hostNetworkPodForTrace creates a pod manifest for network tracing. The pod runs with host network and required capabilities for bpftrace.
(config TraceConfig, debugPodNamespace, nodeName string)
// hostNetworkPodForTrace builds the manifest of the pod that hosts a bpftrace
// session on nodeName. It only constructs the object; nothing is created in
// the cluster.
//
// The pod is deliberately powerful: it shares the node's network and PID
// namespaces, tolerates every taint so it can be placed on any node, drops
// all capabilities and adds back only those returned by TraceCapabilities(),
// and runs with seccomp and AppArmor unconfined. It is not marked privileged.
// Because of hostNetwork/hostPID and the unconfined profiles,
// debugPodNamespace must be one whose Pod Security Admission level permits
// such pods (the baseline level rejects them).
//
// The container's only process is "sleep infinity" and the restart policy is
// Never, so the pod keeps running with these privileges until the caller
// deletes it; nothing in the manifest bounds its lifetime.
//
// config supplies the container image; nodeName is both the scheduling target
// and the value of the retina.sh/trace-target-node label. The pod name comes
// from randomTraceContainerName.
func hostNetworkPodForTrace(config TraceConfig, debugPodNamespace, nodeName string) *v1.Pod {
	// Args rather than Command so the image's entrypoint.sh still runs; it
	// mounts debugfs/tracefs, which bpftrace needs.
	traceArgs := []string{"sleep", "infinity"}

	labels := map[string]string{
		"app":                         "retina-trace",
		"retina.sh/component":         "trace",
		"retina.sh/trace-target-node": nodeName,
	}

	// Capability-scoped instead of privileged. bpftrace additionally needs
	// the unconfined seccomp and AppArmor profiles (per shell.md).
	securityCtx := &v1.SecurityContext{
		Privileged: boolPtr(false),
		Capabilities: &v1.Capabilities{
			Drop: []v1.Capability{"ALL"},
			Add:  stringSliceToCapabilities(TraceCapabilities()),
		},
		SeccompProfile:  &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined},
		AppArmorProfile: &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined},
	}

	// Non-interactive container: no stdin, no TTY.
	traceContainer := v1.Container{
		Name:            "retina-trace",
		Image:           config.RetinaShellImage,
		Args:            traceArgs,
		Stdin:           false,
		TTY:             false,
		SecurityContext: securityCtx,
	}

	spec := v1.PodSpec{
		NodeName:      nodeName,
		RestartPolicy: v1.RestartPolicyNever,
		// An Exists toleration with no key matches every taint.
		Tolerations: []v1.Toleration{{Operator: v1.TolerationOpExists}},
		HostNetwork: true,
		HostPID:     true, // full process visibility on the node
		Containers:  []v1.Container{traceContainer},
	}

	return &v1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      randomTraceContainerName(),
			Namespace: debugPodNamespace,
			Labels:    labels,
		},
		Spec: spec,
	}
}
| 257 | |
| 258 | // randomTraceContainerName generates a unique name for the trace pod. |
| 259 | func randomTraceContainerName() string { |