feat(operator): implement basic fact operator

At this point the operator is a PoC, meant only as a small experiment to
see if it is even possible to implement.

TODO:
* Expose more configuration options.
* Implement some sort of test that will ensure the operator works and
  deploys fact correctly.

Author: Molter73

Cargo.lock

@@ -4,6 +4,7 @@ members = [
     "fact",
     "fact-api",
     "fact-ebpf",
+    "fact-operator",
 ]
 default-members = ["fact"]
 

Cargo.toml

@@ -42,10 +42,11 @@ FROM builder AS build
 ARG FACT_VERSION
 RUN --mount=type=cache,target=/root/.cargo/registry \
     --mount=type=cache,target=/app/target \
-    cargo build --release && \
-    cp target/release/fact fact
+    cargo build --release --all && \
+    cp target/release/fact fact && \
+    cp target/release/fact-operator fact-operator
 
-FROM ubi-micro-base
+FROM ubi-micro-base AS fact
 
 ARG FACT_VERSION
 LABEL name="fact" \
@@ -64,3 +65,23 @@ COPY LICENSE-APACHE LICENSE-MIT LICENSE-GPL2 /licenses/
 RUN update-crypto-policies --set DEFAULT:PQ
 
 ENTRYPOINT ["fact"]
+
+FROM ubi-micro-base AS fact-operator
+
+ARG FACT_VERSION
+LABEL name="fact-operator" \
+      vendor="StackRox" \
+      maintainer="support@stackrox.com" \
+      summary="File activity operator" \
+      description="This image supports an operator for deploying the file activity daemonset" \
+      io.stackrox.fact-operator.version="${FACT_VERSION}"
+
+COPY --from=package_installer /out/ /
+
+COPY --from=build /app/fact-operator /usr/local/bin
+
+COPY LICENSE-APACHE LICENSE-MIT LICENSE-GPL2 /licenses/
+
+RUN update-crypto-policies --set DEFAULT:PQ
+
+ENTRYPOINT ["fact-operator"]

Containerfile

@@ -17,9 +17,21 @@ image:
 		-f Containerfile \
 		--build-arg FACT_VERSION=$(FACT_VERSION) \
 		--build-arg RUST_VERSION=$(RUST_VERSION) \
+		--target fact \
 		-t $(FACT_IMAGE_NAME) \
 		$(CURDIR)
 
+operator:
+	$(DOCKER) build \
+		-f Containerfile \
+		--build-arg FACT_VERSION=$(FACT_VERSION) \
+		--build-arg RUST_VERSION=$(RUST_VERSION) \
+		--target fact-operator \
+		-t $(FACT_OPERATOR_NAME) \
+		$(CURDIR)
+
+images: image operator
+
 licenses:THIRD_PARTY_LICENSES.html
 
 THIRD_PARTY_LICENSES.html:Cargo.lock

Makefile

@@ -3,7 +3,10 @@ RUST_VERSION ?= stable
 FACT_TAG ?= $(shell git describe --always --tags --abbrev=10 --dirty)
 FACT_VERSION ?= $(FACT_TAG)
 FACT_REGISTRY ?= quay.io/stackrox-io/fact
+FACT_OPERATOR_REGISTRY ?= quay.io/stackrox-io/fact-operator
 FACT_IMAGE_NAME ?= $(FACT_REGISTRY):$(FACT_TAG)
+FACT_OPERATOR_REGISTRY ?= quay.io/stackrox-io/fact-operator
+FACT_OPERATOR_NAME ?= $(FACT_OPERATOR_REGISTRY):$(FACT_TAG)
 
