๐ฆ Helm Chart
This document describes how to deploy Jibril to Kubernetes using the Garnet Helm chart. ๐ช๐
โ ๏ธ This manual is outdated (currently using v2.6.10). It will be updated soon.
๐ญ Overviewโ
The Garnet Helm chart supports two deployment modes:
- Garnet Mode ๐ก๏ธ โ Full integration with Garnet API for policy management and security monitoring
- Standalone Mode ๐๏ธ โ Deploy Jibril without Garnet API dependencies
๐ Prerequisitesโ
โธ๏ธ Kubernetesโ
- Version: 1.16+
- Recommended: 1.25+
- ๐ข Cluster access configured
โ Helmโ
- Version: 3.0+
- ๐ ๏ธ Helm CLI installed
- ๐ฆ Repository access
๐ ๏ธ Installationโ
๐๏ธ Jibril Standalone Modeโ
The standalone mode allows you to deploy Jibril without requiring a Garnet API token or connection. This is useful for:
- ๐งช Testing and evaluation
- ๐งฉ Custom integrations
- ๐ง Specialized environments
๐ Basic Standalone Installationโ
# From Helm repository
helm repo add garnet https://helm.garnet.ai
helm repo update
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true
# From local sources
helm install jibril ./helm/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true
๐ง Standalone with Specific Versionโ
For compatibility with older kernels, you can specify a particular Jibril version:
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
--set standalone.jibrilVersion=v2.6.10
๐ Garnet Mode (Full Integration)โ
Deploy with full Garnet API integration for centralized policy management:
helm install garnet garnet/garnet \
--namespace security \
--create-namespace \
--set garnet.token=YOUR_GARNET_API_TOKEN
โ๏ธ Configurationโ
๐ Key Configuration Parametersโ
| Parameter | Description | Default |
|---|---|---|
standalone.enabled | Enable standalone mode (no Garnet API) | false |
standalone.jibrilVersion | Override Jibril version in standalone mode | "" |
garnet.url | Garnet API URL | https://api.garnet.ai |
garnet.token | Your Garnet API token (required in standard mode) | "" |
cluster.name | Name of the cluster | garnet-cluster |
jibril.image.repository | Repository for Jibril image | garnetlabs/jibril |
jibril.image.tag | Tag for Jibril image | v2.6 |
๐ ๏ธ Custom Jibril Configurationโ
You can provide a custom Jibril configuration file:
# Create a custom config file (e.g., jibril-config.yaml)
cat > jibril-config.yaml <<EOF
#### Standalone Config File.
run-time:
log-level: debug
profiler: true
health: true
cardinal: true
stdout: stdout
stderr: stderr
#### Cadences.
cadences:
file-access: 9
network-peers: 9
network-flows: 9
env-vars: 9
#### Caches.
caches:
rec-tasks: 32
tasks: 64
cmds: 32
args: 32
files: 32
dirs: 8
bases: 16
task-file: 512
file-task: 512
task-ref: 512
flows: 128
task-flow: 128
flow-task: 128
flow-ref: 128
#### Old Config.
# This is the old config file being used for backward compatibility.
# It will be removed in the future.
config:
extension:
- config
- data
- jibril
plugin:
- jibril:hold
- jibril:procfs
- jibril:printers
- jibril:detect
printer:
- jibril:printers:varlog
event:
# Add your custom events here
EOF
# ๐ Deploy with custom config
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
--set jibrilConfig.customConfig=true \
--set-file jibrilConfig.configYaml=./jibril-config.yaml
๐ฟ Environment Variablesโ
The chart supports two methods for setting environment variables:
๐งฉ Method 1: Simple Variables (via --set)โ
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
--set jibril.env.LOG_LEVEL=debug \
--set jibril.env.CUSTOM_VAR=myvalue
๐๏ธ Method 2: Complex Variables (with valueFrom)โ
Create a values file:
jibril:
customEnv:
- name: MY_SECRET_VAR
valueFrom:
secretKeyRef:
name: my-secret
key: secret-key
- name: MY_CONFIGMAP_VAR
valueFrom:
configMapKeyRef:
name: my-configmap
key: config-key
Then deploy:
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
-f custom-env-values.yaml
๐ก Fluent Bit Integrationโ
The Garnet Helm chart includes optional Fluent Bit integration for collecting and forwarding Jibril logs to various destinations. ๐ฅโก๏ธ๐ญ
๐ฅ Enabling Fluent Bitโ
Fluent Bit runs as a DaemonSet to collect logs from all Jibril pods:
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
--set fluent-bit.enabled=true
โก Basic Fluent Bit Configurationโ
By default, Fluent Bit will:
- ๐ Collect logs from
/var/log/containers/jibril-*.log - ๐ Parse JSON-formatted logs from Jibril
- ๐งโ๐ป Output to stdout for debugging
๐ฏ Configuring OpenSearch Outputโ
To send Jibril logs to OpenSearch/Elasticsearch, you need to provide a custom outputs configuration. The Fluent Bit subchart requires static configuration for outputs.
