Add GKE DaemonSet for TimeSync configuration

This commit adds a daemonset which is the counterpart of the compute
engine scripts found in the gce folder. It is creating a GKE cluster
with chrony and PTP-KVM enabled clock synchronization, waiting until
chrony is synchronized before allowing workload to run on the node.

Author: shacharr-google

.checkov.baseline

@@ -46,6 +46,31 @@
                     ]
                 }
             ]
+        },
+        {
+            "file": "/time-sync-example/gke/serviceaccount.yaml",
+            "findings": [
+                {
+                    "resource": "ServiceAccount.default.node-initializer-sa",
+                    "check_ids": [
+                        "CKV_K8S_20",
+                        "CKV_K8S_21"
+                    ]
+                }
+            ]
+        },
+        {
+            "file": "/time-sync-example/gke/daemon-set.yaml",
+            "findings": [
+                {
+                    "resource": "DaemonSet.default.node-initializer",
+                    "check_ids": [
+                        "CKV_K8S_17",
+                        "CKV_K8S_18",
+                        "CKV_K8S_19"
+                    ]
+                }
+            ]
         }
     ]
 }

.jscpd.json

@@ -0,0 +1,3 @@
+{
+    "threshold": 5
+}

time-sync-example/gke/cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-initializer-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-initializer-role
+subjects:
+- kind: ServiceAccount
+  name: node-initializer-sa
+  namespace: default

time-sync-example/gke/cluster-role.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-initializer-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update

time-sync-example/gke/cm-entrypoint.yaml

@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: entrypoint
+  labels:
+    app: default-init
+data:
+  entrypoint.sh: |
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
+    DEBIAN_FRONTEND=noninteractive
+    ROOT_MOUNT_DIR="${ROOT_MOUNT_DIR:-/root}"
+
+    echo "Loading PTP-KVM Kernel module"
+    chroot "${ROOT_MOUNT_DIR}" modprobe ptp_kvm
+    echo "ptp_kvm" >${ROOT_MOUNT_DIR}/etc/modules-load.d/ptp_kvm.conf
+
+
+    echo "Configuring chrony to leverage PTP-KVM"
+    grep -v "^log " ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf > /tmp/chrony_new.conf && mv /tmp/chrony_new.conf ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf
+    grep -v "^server " ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf > /tmp/chrony_new.conf && mv /tmp/chrony_new.conf ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf
+    grep -v "^pool " ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf > /tmp/chrony_new.conf && mv /tmp/chrony_new.conf ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf
+    grep "^refclock " ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf > /dev/null || echo "refclock PHC /dev/ptp_kvm poll -1 prefer" >> ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf
+    grep "^log " ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf > /dev/null || echo "log rawmeasurements refclocks selection statistics tracking" >> ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf
+    grep "^logdir " ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf > /dev/null ||  echo "logdir /var/log/chrony" >> ${ROOT_MOUNT_DIR}/etc/chrony/chrony.conf
+    chroot "${ROOT_MOUNT_DIR}" mkdir -p /var/log/chrony
+    chroot "${ROOT_MOUNT_DIR}" chown ntp: /var/log/chrony || echo "Chown failed - OK on Ubuntu"
+
+    echo "Restarting chrony"
+    chroot "${ROOT_MOUNT_DIR}" systemctl restart chronyd
+
+    function untaint() {
+      echo "Node name is: ${NODE_NAME}"
+      echo "Finding the taint"
+
+      TAINT_KEY=startup-taint.cluster-autoscaler.kubernetes.io/node-initializer
+      TAINT_VALUE=true
+      TAINT_EFFECT=NoSchedule
+
+      LABEL_KEY=node-initializer
+      LABEL_VALUE=done
+
+      # In case that the untaint patch failed due to a conflict, keep retrying until the taint cannot be found.
+      while true
+      do
+        taint=$(${ROOT_MOUNT_DIR}/home/kubernetes/bin/kubectl get node "${NODE_NAME}" \
+          -o jsonpath="{.spec.taints[?(@.key==\"${TAINT_KEY}\")]}")
+
+        if [[ -n "$taint" ]]; then
+          echo "Found the taint. Untainting."
+          ${ROOT_MOUNT_DIR}/home/kubernetes/bin/kubectl taint nodes ${NODE_NAME} \
+            ${TAINT_KEY}:${TAINT_EFFECT}-
+          ${ROOT_MOUNT_DIR}/home/kubernetes/bin/kubectl label nodes ${NODE_NAME} \
+            ${LABEL_KEY}=${LABEL_VALUE}
+              else
+          echo "Didn't find the taint. Nothing to do."
+          return
+        fi
+      done
+    }
+    # Give chrony a second to stabilize the clock
+    sleep 1
+    untaint

