Add SecurityContextConstraints (#622)

* Add scc
DataDog · Oct 7, 2022 · c27f7d2 · c27f7d2
1 parent 91fee1e
commit c27f7d2
Show file tree

Hide file tree

Showing 21 changed files with 1,159 additions and 36 deletions.
diff --git a/apis/datadoghq/v2alpha1/datadogagent_types.go b/apis/datadoghq/v2alpha1/datadogagent_types.go
@@ -6,6 +6,7 @@
 package v2alpha1
 
 import (
+	securityv1 "github.com/openshift/api/security/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -788,6 +789,10 @@ type DatadogAgentComponentOverride struct {
 	// +listMapKey=name
 	Volumes []corev1.Volume `json:"volumes,omitempty"`
 
+	// Configure the SecurityContextConstraints for each component.
+	// +optional
+	SecurityContextConstraints *SecurityContextConstraintsConfig `json:"securityContextConstraints,omitempty"`
+
 	// Pod-level SecurityContext.
 	// +optional
 	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
@@ -844,6 +849,19 @@ type DatadogAgentComponentOverride struct {
 	Disabled *bool `json:"disabled,omitempty"`
 }
 
+// SecurityContextConstraintsConfig provides SecurityContextConstraints configurations for the components.
+// +k8s:openapi-gen=true
+type SecurityContextConstraintsConfig struct {
+	// Create defines whether to create a SecurityContextConstraints for the current component.
+	// If CustomConfiguration is not set, setting Create to `true` will create a default SCC.
+	// +optional
+	Create *bool `json:"create,omitempty"`
+
+	// CustomConfiguration defines a custom SCC configuration to use if Create is `true`.
+	// +optional
+	CustomConfiguration *securityv1.SecurityContextConstraints `json:"customConfiguration,omitempty"`
+}
+
 // DatadogAgentGenericContainer is the generic structure describing any container's common configuration.
 // +k8s:openapi-gen=true
 type DatadogAgentGenericContainer struct {

diff --git a/apis/datadoghq/v2alpha1/utils.go b/apis/datadoghq/v2alpha1/utils.go
@@ -105,3 +105,11 @@ func IsNetworkPolicyEnabled(dda *DatadogAgent) (bool, NetworkPolicyFlavor) {
 	}
 	return false, ""
 }
+
+// ShouldCreateSCC returns whether a scc should be created for a component
+func ShouldCreateSCC(dda *DatadogAgent, componentName ComponentName) bool {
+	if dda.Spec.Override[componentName] != nil && dda.Spec.Override[componentName].SecurityContextConstraints != nil {
+		return apiutils.BoolValue(dda.Spec.Override[componentName].SecurityContextConstraints.Create)
+	}
+	return false
+}
diff --git a/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go b/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go
diff --git a/apis/datadoghq/v2alpha1/zz_generated.openapi.go b/apis/datadoghq/v2alpha1/zz_generated.openapi.go