2 changes: 1 addition & 1 deletion charts/node-analyzer/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: node-analyzer
description: Sysdig Node Analyzer
# currently matching Sysdig's appVersion 1.14.34
version: 1.36.12
version: 1.37.0
appVersion: 12.9.2
keywords:
- monitoring
1 change: 1 addition & 0 deletions charts/node-analyzer/README.md
Expand Up @@ -220,6 +220,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` |
| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |
| `nodeAnalyzer.runtimeScanner.storageClassName` | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. | `` |
| `nodeAnalyzer.runtimeScanner.ephemeralVolumeRequestStorage` | Specifies the size of the ephemeral storage volume to be used by the Runtime Scanner when the storageClassName is provided. | `4Gi` |
| `nodeAnalyzer.runtimeScanner.image.repository` | Specifies the image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` |
| `nodeAnalyzer.runtimeScanner.image.tag` | Specifies the image tag to pull the Runtime Scanner. | `1.8.4` |
| `nodeAnalyzer.runtimeScanner.image.digest` | Specifies the image digest to pull. | ` ` |
17 changes: 13 additions & 4 deletions charts/node-analyzer/templates/daemonset-node-analyzer.yaml
Expand Up @@ -114,9 +114,7 @@ spec:
storageClassName: {{ .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
resources:
requests:
storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.requests "ephemeral-storage" }}
limits:
storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.limits "ephemeral-storage" }}
storage: {{ .Values.nodeAnalyzer.runtimeScanner.ephemeralVolumeRequestStorage }}
{{- else }}
emptyDir: {}
{{- end }}
Expand Down Expand Up @@ -683,7 +681,18 @@ spec:
securityContext:
privileged: true
resources:
{{ toYaml .Values.nodeAnalyzer.runtimeScanner.resources | indent 10 }}
requests:
cpu: {{ .Values.nodeAnalyzer.runtimeScanner.resources.requests.cpu }}
memory: {{ .Values.nodeAnalyzer.runtimeScanner.resources.requests.memory }}
{{- if not .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
ephemeral-storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.requests "ephemeral-storage" | quote }}
{{- end }}
limits:
cpu: {{ .Values.nodeAnalyzer.runtimeScanner.resources.limits.cpu }}
memory: {{ .Values.nodeAnalyzer.runtimeScanner.resources.limits.memory }}
{{- if not .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
ephemeral-storage: {{ index .Values.nodeAnalyzer.runtimeScanner.resources.limits "ephemeral-storage" | quote }}
{{- end }}
# Custom volume mount here
env:
- name: TMPDIR
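Review bot: Replacing `toYaml .Values.nodeAnalyzer.runtimeScanner.resources` with an explicit cpu/memory/ephemeral-storage enumeration in the second hunk changes behaviour for every other resources key: extra resource names a user puts under `requests`/`limits` are now silently dropped, and an omitted `cpu` or `memory` renders as an empty value (`cpu:`, i.e. null) rather than being left out, which is not equivalent to an unset field. Only the `ephemeral-storage` entries need conditional treatment, so the rest can still be passed through by stripping that one key with `omit` when a storageClassName is set and keeping `toYaml` otherwise. Note also that with a storageClassName the container carries no `ephemeral-storage` limit at all; the `TMPDIR` env on the line after the hunk presumably points at tmp-vol, but any other scratch or log path is then bounded only by the node, so if that is intended a comment next to the `if not ... storageClassName` guards saying so would help. The container definition starts before this hunk.
```yaml
          resources:
            requests:
              {{- if .Values.nodeAnalyzer.runtimeScanner.storageClassName }}
              {{- toYaml (omit .Values.nodeAnalyzer.runtimeScanner.resources.requests "ephemeral-storage") | nindent 14 }}
              {{- else }}
              {{- toYaml .Values.nodeAnalyzer.runtimeScanner.resources.requests | nindent 14 }}
              {{- end }}
            limits:
              # … same omit/toYaml pattern over .resources.limits …
```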
112 changes: 112 additions & 0 deletions charts/node-analyzer/tests/runtimescanner_test.yaml
Expand Up @@ -172,3 +172,115 @@ tests:
path: spec.template.spec.containers[?(@.name == "sysdig-runtime-scanner")].env[?(@.name == "EVE_ENABLED")]
- isNotNull:
path: spec.template.spec.containers[?(@.name == "sysdig-runtime-scanner")].env[?(@.name == "EVE_INTEGRATION_ENABLED")]

- it: "sets runtime-scanner requests/limits and volumes correctly when the storageClassName is not provided"
set:
secure.vulnerabilityManagement.newEngineOnly: true
global:
clusterConfig:
name: "test"
nodeAnalyzer:
runtimeScanner:
deploy: true
resources:
requests:
cpu: 123m
memory: 456Mi
ephemeral-storage: "69Gi"
limits:
cpu: 789m
memory: 101112Mi
ephemeral-storage: 420Gi
templates:
- ../templates/daemonset-node-analyzer.yaml
asserts:
- equal:
path: "spec.template.spec.containers[1].name"
value: "sysdig-runtime-scanner"
- equal:
path: "spec.template.spec.containers[1].resources.requests.cpu"
value: "123m"
- equal:
path: "spec.template.spec.containers[1].resources.requests.memory"
value: "456Mi"
- equal:
path: "spec.template.spec.containers[1].resources.requests.ephemeral-storage"
value: "69Gi"
- equal:
path: "spec.template.spec.containers[1].resources.limits.cpu"
value: "789m"
- equal:
path: "spec.template.spec.containers[1].resources.limits.memory"
value: "101112Mi"
- equal:
path: "spec.template.spec.containers[1].resources.limits.ephemeral-storage"
value: "420Gi"
- equal:
path: "spec.template.spec.volumes[7].name"
value: "tmp-vol"
- equal:
path: "spec.template.spec.volumes[7].emptyDir"
value: {}

- it: "sets runtime-scanner requests/limits and volumes correctly when the storageClassName is provided"
set:
secure.vulnerabilityManagement.newEngineOnly: true
global:
clusterConfig:
name: "test"
nodeAnalyzer:
runtimeScanner:
deploy: true
storageClassName: "standard-rwo"
ephemeralVolumeRequestStorage: "90Gi"
resources:
requests:
cpu: 123m
memory: 456Mi
ephemeral-storage: "69Gi"
limits:
cpu: 789m
memory: 101112Mi
ephemeral-storage: 420Gi
templates:
- ../templates/daemonset-node-analyzer.yaml
asserts:
- equal:
path: "spec.template.spec.containers[1].name"
value: "sysdig-runtime-scanner"
- equal:
path: "spec.template.spec.containers[1].resources.requests.cpu"
value: "123m"
- equal:
path: "spec.template.spec.containers[1].resources.requests.memory"
value: "456Mi"
- notExists:
path: "spec.template.spec.containers[1].resources.requests.ephemeral-storage"
- equal:
path: "spec.template.spec.containers[1].resources.limits.cpu"
value: "789m"
- equal:
path: "spec.template.spec.containers[1].resources.limits.memory"
value: "101112Mi"
- notExists:
path: "spec.template.spec.containers[1].resources.limits.ephemeral-storage"
- equal:
path: "spec.template.spec.volumes[7].name"
value: "tmp-vol"
- notExists:
path: "spec.template.spec.volumes[7].emptyDir"
- equal:
path: "spec.template.spec.volumes[7]"
value:
name: tmp-vol
ephemeral:
volumeClaimTemplate:
metadata:
labels:
type: "standard-rwo"
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "standard-rwo"
resources:
requests:
storage: 90Gi
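Review bot: The new asserts select the scanner container and its volume by position (`containers[1]`, `volumes[7]`) while the existing asserts just above this hunk use name filters such as `containers[?(@.name == "sysdig-runtime-scanner")]`; any reordering or new optional container/volume in the DaemonSet will break these tests without indicating a real regression. Use the same filter form, e.g. `path: spec.template.spec.containers[?(@.name == "sysdig-runtime-scanner")].resources.requests.cpu` and `path: spec.template.spec.volumes[?(@.name == "tmp-vol")].ephemeral.volumeClaimTemplate.spec.resources.requests.storage`, which also makes the two `.name` equality asserts redundant (assuming your helm-unittest version resolves filtered paths for `equal` as it already does for `isNotNull`). The `tests:` list this hunk extends starts before the hunk.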
8 changes: 8 additions & 0 deletions charts/node-analyzer/values.yaml
Expand Up @@ -307,7 +307,15 @@ nodeAnalyzer:
httpProxy: null
httpsProxy: null
noProxy: null
# If set, a PersistentVolumeClaim will be created to store temporary files for the runtime-scanner's ephemeral
# storage using this StorageClass. The data stored in this volume is temporary and not intended for long-term
# retention.
# When specified, you must also set 'ephemeralVolumeRequestStorage' to define the requested storage size.
storageClassName: null
# Set the requested storage size for the ephemeral volumeClaimTemplate.
# This value is used as the 'requests.storage' in the volumeClaimTemplate only when storageClassName is set.
# Example: "4Gi"
ephemeralVolumeRequestStorage: "4Gi"
extraMounts: []
# example for bottlerocket
# extraMounts:
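Review bot: The comment above `storageClassName` says a PersistentVolumeClaim is created and that `ephemeralVolumeRequestStorage` "must" also be set, but the `"4Gi"` default directly below makes the second statement wrong, and the daemonset template shows the claim is a generic ephemeral volume (`ephemeral.volumeClaimTemplate`), whose PVC is created and deleted with each scanner pod — on a DaemonSet that is one PVC per node. Operators also need to know that setting this drops the container's `ephemeral-storage` request/limit from the rendered spec, so the class's size enforcement becomes the effective cap on scanner scratch data. Suggested wording for the first comment: `# If set, the runtime-scanner scratch volume is a generic ephemeral volume (one PVC per pod/node, created and deleted with the pod) using this StorageClass instead of emptyDir; the container's ephemeral-storage request/limit is then not rendered.` and for the size key: `# Requested size of that per-pod PVC; used only when storageClassName is set.`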
4 changes: 2 additions & 2 deletions charts/sysdig-deploy/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
version: 1.94.0
version: 1.95.0
maintainers:
- name: AlbertoBarba
email: alberto.barba@sysdig.com
Expand Down Expand Up @@ -36,7 +36,7 @@ dependencies:
- name: node-analyzer
# repository: https://charts.sysdig.com
repository: file://../node-analyzer
version: ~1.36.12
version: ~1.37.0
alias: nodeAnalyzer
condition: nodeAnalyzer.enabled
- name: cluster-scanner