Merge pull request #277 from bytedance/update-values

Update chart values and template

Author: Danny-Wei

docs/getting_started/installation.md

@@ -73,11 +73,7 @@ You can enable metrics to monitor the operation of vArmor. All metrics are expos
 --set metrics.enabled=true
 ```
 
-You can use the following command to create a `ServiceMonitor` object in the namespace where vArmor is installed. Default: disabled.
-
-```bash
---set metrics.serviceMonitorEnabled=true
-```
+If the `monitoring.coreos.com/v1` API is available in the cluster, vArmor will automatically create a `ServiceMonitor` object during deployment for integration with Prometheus.
 
 #### Set the Log Output Format to JSON
 The default format of agent and manager is TEXT. You can use the following command to set it to JSON.
@@ -122,7 +118,7 @@ The feature extends network access control to restrict container access to speci
 The feature is currently only supported by the BPF enforcer and requires Kubernetes v1.21 or higher.
 
 #### Run Agent in HostNetwork Mode
-The agent runs in its own network namespace and exposes the readinessProbe on port `6080` by default. If you want to run it in the host's network namespace, you can use following options.
+The agent runs in its own network namespace and exposes the readinessProbe on port `9580` by default. If you want to run it in the host's network namespace, you can use following options.
 
 ```bash
 --set agent.network.hostNetwork=true \

docs/getting_started/installation.zh_CN.md

@@ -72,11 +72,7 @@ vArmor 顺序检查系统的审计日志是否存在，并通过监控第一个
 --set metrics.enabled=true
 ```
 
-您可以使用下面的选项在 vArmor 所在命名空间中创建 `ServiceMonitor` 对象，用于与 Prometheus 集成。默认值：关闭。
-
-```bash
---set metrics.serviceMonitorEnabled=true
-```
+如果您的集群支持 `monitoring.coreos.com/v1` API，vArmor 会在部署时自动创建一个 `ServiceMonitor` 对象，用于与 Prometheus 集成。
 
 #### 设置日志格式为 JSON
 Agent 和 Manager 的日志格式默认为文本格式，您可以使用下面的选项将其设置为 JSON 格式。
@@ -122,7 +118,7 @@ vArmor 只会对包含此 label 的 Workloads 开启沙箱防护。你可以使
 当前仅 BPF enforcer 支持此功能，并且需要 Kubernetes v1.21 及以上版本。
 
 #### 在宿主机网络命名空间中运行 Agent
-vArmor 的 Agent 默认运行在独立的网络命名空间中，并在端口 `6080` 暴露就绪探针。如果您想将其部署在宿主网络命名空间中，那么可以使用下面的选项进行配置。
+vArmor 的 Agent 默认运行在独立的网络命名空间中，并在端口 `9580` 暴露就绪探针。如果您想将其部署在宿主网络命名空间中，那么可以使用下面的选项进行配置。
 
 ```bash
 --set agent.network.hostNetwork=true \

docs/getting_started/metrics.md

@@ -15,8 +15,7 @@ vArmor now includes a comprehensive metrics system. This document describes the
 2. Install vArmor with metrics enabled:
    ```bash
    helm install varmor varmor/varmor \
-     --set metrics.enable=true \
-     --set metrics.serviceMonitorEnabled=true
+     --set metrics.enable=true
    ```
 
 3. Import Grafana dashboard:
@@ -26,20 +25,11 @@ vArmor now includes a comprehensive metrics system. This document describes the
     - Select the appropriate Prometheus data source
     - Click Import to finish
 
-## Enabling Metrics
-To enable the metrics system:
-1. Set `metrics.enable` to `true` in your values configuration
-2. To create a Prometheus ServiceMonitor, set `metrics.serviceMonitorEnabled` to `true`
-
-Once enabled, metrics are exposed at the `/metric` endpoint on port 8081 of the manager.
-
 ## Available Metrics
 
 ### Profile Processing Metrics
 These metrics track the status and performance of the ArmorProfile object processed by the Agent.
 All profile processing metrics include the following labels:
-- `namespace`: The namespace of the profile
-- `profile_name`: Name of the profile
 - `node_name`: Name of the node
 
 | Metric Name | Type | Description |
@@ -61,11 +51,9 @@ These metrics provide insights into admission webhook operations of the Manager.
 #### Webhook Latency Metric
 The `varmor_webhook_latency` metric is a histogram that measures webhook processing latency with buckets at 0.1, 0.5, 1, 2, and 5 seconds.
 This metric includes the following labels:
-- `request_uid`: Request UID
 - `request_kind`: The type of workload be submitted
-- `request_namespace`: The namespace of workload be submitted
-- `request_name`: The name of workload be submitted
-- `request_operation`: Whether the workload be mutated by Manager or not
+- `request_operation`: The operation type of the request
+- `request_mutated`: Whether the workload be mutated by Manager or not
 
