mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
dbcb638809
Update the default file carver block size to be compatible with MySQL 8 & S3. Update surrounding docs. Various other updates to references of MySQL versions (all terraform deploys are now defaulted MySQL 8 in AWS) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`.
182 lines
5.8 KiB
YAML
182 lines
5.8 KiB
YAML
# Copyright (c) 2020-present, The kubequery authors
|
|
# Copyright (c) 2022-present, Fleet
|
|
#
|
|
# This source code is licensed as defined by the LICENSE file found in the
|
|
# root directory of this source tree.
|
|
#
|
|
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
|
|
|
|
# Adapted from original provided by Kubequery project.
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: kubequery
|
|
labels:
|
|
app.kubernetes.io/name: kubequery
|
|
app.kubernetes.io/part-of: kubequery
|
|
app.kubernetes.io/version: latest
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: kubequery-sa
|
|
namespace: kubequery
|
|
labels:
|
|
app.kubernetes.io/name: kubequery-sa
|
|
app.kubernetes.io/part-of: kubequery
|
|
app.kubernetes.io/version: latest
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: kubequery-clusterrole
|
|
labels:
|
|
app.kubernetes.io/name: kubequery-clusterrole
|
|
app.kubernetes.io/part-of: kubequery
|
|
app.kubernetes.io/version: latest
|
|
rules:
|
|
- apiGroups: ["", "admissionregistration.k8s.io", "apps", "autoscaling", "batch", "events.k8s.io", "networking.k8s.io", "policy", "rbac.authorization.k8s.io", "storage.k8s.io"]
|
|
resources: ["*"]
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: kubequery-clusterrolebinding
|
|
labels:
|
|
app.kubernetes.io/name: kubequery-clusterrolebinding
|
|
app.kubernetes.io/part-of: kubequery
|
|
app.kubernetes.io/version: latest
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: kubequery-clusterrole
|
|
apiGroup: rbac.authorization.k8s.io
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: kubequery-sa
|
|
namespace: kubequery
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: kubequery-config
|
|
namespace: kubequery
|
|
labels:
|
|
app.kubernetes.io/name: kubequery-config
|
|
app.kubernetes.io/part-of: kubequery
|
|
app.kubernetes.io/version: latest
|
|
data:
|
|
enroll.secret: TODO
|
|
kubequery.flags: |
|
|
# Server
|
|
--tls_hostname=host.docker.internal:8080
|
|
--tls_server_certs=/opt/uptycs/etc/fleet.pem
|
|
# Enrollment
|
|
--enroll_secret_path=/opt/uptycs/etc/enroll.secret
|
|
--enroll_tls_endpoint=/api/v1/osquery/enroll
|
|
# Configuration
|
|
--config_plugin=tls
|
|
--config_tls_endpoint=/api/v1/osquery/config
|
|
--config_refresh=10
|
|
# Live query
|
|
--disable_distributed=false
|
|
--distributed_plugin=tls
|
|
--distributed_interval=10
|
|
--distributed_tls_max_attempts=3
|
|
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
|
|
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
|
|
# Logging
|
|
--logger_plugin=tls
|
|
--logger_tls_endpoint=/api/v1/osquery/log
|
|
--logger_tls_period=10
|
|
# File carving
|
|
