From 53cf82b94b0987601761257715536004ed03ef86 Mon Sep 17 00:00:00 2001
From: Philip Schmid
Date: Fri, 4 Oct 2024 11:34:03 +0200
Subject: [PATCH] helm: Added dedicated persistent enforcement flag

Added `tetragon.enableKeepSensorsOnExit` to enable persistent enforcement of the sensors although the Tetragon process is gone/exited.

Signed-off-by: Philip Schmid
---
 docs/content/en/docs/reference/helm-chart.md | 1 +
 install/kubernetes/tetragon/README.md | 1 +
 install/kubernetes/tetragon/templates/tetragon_configmap.yaml | 4 ++++
 install/kubernetes/tetragon/values.yaml | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/docs/content/en/docs/reference/helm-chart.md b/docs/content/en/docs/reference/helm-chart.md
index 6c85dc5279b..e09127b9245 100644
--- a/docs/content/en/docs/reference/helm-chart.md
+++ b/docs/content/en/docs/reference/helm-chart.md
@@ -75,6 +75,7 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragon.commandOverride | list | `[]` | Override the command. For advanced users only. |
 | tetragon.debug | bool | `false` | If you want to run Tetragon in debug mode change this value to true |
 | tetragon.enableK8sAPI | bool | `true` | Access Kubernetes API to associate Tetragon events with Kubernetes pods. |
+| tetragon.enableKeepSensorsOnExit | bool | `false` | Persistent enforcement to allow the enforcement policy to continue running even when its Tetragon process is gone. |
 | tetragon.enableMsgHandlingLatency | bool | `false` | Enable latency monitoring in message handling |
 | tetragon.enablePolicyFilter | bool | `true` | Enable policy filter. This is required for K8s namespace and pod-label filtering. |
 | tetragon.enablePolicyFilterDebug | bool | `false` | Enable policy filter debug messages. |
diff --git a/install/kubernetes/tetragon/README.md b/install/kubernetes/tetragon/README.md
index d49c79b1287..a481c600f88 100644
--- a/install/kubernetes/tetragon/README.md
+++ b/install/kubernetes/tetragon/README.md
@@ -57,6 +57,7 @@ Helm chart for Tetragon
 | tetragon.commandOverride | list | `[]` | Override the command. For advanced users only. |
 | tetragon.debug | bool | `false` | If you want to run Tetragon in debug mode change this value to true |
 | tetragon.enableK8sAPI | bool | `true` | Access Kubernetes API to associate Tetragon events with Kubernetes pods. |
+| tetragon.enableKeepSensorsOnExit | bool | `false` | Persistent enforcement to allow the enforcement policy to continue running even when its Tetragon process is gone. |
 | tetragon.enableMsgHandlingLatency | bool | `false` | Enable latency monitoring in message handling |
 | tetragon.enablePolicyFilter | bool | `true` | Enable policy filter. This is required for K8s namespace and pod-label filtering. |
 | tetragon.enablePolicyFilterDebug | bool | `false` | Enable policy filter debug messages. |
diff --git a/install/kubernetes/tetragon/templates/tetragon_configmap.yaml b/install/kubernetes/tetragon/templates/tetragon_configmap.yaml
index 4149e6736a7..aa2e107287f 100644
--- a/install/kubernetes/tetragon/templates/tetragon_configmap.yaml
+++ b/install/kubernetes/tetragon/templates/tetragon_configmap.yaml
@@ -72,3 +72,7 @@ data:
 event-cache-retries: {{ .Values.tetragon.eventCacheRetries | quote }}
 event-cache-retry-delay: {{ .Values.tetragon.eventCacheRetryDelay | quote }}
 {{- include "configmap.extra" . | nindent 2 }}
+{{- if .Values.tetragon.enableKeepSensorsOnExit }}
+ keep-sensors-on-exit: "true"
+ release-pinned-bpf: "false"
+{{- end }}
\ No newline at end of file
diff --git a/install/kubernetes/tetragon/values.yaml b/install/kubernetes/tetragon/values.yaml
index 26c6bfed067..95f2c4a6b79 100644
--- a/install/kubernetes/tetragon/values.yaml
+++ b/install/kubernetes/tetragon/values.yaml
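Review bot: The conditional block in tetragon_configmap.yaml is rendered after `{{- include "configmap.extra" . | nindent 2 }}`, so a user who already supplies `keep-sensors-on-exit` or `release-pinned-bpf` through whatever feeds `configmap.extra` gets a duplicate key in the rendered ConfigMap, and which value wins is then decided by the YAML parser rather than by the chart. Rendering the flag-driven keys before the include, or stating in the values comment that the two mechanisms must not both set these keys, would make the result deterministic. The value name promises only to keep sensors on exit, yet the template also emits `release-pinned-bpf: "false"`, and nothing in the change says why the two keys belong together; a template comment above the `{{- if` line such as `# persistent enforcement: the pinned BPF objects must survive the process, so both keys are set as a pair` would spare the next maintainer from guessing. The file still ends with `\ No newline at end of file`; since this hunk touches the last line, this is the moment to add the trailing newline.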
@@ -228,6 +228,8 @@ tetragon:
 eventCacheRetries: 15
 # -- Configure the delay (in seconds) between retires in tetragon's event cache.
 eventCacheRetryDelay: 2
+ # -- Persistent enforcement to allow the enforcement policy to continue running even when its Tetragon process is gone.
+ enableKeepSensorsOnExit: false
 # Tetragon Operator settings
 tetragonOperator:
 # -- Enables the Tetragon Operator.
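Review bot: The `# --` comment on `enableKeepSensorsOnExit` describes only the enforcement side and omits two facts operators need before turning it on: the same flag also renders `release-pinned-bpf: "false"` into the ConfigMap, and while the sensors keep enforcing without a Tetragon process there is, as far as this change shows, no agent left to export events for the actions they take, so enforcement in that window is invisible to the event pipeline and to any detection built on it. A fuller comment would be `# -- Persistent enforcement: keep sensors loaded and enforcing after the Tetragon process exits (also sets release-pinned-bpf to false). Enforcement actions taken while no agent is running are not exported as events.` The same gap applies to the generated table rows in docs/content/en/docs/reference/helm-chart.md and install/kubernetes/tetragon/README.md, which are presumably regenerated from this comment.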