helm: Added dedicated persistent enforcement flag

Added `tetragon.enableKeepSensorsOnExit` to enable persistent enforcement of the sensors although the Tetragon process is gone/exited. Signed-off-by: Philip Schmid <[email protected]>
cilium · Oct 4, 2024 · 53cf82b · 53cf82b
1 parent 6c7e7c5
commit 53cf82b
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/docs/content/en/docs/reference/helm-chart.md b/docs/content/en/docs/reference/helm-chart.md
diff --git a/install/kubernetes/tetragon/README.md b/install/kubernetes/tetragon/README.md
diff --git a/install/kubernetes/tetragon/templates/tetragon_configmap.yaml b/install/kubernetes/tetragon/templates/tetragon_configmap.yaml
@@ -72,3 +72,7 @@ data:
   event-cache-retries: {{ .Values.tetragon.eventCacheRetries | quote }}
   event-cache-retry-delay: {{ .Values.tetragon.eventCacheRetryDelay | quote }}
   {{- include "configmap.extra" . | nindent 2 }}
+{{- if .Values.tetragon.enableKeepSensorsOnExit }}
+  keep-sensors-on-exit: "true"
+  release-pinned-bpf: "false"
+{{- end }}
diff --git a/install/kubernetes/tetragon/values.yaml b/install/kubernetes/tetragon/values.yaml
@@ -228,6 +228,8 @@ tetragon:
   eventCacheRetries: 15
   # -- Configure the delay (in seconds) between retires in tetragon's event cache.
   eventCacheRetryDelay: 2
+  # -- Persistent enforcement to allow the enforcement policy to continue running even when its Tetragon process is gone.
+  enableKeepSensorsOnExit: false
 # Tetragon Operator settings
 tetragonOperator:
   # -- Enables the Tetragon Operator.