--disable_carver=false
|
|
--carver_start_endpoint=/api/v1/osquery/carve/begin
|
|
--carver_continue_endpoint=/api/v1/osquery/carve/block
|
|
--carver_block_size=8000000
|
|
kubequery.conf: |
|
|
fleet.pem: |
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIE5jCCAs6gAwIBAgIJAKq0+FAVArUhMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV
|
|
BAMMCkZsZWV0IFRlc3QwHhcNMjAxMDE1MTg1ODE5WhcNMzAwNzE1MTg1ODE5WjAV
|
|
MRMwEQYDVQQDDApGbGVldCBUZXN0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
|
|
CgKCAgEAttQ62lpMq48/XjQFxYg47D2fgKgTBMjDNSfCt9VpqE3xPnybmWo8VZtk
|
|
jmrFM50IhagyYSjvl9iqdrnsl3ZV8KYbWEy6849zDYF1SudmC7/pJyH7QvpKgL7V
|
|
4McM62jM905hyFy9KZTAlFiaeezWSWJre7kHsK2u5tsqS6ElatEZmF59sInixaRw
|
|
RqVxOhtDm7Sl1c5xKWM6phWoJfykspFpu5J6N2jRQXCfzBYoQWN76OohGouit/BQ
|
|
C1xvm+f7wgGZgbbfDjUoHAe9Yhd3XzZsYTgMDt/SRJRDnxFZwo8BAkY9yJm7f3dQ
|
|
AEhgJ66KbyoxITdgma1hgmeWibZY4hVymcRxB1B3RNN2at19RNy2J+brMxlG0KZk
|
|
nD77EqidrwLAlYcdeU3yLjt0vYPxT+RW7l1jiZlVi/oaykAmVfOhWnTnTwbsYs7O
|
|
UMyMyYHQECEs98ex7wrjThIBJScqhsSN1ipAxr5RgaDr+U5IR+tLhMewBy8So+nf
|
|
2YuMhLfkCgoY80ELhz5F8avts5hksB0hqnNYr+Nlwm6eXqEPZSzFJmdc1IbmWzq2
|
|
7UH1OQmBFF2qr2j/8dcM+oPNgjrEEQjtyW0S4j2PhjSEbINgcwu0AaABssLI80Vm
|
|
Gp1TjUGA92rMwIjlAtcUUB5FOKSS8vAXb1VcDWMkybh9sHj4Z0ECAwEAAaM5MDcw
|
|
NQYDVR0RBC4wLIIJbG9jYWxob3N0ghRob3N0LmRvY2tlci5pbnRlcm5hbIIJMTI3
|
|
LjAuMC4xMA0GCSqGSIb3DQEBCwUAA4ICAQBZOY++LNRTVG8XlQGVlOloEKA2WY3P
|
|
gXKJLSM7xWSxj2co0v+noyhoInHT7ysub8en59Et+vN53/0OobxNIdEKDUdqs38R
|
|
F++Oy6s/MhFHSo87F06t+W91/60ub4iFRHfev1qeNFV6Yzv9sFJ5LpXLFk+qVDb8
|
|
pPyFFE1bXjctDPjD5gUj+Y34XikVKzMb7xddWCNs34v1KCaCBW7kkfefxiZiDR6g
|
|
lCEkDzp6xaLS898oCbfFakjr4bvOgBP1IqXLIDLPMhivaxNAooHTtu/3ezp7puix
|
|
TSDkjlkStDtEFw/wjyaMcEkk51Gs1ponBbADLRxQ50AHDWk/4vy8GcIVc6CdVEOA
|
|
Zw12FN06C4Jviiiv6uCXZ6iZ+V+pjGiGmSNYF+kruUs8BfrJIB89lqxpdQ4Kx01j
|
|
AuSFvjRRvIPmvApSdKEjLcY3AYRivXsB/hASMBbjh/p1f/JzSJdxoqSvONhNQJuh
|
|
+wcdNVQhGAv3kkLn/HMHTBl2Ur+9tQaJrnR1tWl1IzwLRJIi0Soyp/q5ZjQyFglj
|
|
32xW83DZhtpQ2SI1QGy4AvWIPnGHZhMfav02KnKRhZdOMW4oekXRMrwiyXCqIazc
|
|
xXzAlCq8dHdP2Y9uvfFxVFyE+uSfkcPxX+DG/ZnpgCS27oKA/qLCybJamlqtveNs
|
|
RSjNe5qwGi0ifA==
|
|
-----END CERTIFICATE-----
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: kubequery
|
|
namespace: kubequery
|
|
labels:
|
|
app.kubernetes.io/name: kubequery
|
|
app.kubernetes.io/part-of: kubequery
|
|
app.kubernetes.io/version: latest
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: kubequery
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: kubequery
|
|
app.kubernetes.io/part-of: kubequery
|
|
app.kubernetes.io/version: latest
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
terminationGracePeriodSeconds: 10
|
|
serviceAccountName: kubequery-sa
|
|
containers:
|
|
- name: kubequery
|
|
image: uptycs/kubequery:latest
|
|
imagePullPolicy: Always
|
|
resources:
|
|
requests:
|
|
cpu: 200m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 1000m
|
|
memory: 512Mi
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /opt/uptycs/config
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: kubequery-config
|