 ## Grafana Dashboard
 A pre-configured Grafana dashboard is available in the codebase for visualizing these metrics. The dashboard provides comprehensive views of both profile processing and webhook performance metrics.

docs/getting_started/metrics.zh_CN.md

@@ -15,8 +15,7 @@ vArmor 目前支持可观测性指标，本文档描述了可用的指标、配
 2. 安装启用了指标系统的 vArmor
    ```bash
    helm install varmor varmor/varmor \
-     --set metrics.enable=true \
-     --set metrics.serviceMonitorEnabled=true
+     --set metrics.enable=true
    ```
 
 3. 导入 Grafana 仪表板：
@@ -26,19 +25,10 @@ vArmor 目前支持可观测性指标，本文档描述了可用的指标、配
     - 选择合适的 Prometheus 数据源
     - 点击导入完成
 
-## 启用指标系统
-要启用指标系统，需要：
-1. 在配置文件中将 `metrics.enable` 设置为 `true`
-2. 如需创建 Prometheus ServiceMonitor，将 `metrics.serviceMonitorEnabled` 设置为 `true`
-
-启用后，指标将在 Manager 的 8081 端口的 `/metric` 端点上暴露。
-
 ## 可用指标
 
 ### 配置文件处理指标
 这些指标用于跟踪由 Agent 处理的 ArmorProfile 对象的状态和性能。所有配置文件处理指标包含以下标签：
-- `namespace`：配置文件所在的命名空间
-- `profile_name`：配置文件名称
 - `node_name`：节点名称
 
 | 指标名称 | 类型 | 描述 |
@@ -60,11 +50,9 @@ vArmor 目前支持可观测性指标，本文档描述了可用的指标、配
 #### Webhook 延迟指标
 `varmor_webhook_latency` 指标是一个直方图，用于测量 webhook 处理延迟，包含 0.1、0.5、1、2 和 5 秒的区间。
 此指标包含以下标签：
-- `request_uid`：请求 UID
 - `request_kind`：工作负载类型
-- `request_namespace`：工作负载的命名空间
-- `request_name`：工作负载的名称
-- `request_operation`：工作负载是否被 Manager 变更
+- `request_operation`：请求操作类型
+- `request_mutated`：工作负载是否被 Manager 变更
 
 ## Grafana 仪表板
 代码库中提供了一个预配置的 Grafana 仪表板，用于可视化这些指标。该仪表板提供了配置文件处理和 webhook 性能指标的全面视图。

docs/guides/performance/README.md

@@ -21,7 +21,7 @@ vArmor user-space components use the resource quotas as shown in the table below
 
 | Manager CPU | Manager Memory | Agent CPU   | Agent Memory |
 |:-----------:|:--------------:|:-----------:|:------------:|
-| 200m / 100m | 300Mi / 200Mi  | 200m / 100m | 100Mi / 40Mi (The BPF enforcer is disabled)<br />200Mi /100Mi (The BPF enforcer is enabled) |
+| 500m / 100m | 300Mi / 200Mi  | 1 / 100m    | 100Mi / 40Mi (The BPF enforcer is disabled)<br />200Mi /100Mi (The BPF enforcer is enabled) |
 
 Explanation:
 

internal/config/config.go

@@ -218,7 +218,7 @@ func getAgentReadinessPort() int {
 			return port
 		}
 	}
-	return 6080
+	return 9580
 }
 
 func getClassifierServicePort() int {

manifests/varmor/templates/deployments/manager.yaml

@@ -149,3 +149,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.manager.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}

manifests/varmor/templates/monitor/manager-service-monitor.yaml

@@ -1,4 +1,5 @@
-{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitorEnabled }}
+{{- if .Values.metrics.enabled }}
+{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -18,4 +19,11 @@ spec:
     path: /metrics
     interval: 15s
     scrapeTimeout: 14s
+    metricRelabelings:
+    - action: keep
+      regex: 'varmor_.*'
+      sourceLabels: [__name__]
+    - action: labeldrop
+      regex: instance|service|container|endpoint
+{{- end }}
 {{- end }}

manifests/varmor/values.yaml

@@ -11,8 +11,6 @@ fullnameOverride: ""
 
 metrics:
   enabled: false
-  serviceMonitorEnabled: false
-#  syncMetricsSecond: 10
 
 restartExistWorkloads:
   enabled: true
@@ -154,11 +152,11 @@ manager:
 
   resources:
     limits:
-      cpu: 200m
-      memory: 300Mi
+      cpu: "500m"
+      memory: "300Mi"
     requests:
-      cpu: 100m
-      memory: 200Mi
+      cpu: "100m"
+      memory: "200Mi"
 
   autoscaling:
     enabled: false
@@ -173,6 +171,20 @@ manager:
 
   tolerations: []
 