 CLANG_FMT ?= $(shell which clang-format)
 

constants.mk

@@ -0,0 +1,17 @@
+[package]
+name = "fact-operator"
+version = "0.1.0"
+edition = "2024"
+license.workspace = true
+
+[dependencies]
+anyhow = { workspace = true }
+env_logger = { workspace = true }
+futures = { version = "0.3.32", default-features = false }
+kube = { version = "4.0.0", default-features = true, features = ["client", "openssl-tls", "derive", "runtime"] }
+k8s-openapi = { version = "0.28.0", features = ["latest", "schemars"] }
+log = { workspace = true }
+schemars = { version = "1" }
+serde = { workspace = true }
+serde_json = { workspace = true }
+tokio = { workspace = true }

fact-operator/Cargo.toml

@@ -0,0 +1,76 @@
+use std::{sync::Arc, time::Duration};
+
+use futures::StreamExt;
+use k8s_openapi::api::{apps::v1::DaemonSet, core::v1::ConfigMap};
+use kube::{
+    Api, Client, ResourceExt,
+    api::{Patch, PatchParams},
+    runtime::{Controller, controller::Action, watcher},
+};
+use log::{info, warn};
+
+use crate::spec::Fact;
+
+mod spec;
+
+struct Context {
+    client: Client,
+}
+
+async fn reconcile(fact: Arc<Fact>, ctx: Arc<Context>) -> Result<Action, kube::Error> {
+    info!("Starting reconciliation loop");
+    let ns = fact.namespace().unwrap();
+
+    let cm = spec::build_configmap(&fact);
+    let api = Api::<ConfigMap>::namespaced(ctx.client.clone(), &ns);
+    api.patch(
+        &format!("{}-config", fact.name_any()),
+        &PatchParams::apply("fact-operator"),
+        &Patch::Apply(cm),
+    )
+    .await?;
+
+    let ds = spec::build_daemonset(&fact);
+    let api = Api::<DaemonSet>::namespaced(ctx.client.clone(), &ns);
+    api.patch(
+        &fact.name_any(),
+        &PatchParams::apply("fact-operator"),
+        &Patch::Apply(ds),
+    )
+    .await?;
+
+    info!("Reconciliation done");
+    Ok(Action::requeue(Duration::from_secs(300)))
+}
+
+fn error_policy(_obj: Arc<Fact>, _err: &kube::Error, _ctx: Arc<Context>) -> Action {
+    Action::requeue(Duration::from_secs(60))
+}
+
+pub async fn run() -> anyhow::Result<()> {
+    env_logger::init();
+    info!("Operator starting...");
+    let client = Client::try_default().await?;
+    let fact = Api::<Fact>::all(client.clone());
+
+    Controller::new(fact, watcher::Config::default())
+        .owns(
+            Api::<DaemonSet>::all(client.clone()),
+            watcher::Config::default(),
+        )
+        .owns(
+            Api::<ConfigMap>::all(client.clone()),
+            watcher::Config::default(),
+        )
+        .run(reconcile, error_policy, Arc::new(Context { client }))
+        .for_each(|res| async move {
+            match res {
+                Ok(o) => info!("reconciled: {o:?}"),
+                Err(e) => warn!("reconciler failed: {e:?}"),
+            }
+        })
+        .await;
+
+    info!("Operator done");
+    Ok(())
+}

fact-operator/src/lib.rs

@@ -0,0 +1,4 @@
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    fact_operator::run().await
+}

