

hostNetworkPodForTrace creates a pod manifest for network tracing. The pod runs with host network and required capabilities for bpftrace.

(config TraceConfig, debugPodNamespace, nodeName string)


// hostNetworkPodForTrace builds the manifest for a single-use tracing pod
// that is pinned to nodeName and placed in debugPodNamespace.
//
// The pod shares the node's network and PID namespaces, keeps
// Privileged=false, drops every capability and re-adds only the set
// returned by TraceCapabilities(), and runs with seccomp and AppArmor
// unconfined. Each of those settings widens what the container can
// observe on the host, so the rest of the manifest stays minimal:
// RestartPolicy Never, no stdin/TTY, and a "sleep infinity" argument
// list that leaves the image entrypoint intact.
func hostNetworkPodForTrace(config TraceConfig, debugPodNamespace, nodeName string) *v1.Pod {
	name := randomTraceContainerName()

	// Labels identify the pod and record which node it was meant to trace.
	labels := map[string]string{
		"app":                         "retina-trace",
		"retina.sh/component":         "trace",
		"retina.sh/trace-target-node": nodeName,
	}

	// Capabilities are granted explicitly instead of via Privileged so the
	// container receives exactly what TraceCapabilities() lists and no more.
	secCtx := &v1.SecurityContext{
		Privileged: boolPtr(false),
		Capabilities: &v1.Capabilities{
			Drop: []v1.Capability{"ALL"},
			Add:  stringSliceToCapabilities(TraceCapabilities()),
		},
		// bpftrace needs both profiles unconfined (per shell.md documentation).
		SeccompProfile:  &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined},
		AppArmorProfile: &v1.AppArmorProfile{Type: v1.AppArmorProfileTypeUnconfined},
	}

	// Args rather than Command: the retina-shell image's entrypoint.sh must
	// still run, because it mounts debugfs/tracefs for bpftrace.
	traceContainer := v1.Container{
		Name:            "retina-trace",
		Image:           config.RetinaShellImage,
		Args:            []string{"sleep", "infinity"},
		Stdin:           false, // not interactive
		TTY:             false, // not interactive
		SecurityContext: secCtx,
	}

	return &v1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      name,
			Namespace: debugPodNamespace,
			Labels:    labels,
		},
		Spec: v1.PodSpec{
			NodeName:      nodeName,
			RestartPolicy: v1.RestartPolicyNever,
			// An Exists toleration with no key tolerates every taint, so the
			// pod can be scheduled onto the requested node regardless of taints.
			Tolerations: []v1.Toleration{{Operator: v1.TolerationOpExists}},
			HostNetwork: true,
			HostPID:     true, // full process visibility on the node
			Containers:  []v1.Container{traceContainer},
		},
	}
}
257
258// randomTraceContainerName generates a unique name for the trace pod.
259func randomTraceContainerName() string {
