Merge pull request #1 from sa-cloud/master

initial commit

build/Dockerfile

@@ -0,0 +1,4 @@
+FROM quay.io/operator-framework/helm-operator:v0.13.0
+
+COPY watches.yaml ${HOME}/watches.yaml
+COPY helm-charts/ ${HOME}/helm-charts/

deploy/crds/charts.helm.k8s.io_netflowcollectors_crd.yaml

@@ -0,0 +1,18 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: netflowcollectors.charts.helm.k8s.io
+spec:
+  group: charts.helm.k8s.io
+  names:
+    kind: NetflowCollector
+    listKind: NetflowCollectorList
+    plural: netflowcollectors
+    singular: netflowcollector
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true

deploy/crds/charts.helm.k8s.io_skydives_crd.yaml

@@ -0,0 +1,18 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: skydives.charts.helm.k8s.io
+spec:
+  group: charts.helm.k8s.io
+  names:
+    kind: Skydive
+    listKind: SkydiveList
+    plural: skydives
+    singular: skydive
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true

deploy/crds/charts.helm.k8s.io_v1alpha1_netflowcollector_cr.yaml

@@ -0,0 +1,24 @@
+apiVersion: charts.helm.k8s.io/v1alpha1
+kind: NetflowCollector
+metadata:
+  name: netflow-collector
+spec:
+  image:
+    repository: cognetive/skydive
+    tag: 2019.10.15___12.24
+  exporter:
+    enabled: true
+    store:
+      bucket: "default"
+      objectPrefix: "default"
+    write:
+      s3:
+        #endpoint is a required value, pointing to a working Object Store endpoint Example value - "http://localhost:9000"
+        endpoint: "http://localhost:9000"
+        #installLocalMinio should be set to false. If set to true a default minio OS will be installed locally (in a container) for testing purposes only.
+        installLocalMinio: true
+        region: "default"
+        use_api_key: false
+        api_key: ""
+        access_key: "admin"
+        secret_key: "admin1234"

