From 971ace50855e4409d5a0c746eb3b18265d828187 Mon Sep 17 00:00:00 2001
From: jt-dd
Date: Sat, 14 Sep 2024 14:10:05 +0200
Subject: [PATCH] K8s collector deployment files example
---
 .../k8s/khaas/templates/cluster_role.yaml | 29 ++++++++++++
 .../khaas/templates/cluster_role_binding.yaml | 13 ++++++
 .../k8s/khaas/templates/deployment-db.yaml | 2 +-
 .../k8s/khaas/templates/job-collector.yaml | 44 +++++++++++++++++++
 .../k8s/khaas/templates/service_account.yaml | 12 +++++
 deployments/k8s/khaas/values.yaml | 30 +++++++++----
 6 files changed, 121 insertions(+), 9 deletions(-)
 create mode 100644 deployments/k8s/khaas/templates/cluster_role.yaml
 create mode 100644 deployments/k8s/khaas/templates/cluster_role_binding.yaml
 create mode 100644 deployments/k8s/khaas/templates/job-collector.yaml
diff --git a/deployments/k8s/khaas/templates/cluster_role.yaml b/deployments/k8s/khaas/templates/cluster_role.yaml
new file mode 100644
index 00000000..bdcec620
--- /dev/null
+++ b/deployments/k8s/khaas/templates/cluster_role.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubehound-collector
+ namespace: default
+rules:
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - apiGroups: ["discovery.k8s.io"]
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
diff --git a/deployments/k8s/khaas/templates/cluster_role_binding.yaml b/deployments/k8s/khaas/templates/cluster_role_binding.yaml
new file mode 100644
index 00000000..aeabe98c
--- /dev/null
+++ b/deployments/k8s/khaas/templates/cluster_role_binding.yaml
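Review bot: The ClusterRole here and the ClusterRoleBinding in the next hunk hard-code `name: kubehound-collector` and `namespace: default`, while the ServiceAccount this commit adds in service_account.yaml is named `{{ $.Chart.Name }}-collector` in `{{ $.Release.Namespace }}` and the CronJob uses `serviceAccountName: "{{ $.Chart.Name }}-collector"`; unless the chart is named `kubehound` and released into `default`, the binding's subject does not exist and the collector pod runs with no permissions at all. Template the binding's subject as `name: {{ $.Chart.Name }}-collector` / `namespace: {{ $.Release.Namespace }}` and derive the role and binding names the same way. `metadata.namespace` on a ClusterRole or ClusterRoleBinding is meaningless (both are cluster-scoped) and should be dropped so readers do not assume it scopes the grant. The rule set itself is read-only (`get`/`list`) and excludes `secrets`, which is the right shape for a token that is mounted into a scheduled pod.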
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubehound-collector
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: kubehound-collector
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: kubehound-collector
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deployments/k8s/khaas/templates/deployment-db.yaml b/deployments/k8s/khaas/templates/deployment-db.yaml
index c6802b45..1643aa0e 100644
--- a/deployments/k8s/khaas/templates/deployment-db.yaml
+++ b/deployments/k8s/khaas/templates/deployment-db.yaml
@@ -36,4 +36,4 @@ spec:
 memory: {{ $.Values.services.db.resources.limits.memory }}
 ports:
 - name: db
- containerPort: {{ $.Values.services.db.port }}
\ No newline at end of file
+ containerPort: {{ $.Values.services.db.port }}
diff --git a/deployments/k8s/khaas/templates/job-collector.yaml b/deployments/k8s/khaas/templates/job-collector.yaml
new file mode 100644
index 00000000..dd629366
--- /dev/null
+++ b/deployments/k8s/khaas/templates/job-collector.yaml
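Review bot: This file omits the leading `---` and puts `kind` before `apiVersion`, unlike the new cluster_role.yaml in the previous hunk, and the chart already relies on `---` separators when templates are rendered into one stream (the service_account.yaml hunk adds one). Start the file with `---` and use the `apiVersion`/`kind`/`metadata` order so the three new RBAC/identity files read the same way.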
@@ -0,0 +1,44 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: "{{ $.Chart.Name }}-collector"
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: "{{ $.Chart.Name }}-collector"
+ service: {{ $.Chart.Name }}
+ chart_version: {{ $.Chart.Version }}
+ chart_name: {{ $.Chart.Name }}
+ team: {{ $.Values.team }}
+spec:
+ schedule: "0,30 * * * *"
+ failedJobsHistoryLimit: 5
+ successfulJobsHistoryLimit: 5
+ concurrencyPolicy: Replace
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ app: "{{ $.Chart.Name }}-collector"
+ service: {{ $.Chart.Name }}
+ team: {{ $.Values.team }}
+ chart_name: {{ $.Chart.Name }}
+ restartPolicy: Never
+ serviceAccountName: "{{ $.Chart.Name }}-collector"
+ containers:
+ - name: {{ $.Chart.Name }}-collector
+ image: "{{ $.Values.services.collector.image }}:{{ $.Values.services.collector.version}}"
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: {{ $.Values.services.collector.resources.requests.cpu }}
+ memory: {{ $.Values.services.collector.resources.requests.memory }}
+ limits:
+ cpu: {{ $.Values.services.collector.resources.limits.cpu }}
+ memory: {{ $.Values.services.collector.resources.limits.memory }}
+ command: ["/kubehound","dump","remote","--khaas-server","{{ $.Values.services.collector.khaas_server }}","--bucket","{{ $.Values.services.ingestor.bucket_url }}","--region","us-east-1"]
+ env:
+ - name: KH_LOG_FORMAT
+ value: json
+ - name: KH_K8S_CLUSTER_NAME_ENV_PTR
+ value: K8S_CLUSTER_NAME
diff --git a/deployments/k8s/khaas/templates/service_account.yaml b/deployments/k8s/khaas/templates/service_account.yaml
index 28e4883f..5950dfb0 100644
--- a/deployments/k8s/khaas/templates/service_account.yaml
+++ b/deployments/k8s/khaas/templates/service_account.yaml
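Review bot: The pod template in this hunk has no `spec:` key — the 44 added lines go straight from `template.metadata.labels` to `restartPolicy: Never`, `serviceAccountName` and `containers`, which are PodSpec fields, so the API server will reject the CronJob with an unknown-field error (or, with indentation the collapsed patch does not show, silently misplace them); insert `spec:` under `template:` and nest those fields beneath it. Since this pod carries a ServiceAccount with cluster-wide read access to RBAC objects, pods and nodes, it is also worth adding a pod- and container-level `securityContext` as sketched below (`runAsNonRoot` assumes the `kubehound-binary` image runs unprivileged — confirm before enabling). `KH_K8S_CLUSTER_NAME_ENV_PTR` points at `K8S_CLUSTER_NAME`, which nothing in this template defines, so the collector presumably gets it from elsewhere — verify or add the variable next to it. `--region us-east-1` is hard-coded in `command` while every other endpoint is a chart value; consider `{{ $.Values.services.collector.region }}` with a default in values.yaml.
```yaml
    template:
      metadata:
        # … unchanged: pod labels …
      spec:
        restartPolicy: Never
        serviceAccountName: "{{ $.Chart.Name }}-collector"
        securityContext:
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        containers:
          - name: {{ $.Chart.Name }}-collector
            # … unchanged: image, imagePullPolicy, resources, command, env …
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
```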
@@ -9,3 +9,15 @@ metadata:
 team: {{ $.Values.team }}
 chart_name: {{ $.Chart.Name }}
 chart_version: {{ $.Chart.Version }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $.Chart.Name }}-collector
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ $.Chart.Name }}-collector
+ service: {{ $.Chart.Name }}
+ team: {{ $.Values.team }}
+ chart_name: {{ $.Chart.Name }}
+ chart_version: {{ $.Chart.Version }}
diff --git a/deployments/k8s/khaas/values.yaml b/deployments/k8s/khaas/values.yaml
index 0e05af02..fc75fa18 100644
--- a/deployments/k8s/khaas/values.yaml
+++ b/deployments/k8s/khaas/values.yaml
@@ -1,6 +1,20 @@
 team:
 services:
+ collector:
+ image: ghcr.io/datadog/kubehound-binary
+ version: latest
+ resources:
+ requests:
+ cpu: "4"
+ memory: "8Gi"
+ limits:
+ cpu: "4"
+ memory: "8Gi"
+ khaas_server: kubehound-ingestor.kubehound.cluster-local.local
+
 ingestor:
+ host: 0.0.0.0
+ port: 9000
 image: ghcr.io/datadog/kubehound-binary
 version: latest
 bucket_url: s3://
@@ -12,10 +26,10 @@ services:
 limits:
 cpu: "4"
 memory: "8Gi"
- port: 9000
- host: 0.0.0.0
+
 graph:
- host: kubehound-graph
+ host: kubehound-graph.kubehound.cluster-local.local
+ port: 8182
 db_name: kubehound
 image: ghcr.io/datadog/kubehound-graph
 version: latest
@@ -26,7 +40,7 @@ services:
 limits:
 cpu: "4"
 memory: "16Gi"
- port: 8182
+
 ui:
 image: ghcr.io/datadog/kubehound-ui
 version: latest
@@ -37,14 +51,15 @@ services:
 limits:
 cpu: "2"
 memory: "4Gi"
- ports:
+ ports:
 lab: 8888
 tree: 8889
+
 db:
- host: kubehound-db
+ host: kubehound-db.kubehound.cluster-local.local
+ port: 27017
 image: mongo
 version: 6.0.6
- port: 27017
 resources:
 requests:
 cpu: "4"
@@ -52,4 +67,3 @@ services:
 limits:
 cpu: "4"
 memory: "16Gi"
- port: 27017
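Review bot: The new ServiceAccount leaves `name: {{ $.Chart.Name }}-collector` and the label `app: {{ $.Chart.Name }}-collector` unquoted, whereas job-collector.yaml quotes the same expression as `"{{ $.Chart.Name }}-collector"`; quoting templated scalars consistently guards against a chart name that renders into something YAML would re-type or fold. Nothing in this hunk or in the CronJob supplies the cloud credentials the collector needs to write to the `--bucket` target — if that is meant to arrive through a workload-identity annotation on this ServiceAccount, an `annotations:` block with a clearly labelled placeholder would make the requirement visible to anyone copying the example. Because this account's token carries cluster-wide read rights, stating `automountServiceAccountToken: true` explicitly also documents that the mount is intentional rather than a default.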
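Review bot: `collector.version: latest` in the first values.yaml hunk, combined with `imagePullPolicy: Always` in job-collector.yaml, means every scheduled run pulls whatever the mutable `latest` tag currently points to, so the code executing under the cluster-wide read-only ServiceAccount can change without any chart change; pin a release tag or digest for the collector, e.g. `version: "<pinned-tag>"`, even if the other services keep `latest` in this example. The `khaas_server` value here and the `graph.host` / `db.host` values in the second and fourth hunks of this file use a `kubehound.cluster-local.local` suffix that does not match the in-cluster `<service>.<namespace>.svc.cluster.local` form — if these are deliberate placeholders, a comment such as `# example value; replace with the in-cluster service DNS name` would stop copy-paste deployments from silently failing to resolve. `khaas_server` also carries no port while `ingestor.port` is 9000; confirm whether `--khaas-server` expects `host:port`.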