Kubernetes deployment with the Tawon Operator

The Tawon Kubernetes Operator automates the deployment and management of Tawon on Kubernetes. The operator uses the Operator SDK (Go), and installable via the Operator Lifecycle Manager (OLM).

The Tawon Kubernetes Operator publishes the Directive and TopologyAggregator CRDs which are used to deploy the each Tawon Directive individually. The TopologyAggregator CRD is used to deploy the Tawon Topology Aggregator, which is responsible for aggregating the topology information from a Topology capture Directive and make it available on the Topology API. The KNT uses the Operator SDK and is installable via OLM.

Installation using OLM on OpenShift

The OLM is a tool that helps you install, update, and generally manage the lifecycle of all of the operators (and their associated resources) running across your clusters. It is part of the Operator Framework, an open source toolkit to manage Kubernetes native applications, called Operators, in an effective, automated, and scalable way.

There are two ways to install the Tawon Operator with OLM:

From the web console (recommended)
From the command line

Prerequisites

An OpenShift cluster (tested on OpenShift 4.12)
A namespace with privileged Security Context Constraints (OpenShift only)
Access to quay.io/mantisnet/tawon images

Creating the project

Tawon has special requirements because it is a monitoring tool that needs to run privileged containers and access the host filesystem, network namespaces, run bpf programs, etc. You don’t need to worry about setting up the project to run privileged containers, the OLM bundle already has the required configuration.

In the terminal, run the following command to create the project:

oc new-project tawon

Installing from the OperatorHub in the Openshift Console

The Tawon Operator is available in the OperatorHub via the certified catalog (Red Hat). In order to install it inside tawon namespace, go to the OperatorHub in the web console, select the Tawon operator and click on Install. You can select the namespace where you want to install the operator, or select All namespaces on the cluster to install the operatorfor all the namespaces (using the openshift-operators namespace). Here, we will install the operator in the tawon namespace.

Installing from the command line

Install the operator for all namespaces in the openshift-operators namespace:

oc apply -f subscription-certified.yaml -n tawon

This namespace already has an OperatorGroup, if you want to install the operator in a different namespace, you need to create an OperatorGroup in that namespace, see OC docs for more info.

Download the example subscription-certified.yaml.

Removing the operator and catalog

To remove the operator and catalog, we recommend doing it from the web console. Simply go to Installed Operators and select the Tawon operator, then click on Uninstall.

You can also delete the CRDs with the following command:

oc delete crds directives.tawon.mantisnet.com topologyaggregators.tawon.mantisnet.com

Pull Credentials

As Tawon is hosted privately on our docker registry (quay.io), you need to create a Secret with your credentials to pull the images.

The operator itself is not private, only the Tawon images, which are loaded at runtime by the operator.

A Kubernetes Secret file containing the credentials should be provided to you. You will need to create the Secret to the tawon namespace:

oc apply -f -n tawon ./tawon-pull-credentials.yaml

Private registry

If you are using a private registry, you will need to take a couple of different steps thoughout the examples.

First, if your registry is authenticated, you will need to create a Secret with the default name tawon-pull-credentials used by the Tawon Operator. Alternatively, you can specify a different name for the Secret in the imagePullSecrets field of the Directive CRD.

apiVersion: tawon.mantisnet.com/v1alpha1
kind: Directive
metadata:
  name: payload-coredns
spec:
  image:
    credentialsSecret:
      name: my-secret
  # Rest of the Directive configuration
  # ...

Second, you will need to specify the image path for the private registry. You have 2 options for this: on the operator, or on the Directives.

Starting the operator with the operator with the TAWON_OPERATOR_DEFAULT_TAWON_IMAGE flags set to the image in your registry:

TAWON_OPERATOR_DEFAULT_TAWON_IMAGE=registry.example.com/tawon:v2.22.0

Using the field of the Directive CRD, on each Directive:

apiVersion: tawon.mantisnet.com/v1alpha1
kind: Directive
metadata:
  name: payload-coredns
spec:
  image:
    image: registry.example.com/tawon:v2.22.0
  # Rest of the Directive configuration
  # ...

NATS

If nats is already installed, and its under the name nats in the tawon namespace, there is nothing to do, the publish task will send data there by default.

If the namespace does not have a nats instance, you can install one with the following command:

oc apply -n tawon -f ./examples/nats.yaml

You can download the example nats config from here.

And delete NATS with:

oc delete -n tawon -f ./examples/nats.yaml

If you want nats to be installed automatically with each directive, you can add the following configutation for your directive:

apiVersion: tawon.mantisnet.com/v1alpha1
kind: Directive
metadata:
  name: payload-coredns
spec:
  messaging:
    nats:
      enableDemoDeployment: true
  # Rest of the Directive configuration
  # ...

This will instanciate a nats server in the same namespace as the directive. If you use this technique, your will need to find the nats instance created for this Directive and connect to it directly in order to tail the data.

In our examples below, we will use an already installed nats instance, with the name nats in the tawon namespace, so we do not need to specify anything in the publish tasks.

You can port-forward to the nats instance with the following command:

oc port-forward -n tawon svc/nats 4222:4222

Next Steps

Head to the Operator Usage section to learn how to use the operator.