Are you sure you want to change the base?

Uh oh!

Add Kubernetes deployment #4

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!