├── .github
    └── CODEOWNERS
├── epsagon-role.yaml
└── epsagon_kubernetes_subscription.sh


/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # Each line is a file pattern followed by one or more owners.
2 | * @epsagon/the-fabulous-team
3 | 


--------------------------------------------------------------------------------
/epsagon-role.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Namespace
 3 | metadata:
 4 |   name: epsagon-monitoring
 5 |   labels:
 6 |     name: epsagon-monitoring
 7 | ---
 8 | apiVersion: v1
 9 | kind: ServiceAccount
10 | metadata:
11 |   name: epsagon-monitoring
12 |   namespace: epsagon-monitoring
13 | ---
14 | apiVersion: rbac.authorization.k8s.io/v1beta1
15 | kind: ClusterRole
16 | metadata:
17 |   name: epsagon-prometheus
18 | rules:
19 | - apiGroups: [""]
20 |   resources:
21 |   - nodes
22 |   - nodes/proxy
23 |   - services
24 |   - services/proxy
25 |   - endpoints
26 |   - pods
27 |   - pods/proxy
28 |   - pods/log
29 |   - namespaces
30 |   - configmaps
31 |   verbs: ["get", "list", "watch"]
32 | - apiGroups:
33 |   - extensions
34 |   resources:
35 |   - ingresses
36 |   verbs: ["get", "list", "watch"]
37 | - apiGroups: ["extensions", "apps"]
38 |   resources: ["deployments"]
39 |   verbs: ["get", "list", "watch"]
40 | - nonResourceURLs: ["/metrics"]
41 |   verbs: ["get"]
42 | ---
43 | apiVersion: rbac.authorization.k8s.io/v1beta1
44 | kind: ClusterRoleBinding
45 | metadata:
46 |   name: epsagon-prometheus
47 | roleRef:
48 |   apiGroup: rbac.authorization.k8s.io
49 |   kind: ClusterRole
50 |   name: epsagon-prometheus
51 | subjects:
52 | - kind: ServiceAccount
53 |   name: epsagon-monitoring
54 |   namespace: epsagon-monitoring
55 | 


--------------------------------------------------------------------------------
/epsagon_kubernetes_subscription.sh:
--------------------------------------------------------------------------------
  1 | #! /bin/bash
  2 | 
  3 | ## Script to attach Epsagon Role to kubernetes
  4 | 
  5 | function usage {
  6 |     echo "Usage: epsagon_kubernetes_subscription.sh EPSAGON_TOKEN"
  7 | }
  8 | 
  9 | ROLE_FILE=epsagon-role.yaml
 10 | ROLE_URL=https://raw.githubusercontent.com/epsagon/epsagon-k8s-role/master/epsagon-role.yaml
 11 | RANCHER_TOKEN=""
 12 | 
 13 | function track {
 14 |     EPSAGON_TOKEN=$1
 15 |     EVENT_NAME=$2
 16 |     EVENT_DATA=$3
 17 |     curl -s -X POST https://track.epsagon.com/production/record -d "{\"event_name\": \"$EVENT_NAME\", \"token\": \"$EPSAGON_TOKEN\", \"event_data\": $EVENT_DATA}" -H 'Content-Type: application/json' > /dev/null
 18 | }
 19 | 
 20 | function fetch_epsagon_role {
 21 |     echo "Fetching ${ROLE_FILE}"
 22 |     if [ -f $ROLE_FILE ] ; then
 23 |         echo "${ROLE_FILE} already exists - replacing it"
 24 |         rm -f $ROLE_FILE
 25 |     fi
 26 |     if [ `which wget` ] ; then
 27 |         wget $ROLE_URL
 28 |     else
 29 |         if [ `which curl` ] ; then
 30 |             curl $ROLE_URL -o ${ROLE_FILE}
 31 |         else
 32 |             if [ -s ${ROLE_FILE} ] ; then
 33 |                 echo "Could not get ${ROLE_FILE}"
 34 |                 echo "Please download the role from:"
 35 |                 echo $ROLE_URL
 36 |                 exit 1
 37 |             fi
 38 |         fi
 39 |     fi
 40 | }
 41 | 
 42 | function test_connection {
 43 |     SERVER=$1
 44 |     EPSAGON_TOKEN=$2
 45 |     ROLE_TOKEN=$3
 46 |     echo "Testing Epsagon connection to server ${SERVER}..."
