undistro / zora

Zora is an open source solution that helps you achieve compliance with Kubernetes best practices recommended by industry-leading frameworks. By scanning your cluster with multiple plugins, Zora identifies potential issues, misconfigurations, and vulnerabilities.
https://getup.io/opensource/zora-oss
Apache License 2.0

Support for arm images #200

Closed wsilva closed 1 year ago

wsilva commented 1 year ago

Feature Description

Ability to run in ARM architecture clusters like Raspberry Pi computers or AWS Graviton instances

Is your feature request related to a problem?

Yeap, I cannot run the zora operator in an arm cluster.

What alternatives have you considered?

Not sure if it's too complicated to compile the container entrypoint command and build the container image for multiple architectures.

Additional Context

I have a "cluster" with 4 Raspberry Pi 3B and 2 Raspberry Pi Zero W. We can disregard the Zero W models because they have the armv6l architecture, which is not supported by Kubernetes or even Docker; I struggled to put them in a running cluster. But the 3B are running fine with a k3s cluster:

```
$ k get node -o wide
NAME   STATUS   ROLES                  AGE    VERSION        INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                         KERNEL-VERSION   CONTAINER-RUNTIME
pi4    Ready    <none>                 93m    v1.25.6+k3s1   10.0.0.74     <none>        Debian GNU/Linux 11 (bullseye)   5.15.84-v8+      containerd://1.6.15-k3s1
pi1    Ready    control-plane,master   110m   v1.25.6+k3s1   10.0.0.71     <none>        Debian GNU/Linux 11 (bullseye)   5.15.84-v8+      containerd://1.6.15-k3s1
pi3    Ready    <none>                 99m    v1.25.6+k3s1   10.0.0.73     <none>        Debian GNU/Linux 11 (bullseye)   5.15.84-v8+      containerd://1.6.15-k3s1
pi2    Ready    <none>                 101m   v1.25.6+k3s1   10.0.0.72     <none>        Debian GNU/Linux 11 (bullseye)   5.15.84-v8+      containerd://1.6.15-k3s1
```

I can even install with the following command:

```
$ helm upgrade --install zora undistro/zora --set saas.workspaceID='my-suppressed-id' -n zora-system --create-namespace --wait
```

But the operator is not able to run:

```
$ k -n zora-system get pod -o wide
NAME                             READY   STATUS             RESTARTS        AGE   IP          NODE   NOMINATED NODE   READINESS GATES
zora-operator-858f7c4959-6xdz6   1/2     CrashLoopBackOff   9 (2m29s ago)   23m   10.42.3.4   pi4    <none>           <none>
```

The rbac proxy container is ok:

```
$ k -n zora-system logs -f zora-operator-858f7c4959-6xdz6 -c kube-rbac-proxy
I0307 16:00:16.487611       1 main.go:190] Valid token audiences:
I0307 16:00:16.488076       1 main.go:262] Generating self signed cert as no cert is provided
I0307 16:00:23.703087       1 main.go:311] Starting TCP socket on 0.0.0.0:8443
I0307 16:00:23.704538       1 main.go:318] Listening securely on 0.0.0.0:8443
```

But the manager throws the following:

```
$ k -n zora-system logs -f zora-operator-858f7c4959-6xdz6 -c manager
exec /manager: exec format error
```

matheusfm commented 1 year ago

Hi @wsilva Thank you for reporting this issue.

Your suggestion makes sense.

We can build a multi-platform docker image by using docker buildx. The kube-rbac-proxy container works because its image is already multi-platform.

Could you try to use the multi-platform images that I built in this draft, please?

Just add the following parameters in the helm upgrade --install command:

```
--set operator.image.tag="feat-multi-platform-support" \
--set worker.image.tag="feat-multi-platform-support" \
--set scan.plugins.popeye.image.tag="v0.11.1-cross"
```

Below is the difference between the docker manifest inspect command output for both images.

```
docker manifest inspect ghcr.io/undistro/zora/operator:v0.4.4
```

```json
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1727,
    "digest": "sha256:334702e4278923e5d4c547b6a53154fe564904430b9eacd0d574c5606ae7a9e2"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 795825,
      "digest": "sha256:fc251a6e798157dc3b46fd265da72f39cd848e3f9f4a0b28587d1713b878deb9"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 20953202,
      "digest": "sha256:dcf23b580ff00402205ffd934a2166ad91bdd122ba4d2dcb51fc90871f655f22"
    }
  ]
}
```

```
docker manifest inspect ghcr.io/undistro/zora/operator:feat-multi-platform-support
```

```json
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "manifests": [
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 701,
      "digest": "sha256:036dc83a4dc29a433817cdf21133ede07fd3afe16ec96ae8b69a4ab4f54600a2",
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 701,
      "digest": "sha256:e18cc4c0e4c0f3dbf39a0d0e9798f3fc0bfacb0fc12efd69fccbd5aaba700b8c",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 701,
      "digest": "sha256:3480a866dd4e2f13638fe35eda3026056d7b5b311404f654b4c6ce4e1354fd06",
      "platform": {
        "architecture": "s390x",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 701,
      "digest": "sha256:011baa4a601409ceb3131314a149904179966ff92e6bd780d5bc51453a8da70e",
      "platform": {
        "architecture": "ppc64le",
        "os": "linux"
      }
    }
  ]
}
```
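As an added example (not part of this issue or of Zora's own code), the check below takes the kind of `docker manifest inspect` JSON compared above together with `kubectl get nodes -o json` output and reports which node platforms have no matching image variant, which is exactly the mismatch behind the `exec format error`. The inputs are constructed samples; a single-image manifest like the `v0.4.4` one is reported as undecidable, because its platform is only recorded in the config blob, not in the manifest itself.

```python
# Added example (not Zora's own code): decide from `docker manifest inspect`
# output whether an image has a variant for every node architecture in
# `kubectl get nodes -o json`. A plain (non-list) manifest carries no
# platform field, so it is reported as 'unknown', not assumed to be amd64.
import json

MANIFEST_LIST_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}


def image_platforms(manifest_json):
    """Set of 'os/arch' a manifest list declares; None for a single manifest."""
    m = json.loads(manifest_json)
    if m.get("mediaType") not in MANIFEST_LIST_TYPES:
        return None
    return {e["platform"]["os"] + "/" + e["platform"]["architecture"]
            for e in m.get("manifests", []) if "platform" in e}


def node_platforms(nodes_json):
    """Set of 'os/arch' for every node, from `kubectl get nodes -o json`."""
    info = (n["status"]["nodeInfo"] for n in json.loads(nodes_json)["items"])
    return {i["operatingSystem"] + "/" + i["architecture"] for i in info}


def unsupported_nodes(manifest_json, nodes_json):
    """Node platforms the image cannot run on ('unknown' if undecidable)."""
    have = image_platforms(manifest_json)
    if have is None:
        return {"unknown"}  # check the config blob's os/architecture first
    return node_platforms(nodes_json) - have


# Constructed sample inputs (trimmed to the fields the check reads).
SAMPLE_LIST = json.dumps({"schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [{"platform": {"architecture": "amd64", "os": "linux"}},
                  {"platform": {"architecture": "arm64", "os": "linux"}}]})
SAMPLE_SINGLE = json.dumps({"schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": "sha256:PLACEHOLDER"}, "layers": []})
SAMPLE_NODES = json.dumps({"items": [
    {"status": {"nodeInfo": {"operatingSystem": "linux", "architecture": "arm64"}}},
    {"status": {"nodeInfo": {"operatingSystem": "linux", "architecture": "arm"}}}]})
```

Running `unsupported_nodes(SAMPLE_LIST, SAMPLE_NODES)` flags the 32-bit `linux/arm` node, while the single-image manifest yields `{'unknown'}` and needs the config blob inspected before the image is trusted on an ARM node.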
wsilva commented 1 year ago

Wow, thanks. 🙇

You were faster than me. I also made the following PR: https://github.com/undistro/zora/pull/202 but I will close mine since yours is way more complete.

Will make some tests tomorrow and let you know.

matheusfm commented 1 year ago

Oh @wsilva I didn't know you were working on it.

Feel free to reopen your PR and we can work on it. Your contributions are welcome!