Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(discovery): implement All Namespaces discovery #213

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat(discovery): implement All Namespaces discovery #213

wants to merge 3 commits into from

Conversation

andrewazores
Copy link
Member

@andrewazores andrewazores commented Nov 26, 2024
edited
Loading

Fixes #212
Depends on cryostatio/cryostat#725

To test:

  1. cd cryostat-operator
  2. for ns in apps1 apps2; do oc new-project $ns ; make sample_app ; done
  3. oc new-project test
  4. cd cryostat-helm
  5. helm install cryostat --set core.image.repository=quay.io/andrewazores/cryostat --set core.image.tag=k8s-all-namespaces-7 cryostat ./charts/cryostat this is an image built from feat(k8s): implement wildcard All Namespaces discovery cryostat#725
  6. Follow post-installation steps for port forwarding, then open Cryostat UI
  7. Go to Topology and ensure that two sample applications, in apps1 and apps2 namespaces, are discovered

@andrewazores andrewazores added feat New feature or request safe-to-test labels Nov 26, 2024
@andrewazores andrewazores marked this pull request as ready for review November 28, 2024 20:56
@andrewazores andrewazores mentioned this pull request Nov 28, 2024
Open
7 tasks
tthvo
tthvo reviewed Nov 30, 2024
View reviewed changes
Copy link
Member

@tthvo tthvo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with cryostatio/cryostat-operator#976 (comment) here, this might introduce more elevated access than intended.

charts/cryostat/values.yaml
portNames: []
## @param core.discovery.kubernetes.builtInPortNumbersDisabled When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets.
builtInPortNumbersDisabled: false
## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable
## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we can remove the periods for consistency with other descriptions :D

charts/cryostat/values.yaml
@@ -75,15 +75,17 @@ core:
enabled: true
## @param core.discovery.kubernetes.installNamespaceDisabled When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)
installNamespaceDisabled: false
## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile
## @param core.discovery.kubernetes.allNamespaces When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. WARNING: this allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is best to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each Cryostat instance as needed.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## @param core.discovery.kubernetes.allNamespaces When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. WARNING: this allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is best to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each Cryostat instance as needed.
## @param core.discovery.kubernetes.allNamespaces When true, this overrides the `core.discovery.kubernetes.namespaces` list and configures the Cryostat application to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the `rbac.create` value is `true`. WARNING: This allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is recommended to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each instance as needed.

nit: just some formatting that I think will make a bit clearer :D I suggested the word recommended to be consistent with other descriptions.

charts/cryostat/templates/cryostat_deployment.yaml
Comment on lines 120 to 133
value: "true"
{{- if .Values.core.discovery.kubernetes.allNamespaces }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES
value: '*'
{{- else }}
{{- with .Values.core.discovery.kubernetes }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES
value: {{ include "cryostat.commaSepList" (list .namespaces $.Release.Namespace .installNamespaceDisabled) }}
{{- end }}
{{- end }}
{{- with .Values.core.discovery.kubernetes }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES
value: {{ include "cryostat.commaSepList" (list .portNames "jfr-jmx" .builtInPortNamesDisabled) }}
- name: CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think these configurations can be refactored in a single {{- with .Values.core.discovery.kubernetes }}.

charts/cryostat/values.yaml
@@ -75,15 +75,17 @@ core:
enabled: true
## @param core.discovery.kubernetes.installNamespaceDisabled When false and `namespaces` is empty, the Cryostat application will default to discovery targets in the install namespace (i.e. `{{ .Release.Namespace }}`)
installNamespaceDisabled: false
## @param core.discovery.kubernetes.namespaces [array] List of namespaces whose workloads the Cryostat application should be permitted to access and profile
## @param core.discovery.kubernetes.allNamespaces When true, this overrides the `namespaces` list and configures Cryostat to monitor all namespaces in the cluster. This requires elevated permissions to create a ClusterRole and ClusterRoleBinding, which will be done automatically if the rbac.create value is true. WARNING: this allows Cryostat to discover, and potentially connect to and collect data from, applications in *any* Namespace in the cluster. ALL users with access to this Cryostat instance will be able to read data from potentially any application in the cluster. For data security and isolation concerns it is best to leave this setting disabled, and instead install multiple Cryostat instances with lists of target namespaces, and apply sensible access controls for users to each Cryostat instance as needed.
allNamespaces: false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: How about a field like (i.e. just feel a bit k8s-like, such as allowPrivilegeEscalation, runAsNonRoot)?

allowAllNamespaces: false
# or allNamespacesAllowed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tthvo tthvo tthvo left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
feat New feature or request safe-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Task] Configure Cryostat for All Namespaces discovery mode
2 participants
@andrewazores @tthvo