From c27860892addb2c82d7e66e329cdccc284fa752e Mon Sep 17 00:00:00 2001
From: Michele Mangili
Date: Fri, 26 Sep 2025 11:32:55 +0200
Subject: [PATCH] feat(node-analyzer/runtime-scanner): added configurable size for ephemeralVolumeRequestStorage when specifying a storageClassName
---
 charts/node-analyzer/Chart.yaml | 2 +-
 charts/node-analyzer/README.md | 1 +
 .../templates/daemonset-node-analyzer.yaml | 17 ++-
 .../tests/runtimescanner_test.yaml | 112 ++++++++++++++++++
 charts/node-analyzer/values.yaml | 8 ++
 charts/sysdig-deploy/Chart.yaml | 4 +-
 6 files changed, 137 insertions(+), 7 deletions(-)
diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml
index fc010fa50..5e744b2b2 100644
--- a/charts/node-analyzer/Chart.yaml
+++ b/charts/node-analyzer/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: node-analyzer
 description: Sysdig Node Analyzer
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.36.12
+version: 1.37.0
 appVersion: 12.9.2
 keywords:
 - monitoring
diff --git a/charts/node-analyzer/README.md b/charts/node-analyzer/README.md
index 9bcb0db0f..26f9b7ce3 100644
--- a/charts/node-analyzer/README.md
+++ b/charts/node-analyzer/README.md
@@ -220,6 +220,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
 | `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` |
 | `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |
 | `nodeAnalyzer.runtimeScanner.storageClassName` | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. | `` |
+| `nodeAnalyzer.runtimeScanner.ephemeralVolumeRequestStorage` | Specifies the size of the ephemeral storage volume to be used by the Runtime Scanner when the storageClassName is provided. | `4Gi` |
 | `nodeAnalyzer.runtimeScanner.image.repository` | Specifies the image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` |
 | `nodeAnalyzer.runtimeScanner.image.tag` | Specifies the image tag to pull the Runtime Scanner. | `1.8.4` |
 | `nodeAnalyzer.runtimeScanner.image.digest` | Specifies the image digest to pull. | ` ` |
diff --git a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
index 6b13a8bad..348b10c20 100644
--- a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
+++ b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
@@ -114,9 +114,7 @@ spec:
 storageClassName: {{ .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
 resources:
 requests:
- storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.requests "ephemeral-storage" }}
- limits:
- storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.limits "ephemeral-storage" }}
+ storage: {{ .Values.nodeAnalyzer.runtimeScanner.ephemeralVolumeRequestStorage }}
 {{- else }}
 emptyDir: {}
 {{- end }}
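Review bot: The new `storage:` line in the volumeClaimTemplate renders as an empty scalar whenever `ephemeralVolumeRequestStorage` is null or `""` (the previous fallback to `resources.requests.ephemeral-storage` is removed in the same hunk), and a PVC spec without `resources.requests.storage` is rejected by the API server, so the whole DaemonSet fails to apply with an error that never names the offending value. Since the accompanying values comment already treats the size as mandatory once `storageClassName` is set, fail at render time instead: `storage: {{ required "nodeAnalyzer.runtimeScanner.ephemeralVolumeRequestStorage must be set when storageClassName is provided" .Values.nodeAnalyzer.runtimeScanner.ephemeralVolumeRequestStorage | quote }}`. The `| quote` also keeps a quantity such as `4Gi` from being re-typed by the YAML parser. The enclosing `volumes:` entry for `tmp-vol` starts above this hunk.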
@@ -683,7 +681,18 @@ spec:
 securityContext:
 privileged: true
 resources:
-{{ toYaml .Values.nodeAnalyzer.runtimeScanner.resources | indent 10 }}
+ requests:
+ cpu: {{ .Values.nodeAnalyzer.runtimeScanner.resources.requests.cpu }}
+ memory: {{ .Values.nodeAnalyzer.runtimeScanner.resources.requests.memory }}
+ {{- if not .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
+ ephemeral-storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.requests "ephemeral-storage" | quote }}
+ {{- end }}
+ limits:
+ cpu: {{ .Values.nodeAnalyzer.runtimeScanner.resources.limits.cpu }}
+ memory: {{ .Values.nodeAnalyzer.runtimeScanner.resources.limits.memory }}
+ {{- if not .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
+ ephemeral-storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.limits "ephemeral-storage" | quote }}
+ {{- end }}
 # Custom volume mount here
 env:
 - name: TMPDIR
diff --git a/charts/node-analyzer/tests/runtimescanner_test.yaml b/charts/node-analyzer/tests/runtimescanner_test.yaml
index e9f6dbcd5..0f5ffeab8 100644
--- a/charts/node-analyzer/tests/runtimescanner_test.yaml
+++ b/charts/node-analyzer/tests/runtimescanner_test.yaml
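Review bot: Gating both `ephemeral-storage` entries on `not .Values.nodeAnalyzer.runtimeScanner.storageClassName` leaves this `privileged: true` container with no ephemeral-storage limit at all once a storage class is set, yet the container's writable layer and its logs still land on node disk no matter where TMPDIR is mounted, so a runaway scan that writes outside TMPDIR can fill the node and get neighbouring pods evicted. Presumably the request was dropped so the PVC capacity is not double-counted against node allocatable, which is fine, but the limit should survive: replace the guard around the limits entry with `{{- with index .Values.nodeAnalyzer.runtimeScanner.resources.limits "ephemeral-storage" }}` and the line inside it with `ephemeral-storage: {{ . | quote }}`, keeping the `{{- end }}` (the `notExists` assertion on `limits.ephemeral-storage` in the new test would then become an `equal`). Separately, the `cpu`/`memory` lines now render unconditionally and unquoted, so a values file that omits any of them yields a null entry where the old `toYaml` passthrough simply left the key out; wrapping each in the same `with` pattern with `| quote` restores that. The `resources:` stanza belongs to a container whose definition starts above this hunk.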
@@ -172,3 +172,115 @@ tests:
 path: spec.template.spec.containers[?(@.name == "sysdig-runtime-scanner")].env[?(@.name == "EVE_ENABLED")]
 - isNotNull:
 path: spec.template.spec.containers[?(@.name == "sysdig-runtime-scanner")].env[?(@.name == "EVE_INTEGRATION_ENABLED")]
+
+ - it: "sets runtime-scanner requests/limits and volumes correctly when the storageClassName is not provided"
+ set:
+ secure.vulnerabilityManagement.newEngineOnly: true
+ global:
+ clusterConfig:
+ name: "test"
+ nodeAnalyzer:
+ runtimeScanner:
+ deploy: true
+ resources:
+ requests:
+ cpu: 123m
+ memory: 456Mi
+ ephemeral-storage: "69Gi"
+ limits:
+ cpu: 789m
+ memory: 101112Mi
+ ephemeral-storage: 420Gi
+ templates:
+ - ../templates/daemonset-node-analyzer.yaml
+ asserts:
+ - equal:
+ path: "spec.template.spec.containers[1].name"
+ value: "sysdig-runtime-scanner"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.requests.cpu"
+ value: "123m"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.requests.memory"
+ value: "456Mi"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.requests.ephemeral-storage"
+ value: "69Gi"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.limits.cpu"
+ value: "789m"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.limits.memory"
+ value: "101112Mi"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.limits.ephemeral-storage"
+ value: "420Gi"
+ - equal:
+ path: "spec.template.spec.volumes[7].name"
+ value: "tmp-vol"
+ - equal:
+ path: "spec.template.spec.volumes[7].emptyDir"
+ value: {}
+
+ - it: "sets runtime-scanner requests/limits and volumes correctly when the storageClassName is provided"
+ set:
+ secure.vulnerabilityManagement.newEngineOnly: true
+ global:
+ clusterConfig:
+ name: "test"
+ nodeAnalyzer:
+ runtimeScanner:
+ deploy: true
+ storageClassName: "standard-rwo"
+ ephemeralVolumeRequestStorage: "90Gi"
+ resources:
+ requests:
+ cpu: 123m
+ memory: 456Mi
+ ephemeral-storage: "69Gi"
+ limits:
+ cpu: 789m
+ memory: 101112Mi
+ ephemeral-storage: 420Gi
+ templates:
+ - ../templates/daemonset-node-analyzer.yaml
+ asserts:
+ - equal:
+ path: "spec.template.spec.containers[1].name"
+ value: "sysdig-runtime-scanner"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.requests.cpu"
+ value: "123m"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.requests.memory"
+ value: "456Mi"
+ - notExists:
+ path: "spec.template.spec.containers[1].resources.requests.ephemeral-storage"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.limits.cpu"
+ value: "789m"
+ - equal:
+ path: "spec.template.spec.containers[1].resources.limits.memory"
+ value: "101112Mi"
+ - notExists:
+ path: "spec.template.spec.containers[1].resources.limits.ephemeral-storage"
+ - equal:
+ path: "spec.template.spec.volumes[7].name"
+ value: "tmp-vol"
+ - notExists:
+ path: "spec.template.spec.volumes[7].emptyDir"
+ - equal:
+ path: "spec.template.spec.volumes[7]"
+ value:
+ name: tmp-vol
+ ephemeral:
+ volumeClaimTemplate:
+ metadata:
+ labels:
+ type: "standard-rwo"
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ storageClassName: "standard-rwo"
+ resources:
+ requests:
+ storage: 90Gi
diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml
index 27ee0a681..cb4d60445 100644
--- a/charts/node-analyzer/values.yaml
+++ b/charts/node-analyzer/values.yaml
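Review bot: Neither new case exercises the path an operator is most likely to take, `storageClassName` set with `ephemeralVolumeRequestStorage` left at the chart default, nor an explicitly empty value, so a regression that renders `storage:` as null in the volumeClaimTemplate would pass this suite unnoticed. Add a third case that sets only `storageClassName: "standard-rwo"` and asserts that `spec.template.spec.volumes[?(@.name == "tmp-vol")].ephemeral.volumeClaimTemplate.spec.resources.requests.storage` equals `4Gi`. The positional selectors `containers[1]` and `volumes[7]` are also brittle next to the name-based JSONPath the existing tests in this file use (`containers[?(@.name == "sysdig-runtime-scanner")]`): inserting a sidecar or volume earlier in the list breaks every assertion, or, for the `notExists` checks, makes them pass against the wrong object.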
@@ -307,7 +307,15 @@ nodeAnalyzer:
 httpProxy: null
 httpsProxy: null
 noProxy: null
+ # If set, a PersistentVolumeClaim will be created to store temporary files for the runtime-scanner's ephemeral
+ # storage using this StorageClass. The data stored in this volume is temporary and not intended for long-term
+ # retention.
+ # When specified, you must also set 'ephemeralVolumeRequestStorage' to define the requested storage size.
 storageClassName: null
+ # Set the requested storage size for the ephemeral volumeClaimTemplate.
+ # This value is used as the 'requests.storage' in the volumeClaimTemplate only when storageClassName is set.
+ # Example: "4Gi"
+ ephemeralVolumeRequestStorage: "4Gi"
 extraMounts: []
 # example for bottlerocket
 # extraMounts:
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index df54b2f5c..7e073515f 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.94.0
+version: 1.95.0
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
@@ -36,7 +36,7 @@ dependencies:
 - name: node-analyzer
 # repository: https://charts.sysdig.com
 repository: file://../node-analyzer
-version: ~1.36.12
+version: ~1.37.0
 alias: nodeAnalyzer
 condition: nodeAnalyzer.enabled
 - name: cluster-scanner
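Review bot: The new comment above `storageClassName` says "you must also set 'ephemeralVolumeRequestStorage'", but the key is given a `4Gi` default directly below, so it is optional and the two comments contradict each other. Reword it to `# When specified, 'ephemeralVolumeRequestStorage' (default "4Gi") sizes the claim; raise it if scans of large images need more scratch space.` The comment should also state that, as of this change, the runtime scanner's `resources.*.ephemeral-storage` entries are no longer applied to the container once `storageClassName` is set (see the daemonset template change in this commit), since an operator relying on that cap for a privileged container would otherwise have no way to know it disappeared.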