Kubernetes

Deploy Jibril on Kubernetes Clusters

To deploy Jibril as a DaemonSet on Kubernetes clusters, use the script (also available at . This script automatically creates a Deployment file with the necessary ConfigMap, DaemonSet, and related resources.

Make sure to use --dry-run so it does not apply the deployment automatically.

Currently almost all development-like Kubernetes distributions (Minikube, Microk8s, ...) are supported, as long as compute nodes are virtual-machines or real hosts.

Usage

$ ./setup-k8s.sh [OPTIONS]

Options

--namespace=NAME

Kubernetes namespace Default: security

--image=IMAGE

Jibril container image Default: garnetlabs/jibril:v1.4

--log-level=LEVEL

Log level (quiet, fatal, error, warn, info, debug) Default: info

--config=FILE

Path to custom Jibril config.yaml file Defaullt: built-in

--memory-request=SIZE

Memory request Default: 256Mi

--memory-limit=SIZE

Memory limit Default: 512Mi

--cpu-request=AMOUNT

CPU request Default: 100m

--cpu-limit=AMOUNT

CPU limit Default: 500m

--node-selector=EXPR

Node selector expression (e.g. 'role=security')

--toleration=KEY:VAL:EFFECT

Add toleration (can be used multiple times)

--output=FILE

Output YAML to file Default: jibril-k8s.yaml

--dry-run

Print configuration without applying

--cleanup

Remove existing Jibril resources from the cluster

--help

Show help

Examples

Basic deployment with defaults
```
$ ./setup-k8s.sh
```
Deploy to a custom namespace
```
$ ./setup-k8s.sh --namespace=monitoring
```

Add node toleration

$ ./setup-k8s.sh --toleration=security-agent:true:NoSchedule

Set custom memory limits

$ ./setup-k8s.sh --memory-limit=1Gi --memory-request=512Mi

Target specific nodes with a node selector

$ ./setup-k8s.sh --node-selector=role=security

Deploy on GPU nodes with higher CPU limits

$ ./setup-k8s.sh --node-selector=gpu=true --cpu-limit=2 --cpu-request=500m

Configure multiple tolerations

$ ./setup-k8s.sh --toleration=security:true:NoSchedule --toleration=critical:true:NoExecute

Use a custom Jibril configuration file

$ ./setup-k8s.sh --config=/path/to/my-jibril-config.yaml

Preview configuration without applying
```
$ ./setup-k8s.sh --dry-run
```

Save configuration to a custom file

$ ./setup-k8s.sh --output=jibril-prod.yaml

Clean up existing deployment

$ ./setup-k8s.sh --cleanup --namespace=security

Complete production deployment example

$ ./setup-k8s.sh --namespace=security-prod \
  --image=garnetlabs/jibril:latest \
  --config=/etc/jibril/prod-config.yaml \
  --memory-limit=2Gi \
  --memory-request=1Gi \
  --cpu-limit=1 \
  --toleration=security-monitoring:true:NoSchedule \
  --node-selector=security-tier=high

Notes

Jibril requires privileged access to run eBPF programs.
The script mounts necessary paths from the host:
- /sys/fs/bpf
- /sys/kernel/debug
- /sys
- /proc
- /var/log/jibril
Log files are stored in /var/log/jibril on the host.
Configuration is supplied via a ConfigMap.

Last updated 19 days ago

Deploy Jibril on Kubernetes Clusters

Make sure to use --dry-run so it does not apply the deployment automatically.

Currently almost all development-like Kubernetes distributions (Minikube, Microk8s, ...) are supported, as long as compute nodes are virtual-machines or real hosts.

Container based compute nodes distributions, like , will make resource consumption bigger and is unsupported for now).

Usage

$ ./setup-k8s.sh [OPTIONS]

Options

--namespace=NAME

Kubernetes namespace Default: security

--image=IMAGE

Jibril container image Default: garnetlabs/jibril:v1.4

--log-level=LEVEL

Log level (quiet, fatal, error, warn, info, debug) Default: info

--config=FILE

Path to custom Jibril config.yaml file Defaullt: built-in

--memory-request=SIZE

Memory request Default: 256Mi

--memory-limit=SIZE

Memory limit Default: 512Mi

--cpu-request=AMOUNT

CPU request Default: 100m

--cpu-limit=AMOUNT

CPU limit Default: 500m

--node-selector=EXPR

Node selector expression (e.g. 'role=security')

--toleration=KEY:VAL:EFFECT

Add toleration (can be used multiple times)

--output=FILE

Output YAML to file Default: jibril-k8s.yaml

--dry-run

Print configuration without applying

--cleanup

Remove existing Jibril resources from the cluster

--help

Show help

Examples

Basic deployment with defaults

$ ./setup-k8s.sh

Deploy to a custom namespace

$ ./setup-k8s.sh --namespace=monitoring

Add node toleration

$ ./setup-k8s.sh --toleration=security-agent:true:NoSchedule

Set custom memory limits

$ ./setup-k8s.sh --memory-limit=1Gi --memory-request=512Mi

Target specific nodes with a node selector

$ ./setup-k8s.sh --node-selector=role=security

Deploy on GPU nodes with higher CPU limits

$ ./setup-k8s.sh --node-selector=gpu=true --cpu-limit=2 --cpu-request=500m

Configure multiple tolerations

$ ./setup-k8s.sh --toleration=security:true:NoSchedule --toleration=critical:true:NoExecute

Use a custom Jibril configuration file

$ ./setup-k8s.sh --config=/path/to/my-jibril-config.yaml

Preview configuration without applying

$ ./setup-k8s.sh --dry-run

Save configuration to a custom file

$ ./setup-k8s.sh --output=jibril-prod.yaml

Clean up existing deployment

$ ./setup-k8s.sh --cleanup --namespace=security

Complete production deployment example

$ ./setup-k8s.sh --namespace=security-prod \
  --image=garnetlabs/jibril:latest \
  --config=/etc/jibril/prod-config.yaml \
  --memory-limit=2Gi \
  --memory-request=1Gi \
  --cpu-limit=1 \
  --toleration=security-monitoring:true:NoSchedule \
  --node-selector=security-tier=high