feat: added container filtering for cloud monitoring agents using new variable cloud_monitoring_container_filter (#419)

Author: Aashiq-J

README.md

@@ -125,6 +125,7 @@ You need the following permissions to run this module.
 | <a name="input_cloud_monitoring_agent_namespace"></a> [cloud\_monitoring\_agent\_namespace](#input\_cloud\_monitoring\_agent\_namespace) | Namespace where to deploy the Cloud Monitoring agent. Default value is 'ibm-observe' | `string` | `"ibm-observe"` | no |
 | <a name="input_cloud_monitoring_agent_tags"></a> [cloud\_monitoring\_agent\_tags](#input\_cloud\_monitoring\_agent\_tags) | List of tags to associate to all matrics that the agent collects. NOTE: Use the 'cloud\_monitoring\_add\_cluster\_name' variable to add the cluster name as a tag. | `list(string)` | `[]` | no |
 | <a name="input_cloud_monitoring_agent_tolerations"></a> [cloud\_monitoring\_agent\_tolerations](#input\_cloud\_monitoring\_agent\_tolerations) | List of tolerations to apply to Cloud Monitoring agent. | <pre>list(object({<br/>    key               = optional(string)<br/>    operator          = optional(string)<br/>    value             = optional(string)<br/>    effect            = optional(string)<br/>    tolerationSeconds = optional(number)<br/>  }))</pre> | <pre>[<br/>  {<br/>    "operator": "Exists"<br/>  },<br/>  {<br/>    "effect": "NoSchedule",<br/>    "key": "node-role.kubernetes.io/master",<br/>    "operator": "Exists"<br/>  }<br/>]</pre> | no |
+| <a name="input_cloud_monitoring_container_filter"></a> [cloud\_monitoring\_container\_filter](#input\_cloud\_monitoring\_container\_filter) | To filter custom containers, specify the Cloud Monitoring containers to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data. | <pre>list(object({<br/>    type      = string<br/>    parameter = string<br/>    name      = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_cloud_monitoring_enabled"></a> [cloud\_monitoring\_enabled](#input\_cloud\_monitoring\_enabled) | Deploy IBM Cloud Monitoring agent | `bool` | `true` | no |
 | <a name="input_cloud_monitoring_endpoint_type"></a> [cloud\_monitoring\_endpoint\_type](#input\_cloud\_monitoring\_endpoint\_type) | Specify the IBM Cloud Monitoring instance endpoint type (public or private) to use. Used to construct the ingestion endpoint. | `string` | `"private"` | no |
 | <a name="input_cloud_monitoring_instance_region"></a> [cloud\_monitoring\_instance\_region](#input\_cloud\_monitoring\_instance\_region) | The IBM Cloud Monitoring instance region. Used to construct the ingestion endpoint. | `string` | `null` | no |

chart/sysdig-agent/templates/configmap.yaml

@@ -41,3 +41,15 @@ data:
       - {{ $v.type }}: {{ $v.name }}
       {{ end }}
     {{- end -}}
+
+    {{ if .Values.container_filter -}}
+    # Enable the feature
+    use_container_filter: true
+
+    # Include or exclude conditions
+    container_filter:
+      {{ range $c := .Values.container_filter -}}
+      - {{ $c.type }}:
+            {{ $c.parameter }}: {{ $c.name }}
+      {{ end }}
+    {{- end -}}

chart/sysdig-agent/values.yaml

@@ -22,3 +22,13 @@ metrics_filter: []
 psp:
   # true here enables creation of Pod Security Policy to allow the agent run with the required permissions
   create: true
+
+container_filter: []
+# example:
+# container_filter:
+#   - include:
+#         container.image: appdomain/my-app-image
+#   - include:
+#         container.name: my-java-app
+#   - exclude:
+#         kubernetes.namespace.name: kube-system

examples/obs-agent-ocp/main.tf

@@ -197,7 +197,8 @@ module "observability_agents" {
   # Monitoring agent
   cloud_monitoring_access_key = module.observability_instances.cloud_monitoring_access_key
   # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
-  cloud_monitoring_metrics_filter  = [{ type = "exclude", name = "metricA.*" }, { type = "include", name = "metricB.*" }]
-  cloud_monitoring_agent_tags      = var.resource_tags
-  cloud_monitoring_instance_region = module.observability_instances.region
+  cloud_monitoring_metrics_filter   = [{ type = "exclude", name = "metricA.*" }, { type = "include", name = "metricB.*" }]
+  cloud_monitoring_container_filter = [{ type = "exclude", parameter = "kubernetes.namespace.name", name = "kube-system" }]
+  cloud_monitoring_agent_tags       = var.resource_tags
+  cloud_monitoring_instance_region  = module.observability_instances.region
 }

main.tf

@@ -106,6 +106,8 @@ resource "helm_release" "cloud_monitoring_agent" {
     metrics_filter = var.cloud_monitoring_metrics_filter
     }), yamlencode({
     tolerations = var.cloud_monitoring_agent_tolerations
+    }), yamlencode({
+    container_filter = var.cloud_monitoring_container_filter
   })]
 
   provisioner "local-exec" {

variables.tf

@@ -82,6 +82,20 @@ variable "cloud_monitoring_metrics_filter" {
   }
 }
 
+variable "cloud_monitoring_container_filter" {
+  type = list(object({
+    type      = string
+    parameter = string
+    name      = string
+  }))
+  description = "To filter custom containers, specify the Cloud Monitoring containers to include or to exclude. See https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data."
+  default     = []
+  validation {
+    condition     = length(var.cloud_monitoring_container_filter) == 0 || can(regex("^(include|exclude)$", var.cloud_monitoring_container_filter[0].type))
+    error_message = "Invalid input for `cloud_monitoring_container_filter`. Valid options for 'type' are: `include` and `exclude`. If empty, no containers are included or excluded."
+  }
+}
+
 variable "cloud_monitoring_agent_tags" {
   type        = list(string)
   description = "List of tags to associate to all matrics that the agent collects. NOTE: Use the 'cloud_monitoring_add_cluster_name' variable to add the cluster name as a tag."