Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helm chart: allow unprivileged deployment of Beyla #1128

Merged
merged 5 commits into from
Sep 5, 2024
Merged

Helm chart: allow unprivileged deployment of Beyla #1128

merged 5 commits into from
Sep 5, 2024

Conversation

marevers
Copy link
Collaborator

@marevers marevers commented Sep 4, 2024
edited
Loading

Closes #1075

This PR adds a new property privileged which can be set to false to add the required configurations to the DaemonSet (based on the unprivileged example).

Chart version is increased to 1.4.0 and app version to 1.8.0.

@marevers marevers mentioned this pull request Sep 4, 2024
Closed
@codecov-commenter
Copy link

codecov-commenter commented Sep 4, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.01%. Comparing base (ecc9dc1) to head (2dda464).
Report is 3 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1128      +/-   ##
==========================================
+ Coverage   73.06%   82.01%   +8.94%     
==========================================
  Files         139      140       +1     
  Lines       11553    11562       +9     
==========================================
+ Hits         8441     9482    +1041     
+ Misses       2454     1555     -899     
+ Partials      658      525     -133
Flag Coverage Δ
integration-test 57.30% <ø> (-0.05%) ⬇️
k8s-integration-test 59.11% <ø> (+<0.01%) ⬆️
oats-test 36.87% <ø> (ø)
unittests 52.30% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

mariomac
mariomac approved these changes Sep 4, 2024
View reviewed changes
Copy link
Contributor

@mariomac mariomac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing! Thanks for this.

Waiting for someone else to bring a second pair of eyes before merging.

marctc
marctc reviewed Sep 4, 2024
View reviewed changes
charts/beyla/values.yaml Outdated
@@ -59,13 +59,22 @@ podSecurityContext: {}
# fsGroup: 2000

securityContext:
# -- For an unprivileged / less privileged setup, use privileged: false and uncomment the required capabilities in the values file.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we instead of make users uncomment this add them conditionally?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is absolutely possible. In that case I would propose the following:

We don't use the condition based on securityContext.privileged anymore, instead we add a top-level attribute called privileged and set it by default true which results in the setup like before. If this is set to false, we set the securityContext how it needs to be.

In order to make adding the capabilities SYS_RESOURCE and SYS_ADMIN optional, because they are not always required, we can add a property extraCapabilities that allows for adding those two if needed and other ones.

The only 'downside' I see from this approach is that the control over securityContext is removed from the user once the new privileged attribute is set to false. But I would almost say that is okay, seeing as an unprivileged setup requires a very specific set of configurations to work.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds reasonoble to me @marevers ! thanks

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I will make the required changes and push and then re-request review.

@marevers marevers requested a review from marctc September 4, 2024 13:26
@marctc marctc merged commit 0f695f3 into grafana:main Sep 5, 2024
6 checks passed
@marevers marevers deleted the helm-unprivileged branch September 5, 2024 15:28
mattdurham pushed a commit to mattdurham/beyla that referenced this pull request Jan 22, 2025
@marevers
Helm chart: allow unprivileged deployment of Beyla (grafana#1128)
ea8c539 
* Make privileged optional, add required conditions for the unprivileged / less privileged setup

* Update README, bump Beyla version to 1.8.0 and chart version to 1.4.0

* Fix conditions

* Make securityContext setup conditional based on new privileged attribute

* Fix comments failing validation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mariomac mariomac mariomac approved these changes

@grcevski grcevski Awaiting requested review from grcevski

@rafaelroquetto rafaelroquetto Awaiting requested review from rafaelroquetto

@marctc marctc Awaiting requested review from marctc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Helm chart: allow unprivileged deployment of Beyla
4 participants
@marevers @codecov-commenter @marctc @mariomac