โ๏ธ Basic OpenSearch Configurationโ
Create a custom values file fluent-bit-opensearch-values.yaml:
fluent-bit:
enabled: true
config:
outputs: |
[OUTPUT]
Name stdout
Match *
Format json
json_date_key timestamp
json_date_format iso8601
[OUTPUT]
Name opensearch
Match *
Host opensearch.example.com
Port 9200
Index jibril
Logstash_Format On
Logstash_Prefix jibril
Retry_Limit False
Then deploy:
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
-f fluent-bit-opensearch-values.yaml
๐ OpenSearch with Authenticationโ
Create a custom values file with authentication:
fluent-bit:
enabled: true
config:
outputs: |
[OUTPUT]
Name stdout
Match *
Format json
json_date_key timestamp
json_date_format iso8601
[OUTPUT]
Name opensearch
Match *
Host opensearch.example.com
Port 9200
Index jibril
Logstash_Format On
Logstash_Prefix jibril
HTTP_User admin
HTTP_Passwd mypassword
tls On
tls.verify On
Retry_Limit False
๐ฆ AWS OpenSearch Serviceโ
For AWS OpenSearch Service (formerly Elasticsearch Service), create a custom values file:
fluent-bit:
enabled: true
config:
outputs: |
[OUTPUT]
Name stdout
Match *
Format json
json_date_key timestamp
json_date_format iso8601
[OUTPUT]
Name opensearch
Match *
Host my-domain.us-east-1.es.amazonaws.com
Port 443
Index jibril
Logstash_Format On
Logstash_Prefix jibril-logs
Logstash_DateFormat %Y.%m.%d
AWS_Auth On
AWS_Region us-east-1
AWS_Service_Name es
tls On
tls.verify On
Compress gzip
Retry_Limit False
With IAM role for service account (IRSA) on EKS, add the role ARN:
fluent-bit:
enabled: true
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/fluent-bit-opensearch-role
config:
outputs: |
[OUTPUT]
Name stdout
Match *
Format json
json_date_key timestamp
json_date_format iso8601
[OUTPUT]
Name opensearch
Match *
Host my-domain.us-west-2.es.amazonaws.com
Port 443
Index jibril
Logstash_Format On
Logstash_Prefix jibril-logs
AWS_Auth On
AWS_Region us-west-2
AWS_Service_Name es
AWS_Role_ARN arn:aws:iam::123456789012:role/fluent-bit-opensearch-role
tls On
tls.verify On
Compress gzip
Retry_Limit False
โ๏ธ Fluent Bit Configuration Optionsโ
Since Fluent Bit outputs require static configuration, you'll need to configure OpenSearch parameters directly in the outputs section of your values file. Here are the key OpenSearch output parameters:
| Parameter | Description | Example |
|---|---|---|
Host | OpenSearch host | opensearch.example.com |
Port | OpenSearch port | 9200 or 443 for HTTPS |
Index | Index name (if not using logstash format) | jibril |
Logstash_Format | Use daily indices | On |
Logstash_Prefix | Prefix for daily indices | jibril |
Logstash_DateFormat | Date format for indices | %Y.%m.%d |
HTTP_User | Basic auth username | admin |
HTTP_Passwd | Basic auth password | password |
tls | Enable TLS | On or Off |
tls.verify | Verify TLS certificates | On or Off |
AWS_Auth | Enable AWS authentication | On or Off |
AWS_Region | AWS region | us-east-1 |
AWS_Service_Name | AWS service name | es |
Compress | Enable compression | gzip |
๐ฏ Advanced Fluent Bit Examplesโ
๐พ Custom Index Pattern with Authenticationโ
Create a values file with custom index pattern:
fluent-bit:
enabled: true
config:
outputs: |
[OUTPUT]
Name stdout
Match *
Format json
json_date_key timestamp
json_date_format iso8601
[OUTPUT]
Name opensearch
Match *
Host opensearch.example.com
Port 9200
Logstash_Format On
Logstash_Prefix security-jibril
Logstash_DateFormat %Y.%m
Time_Key @timestamp
Include_Tag_Key On
Tag_Key k8s_tag
HTTP_User fluentbit
HTTP_Passwd secretpassword
Replace_Dots On
Suppress_Type_Name On
Retry_Limit False
๐ Complete Production Setupโ
Create a values file for production:
# production-values.yaml
standalone:
enabled: true
fluent-bit:
enabled: true
image:
tag: 4.0.4
resources:
limits:
memory: 256Mi
cpu: 500m
requests:
memory: 128Mi
cpu: 200m
opensearch:
enabled: true
host: opensearch-cluster.elastic.svc.cluster.local
port: 9200
logstashFormat: true
logstashPrefix: prod-jibril
logstashDateFormat: "%Y.%m.%d"
httpUser: fluent
httpPasswd: ${OPENSEARCH_PASSWORD}
tls: On
tlsVerify: On
compress: gzip
bufferSize: "8MB"
includeTagKey: true
tagKey: "@log_tag"
replaceDots: On
suppressTypeName: On
Deploy with:
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
-f production-values.yaml
