add notes around fimwatcher, getting-started

docs/docs/examples/index.html

@@ -14,9 +14,9 @@
 <meta property="og:description" content="Lorem ipsum dolor sit amet, consectetur adipiscing elit." />
 <meta property="og:site_name" content="fim-k8s" />
 <meta property="og:type" content="article" />
-<meta property="article:published_time" content="2018-10-12T14:01:45-04:00" />
+<meta property="article:published_time" content="2018-10-13T16:11:49-04:00" />
 <script type="application/ld+json">
-{"description":"Lorem ipsum dolor sit amet, consectetur adipiscing elit.","dateModified":"2018-10-12T14:01:45-04:00","datePublished":"2018-10-12T14:01:45-04:00","headline":"Examples and Best Practices","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/examples/"},"@type":"BlogPosting","url":"/fim-k8s/docs/examples/","@context":"http://schema.org"}</script>
+{"description":"Lorem ipsum dolor sit amet, consectetur adipiscing elit.","dateModified":"2018-10-13T16:11:49-04:00","datePublished":"2018-10-13T16:11:49-04:00","headline":"Examples and Best Practices","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/examples/"},"@type":"BlogPosting","url":"/fim-k8s/docs/examples/","@context":"http://schema.org"}</script>
 <!-- End Jekyll SEO tag -->
 
   <meta property="og:image" content=""/>

docs/docs/fimwatcher/index.html

@@ -14,9 +14,9 @@
 <meta property="og:description" content="Once you have fim-k8s installed on your cluster, you are ready to start setting up watchers for your deployments. All possible configurations of the how, and what, of setting up a FimWatcher on your deployments are described below." />
 <meta property="og:site_name" content="fim-k8s" />
 <meta property="og:type" content="article" />
-<meta property="article:published_time" content="2018-10-12T14:01:45-04:00" />
+<meta property="article:published_time" content="2018-10-13T16:11:49-04:00" />
 <script type="application/ld+json">
-{"description":"Once you have fim-k8s installed on your cluster, you are ready to start setting up watchers for your deployments. All possible configurations of the how, and what, of setting up a FimWatcher on your deployments are described below.","dateModified":"2018-10-12T14:01:45-04:00","datePublished":"2018-10-12T14:01:45-04:00","headline":"Defining a FimWatcher","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/fimwatcher/"},"@type":"BlogPosting","url":"/fim-k8s/docs/fimwatcher/","@context":"http://schema.org"}</script>
+{"description":"Once you have fim-k8s installed on your cluster, you are ready to start setting up watchers for your deployments. All possible configurations of the how, and what, of setting up a FimWatcher on your deployments are described below.","dateModified":"2018-10-13T16:11:49-04:00","datePublished":"2018-10-13T16:11:49-04:00","headline":"Defining a FimWatcher","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/fimwatcher/"},"@type":"BlogPosting","url":"/fim-k8s/docs/fimwatcher/","@context":"http://schema.org"}</script>
 <!-- End Jekyll SEO tag -->
 
   <meta property="og:image" content=""/>
@@ -139,6 +139,7 @@ <h4 class="no_toc" id="topics">Topics</h4>
 <ul id="markdown-toc">
   <li><a href="#required-definition" id="markdown-toc-required-definition">Required definition</a>    <ul>
       <li><a href="#list-of-all-possible-events" id="markdown-toc-list-of-all-possible-events">List of all possible <code class="highlighter-rouge">events</code></a></li>
+      <li><a href="#limitations" id="markdown-toc-limitations">Limitations</a></li>
     </ul>
   </li>
   <li><a href="#recursively-watching-a-directory" id="markdown-toc-recursively-watching-a-directory">Recursively watching a directory</a></li>
@@ -154,12 +155,15 @@ <h4 class="no_toc" id="topics">Topics</h4>
 <h2 id="required-definition">Required definition</h2>
 
 <p>At a bare minimum, the fields you need to provide are the <code class="highlighter-rouge">selector</code>, which
-works just like any other label selector in Kubernetes; the <code class="highlighter-rouge">subjects</code> array
-allows you to define any number of path/event combination to watch.</p>
-
-<p>For example, you have an important path that should never receive any kind
-of modification events. You can set a subject as the example below, in order
-to receive any notification when a <code class="highlighter-rouge">modify</code> inode event happens at that path
+works just like any other label selector in Kubernetes. <code class="highlighter-rouge">matchLabels</code> and
+<code class="highlighter-rouge">matchExpressions</code> are both supported, as described in the <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels">labels and
+selectors</a>
+documentation. The <code class="highlighter-rouge">subjects</code> array allows you to define any number of path and
+event combination to watch.</p>
+
+<p>For example, you have an important path that should never receive any kind of
+modification events. You can set a subject as the example below, in order to
+receive any notification when a <code class="highlighter-rouge">modify</code> inode event happens at that path
 location. This includes any change to the path itself, as well as children
 inside the path.</p>
 