deploy/crds/charts.helm.k8s.io_v1alpha1_skydive_cr.yaml

@@ -0,0 +1,156 @@
+apiVersion: charts.helm.k8s.io/v1alpha1
+kind: Skydive
+metadata:
+  name: skydive
+spec:
+  nameOverride: "skydive"
+
+  ###############################################################################
+  ############################ Skydive ##########################################
+  ###############################################################################
+
+  ##################
+  ## Image variables
+  arch:
+    amd64: "2 - No preference"
+    ppc64le: "2 - No preference"
+    s390x: "2 - No preference"
+
+  image:
+    repository: skydive/skydive
+    tag: "0.24.0"
+    secretName: ""
+    imagePullPolicy: IfNotPresent
+
+  ##################
+  ## Resources
+  resources:
+    limits:
+      cpu: 2000m
+      memory: 8192Mi
+    requests:
+      cpu: 100m
+      memory: 512Mi
+
+  ##################
+  ## Service variables
+  service:
+    name: skydive
+    port: 8082
+    type: NodePort
+
+  etcd:
+    port: 12379
+
+  analyzer:
+    topology:
+      fabric: "TOR1->*[Type=host]/eth0"
+
+  agent:
+    topology:
+      probes: "ovsdb docker runc"
+
+  ## env variables
+  env: []
+
+  ###################
+  ## Elastic search image 
+  elasticsearch:
+    image:
+      repository: "elastic/elasticsearch"
+      tag: "5.5.1"
+
+  ##################
+  ## Data / Storage
+  ##
+  ## - Persistence disables by default
+  persistence:
+    enabled: false
+    useDynamicProvisioning: false
+
+  dataVolume:
+    name: "datavolume"
+    existingClaimName: ""
+    storageClassName: ""
+    size: 10Gi
+
+  storage:
+    flows:
+      indicesToKeep: 10
+      indexEntriesLimit: 10000
+    topology:
+      indicesToKeep: 10
+      indexEntriesLimit: 10000
+    elasticsearch:
+      port: 9200
+      host: 127.0.0.1
+
+  exporter:
+    enabled: false
+    image:
+      repository: docker.io/bluesecure/skydive-exporter
+      tag: 1
+    store:
+      bucket: "default"
+      objectPrefix: "default"
+      buffered:
+        max_flows_per_object: 60000
+    write:
+      s3:
+        #endpoint is a required value, pointing to a working Object Store endpoint Example value - "http://localhost:9000"
+        endpoint: "http://127.0.0.1:9000"
+        #installLocalMinio should be set to false if using an external endpoint. If set to true a default minio OS will be installed locally (in a container).
+        #the below minioImage, minioImageTag - are rellevant only in case of installLocalMinio=true - for the default case for testing purposes
+        installLocalMinio: true
+        minioImage: "docker.io/bitnami/minio"
+        minioImageTag: "2019.7.31-debian-9-r1"
+        region: "default"
+        use_api_key: false
+        api_key: ""
+        access_key: "admin"
+        secret_key: "admin1234"
+    env_exporter:
+      # Maximum number of flows per object
+      - name: SKYDIVE_PIPELINE_STORE_BUFFERED_MAX_FLOWS_PER_OBJECT
+        value: "60000"
+
+      # Maximum time period for object
+      - name: SKYDIVE_PIPELINE_STORE_BUFFERED_MAX_SECONDS_PER_OBJECT
+        value: "60"
+
+      - name: SKYDIVE_PIPELINE_STORE_BUFFERED_MAX_FLOW_ARRAY_SIZE
+        value: "100000"
+
+      # New stream (folder) is opened every such period
+      - name: SKYDIVE_PIPELINE_STORE_BUFFERED_MAX_SECONDS_PER_STREAM
+        value: "86400"
+
+    env:
+      # For debug purposes
+      - name: SKYDIVE_LOGGING_LEVEL
+        value: "INFO"
+
+      # the rate in which the agents transfer flow updates to the analyzer
+      # Flows to be updated every 30 seconds (thus, every 60 seconds to defender)
+      - name: SKYDIVE_FLOW_UPDATE
+        value: "30"
+
+      # ANALYZER_STARTUP_CAPTURE_GREMLIN invoke at startup capturing in selected nodes (sets automatic capture on all but he loopback nodes)
+      - name: SKYDIVE_ANALYZER_STARTUP_CAPTURE_GREMLIN
+        value: "G.V().has('Name', NE('lo'))"
+
+      #capture all but skydive (8082)
+      - name: SKYDIVE_ANALYZER_STARTUP_CAPTURE_BPF
+        value: "not (tcp dst port 8082)"
+
+      # DEFAULT_LAYER_KEY_MODE - the layers used to identify a unique flow.
+      - name: SKYDIVE_FLOW_DEFAULT_LAYER_KEY_MODE
+        value: "L3"
+
+      # use pcap userland capture. Not very efficient but works on all linux kernel version
+      - name: SKYDIVE_ANALYZER_STARTUP_CAPTURE_TYPE
+        value: "pcap"
+
+      - name: SKYDIVE_AGENT_CAPTURE_SYN
+        value: "True"
+

deploy/operator.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: skydive-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: skydive-operator
+  template:
+    metadata:
+      labels:
+        name: skydive-operator
+    spec:
+      serviceAccountName: skydive-operator
+      containers:
+        - name: skydive-operator
+          # Replace this with the built image name
+          image: quay.io/sacloud/skydive-op:v0.0.2
+          imagePullPolicy: Always
+          env:
+            - name: WATCH_NAMESPACE
+              value: ""
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: "skydive-operator"

deploy/role.yaml

@@ -0,0 +1,105 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: skydive-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - serviceaccounts
+  - services
+  verbs:
+  - '*'
+- apiGroups:
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - ingresses
+  - podsecuritypolicies
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  - deployments
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - apps
+  resourceNames:
+  - skydive-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - charts.helm.k8s.io
+  resources:
+  - '*'
+  - netflowcollectors
+  verbs:
+  - '*'
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  - roles.rbac.authorization.k8s.io
+  - authorization.k8s.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - '*'

deploy/role_binding.yaml

@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: skydive-operator
+subjects:
+- kind: ServiceAccount
+  name: skydive-operator
+  # Replace this with the namespace the operator is deployed in.
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: skydive-operator
+  apiGroup: rbac.authorization.k8s.io

deploy/service_account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: skydive-operator