+  topologySpreadConstraints:
+  - labelSelector:
+      matchLabels:
+        app.kubernetes.io/component: varmor-manager
+    maxSkew: 1
+    topologyKey: kubernetes.io/hostname
+    whenUnsatisfiable: ScheduleAnyway
+  - labelSelector:
+      matchLabels:
+        app.kubernetes.io/component: varmor-manager
+    maxSkew: 1
+    topologyKey: topology.kubernetes.io/zone
+    whenUnsatisfiable: ScheduleAnyway
+
 
 agent:
   name: agent
@@ -210,7 +222,7 @@ agent:
   network:
     hostNetwork: false
     dnsPolicy: ClusterFirstWithHostNet
-    readinessPort: 6080
+    readinessPort: 9580
 
   args: []
 
@@ -231,22 +243,22 @@ agent:
       name: apparmor-dir
     resources:
       limits:
-        cpu: 200m
-        memory: 100Mi
+        cpu: "1"
+        memory: "100Mi"
       requests:
-        cpu: 100m
-        memory: 40Mi
+        cpu: "100m"
+        memory: "40Mi"
 
   bpfLsmEnforcer:
     args:
     - --enableBpfEnforcer
     resources:
       limits:
-        cpu: 200m
-        memory: 200Mi
+        cpu: "1"
+        memory: "200Mi"
       requests:
-        cpu: 100m
-        memory: 100Mi
+        cpu: "100m"
+        memory: "100Mi"
 
   unloadAllAaProfiles:
     args:
@@ -269,11 +281,11 @@ agent:
       name: auditdata
     resources:
       limits:
-        cpu: 2
-        memory: 2Gi
+        cpu: "2"
+        memory: "2Gi"
       requests:
-        cpu: 500m
-        memory: 500Mi
+        cpu: "500m"
+        memory: "500Mi"
 
   bpfRelated:
     volumeMounts:
@@ -347,17 +359,13 @@ classifier:
   network:
     servicePort: 5000
 
-  resources: {}
-    # We usually recommend not to specify default resources and to leave this as a conscious
-    # choice for the user. This also increases chances charts run on environments with little
-    # resources, such as Minikube. If you do want to specify resources, uncomment the following
-    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-    # limits:
-    #   cpu: 100m
-    #   memory: 128Mi
-    # requests:
-    #   cpu: 100m
-    #   memory: 128Mi
+  resources: 
+    limits:
+      cpu: "2"
+      memory: "2Gi"
+    requests:
+      cpu: "500m"
+      memory: "500Mi"
 
   autoscaling:
     enabled: false

website/docs/getting_started/installation.md

@@ -77,11 +77,7 @@ You can enable metrics to monitor the operation of vArmor. All metrics are expos
 --set metrics.enabled=true
 ```
 
-You can use the following command to create a `ServiceMonitor` object in the namespace where vArmor is installed. Default: disabled.
-
-```bash
---set metrics.serviceMonitorEnabled=true
-```
+If the `monitoring.coreos.com/v1` API is available in the cluster, vArmor will automatically create a `ServiceMonitor` object during deployment for integration with Prometheus.
 
 #### Set the Log Output Format to JSON
 The default format of agent and manager is TEXT. You can use the following command to set it to JSON.
@@ -127,7 +123,7 @@ The feature extends network access control to restrict container access to speci
 The feature is currently only supported by the BPF enforcer and requires Kubernetes v1.21 or higher.
 
 #### Run Agent in HostNetwork Mode
-The agent runs in its own network namespace and exposes the readinessProbe on port `6080` by default. If you want to run it in the host's network namespace, you can use following options.
+The agent runs in its own network namespace and exposes the readinessProbe on port `9580` by default. If you want to run it in the host's network namespace, you can use following options.
 
 ```bash
 --set agent.network.hostNetwork=true \