Steadybit extension-container
This Steadybit extension provides a host discovery and the various actions for container
targets.
Learn about the capabilities of this extension in
our Reliability Hub.
Configuration
Environment Variable |
Helm value |
Meaning |
Required |
Default |
STEADYBIT_EXTENSION_CONTAINER_RUNTIME |
container.runtime |
The container runtime to user either docker , containerd or cri-o . Will be automatically configured if not specified. |
yes |
(auto) |
STEADYBIT_EXTENSION_CONTAINER_SOCKET |
containerRuntimes.(docker/containerd/cri-o).socket |
The socket used to connect to the container runtime. Will be automatically configured if not specified. |
yes |
(auto) |
STEADYBIT_EXTENSION_CONTAINERD_NAMESPACE |
|
The containerd namespace to use. |
yes |
k8s.io |
STEADYBIT_EXTENSION_RUNC_ROOT |
containerRuntimes.(docker/containerd/cri-o).runcRoot |
The runc root to use. |
yes |
(auto) |
STEADYBIT_EXTENSION_RUNC_DEBUG |
|
Activate debug mode for runc. |
yes |
k8s.io |
STEADYBIT_EXTENSION_RUNC_ROOTLESS |
|
Set value for runc --rootless parameter |
yes |
k8s.io |
STEADYBIT_EXTENSION_RUNC_SYSTEMD_CGROUP |
|
Set value for runc --systemd-cgroup parameter |
yes |
k8s.io |
STEADYBIT_EXTENSION_DISCOVERY_CALL_INTERVAL |
|
Interval for container discovery |
false |
30s |
STEADYBIT_EXTENSION_DISABLE_DISCOVERY_EXCLUDES |
discovery.disableExcludes |
Ignore discovery excludes specified by steadybit.com/discovery-disabled |
false |
false |
STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES |
discovery.attributes.excludes |
List of Target Attributes which will be excluded during discovery. Checked by key equality and supporting trailing "*" |
false |
|
The extension supports all environment variables provided
by steadybit/extension-kit.
Needed capabilities
The capabilities needed by this extension are: (which are provided by the helm chart)
- SYS_ADMIN
- SYS_CHROOT
- SYS_RESOURCE
- SYS_PTRACE
- KILL
- NET_ADMIN
- DAC_OVERRIDE
- SETUID
- SETGID
- AUDIT_WRITE
Installation
Using Helm in Kubernetes
helm repo add steadybit-extension-container https://steadybit.github.io/extension-container
helm repo update
helm upgrade steadybit-extension-container \
--install \
--wait \
--timeout 5m0s \
--create-namespace \
--namespace steadybit-extension \
--set container.runtime=docker \
steadybit-extension-container/steadybit-extension-container
Using Docker
This extension is by default deployed using
our outpost.sh docker compose script.
Or you can run it manually:
docker run \
--rm \
-p 8086 \
--privileged \
--pid=host \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /run/docker/runtime-runc/moby:/run/docker/runtime-runc/moby\
-v /sys/fs/cgroup:/sys/fs/cgroup\
--name steadybit-extension-container \
ghcr.io/steadybit/extension-container:latest
Linux Package
Please use our outpost-linux.sh script to install the
extension on your Linux machine.
The script will download the latest version of the extension and install it using the package manager.
Register the extension
Make sure to register the extension at the steadybit platform. Please refer to
the documentation for more
information.
Anatomy of the extension / Security
We try to limit the needed access needed for the extension to the absolute minimum. So the extension itself can run as a
non-root user on a read-only root file-system and will by default if deployed using the provided helm-chart.
In order do execute certain actions the extension needs certain capabilities.
discovery / state attacks
For discovery and executing state attacks such as stop or pause container the extension needs access to the container
runtime socket.
resource and network attacks
Resource attacks starting stress-ng processes, the network attacks are starting ip or tc processes as runc container
reusing the target container's linux namespace(s), control group(s) and user.
This requires the following capabilities: SYS_CHROOT, SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, KILL, NET_ADMIN, DAC_OVERRIDE, SETUID,
SETGID, AUDIT_WRITE.
The needed binaries are included in the extension container image.
mark resources as "do not discover"
to exclude container from discovery you can add the label LABEL "steadybit.com.discovery-disabled"="true"
to the container Dockerfile.