@@ -201,6 +205,16 @@ <h4 id="list-of-all-possible-events">List of all possible <code class="highlight
   <li><code class="highlighter-rouge">all</code> — includes all events listed above</li>
 </ul>
 
+<h4 id="limitations">Limitations</h4>
+
+<ul>
+  <li>If watching a directory that is symlinked, you will need to watch the
+<strong>source</strong> directory, not the destination. A symlink is a special kind of
+file and does not behave exactly like an actual directory. In the case of
+watching the destination, you would only receive events on that file but not
+on any events on any child objects under it.</li>
+</ul>
+
 <h2 id="recursively-watching-a-directory">Recursively watching a directory</h2>
 
 <p>If you’re familiar with <code class="highlighter-rouge">inotify</code> you’d know it only works on a specified path
@@ -236,9 +250,10 @@ <h2 id="recursively-watching-a-directory-with-a-maximum-depth">Recursively watch
 
 <h2 id="ignoring-specific-paths">Ignoring specific paths</h2>
 
-<p>Also in addition to the recursive watch option, if there are specific paths you
-wish to ignore, such as a cache folder, a SCM folder like <code class="highlighter-rouge">.git</code>, or other
-logical cases, an <code class="highlighter-rouge">ignore</code> array similar to the <code class="highlighter-rouge">paths</code> array can be provided.</p>
+<p>In addition to the recursive watch option, if there are specific paths you wish
+to ignore, such as a cache or SCM folder, an <code class="highlighter-rouge">ignore</code> array similar to <code class="highlighter-rouge">paths</code>
+can be provided. Currently, these ignored paths are a simple direct comparison,
+not a glob or regex check.</p>
 
 <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>  <span class="na">subjects</span><span class="pi">:</span>
   <span class="pi">-</span> <span class="na">events</span><span class="pi">:</span>
@@ -247,6 +262,7 @@ <h2 id="ignoring-specific-paths">Ignoring specific paths</h2>
     <span class="pi">-</span> <span class="s">/path/to/watch</span>
     <span class="na">ignore</span><span class="pi">:</span>
     <span class="pi">-</span> <span class="s">.cache</span>
+    <span class="pi">-</span> <span class="s">.git</span>
     <span class="na">recursive</span><span class="pi">:</span> <span class="no">true</span>
 </code></pre></div></div>
 

docs/docs/getting-started/index.html

@@ -14,9 +14,9 @@
 <meta property="og:description" content="fim-k8s works by configuring a custom Kubernetes resource that defines paths and events that you want to be notified about for your current deployments. This custom resource, in conjunction with a cluster controller running and listening for lifecycle events, is responsible for maintaining a source of truth between the state of the cluster and the daemons listening for filesystem events on each node." />
 <meta property="og:site_name" content="fim-k8s" />
 <meta property="og:type" content="article" />
-<meta property="article:published_time" content="2018-10-12T14:01:45-04:00" />
+<meta property="article:published_time" content="2018-10-13T16:11:49-04:00" />
 <script type="application/ld+json">
-{"description":"fim-k8s works by configuring a custom Kubernetes resource that defines paths and events that you want to be notified about for your current deployments. This custom resource, in conjunction with a cluster controller running and listening for lifecycle events, is responsible for maintaining a source of truth between the state of the cluster and the daemons listening for filesystem events on each node.","dateModified":"2018-10-12T14:01:45-04:00","datePublished":"2018-10-12T14:01:45-04:00","headline":"Getting Started","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/getting-started/"},"@type":"BlogPosting","url":"/fim-k8s/docs/getting-started/","@context":"http://schema.org"}</script>
+{"description":"fim-k8s works by configuring a custom Kubernetes resource that defines paths and events that you want to be notified about for your current deployments. This custom resource, in conjunction with a cluster controller running and listening for lifecycle events, is responsible for maintaining a source of truth between the state of the cluster and the daemons listening for filesystem events on each node.","dateModified":"2018-10-13T16:11:49-04:00","datePublished":"2018-10-13T16:11:49-04:00","headline":"Getting Started","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/getting-started/"},"@type":"BlogPosting","url":"/fim-k8s/docs/getting-started/","@context":"http://schema.org"}</script>
 <!-- End Jekyll SEO tag -->
 
