Whisperers as sidecars
Whisperers may be included in Kubernetes Pods as sidecars.
As sidecars, they share the same network namespace as the container(s) being observed.
This pattern is well suited to keeping long-lived whisperers attached to gateways in your application infrastructure.
Setup
There are many ways to define Kubernetes workload manifests (command line, Helm charts, ...).
We'll focus here on the final manifest. Please adapt it to your own Kubernetes infrastructure-as-code setup.
- The configuration is given as a Kubernetes Secret.
Kubernetes DNS does not list Pod IPs, only Services.
Spider offers a way to get Pod IPs resolved by the Whisperer:
- Provide the Whisperer configuration to a Spider Controller deployed in the cluster.
- The latter has all required permissions and acts as a DNS proxy.
This name resolution is optional.
Kubernetes manifest
```yaml
---
# Define the configuration as a secret
apiVersion: v1
kind: Secret
metadata:
  name: whisperer-config-secret
stringData: # copy here the whisperer configuration generated by the UI
  CONFIG: |
    {
      "whisperer": "123afg546",
      "spiderConfigURI": "...",
      "privatePem": "..."
    }
---
# Add the whisperer as a sidecar container in the deployment
apiVersion: apps/v1
kind: Deployment
# ...
spec:
  selector:
    # ...
  template:
    spec:
      containers:
        - name: my-container
          # ...
        - name: my-container-whisperer
          # The Gossiper image replaced the original Whisperer image in Sept. 2024
          image: registry.gitlab.com/spider-analyzer/public-images/gossiper
          resources:
            # Requests are very low
            requests:
              cpu: 10m
              memory: 30Mi
            limits:
              cpu: 1000m
              memory: 500Mi
          env:
            - name: WHISPERER
              value: 123afg546
            - name: CONTAINER_NAME
              value: my-container-whisperer
            - name: DNSCACHE_HOST # must be the FQDN or IP of the Controller
              value: spider-controller.spider-controller-namespace.svc.cluster.local
            - name: DNSCACHE_PORT
              value: '53'
          envFrom:
            - secretRef:
                name: whisperer-config-secret
```
Whisperer options
Options are set through environment variables.
The new Gossiper client does not support all options, as some features have been deprecated.
Name (*: mandatory) | Description | Default |
---|---|---|
CONFIG * | JSON configuration value for the Whisperer. May also be mounted as `./whisperer-config.json` in the container. | |
WHISPERER | Whisperer id. Tells which Whisperer is used by this sidecar. It is also present in the configuration, but is required for the Whisperer to be identified by the Controller. This also enables TLS secrets capture for this Whisperer. | |
LOG_LEVEL | Defines the log level. May be FATAL, ERROR, WARN, INFO, DEBUG or TRACE. | INFO |
HOSTNAME or PARENT_HOSTNAME | Sent back to the server in the hostname field of the status. Used for proper identification in the UI. | |
INSTANCE_ID | Used to differentiate replicas of the same Whisperer. Must be unique per Whisperer. | os.hostname() |
CONTAINER_NAME | Sent back to the server in the containerName field of the status. Used for proper identification in the UI. | |
DNSCACHE_HOST | Used to force a DNS server, even for connecting to the Spider server. Specifies its hostname or IP. | |
DNSCACHE_PORT | Used to force a DNS server, even for connecting to the Spider server. Specifies its port. | 53 |
CAPTURE_OWN_COMS | If set, whatever the value, the Whisperer will also capture its own communications to Spider. DANGEROUS! | |
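As an added example (not the Gossiper client's own loader), the following hypothetical helper resolves the options above from an environment mapping, applies the table's defaults, and reports findings a reviewer would want before deploying the sidecar: a WHISPERER id that disagrees with the one in CONFIG, missing CONFIG fields, an unknown LOG_LEVEL, an invalid DNSCACHE_PORT, and a set CAPTURE_OWN_COMS. The sample environment is constructed from the manifest above; its ids and URIs are placeholders.

```python
import json
import socket

# Allowed log levels and defaults are those listed in the options table above.
LOG_LEVELS = ("FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE")


def resolve_whisperer_options(env):
    """Return (options, findings) for an env-var mapping; hypothetical, not the Gossiper loader."""
    findings, config = [], {}
    if "CONFIG" not in env:
        findings.append("CONFIG missing (env var or mounted ./whisperer-config.json)")
    else:
        try:
            config = json.loads(env["CONFIG"])
        except ValueError as exc:
            findings.append(f"CONFIG is not valid JSON: {exc}")
    for key in ("whisperer", "spiderConfigURI", "privatePem"):
        if not config.get(key):
            findings.append(f"CONFIG lacks '{key}'")
    # The Controller identifies the sidecar by WHISPERER; it must match the id in CONFIG.
    env_id, cfg_id = env.get("WHISPERER"), config.get("whisperer")
    if env_id and cfg_id and env_id != cfg_id:
        findings.append(f"WHISPERER {env_id!r} differs from CONFIG.whisperer {cfg_id!r}")
    log_level = env.get("LOG_LEVEL", "INFO").upper()
    if log_level not in LOG_LEVELS:
        findings.append(f"unknown LOG_LEVEL {log_level!r}, falling back to INFO")
        log_level = "INFO"
    port = env.get("DNSCACHE_PORT", "53")
    if not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"DNSCACHE_PORT {port!r} is not a valid port, using 53")
        port = "53"
    # Any value, even an empty string, enables the option the table marks DANGEROUS.
    if "CAPTURE_OWN_COMS" in env:
        findings.append("CAPTURE_OWN_COMS set: the sidecar will capture its own traffic to Spider")
    options = {
        "whisperer": env_id or cfg_id,
        "log_level": log_level,
        "hostname": env.get("HOSTNAME") or env.get("PARENT_HOSTNAME"),
        "instance_id": env.get("INSTANCE_ID") or socket.gethostname(),
        "container_name": env.get("CONTAINER_NAME"),
        "dns": (env.get("DNSCACHE_HOST"), int(port)),
        "capture_own_coms": "CAPTURE_OWN_COMS" in env,
    }
    return options, findings

# Constructed sample mirroring the manifest above; ids and URIs are placeholders.
SAMPLE_ENV = {"WHISPERER": "123afg546", "CONTAINER_NAME": "my-container-whisperer",
              "DNSCACHE_HOST": "spider-controller.spider-controller-namespace.svc.cluster.local",
              "DNSCACHE_PORT": "53",
              "CONFIG": '{"whisperer": "123afg546", "spiderConfigURI": "...", "privatePem": "..."}'}
```

Run it against `os.environ` inside the sidecar image, or against the env block of a rendered manifest, to catch a mismatched id or a stray CAPTURE_OWN_COMS before the Pod is admitted.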