fact-operator/src/main.rs

@@ -0,0 +1,167 @@
+use std::collections::BTreeMap;
+
+use k8s_openapi::{
+    api::{
+        apps::v1::{DaemonSet, DaemonSetSpec},
+        core::v1::{
+            Capabilities, ConfigMap, ConfigMapVolumeSource, Container, ContainerPort, EnvVar,
+            HostPathVolumeSource, PodSpec, PodTemplateSpec, SecurityContext, Volume, VolumeMount,
+        },
+    },
+    apimachinery::pkg::apis::meta::v1::LabelSelector,
+};
+use kube::{CustomResource, Resource, ResourceExt, api::ObjectMeta};
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema, CustomResource)]
+#[serde(rename_all = "camelCase")]
+#[kube(
+    group = "fact.stackrox.io",
+    version = "v1alpha1",
+    kind = "Fact",
+    namespaced
+)]
+pub(crate) struct FactSpec {
+    pub image: String,
+    #[serde(default = "default_log_level")]
+    pub log_level: String,
+    #[serde(default = "default_rate_limit")]
+    pub rate_limit: u64,
+}
+
+fn default_log_level() -> String {
+    String::from("info")
+}
+
+fn default_rate_limit() -> u64 {
+    0
+}
+
+pub(crate) fn build_configmap(fact: &Fact) -> ConfigMap {
+    let data = BTreeMap::from([(
+        "fact.yml".into(),
+        format!("rate_limit: {}", fact.spec.rate_limit),
+    )]);
+    ConfigMap {
+        data: Some(data),
+        metadata: ObjectMeta {
+            name: Some(format!("{}-config", fact.name_any())),
+            namespace: fact.namespace(),
+            owner_references: fact.controller_owner_ref(&()).map(|r| vec![r]),
+            ..Default::default()
+        },
+        ..Default::default()
+    }
+}
+
+pub(crate) fn build_daemonset(fact: &Fact) -> DaemonSet {
+    let spec = &fact.spec;
+    let name = fact.name_any();
+    let namespace = fact.namespace();
+    let labels = BTreeMap::from([("app".into(), "fact".into())]);
+
+    let metadata = ObjectMeta {
+        labels: Some(labels.clone()),
+        name: Some(name),
+        namespace,
+        owner_references: fact.controller_owner_ref(&()).map(|r| vec![r]),
+        ..Default::default()
+    };
+
+    let container = Container {
+        name: "fact".into(),
+        image: Some(spec.image.clone()),
+        image_pull_policy: Some("IfNotPresent".into()),
+        args: Some(vec![
+            "--paths".into(),
+            "/etc:/bin:/sbin:/usr/bin:/usr/sbin".into(),
+        ]),
+        ports: Some(vec![ContainerPort {
+            container_port: 9000,
+            name: Some("monitoring".into()),
+            ..Default::default()
+        }]),
+        env: Some(vec![
+            EnvVar {
+                name: "FACT_LOGLEVEL".into(),
+                value: Some(spec.log_level.clone()),
+                ..Default::default()
+            },
+            EnvVar {
+                name: "FACT_HOST_MOUNT".into(),
+                value: Some("/host".into()),
+                ..Default::default()
+            },
+        ]),
+        security_context: Some(SecurityContext {
+            capabilities: Some(Capabilities {
+                drop: Some(vec!["NET_RAW".into()]),
+                ..Default::default()
+            }),
+            privileged: Some(true),
+            read_only_root_filesystem: Some(true),
+            ..Default::default()
+        }),
+        volume_mounts: Some(vec![
+            VolumeMount {
+                name: "root-ro".into(),
+                mount_path: "/host".into(),
+                read_only: Some(true),
+                mount_propagation: Some("HostToContainer".into()),
+                ..Default::default()
+            },
+            VolumeMount {
+                mount_path: "/etc/stackrox".into(),
+                name: "fact-config".into(),
+                read_only: Some(true),
+                ..Default::default()
+            },
+        ]),
+        ..Default::default()
+    };
+
+    let volumes = vec![
+        Volume {
+            host_path: Some(HostPathVolumeSource {
+                path: "/".into(),
+                ..Default::default()
+            }),
+            name: "root-ro".into(),
+            ..Default::default()
+        },
+        Volume {
+            name: "fact-config".into(),
+            config_map: Some(ConfigMapVolumeSource {
+                name: format!("{}-config", fact.name_any()),
+                ..Default::default()
+            }),
+            ..Default::default()
+        },
+    ];
+
+    let spec = DaemonSetSpec {
+        selector: LabelSelector {
+            match_labels: Some(labels.clone()),
+            ..Default::default()
+        },
+        template: PodTemplateSpec {
+            metadata: Some(ObjectMeta {
+                labels: Some(labels),
+                ..Default::default()
+            }),
+            spec: Some(PodSpec {
+                containers: vec![container],
+                volumes: Some(volumes),
+                ..Default::default()
+            }),
+        },
+        ..Default::default()
+    };
+
+    DaemonSet {
+        metadata,
+        spec: Some(spec),
+        ..Default::default()
+    }
+}

fact-operator/src/spec.rs

@@ -0,0 +1,9 @@
+apiVersion: fact.stackrox.io/v1alpha1
+kind: Fact
+metadata:
+  name: fact
+  namespace: default
+spec:
+  image: quay.io/stackrox-io/fact:0.3.0
+  logLevel: debug
+  rateLimit: 60000