 47 |     RESULT=`curl -X POST https://api.epsagon.com/containers/k8s/check_cluster_connection -d "{\"k8s_cluster_url\": \"$SERVER\", \"epsagon_token\": \"$EPSAGON_TOKEN\", \"cluster_token\": \"$ROLE_TOKEN\"}" -H 'Content-Type: application/json'`
 48 |     #Expected Response format:
 49 |     # {
 50 |     #   "connection_status": "successful" / "failed",
 51 |     #   "connection_failure_reason": "" # Optional, failure reason string, only relevant if "status"=="failed"
 52 |     # }
 53 |     CONNECTION_STATUS=`echo $RESULT | grep -o -E "\"connection_status\": \"[^\"]+\"" | awk -F\: '{print $2}'`
 54 |     CONNECTION_STATUS=`echo $CONNECTION_STATUS | xargs`
 55 |     if [ ! -z $CONNECTION_STATUS ]; then
 56 |         if [ "$CONNECTION_STATUS" == "successful" ]; then
 57 |             echo "Succesfully connected to server ${SERVER}"
 58 |             return 0
 59 |         else
 60 |             ERROR=`echo $RESULT | grep -o -E "\"connection_failure_reason\": \".+\"" | awk '{print $2}'`
 61 |             echo "Integration failed, see https://docs.epsagon.com/docs/environments-kubernetes. Error message: ${ERROR}"
 62 |             return 1
 63 |         fi
 64 |     else
 65 |         echo "Connection to Epsagon failed, please see: https://docs.epsagon.com/docs/environments-kubernetes"
 66 |         track $EPSAGON_TOKEN "K8s Integration Failed" "{\"K8s Cluster URL\": \"$SERVER\", \"Failure Reason\": \"Connection to Epsagon for connection check failed\"}"
 67 |         return 1
 68 |     fi
 69 | }
 70 | 
 71 | function send_to_epsagon {
 72 |     EPSAGON_TOKEN=$1
 73 |     ROLE_TOKEN=$2
 74 |     CONTEXT=$3
 75 |     if [ $# == 4 ]; then
 76 |         CONFIG=$4
 77 |         KUBECTL="kubectl config view --kubeconfig ${CONFIG}"
 78 |     else
 79 |         KUBECTL="kubectl config view"
 80 |     fi
 81 |     SERVER=`${KUBECTL} --context ${CONTEXT} | grep -B 3 -E "[[:space:]]$CONTEXT\>" | grep -E "\<server: " | awk '{print $2}' | head -1`
 82 |     if [ -z $SERVER ] ; then
 83 |         echo "Could not find the server endpoint for context: ${CONTEXT}."
 84 |         echo " Please type the server endpoint:"
 85 |         read SERVER
 86 |         track $EPSAGON_TOKEN "K8s Integration Server Auto Detect Failed" "{\"Context\": \"$CONTEXT\", \"Manually Entered Server URL\": \"$SERVER\"}"
 87 |     fi
 88 |     if [ `which curl` ] ; then
 89 |         if test_connection $SERVER $EPSAGON_TOKEN $ROLE_TOKEN; then
 90 |             echo "Integrating cluster into epsagon..."
 91 |             curl -X POST https://api.epsagon.com/containers/k8s/add_cluster_by_token -d "{\"k8s_cluster_url\": \"$SERVER\", \"epsagon_token\": \"$EPSAGON_TOKEN\", \"cluster_token\": \"$ROLE_TOKEN\"}" -H 'Content-Type: application/json'
 92 |             echo ""
 93 |         fi
 94 |     else
 95 |         echo "Could not find 'curl' command to send data to epsagon, please enter manually"
 96 |         echo "server=${SERVER}"
 97 | 
 98 |         echo ""
 99 |         echo "--------"
100 |         echo ""
101 |         echo "The token for the epsagon role is: "
102 |         echo ""
103 |         echo $ROLE_TOKEN
104 |         echo ""
105 |     fi
106 | }
107 | 
108 | function remove_mutation_controller {
109 |     if [ -d epsagon-mutation-controller ] ; then
110 |         rm -rf epsagon-mutation-controller
111 |     fi
112 | }
113 | 
114 | function clone_mutation_controller {
115 |     remove_mutation_controller
116 |     if [ `which git` ] ; then
117 |         git clone https://github.com/epsagon/epsagon-mutation-controller.git
118 |     fi
119 | }
120 | 
121 | 
122 | function apply_mutation_controller {
123 |     EPSAGON_TOKEN=$1
124 |     CONTEXT=$2
125 |     if [ -d epsagon-mutation-controller ] ; then
126 |         ORIGINAL_DIR=`pwd`
127 |         cd epsagon-mutation-controller/kubernetes
128 |         if [ $# == 3 ] ; then
129 |             CONFIG=$3
130 |             source ./deploy.sh --context $CONTEXT --kubeconfig $CONFIG --token $EPSAGON_TOKEN
131 |         else
132 |             source ./deploy.sh --context $CONTEXT --token $EPSAGON_TOKEN
133 |         fi
134 |         cd $ORIGINAL_DIR
135 |     fi
136 | }
137 | 
138 | function apply_role {
139 |     EPSAGON_TOKEN=$1
140 |     CONTEXT=$2
141 |     KUBECTL="kubectl --context ${CONTEXT}"
142 |     if [ ! -z $3 ] ; then
143 |         CONFIG=$3
144 |         KUBECTL="kubectl --context ${CONTEXT} --kubeconfig=${CONFIG}"