time-sync-example/gke/create_gke_cluster.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+    echo "Usage: create_gke_cluster.sh <project_id> <region> <cluster_name>" >&2
+    exit 1
+fi
+
+PROJECT_ID="$1"
+REGION="$2"
+CLUSTER_NAME="$3"
+MACHINE_TYPE="c3-standard-4"
+
+gcloud beta container --project "$PROJECT_ID" clusters create \
+    "$CLUSTER_NAME" --region "$REGION" --release-channel "regular" \
+    --machine-type "$MACHINE_TYPE" --image-type "COS_CONTAINERD" \
+    --node-taints startup-taint.cluster-autoscaler.kubernetes.io/node-initializer=true:NoSchedule \
+    --logging=SYSTEM,WORKLOAD --monitoring=SYSTEM,STORAGE,POD,DEPLOYMENT,STATEFULSET,DAEMONSET,HPA,JOBSET,CADVISOR,KUBELET,DCGM
+
+gcloud container clusters get-credentials "$CLUSTER_NAME" \
+    --location="$REGION" --project "$PROJECT_ID"
+
+# Add a service account the daemonset will use to untaint the node
+# when chrony is synced.
+kubectl apply -f serviceaccount.yaml
+# Bind the service account to a role allowed to untain nodes
+kubectl apply -f cluster-role.yaml
+kubectl apply -f cluster-role-binding.yaml
+# Add a config map with entrypoint script configuring chrony
+kubectl apply -f cm-entrypoint.yaml
+# Finally, configure daemonset with chrony configuration,
+# node untaint and monitoring
+kubectl apply -f daemonset.yaml

time-sync-example/gke/create_gke_metric.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+    echo "Usage: create_gke_metric.sh <project_id>" >&2
+    exit 1
+fi
+
+PROJECT_ID="$1"
+PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
+SERVICE_ACCOUNT_EMAIL=${PROJECT_NUMBER}[email protected]
+
+gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+    --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+    --role="roles/logging.logWriter"
+
+gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+    --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+    --role="roles/compute.instanceAdmin"
+
+gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+    --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+    --role="roles/monitoring.metricWriter"
+
+gcloud logging --project "$PROJECT_ID" metrics create phc-clock-max-error --config-from-file=gke-clock-metric.json
+gcloud monitoring --project "$PROJECT_ID" dashboards create --config-from-file=gke-metrics-dashboard.json