   <meta property="og:image" content=""/>
@@ -130,19 +130,20 @@ <h1 class="uk-article-title">Getting Started</h1>
                     <p class="subtitle uk-text-lead uk-text-muted">Installing fim-k8s in your Kubernetes cluster</p>
 
                     <div class="article-content">
-                        <p><strong>fim-k8s</strong> works by configuring a custom Kubernetes resource that defines paths
-and events that you want to be notified about for your current deployments.
-This custom resource, in conjunction with a cluster controller running and
-listening for lifecycle events, is responsible for maintaining a source of truth
-between the state of the cluster and the daemons listening for filesystem events
-on each node.</p>
+                        <p><strong>fim-k8s</strong> works by configuring a custom Kubernetes resource that defines
+paths and events that you want to be notified about for your current
+deployments. This custom resource, in conjunction with a cluster controller
+running and listening for lifecycle events, is responsible for maintaining a
+source of truth between the state of the cluster and the daemons listening for
+filesystem events on each node.</p>
 
 <h2 id="quickstart">Quickstart</h2>
 
 <p>In order to properly run these components, a Kubernetes cluster running v1.9 or
 above is required. Depending on your environment, there may be additional
-requirements to run both the daemon as a privileged container and the controller
-with an appropriate level of access to receive cluster events.</p>
+requirements to run both the daemon as a privileged container and the
+controller with an appropriate level of access to receive cluster events. A
+multi-tenancy environment will likely not allow for this kind of entitlement.</p>
 
 <p>We provide multiple paths of configuration for both vanilla Kubernetes and
 OpenShift, which has additional security measures in place.</p>
@@ -160,8 +161,8 @@ <h2 id="quickstart">Quickstart</h2>
 <ul class="uk-switcher uk-margin">
 
 	<li>
-<p>To deploy <strong>fim-k8s</strong> on a vanilla Kubernetes environment, simply run an <code class="highlighter-rouge">apply</code>
-on the following hosted configuration:</p>
+<p>To deploy <strong>fim-k8s</strong> on a vanilla Kubernetes environment, simply run an
+<code class="highlighter-rouge">apply</code> on the following hosted configuration:</p>
 
 <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl apply <span class="nt">-f</span> <span class="se">\</span>
   https://raw.githubusercontent.com/clustergarage/fim-k8s/master/configs/fim-k8s.yaml
@@ -190,8 +191,8 @@ <h2 id="quickstart">Quickstart</h2>
 </li>
 
 	<li>
-<p>To install using a Helm chart, we provide a couple ways to do this. The simplest
-being an archive file included in each release:</p>
+<p>To install using a Helm chart, we provide a couple ways to do this. The
+simplest being an archive file included in each release:</p>
 
 <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>helm install <span class="se">\</span>
   https://github.com/clustergarage/fim-k8s/releases/download/v0.1.0/fim-k8s-0.1.0.tgz
@@ -213,18 +214,21 @@ <h2 id="quickstart">Quickstart</h2>
 </ul>
 
 <p>Under the <strong>fim</strong> namespace is a <code class="highlighter-rouge">ServiceAccount</code> used to run all items of
-fim-k8s; this service account will also get a <code class="highlighter-rouge">ClusterRoleBinding</code> with settings
-that allow the controller and daemon to be run with their required privileges.</p>
+fim-k8s; this service account will also get a <code class="highlighter-rouge">ClusterRoleBinding</code> with
+settings that allow the controller and daemon to be run with their required
+privileges.</p>
 
 <p>A <code class="highlighter-rouge">CustomResourceDefinition</code> is included to define a custom <strong>FimWatcher</strong>
-type housing the pod selector, paths, events, and optional flags for the watcher.</p>
+type housing the pod selector, paths, events, and optional flags for the
+watcher.</p>
 
 <p>Finally, the <strong>fimcontroller</strong> <code class="highlighter-rouge">Deployment</code> and <strong>fimd</strong> <code class="highlighter-rouge">DaemonSet</code> are the
 core of the product. There is a headless <code class="highlighter-rouge">Service</code> used to communicate between
 the controller and all instances of the daemons.</p>
 
 <blockquote>
-  <p>You can verify that it installed properly by inspecting <code class="highlighter-rouge">kubectl -n fim get all</code></p>
+  <p>You can verify that it installed properly by inspecting <code class="highlighter-rouge">kubectl -n fim get
+all</code></p>
 </blockquote>
 
