Tetragon oci hook setup #1842
Merged
Tetragon oci hook setup #1842
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
kkourt
force-pushed
the
pr/kkourt/tetragon-oci-hook-setup
branch
from
ed896f2
to
1ef642f
Compare
kkourt
added
the
release-note/minor
lambdanis
approved these changes
Dec 5, 2023
This is a preparation patch for subsequent patches. Signed-off-by: Kornilios Kourtis <[email protected]>
tetragon-oci-hook-setup is meant to be executed in an init container to setup run-time hooks on the host. Currently, it only supports the oci-hooks interface (as, for example, used by cri-o). NRI or other interfaces fall into future work. There are two commands: install and uninstall. Install will copy the hook binary to a directory (which should be a host mount) and add a configuration file to the hooks directory (also should be a host mount) to call the binary. Signed-off-by: Kornilios Kourtis <[email protected]>
Add tetragon-oci-hook and tetragon-oci-hook-setup in the tetragon image. This will enable us to use it as an init container to setup the OCI hooks. Signed-off-by: Kornilios Kourtis <[email protected]>
This patch adds the ociHookSetup helm value to configure the tetragon oci hook. For now, it is disabled by default. Signed-off-by: Kornilios Kourtis <[email protected]>
This is mostly for illustration purposes until we find something better. Signed-off-by: Kornilios Kourtis <[email protected]>
Add a developer demo. We will move this to docuemntation proper once the PR is merged, and the image is updated. Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/tetragon-oci-hook-setup
branch
from
1ef642f
to
28d751f
Compare
lambdanis
approved these changes
Dec 12, 2023
kkourt
added
release-note/major
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add an init container for installing the tetragon OCI hook.
This, currently, only supports
cri-o, but it can be extended to support containerd's NRI: https://github.com/containerd/containerd/blob/main/docs/NRI.md.See for a developer demo: https://github.com/cilium/tetragon/blob/pr/kkourt/tetragon-oci-hook-setup/contrib/rthooks/tetragon-oci-hook/docs/demo.md.