time-sync-example/gke/daemonset.yaml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: node-initializer
+  labels:
+    app: default-init
+  annotations:
+    checkov.io/skip1: CKV_K8S_21:This service account is part of the node-initializer app.
+spec:
+  selector:
+    matchLabels:
+      app: default-init
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        name: node-initializer
+        app: default-init
+    spec:
+      serviceAccount: node-initializer-sa
+      # Startup taints are meant to be used when there is an operation that has to complete before
+      # any pods can run on the node
+      tolerations:  # The daemonset has the toleration to get scheduled on the new nodes
+      - key: "startup-taint.cluster-autoscaler.kubernetes.io/node-initializer"  # NOTE: In GKE 1.27, use ignore-taint instead of startup-taint
+        operator: "Equal"
+        value: "true"
+        effect: "NoSchedule"
+      - key: "kubernetes.io/arch"
+        operator: "Equal"
+        value: "arm64"
+        effect: "NoSchedule"
+      hostPID: true
+      hostIPC: true
+      hostNetwork: true
+      volumes:
+        - name: root-mount
+          hostPath:
+            path: /
+        - name: entrypoint
+          configMap:
+            name: entrypoint
+            defaultMode: 0744
+      initContainers:
+        - image: ubuntu:22.04
+          name: node-initializer
+          command: ["/scripts/entrypoint.sh"]
+          env:
+            - name: ROOT_MOUNT_DIR
+              value: /root
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: root-mount
+              mountPath: /root
+            - name: entrypoint
+              mountPath: /scripts
+        - name: logshipper
+          image: ubuntu:22.04
+          restartPolicy: Always
+          command: ['sh', '-c', 'tail -F ${ROOT_MOUNT_DIR}/var/log/chrony/tracking.log | xargs -L 1 echo ${NODE_NAME}: ']
+          env:
+            - name: ROOT_MOUNT_DIR
+              value: /root
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: root-mount
+              mountPath: /root
+      containers:
+        - image: "k8s.gcr.io/pause:3.3"
+          name: pause

time-sync-example/gke/gke-clock-metric.json

@@ -0,0 +1,26 @@
+{
+    "name": "phc-clock-max-error",
+    "description": "Maximum error of the VM clock from the host clock exposed by ptp_kvm",
+    "filter": "resource.type=\"k8s_container\"\n resource.labels.namespace_name=\"default\"\n resource.labels.container_name=\"logshipper\"",
+    "metricDescriptor": {
+        "metricKind": "DELTA",
+        "valueType": "DISTRIBUTION",
+        "unit": "s",
+        "labels": [
+            {
+                "key": "resourceName",
+                "valueType": "STRING",
+                "description": "The name of the resource extracted from the log payload"
+            }
+        ]
+    },
+    "valueExtractor": "REGEXP_EXTRACT(textPayload, \"^.*PHC0.* ([-\\\\d\\\\.eE]+)$\")",
+    "labelExtractors": { "resourceName" : "REGEXP_EXTRACT(textPayload, \"(.*): .*\")"},
+    "bucketOptions": {
+        "explicitBuckets": {
+            "bounds": [
+                0.0, 5.0E-7, 1.0E-6, 2.0E-6, 4.0E-6, 5.0E-6, 8.0E-6, 1.0E-5, 2.0E-5, 1.0E-4, 0.001, 0.01, 0.1, 1.0
+            ]
+        }
+    }
+}

time-sync-example/gke/gke-metrics-dashboard.json

@@ -0,0 +1,37 @@
+{
+    "displayName": "Overall Clock Accuracy",
+    "dashboardFilters": [],
+    "labels": {},
+    "mosaicLayout": {
+        "columns": 48,
+        "tiles": [
+            {
+                "width": 28,
+                "height": 28,
+                "widget": {
+                    "xyChart": {
+                        "dataSets": [
+                            {
+                                "plotType": "LINE",
+                                "targetAxis": "Y1",
+                                "timeSeriesQuery": {
+                                    "prometheusQuery": "label_replace(\nhistogram_quantile(1, sum by (le, resourceName) (\nincrease(logging_googleapis_com:phc_clock_max_error_bucket{monitored_resource=\"k8s_container\"}[1m])\n)) * 1000000000,\n\"instance_name\", \"$1\", \"resourceName\", \"(.*)\"\n) +\non(instance_name) (\ncompute_googleapis_com:instance_clock_accuracy_ptp_kvm_nanosecond_accuracy{monitored_resource=\"gce_instance\"}\n)\n",
+                                    "unitOverride": "ns"
+                                }
+                            }
+                        ],
+                        "chartOptions": {
+                            "displayHorizontal": false,
+                            "mode": "COLOR"
+                        },
+                        "yAxis": {
+                            "label": "Clock Accuracy",
+                            "scale": "LINEAR"
+                        },
+                        "thresholds": []
+                    }
+                }
+            }
+        ]
+    }
+}