Note: โ ๏ธ Since the outputs configuration is static, sensitive values like passwords should be handled securely:
- Use Kubernetes secrets and mount them as environment variables ๐
- Use a secure values file that's not committed to version control ๐๏ธ
- Consider using tools like Helm Secrets or Sealed Secrets for production deployments ๐ก๏ธ
๐ Verifying Fluent Bitโ
Check Fluent Bit status:
# Check Fluent Bit pods
kubectl get pods -n security -l app.kubernetes.io/name=fluent-bit
# View Fluent Bit logs
kubectl logs -n security -l app.kubernetes.io/name=fluent-bit -f
# Check if logs are being collected
kubectl logs -n security -l app.kubernetes.io/name=fluent-bit | grep -i "jibril"
๐ ๏ธ Troubleshooting Fluent Bitโ
-
Fluent Bit pods not starting:
kubectl describe pod -n security <fluent-bit-pod-name> -
Logs not appearing in OpenSearch:
- ๐ง Check Fluent Bit logs for errors
- ๐ Verify network connectivity to OpenSearch
- ๐ Check authentication credentials
- ๐๏ธ Ensure proper index permissions in OpenSearch
-
High memory usage:
- ๐ Reduce
mem_buf_limitin configuration - ๐ฌ Adjust
buffer_chunk_sizeandbuffer_max_size
- ๐ Reduce
๐ก๏ธ Network Policy Supportโ
The chart supports deploying Jibril with custom network policies for enhanced security. ๐
๐ฆ Enabling Network Policyโ
- Create a network policy file:
# netpolicy.yaml
version: v1
policies:
- name: block-malicious
rules:
- action: drop
domains:
- malicious.com
- badsite.org
ips:
- 10.0.0.1
- 192.168.1.100
- Deploy with network policy:
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
--set networkPolicyConfig.enabled=true \
--set-file networkPolicyConfig.policyYaml=./netpolicy.yaml
- Update the network policy:
# Modify your netpolicy.yaml file, then:
helm upgrade jibril garnet/garnet \
--namespace security \
--set standalone.enabled=true \
--set networkPolicyConfig.enabled=true \
--set-file networkPolicyConfig.policyYaml=./netpolicy.yaml
๐ The pods will automatically restart to apply the new policy.
๐ Network Policy Configuration Requirementsโ
When using network policy, ensure your Jibril configuration includes:
plugin:
- jibril:netpolicy:file=/var/run/secrets/jibril/network-policy.yaml
event:
- jibril:netpolicy:dropip
- jibril:netpolicy:dropdomain
๐๏ธ Advanced Examplesโ
๐๏ธ Complete Standalone Deploymentโ
Deploy Jibril with custom configuration, network policy, and environment variables:
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
--set standalone.jibrilVersion=v2.6 \
--set jibrilConfig.customConfig=true \
--set-file jibrilConfig.configYaml=./jibril-config.yaml \
--set networkPolicyConfig.enabled=true \
--set-file networkPolicyConfig.policyYaml=./netpolicy.yaml \
--set jibril.env.AI_URL="https://api.example.com" \
--set jibril.env.AI_TOKEN="your-token-here"
๐ท๏ธ Custom Registry and Image Pull Secretsโ
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
--set image.registry=my-registry.example.com/ \
--set image.pullSecrets[0]=my-registry-secret
๐ Resource Customizationโ
helm install jibril garnet/garnet \
--namespace security \
--create-namespace \
--set standalone.enabled=true \
--set jibril.resources.requests.memory=512Mi \
--set jibril.resources.requests.cpu=200m \
--set jibril.resources.limits.memory=1Gi \
--set jibril.resources.limits.cpu=500m
โ Verifying the Deploymentโ
After installation, verify that Jibril is running:
# Check pods
kubectl get pods -n security
# Check logs
kubectl logs -n security daemonset/jibril-jibril
# Run helm tests
helm test jibril -n security
๐ฉน Troubleshootingโ
Common Issuesโ
- Pods not starting: ๐ต๏ธ Check logs for missing configuration or permissions
- Network policy not working: ๐งฉ Ensure the netpolicy plugin is enabled in Jibril config
- High CPU usage: ๐งฎ Consider adjusting the profiler settings or event filters
๐งฐ Debug Commandsโ
# Get detailed pod information
kubectl describe pod -n security -l app.kubernetes.io/name=jibril
# Check configuration
kubectl exec -n security daemonset/jibril-jibril -- cat /etc/jibril/config.yaml
# Check network policy (if enabled)
kubectl exec -n security daemonset/jibril-jibril -- cat /var/run/secrets/jibril/network-policy.yaml
๐๏ธ Uninstallingโ
To remove the Jibril deployment:
helm uninstall jibril -n security