145 |     fi
146 |     echo "Applying ${ROLE_FILE} to ${CONTEXT}"
147 |     echo ""
148 |     ${KUBECTL} apply -f ${ROLE_FILE}
149 |     if [ ! -z $RANCHER_TOKEN ] ; then
150 |         send_to_epsagon $EPSAGON_TOKEN $RANCHER_TOKEN $CONTEXT $CONFIG
151 |     else
152 |         SA_SECRET_NAME=`${KUBECTL} -n epsagon-monitoring get secrets | grep 'epsagon-monitoring-token' | awk '{print $1}'`
153 |         if [ `which python` ] ; then
154 |             ROLE_TOKEN=`${KUBECTL} -n epsagon-monitoring get secrets $SA_SECRET_NAME -o json | python -c 'import sys, json; print(json.load(sys.stdin)["data"]["token"])' | base64 --decode`
155 |         else
156 |             ROLE_TOKEN=`${KUBECTL} -n epsagon-monitoring get secrets $SA_SECRET_NAME -o json | grep '\"token\"' | cut -d: -f2 | cut -d'"' -f2 | base64 --decode`
157 |         fi
158 | 
159 |         if [ -z $ROLE_TOKEN ]; then
160 |             echo "Deploying epsagon role to the cluster failed - could not extract role token"
161 |             track $EPSAGON_TOKEN "K8s Integration Failed" "{\"Context\": \"$CONTEXT\", \"Failure Reason\": \"could not extract role token\"}"
162 |         else
163 |             send_to_epsagon $EPSAGON_TOKEN $ROLE_TOKEN $CONTEXT $CONFIG
164 |         fi
165 |     fi
166 | 
167 | }
168 | 
169 | function does_config_file_exist {
170 |     if [ -f ~/.kube/config ]; then
171 |         return 0
172 |     fi
173 |     for i in `echo $KUBECONFIG | tr ':' '\n'`; do
174 |         if [ -f "$i" ]; then
175 |             return 0
176 |         fi
177 |     done
178 |     return 1
179 | }
180 | 
181 | function is_positive_answer {
182 |     answer=$1
183 |     if [ ${answer} == 'y' ] ; then
184 |         answer='Y'
185 |     fi
186 |     if [ ${answer} == 'Y' ] ; then
187 |         return 0;
188 |     fi
189 |     return 1;
190 | }
191 | 
192 | function apply_epsagon_on_all_contexts {
193 |     echo "          Welcome to Epsagon!"
194 |     echo "
195 |              ######               # ##  
196 |              ######              #####  
197 |            ############## #     ######  
198 |            ###################  ######  
199 |       #### ###########################  
200 |      ##### ###########################  
201 |  ### ################################## 
202 |  ####  ###     ##   ###################  
203 |  ###                 #################   
204 |                           ##########    
205 |                           ############  
206 |                              ###    ###"
207 | 
208 |     config_file_path=""
209 |     KUBECTL="kubectl"
210 |     if [ ! does_config_file_exist ] ; then
211 |         echo "Could not find any config file for kubectl"
212 |         echo "Please insert your kubectl config file path:"
213 |         read config_file_path
214 |         KUBECTL="${KUBECTL} --kubeconfig ${config_file_path}"
215 |     fi
216 |     
217 |     echo -n "Are you using Rancher Management System? [Y/N] "
218 |     read answer
219 |     is_positive_answer $answer
220 |     if [ $? -eq 0 ] ; then
221 |         echo "Please insert your Rancher API Key:"
222 |         read RANCHER_TOKEN
223 |         track $1 "K8s Integration With Rancher" "{\"Started\": \"True\"}"
224 |     fi
225 | 
226 |     echo "Available clusters:"
227 |     index=1
228 |     for context in `${KUBECTL} config get-contexts --no-headers | awk {'gsub(/^\*/, ""); print $1'}`; do
229 |         echo "${index}. $context"
230 |         ((index = index + 1))
231 |     done
232 | 
233 |     echo ""
234 |     echo "Choose clusters to integrate. Use spaces for multiple clusters, e.g: 1 2 3..."
235 |     read -a choices
236 | 
237 |     index=1
238 |     for context in `${KUBECTL} config get-contexts --no-headers | awk {'gsub(/^\*/, ""); print $1'}`; do
239 |         if [[ " ${choices[@]} " =~ " ${index} " ]]; then
240 |             echo ""
241 |             echo "Now installing Epsagon to: $context"
242 |             apply_role $1 $context $config_file_path
243 |         fi
244 |         ((index = index + 1))
245 |     done
246 | }
247 | 
248 | 
249 | track $1 "K8s Integration Started" "{\"Started\": \"True\"}"
250 | if [ $# -ne 1 ] ; then
251 |     usage
252 | else
253 |     fetch_epsagon_role
254 |     apply_epsagon_on_all_contexts $1
255 | fi
256 | 


--------------------------------------------------------------------------------