|
| 1 | +# 5-Spot Kata Config Agent DaemonSet (workload cluster) |
| 2 | +# |
| 3 | +# Opt-in node-side delivery of a Kata containerd drop-in. Lands only on nodes |
| 4 | +# the controller has labelled `5spot.finos.org/kata-config=enabled` (which only |
| 5 | +# happens when an SM with `spec.kata` resolves its source object on this cluster). |
| 6 | +# |
| 7 | +# The agent reads its Node's `5spot.finos.org/kata-config-ref` annotation, GETs |
| 8 | +# the referenced ConfigMap/Secret from the workload API (NOT a mounted volume — a |
| 9 | +# DaemonSet cannot template a configMap.name per replica, ADR 0002 §3), and |
| 10 | +# atomically writes the drop-in to the configured destPath under the hostPath |
| 11 | +# /host mount. |
| 12 | +# |
| 13 | +# The pod is `privileged: true` + `hostPID: true` (ADR 0003): writing the host |
| 14 | +# drop-in and bouncing the host k0s service via `nsenter -t 1 -m -u -i -n -p -- |
| 15 | +# systemctl restart <restartService>` require setns into the host namespaces and |
| 16 | +# resolving host PID 1. `privileged` is the architecturally-required escalation, |
| 17 | +# bounded by opt-in label-gating (lands only on nodes the controller labelled), |
| 18 | +# a read-only root filesystem, and seccomp RuntimeDefault. Justification is in |
| 19 | +# `.trivyignore` (kata-config-agent banner) and docs/src/security/threat-model.md. |
| 20 | +apiVersion: apps/v1 |
| 21 | +kind: DaemonSet |
| 22 | +metadata: |
| 23 | + name: 5spot-kata-config-agent |
| 24 | + namespace: 5spot-system |
| 25 | + labels: |
| 26 | + app: 5spot-kata-config-agent |
| 27 | + app.kubernetes.io/name: 5spot |
| 28 | + app.kubernetes.io/component: kata-config-agent |
| 29 | +spec: |
| 30 | + selector: |
| 31 | + matchLabels: |
| 32 | + app: 5spot-kata-config-agent |
| 33 | + updateStrategy: |
| 34 | + type: RollingUpdate |
| 35 | + rollingUpdate: |
| 36 | + maxUnavailable: 10% |
| 37 | + template: |
| 38 | + metadata: |
| 39 | + labels: |
| 40 | + app: 5spot-kata-config-agent |
| 41 | + app.kubernetes.io/name: 5spot |
| 42 | + app.kubernetes.io/component: kata-config-agent |
| 43 | + spec: |
| 44 | + serviceAccountName: 5spot-kata-config-agent |
| 45 | + # Opt-in: only land on nodes the controller has labelled. |
| 46 | + nodeSelector: |
| 47 | + 5spot.finos.org/kata-config: enabled |
| 48 | + # Reach cordoned / NotReady nodes too — delivery is infra-level. |
| 49 | + tolerations: |
| 50 | + - operator: Exists |
| 51 | + priorityClassName: system-node-critical |
| 52 | + terminationGracePeriodSeconds: 5 |
| 53 | + # hostPID so `nsenter -t 1` resolves host PID 1 (systemd) for the k0s |
| 54 | + # service restart (ADR 0003). |
| 55 | + hostPID: true |
| 56 | + securityContext: |
| 57 | + # Root is required to write the drop-in under /etc/k0s on the host. |
| 58 | + # nosemgrep: yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value |
| 59 | + runAsNonRoot: false |
| 60 | + runAsUser: 0 |
| 61 | + runAsGroup: 0 |
| 62 | + seccompProfile: |
| 63 | + type: RuntimeDefault |
| 64 | + containers: |
| 65 | + - name: agent |
| 66 | + # Pin a released tag — never :latest in production (KSV-0013). |
| 67 | + image: ghcr.io/finos/5-spot-kata-config-agent:v0.1.0 |
| 68 | + imagePullPolicy: IfNotPresent |
| 69 | + env: |
| 70 | + - name: RUST_LOG |
| 71 | + value: "info" |
| 72 | + - name: RUST_LOG_FORMAT |
| 73 | + value: "json" |
| 74 | + - name: NODE_NAME |
| 75 | + valueFrom: |
| 76 | + fieldRef: |
| 77 | + fieldPath: spec.nodeName |
| 78 | + - name: HOST_ROOT |
| 79 | + value: "/host" |
| 80 | + securityContext: |
| 81 | + # privileged is required for setns into host mount/PID namespaces |
| 82 | + # (the `nsenter` k0s-service restart, ADR 0003). With privileged, |
| 83 | + # allowPrivilegeEscalation must be true; the root filesystem stays |
| 84 | + # read-only and seccomp stays RuntimeDefault to keep the escalation |
| 85 | + # as narrow as the feature allows. |
| 86 | + privileged: true |
| 87 | + runAsUser: 0 |
| 88 | + runAsGroup: 0 |
| 89 | + # nosemgrep: yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value |
| 90 | + runAsNonRoot: false |
| 91 | + allowPrivilegeEscalation: true |
| 92 | + readOnlyRootFilesystem: true |
| 93 | + seccompProfile: |
| 94 | + type: RuntimeDefault |
| 95 | + resources: |
| 96 | + limits: |
| 97 | + cpu: 50m |
| 98 | + memory: 64Mi |
| 99 | + requests: |
| 100 | + cpu: 10m |
| 101 | + memory: 16Mi |
| 102 | + volumeMounts: |
| 103 | + # Host root mounted writable so the agent can write the configurable |
| 104 | + # destPath (default /etc/k0s/container.d/). The dest path is |
| 105 | + # operator-configurable per SM, so a narrower subPath cannot be |
| 106 | + # pinned in a shared DaemonSet spec (ADR 0003). |
| 107 | + - name: host-root |
| 108 | + mountPath: /host |
| 109 | + volumes: |
| 110 | + - name: host-root |
| 111 | + hostPath: |
| 112 | + path: / |
| 113 | + type: Directory |
0 commit comments