Kubernetes

Check out Jibril's public recipes repository at https://github.com/garnet-org/jibril-balag.

Deploy Jibril on Kubernetes Clusters

To deploy Jibril as a DaemonSet on Kubernetes clusters, use the setup-k8s.sh script (also available on GitHub). This script automatically creates a Deployment file with the necessary ConfigMap, DaemonSet, and related resources.

Make sure to use --dry-run so it does not apply the deployment automatically.

Usage

$ ./setup-k8s.sh [OPTIONS]

Options

--namespace=NAME

Kubernetes namespace Default: security

--image=IMAGE

Jibril container image Default: garnetlabs/jibril:v1.4

--log-level=LEVEL

Log level (quiet, fatal, error, warn, info, debug) Default: info

--config=FILE

Path to custom Jibril config.yaml file Default: built-in

--memory-request=SIZE

Memory request Default: 256Mi

--memory-limit=SIZE

Memory limit Default: 512Mi

--cpu-request=AMOUNT

CPU request Default: 100m

--cpu-limit=AMOUNT

CPU limit Default: 500m

--node-selector=EXPR

Node selector expression (e.g. 'role=security')

--toleration=KEY:VAL:EFFECT

Add toleration (can be used multiple times)

--output=FILE

Output YAML to file Default: jibril-k8s.yaml

--dry-run

Print configuration without applying

--cleanup

Remove existing Jibril resources from the cluster

--help

Show help

Examples

  1. Basic deployment with defaults

    $ ./setup-k8s.sh
  2. Deploy to a custom namespace

    $ ./setup-k8s.sh --namespace=monitoring
  3. Add node toleration

    $ ./setup-k8s.sh --toleration=security-agent:true:NoSchedule
  4. Set custom memory limits

    $ ./setup-k8s.sh --memory-limit=1Gi --memory-request=512Mi
  5. Target specific nodes with a node selector

    $ ./setup-k8s.sh --node-selector=role=security
  6. Deploy on GPU nodes with higher CPU limits

    $ ./setup-k8s.sh --node-selector=gpu=true --cpu-limit=2 --cpu-request=500m
  7. Configure multiple tolerations

    $ ./setup-k8s.sh --toleration=security:true:NoSchedule --toleration=critical:true:NoExecute
  8. Use a custom Jibril configuration file

    $ ./setup-k8s.sh --config=/path/to/my-jibril-config.yaml
  9. Preview configuration without applying

    $ ./setup-k8s.sh --dry-run
  10. Save configuration to a custom file

    $ ./setup-k8s.sh --output=jibril-prod.yaml
  11. Clean up existing deployment

    $ ./setup-k8s.sh --cleanup --namespace=security
  12. Complete production deployment example

    $ ./setup-k8s.sh --namespace=security-prod \
      --image=garnetlabs/jibril:latest \
      --config=/etc/jibril/prod-config.yaml \
      --memory-limit=2Gi \
      --memory-request=1Gi \
      --cpu-limit=1 \
      --toleration=security-monitoring:true:NoSchedule \
      --node-selector=security-tier=high

Notes

  • Jibril requires privileged access to run eBPF programs.

  • The script mounts necessary paths from the host:

    • /sys/fs/bpf

    • /sys/kernel/debug

    • /sys

    • /proc

    • /var/log/jibril

  • Log files are stored in /var/log/jibril on the host.

  • Configuration is supplied via a ConfigMap.
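
Because the DaemonSet runs privileged and mounts host paths, it is worth reviewing the generated manifest before applying it. The script below is an added example, not part of the Jibril project: it assumes the manifest was saved to a file, and the function names, the constructed sample layout and the /opt/extra path are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Jibril project): review a generated manifest.
# Host paths the Notes section documents as mounted by setup-k8s.sh.
DOCUMENTED_PATHS="/sys/fs/bpf /sys/kernel/debug /sys /proc /var/log/jibril"

# Print every hostPath "path:" value in the manifest, one per line.
host_paths() {
  awk '
    /^[ \t]*(- )?hostPath:/ { in_hp = 1; next }
    in_hp && /^[ \t]*path:/ {
      sub(/^[ \t]*path:[ \t]*/, ""); sub(/[ \t]+$/, "")
      gsub(/"/, ""); print; in_hp = 0
    }' "$1"
}

# Print hostPath values that are NOT in the documented list.
unexpected_host_paths() {
  host_paths "$1" | while IFS= read -r p; do
    case " $DOCUMENTED_PATHS " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
  done
}

# Count "privileged: true" settings in the manifest.
privileged_count() {
  grep -Ec '^[[:space:]]*privileged:[[:space:]]*true' "$1" || true
}

# Return 0 only if every hostPath mount is one the documentation lists.
review_manifest() {
  local extra; extra=$(unexpected_host_paths "$1")
  echo "privileged settings: $(privileged_count "$1")"
  [ -z "$extra" ] && return 0
  printf 'undocumented hostPath: %s\n' $extra; return 1
}

# Constructed sample (assumed layout, not real script output); $2 adds a path.
write_sample() {
  { printf 'kind: DaemonSet\nspec:\n  template:\n    spec:\n      containers:\n'
    printf '        - name: jibril\n          securityContext:\n'
    printf '            privileged: true\n      volumes:\n'
    for p in $DOCUMENTED_PATHS $2; do
      printf '        - name: v\n          hostPath:\n            path: %s\n' "$p"
    done; } > "$1"
}

sample=$(mktemp); write_sample "$sample" /opt/extra  # constructed drift case
review_manifest "$sample" || true; rm -f "$sample"
```

To use it on a real manifest, call review_manifest with the path of the generated file, for example the default jibril-k8s.yaml.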
