[CWS] fix system-probe auth_token (#695)

DataDog · Feb 2, 2023 · 934f32a · 934f32a
1 parent cffabf1
commit 934f32a
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 4 deletions.
diff --git a/controllers/datadogagent/agent_test.go b/controllers/datadogagent/agent_test.go
@@ -882,6 +882,10 @@ func defaultEnvVars(extraEnv map[string]string) []corev1.EnvVar {
 			Name:      "DD_API_KEY",
 			ValueFrom: apiKeyValue(),
 		},
+		{
+			Name:  apicommon.DDAuthTokenFilePath,
+			Value: "/etc/datadog-agent/auth/token",
+		},
 	}
 
 	if ddSite := createEnvFromExtra(extraEnv, "DD_SITE"); ddSite != nil {
@@ -936,6 +940,10 @@ func defaultAPMContainerEnvVars() []corev1.EnvVar {
 			Name:  "DD_DOGSTATSD_SOCKET",
 			Value: "/var/run/datadog/statsd/statsd.sock",
 		},
+		{
+			Name:  apicommon.DDAuthTokenFilePath,
+			Value: "/etc/datadog-agent/auth/token",
+		},
 	}
 }
 
@@ -1001,6 +1009,10 @@ func defaultSystemProbeEnvVars() []corev1.EnvVar {
 			Name:  apicommon.DDSystemProbeOOMKillEnabled,
 			Value: "false",
 		},
+		{
+			Name:  apicommon.DDAuthTokenFilePath,
+			Value: "/etc/datadog-agent/auth/token",
+		},
 	}
 }
 
@@ -1071,6 +1083,10 @@ func securityAgentEnvVars(compliance, runtime bool, policiesdir bool, extraEnv m
 			Name:      "DD_API_KEY",
 			ValueFrom: apiKeyValue(),
 		},
+		{
+			Name:  apicommon.DDAuthTokenFilePath,
+			Value: "/etc/datadog-agent/auth/token",
+		},
 	}...)
 
 	if ddSite := createEnvFromExtra(extraEnv, "DD_SITE"); ddSite != nil {
@@ -1583,6 +1599,10 @@ func defaultOrchestratorEnvVars(dda *datadoghqv1alpha1.DatadogAgent) []corev1.En
 			Name:      "DD_API_KEY",
 			ValueFrom: apiKeyValue(),
 		},
+		{
+			Name:  apicommon.DDAuthTokenFilePath,
+			Value: "/etc/datadog-agent/auth/token",
+		},
 	}
 	orchestratorEnvs, _ := orchestrator.EnvVars(&explorerConfig)
 	newVars = append(newVars, orchestratorEnvs...)
@@ -1940,6 +1960,10 @@ func customKubeletConfigPodSpec(kubeletConfig *commonv1.KubeletConfig) corev1.Po
 			Name:      "DD_API_KEY",
 			ValueFrom: apiKeyValue(),
 		},
+		{
+			Name:  apicommon.DDAuthTokenFilePath,
+			Value: "/etc/datadog-agent/auth/token",
+		},
 		{
 			Name:      "DD_CLUSTER_AGENT_AUTH_TOKEN",
 			ValueFrom: authTokenValue(),

diff --git a/controllers/datadogagent/component/agent/default.go b/controllers/datadogagent/component/agent/default.go
@@ -72,6 +72,7 @@ func DefaultCapabilitiesForSystemProbe() []corev1.Capability {
 		"NET_RAW",
 		"IPC_LOCK",
 		"CHOWN",
+		"DAC_READ_SEARCH",
 	}
 }
 

diff --git a/controllers/datadogagent/utils.go b/controllers/datadogagent/utils.go
@@ -680,10 +680,6 @@ func getEnvVarsForSystemProbe(dda *datadoghqv1alpha1.DatadogAgent) ([]corev1.Env
 				Name:  apicommon.DDRuntimeSecurityConfigPoliciesDir,
 				Value: apicommon.SecurityAgentRuntimePoliciesDirVolumePath,
 			},
-			corev1.EnvVar{
-				Name:  apicommon.DDAuthTokenFilePath,
-				Value: filepath.Join(apicommon.AuthVolumePath, "token"),
-			},
 		)
 	}
 
@@ -701,6 +697,10 @@ func getEnvVarsCommon(dda *datadoghqv1alpha1.DatadogAgent, needAPIKey bool) ([]c
 			Name:  apicommon.KubernetesEnvVar,
 			Value: "yes",
 		},
+		{
+			Name:  apicommon.DDAuthTokenFilePath,
+			Value: filepath.Join(apicommon.AuthVolumePath, "token"),
+		},
 	}
 
 	envVars = append(envVars, getKubeletEnvVars(dda)...)