Linux Controllers for Kubernetes

Overview

Tambourine

Kubelet replacement with built-in Linux extensions

Development

Success:

  • Install, Manage, and Observe a new systemd service from Kubernetes.
  • Can run in any namespace (however, the controllers must respect your choice)

Stories

Install:

spec:
  name: alice-zfs
  state: installed

kubectl apply -f tambourine.yaml

Manage:

spec:
  command: start/stop/restart/reload

Observe:

kubectl get tambourine

status:
    systemdName: NetworkManager.service - Network Manager
    loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset>
    drop-in: /usr/lib/systemd/system/NetworkManager.service.d
    active: active (running) since Fri 2021-03-05 13:38:11 PST; 1 day 21h ago
    docs: man:NetworkManager(8)
    pid: 514 (NetworkManager)
    tasks: 3 (limit: 77070)
    memory: 17.5M
    cgroup: /system.slice/NetworkManager.service
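As an added example (not code from the Tambourine repository), the following Go function parses constructed `systemctl status` output, mirroring the status block above, into the fields a controller would publish on the CR status; the `TambourineStatus` type and its field names are assumptions.

```go
package main

import (
	"strconv"
	"strings"
)

// SampleStatus is constructed `systemctl status` output mirroring the Observe
// story's status block; it was not captured from a real host.
const SampleStatus = `● NetworkManager.service - Network Manager
     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
    Drop-In: /usr/lib/systemd/system/NetworkManager.service.d
     Active: active (running) since Fri 2021-03-05 13:38:11 PST; 1 day 21h ago
       Docs: man:NetworkManager(8)
   Main PID: 514 (NetworkManager)
      Tasks: 3 (limit: 77070)
     Memory: 17.5M
     CGroup: /system.slice/NetworkManager.service
             └─514 /usr/sbin/NetworkManager --no-daemon
Mar 05 13:38:11 host NetworkManager[514]: <info> NetworkManager is starting...`

// TambourineStatus mirrors the status fields shown in the Observe story.
type TambourineStatus struct {
	SystemdName, Loaded, DropIn, Active, Docs, Tasks, Memory, CGroup string
	PID                                                               int
}

// ParseSystemctlStatus maps the `systemctl status <unit>` header onto the CR
// status; continuation and journal lines have no known "Key:" and are skipped.
func ParseSystemctlStatus(out string) TambourineStatus {
	var st TambourineStatus
	fields := map[string]*string{
		"Loaded": &st.Loaded, "Drop-In": &st.DropIn, "Active": &st.Active, "Docs": &st.Docs,
		"Tasks": &st.Tasks, "Memory": &st.Memory, "CGroup": &st.CGroup,
	}
	lines := strings.Split(out, "\n")
	// First line is "● <unit> - <description>"; systemd marks state with ●, ○ or ×.
	st.SystemdName = strings.TrimLeft(strings.TrimSpace(lines[0]), "●○× ")
	for _, line := range lines[1:] {
		key, val, ok := strings.Cut(strings.TrimSpace(line), ":")
		val = strings.TrimSpace(val)
		if dst, known := fields[key]; ok && known {
			*dst = val
		} else if f := strings.Fields(val); ok && key == "Main PID" && len(f) > 0 {
			st.PID, _ = strconv.Atoi(f[0]) // "514 (NetworkManager)": keep the number only
		}
	}
	return st
}
```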

Components of Tambourine

Examples of Tambourine CRs

  • CNI Toolchains
  • CRI
  • Storage Drivers
    • ZFS
  • Seccomp Configuration
  • AppArmor Configuration
  • Falco Driver
  • SELinux Configuration
  • IPTables Configuration
  • eBPF programs

Kubernetes Components

// These are the convenience components that will live
// in Kubernetes. These will only matter if/when the
// Tambourine service on the System is configured to
// respect these configurations.
  • Tambourine CRD
  • Tambourine Controller
    • One-way sync of Tambourine CRs -> Bombshell socket

Bombshell

Taken from io.proto

// The basic service that can be used for basic IO with tambourine.
//
// The bombshell service can be authenticated with TLS. However, by design
// bombshell will never perform authorization. The service, for lack of a
// better term, will be unintelligent and will accept whatever IO is sent
// to it.
  • gRPC (TLS) service with a Unix Domain Socket
    • basic IO to/from a persistent space (silo) on the host
  • read data from /proc/tambourine and serve it
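Because Bombshell accepts whatever IO it is sent, the controller that syncs CRs to the socket is where a spec has to be constrained before anything reaches the host. The Go validator below is an added example, not Tambourine's own code; the `TambourineSpec` type, the closed set of states and commands (only what the stories show), and the one-line silo record format are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// TambourineSpec mirrors the spec fields from the Install and Manage stories.
type TambourineSpec struct {
	Name    string // systemd unit to manage, e.g. "alice-zfs"
	State   string // "installed" is the only state the stories show
	Command string // start, stop, restart or reload
}

// unitName allows only the characters systemd accepts in a unit name (letters, digits,
// ':', '-', '_', '.', '@'); systemd's '\' escapes are rejected on purpose so a name can
// never smuggle whitespace, quotes, path separators or shell metacharacters to the host.
var unitName = regexp.MustCompile(`^[A-Za-z0-9:_.@-]{1,256}$`)
var allowedCommands = map[string]bool{"start": true, "stop": true, "restart": true, "reload": true}

// Validate is the gate the controller applies before a CR is synced to the Bombshell
// socket; Bombshell does no authorization, so every field is held to a closed vocabulary here.
func (s TambourineSpec) Validate() error {
	if !unitName.MatchString(s.Name) {
		return fmt.Errorf("spec.name %q is not a valid systemd unit name", s.Name)
	}
	if s.State != "" && s.State != "installed" {
		return fmt.Errorf("spec.state %q is not supported", s.State)
	}
	if s.Command != "" && !allowedCommands[s.Command] {
		return fmt.Errorf("spec.command %q is not one of start/stop/restart/reload", s.Command)
	}
	if s.State == "" && s.Command == "" {
		return fmt.Errorf("spec must set state or command")
	}
	return nil
}

// SiloRecord renders a validated spec as the "<unit> <verb>" line this example
// assumes the silo carries (the design above does not define the silo format).
func (s TambourineSpec) SiloRecord() (string, error) {
	if err := s.Validate(); err != nil {
		return "", err
	}
	verb := s.Command
	if verb == "" {
		verb = s.State
	}
	return s.Name + " " + verb, nil
}
```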

Tambourine

Linux service that is managed with `systemd` and is required to be installed on the host alongside the kubelet
    NOTE: Should this be a kubelet feature?
    Note: Should we have a kubelet and tambourine management operator?
  • Read from Silo
  • Write Linux status to /proc (by design tambourine will never write to Silo)
Owner
Kris Nóva