 <p>All pods should eventually converge into <code class="highlighter-rouge">Running</code> state. The daemon pods in

docs/docs/monitoring/index.html

@@ -14,9 +14,9 @@
 <meta property="og:description" content="Lorem ipsum dolor sit amet, consectetur adipiscing elit." />
 <meta property="og:site_name" content="fim-k8s" />
 <meta property="og:type" content="article" />
-<meta property="article:published_time" content="2018-10-12T14:01:45-04:00" />
+<meta property="article:published_time" content="2018-10-13T16:11:49-04:00" />
 <script type="application/ld+json">
-{"description":"Lorem ipsum dolor sit amet, consectetur adipiscing elit.","dateModified":"2018-10-12T14:01:45-04:00","datePublished":"2018-10-12T14:01:45-04:00","headline":"Monitoring Watches","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/monitoring/"},"@type":"BlogPosting","url":"/fim-k8s/docs/monitoring/","@context":"http://schema.org"}</script>
+{"description":"Lorem ipsum dolor sit amet, consectetur adipiscing elit.","dateModified":"2018-10-13T16:11:49-04:00","datePublished":"2018-10-13T16:11:49-04:00","headline":"Monitoring Watches","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/monitoring/"},"@type":"BlogPosting","url":"/fim-k8s/docs/monitoring/","@context":"http://schema.org"}</script>
 <!-- End Jekyll SEO tag -->
 
   <meta property="og:image" content=""/>

docs/docs/overview/index.html

@@ -14,9 +14,9 @@
 <meta property="og:description" content="fim-k8s is a set of custom Kubernetes resources that facilitates filesystem event monitoring on specified paths. It provides a rich set of configurations to run alongside your existing Kubernetes deployments to make it easy to denote audit-ready file integrity monitoring." />
 <meta property="og:site_name" content="fim-k8s" />
 <meta property="og:type" content="article" />
-<meta property="article:published_time" content="2018-10-12T14:01:45-04:00" />
+<meta property="article:published_time" content="2018-10-13T16:11:49-04:00" />
 <script type="application/ld+json">
-{"description":"fim-k8s is a set of custom Kubernetes resources that facilitates filesystem event monitoring on specified paths. It provides a rich set of configurations to run alongside your existing Kubernetes deployments to make it easy to denote audit-ready file integrity monitoring.","dateModified":"2018-10-12T14:01:45-04:00","datePublished":"2018-10-12T14:01:45-04:00","headline":"Overview","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/overview/"},"@type":"BlogPosting","url":"/fim-k8s/docs/overview/","@context":"http://schema.org"}</script>
+{"description":"fim-k8s is a set of custom Kubernetes resources that facilitates filesystem event monitoring on specified paths. It provides a rich set of configurations to run alongside your existing Kubernetes deployments to make it easy to denote audit-ready file integrity monitoring.","dateModified":"2018-10-13T16:11:49-04:00","datePublished":"2018-10-13T16:11:49-04:00","headline":"Overview","mainEntityOfPage":{"@type":"WebPage","@id":"/fim-k8s/docs/overview/"},"@type":"BlogPosting","url":"/fim-k8s/docs/overview/","@context":"http://schema.org"}</script>
 <!-- End Jekyll SEO tag -->
 
   <meta property="og:image" content=""/>
@@ -144,12 +144,12 @@ <h1 class="uk-article-title">Overview</h1>
 when certain filesystem events happen on the desired paths inside the pod.</p>
 
 <blockquote>
-  <p>It will be up to you to store, monitor, and alert on these logged events using
-your favorite tools of choice.</p>
+  <p>It will be up to you to store, monitor, and alert on these logged events
+using your favorite tools of choice.</p>
 </blockquote>
 
-<p>We will provide some common patterns using sets of popular tools further in this
-documentation.</p>
+<p>We will provide some common patterns using sets of popular tools further in
+this documentation.</p>
 
 <h2 id="architecture">Architecture</h2>
 

docs/feed.xml

@@ -1 +1 @@
-<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.7.4">Jekyll</generator><link href="/fim-k8s/feed.xml" rel="self" type="application/atom+xml" /><link href="/fim-k8s/" rel="alternate" type="text/html" /><updated>2018-10-12T14:01:45-04:00</updated><id>/fim-k8s/</id><title type="html">fim-k8s</title><subtitle>File Integrity Monitoring for Kubernetes</subtitle></feed>
+<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.7.4">Jekyll</generator><link href="/fim-k8s/feed.xml" rel="self" type="application/atom+xml" /><link href="/fim-k8s/" rel="alternate" type="text/html" /><updated>2018-10-13T16:11:49-04:00</updated><id>/fim-k8s/</id><title type="html">fim-k8s</title><subtitle>File Integrity Monitoring for Kubernetes</subtitle></feed>