From f7708a9068e30dddd3c7219f94c6a47b7feaa18c Mon Sep 17 00:00:00 2001
From: Vincent Boulineau
Date: Wed, 4 Nov 2020 17:22:36 +0100
Subject: [PATCH 1/2] Fix scheduling of system-probe related checks in the core agent and missing permissions for network policies
---
 Makefile | 2 +-
 config/manager/kustomization.yaml | 2 +-
 config/rbac/role.yaml | 6 ++++++
 controllers/datadogagent/agent_test.go | 19 +++++++++++++++++--
 controllers/datadogagent/utils.go | 17 +++++++++++++++++
 controllers/datadogagent_controller.go | 1 +
 6 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 09052a303..9ad2c5db8 100644
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,7 @@ endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 
 # Image URL to use all building/pushing image targets
-IMG ?= datadog/datadog-operator:latest
+IMG ?= datadog/operator:latest
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 41f3a27dd..3785071a4 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -2,7 +2,7 @@ resources:
 - manager.yaml
 images:
 - name: controller
- newName: datadog/datadog-operator
+ newName: datadog/operator
 newTag: latest
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 3f2f0a70e..897139a09 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -210,6 +210,12 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - '*'
 - apiGroups:
 - policy
 resources:
diff --git a/controllers/datadogagent/agent_test.go b/controllers/datadogagent/agent_test.go
index 70d8e41c1..349d5d2dc 100644
--- a/controllers/datadogagent/agent_test.go
+++ b/controllers/datadogagent/agent_test.go
@@ -825,6 +825,20 @@ func defaultPodSpec() corev1.PodSpec {
 }
 
 func defaultSystemProbePodSpec() corev1.PodSpec {
+ agentWithSystemProbeVolumeMounts := []corev1.VolumeMount{}
+ agentWithSystemProbeVolumeMounts = append(agentWithSystemProbeVolumeMounts, defaultMountVolume()...)
+ agentWithSystemProbeVolumeMounts = append(agentWithSystemProbeVolumeMounts, []corev1.VolumeMount{
+ {
+ Name: "sysprobe-socket-dir",
+ ReadOnly: true,
+ MountPath: "/opt/datadog-agent/run",
+ },
+ {
+ Name: "system-probe-config",
+ MountPath: "/etc/datadog-agent/system-probe.yaml",
+ SubPath: "system-probe.yaml",
+ },
+ }...)
 return corev1.PodSpec{
 ServiceAccountName: "foo-agent",
 InitContainers: []corev1.Container{
@@ -850,7 +864,7 @@ func defaultSystemProbePodSpec() corev1.PodSpec {
 Command: []string{"bash", "-c"},
 Args: []string{"for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done"},
 Env: defaultEnvVars(),
- VolumeMounts: defaultMountVolume(),
+ VolumeMounts: agentWithSystemProbeVolumeMounts,
 },
 {
 Name: "seccomp-setup",
@@ -888,7 +902,7 @@ func defaultSystemProbePodSpec() corev1.PodSpec {
 },
 },
 Env: defaultEnvVars(),
- VolumeMounts: defaultMountVolume(),
+ VolumeMounts: agentWithSystemProbeVolumeMounts,
 LivenessProbe: defaultLivenessProbe(),
 ReadinessProbe: defaultReadinessProbe(),
 },
@@ -1976,6 +1990,7 @@ func Test_newExtendedDaemonSetFromInstance_endpointsChecksConfig(t *testing.T) {
 
 test.Run(t)
 }
+
 func extendedDaemonSetWithSystemProbe(ddaHash string, podSpec corev1.PodSpec) *edsdatadoghqv1alpha1.ExtendedDaemonSet {
 return &edsdatadoghqv1alpha1.ExtendedDaemonSet{
 ObjectMeta: metav1.ObjectMeta{
diff --git a/controllers/datadogagent/utils.go b/controllers/datadogagent/utils.go
index e0864298c..946d574f3 100644
--- a/controllers/datadogagent/utils.go
+++ b/controllers/datadogagent/utils.go
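Review bot: In `defaultSystemProbePodSpec`, `agentWithSystemProbeVolumeMounts` is built from an empty literal plus two `append` calls where one statement would do, since `append` already takes a variadic element list: `agentWithSystemProbeVolumeMounts := append(defaultMountVolume(), corev1.VolumeMount{Name: "sysprobe-socket-dir", ReadOnly: true, MountPath: "/opt/datadog-agent/run"}, corev1.VolumeMount{Name: "system-probe-config", MountPath: "/etc/datadog-agent/system-probe.yaml", SubPath: "system-probe.yaml"})`. That shortcut is only safe if `defaultMountVolume()` returns a fresh slice on each call, which this hunk does not show; if it hands out a shared fixture, appending into it in place would alias the default mounts across tests, and the current copy-into-empty-slice form is the right one, so a one-line comment saying that is the reason would help. The @@ -850 and @@ -888 hunks only switch the two containers' `VolumeMounts` to the new variable.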
@@ -1153,6 +1153,23 @@ func getVolumeMountsForAgent(spec *datadoghqv1alpha1.DatadogAgentSpec) []corev1.
 },
 }...)
 }
+
+ // SystemProbe volumes
+ if datadoghqv1alpha1.BoolValue(spec.Agent.SystemProbe.Enabled) {
+ volumeMounts = append(volumeMounts, []corev1.VolumeMount{
+ {
+ Name: datadoghqv1alpha1.SystemProbeSocketVolumeName,
+ MountPath: datadoghqv1alpha1.SystemProbeSocketVolumePath,
+ ReadOnly: true,
+ },
+ {
+ Name: datadoghqv1alpha1.SystemProbeConfigVolumeName,
+ MountPath: datadoghqv1alpha1.SystemProbeConfigVolumePath,
+ SubPath: datadoghqv1alpha1.SystemProbeConfigVolumeSubPath,
+ },
+ }...)
+ }
+
 return append(volumeMounts, spec.Agent.Config.VolumeMounts...)
 }
 
diff --git a/controllers/datadogagent_controller.go b/controllers/datadogagent_controller.go
index 04dafef0c..d08e7cf53 100644
--- a/controllers/datadogagent_controller.go
+++ b/controllers/datadogagent_controller.go
@@ -93,6 +93,7 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=*
 // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=*
 // +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=*
+// +kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=*
 
 // Reconcile loop for DatadogAgent
 func (r *DatadogAgentReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
From 848935a162ba78b1d51fc57297857a60ca5e6e6c Mon Sep 17 00:00:00 2001
From: Vincent Boulineau
Date: Wed, 4 Nov 2020 19:36:57 +0100
Subject: [PATCH 2/2] Fix event collection RBAC following introduction of `Spec.ClusterAgent.Config.CollectEvents`
---
 controllers/datadogagent/clusteragent.go | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/controllers/datadogagent/clusteragent.go b/controllers/datadogagent/clusteragent.go
index 59518d807..de0955800 100644
--- a/controllers/datadogagent/clusteragent.go
+++ b/controllers/datadogagent/clusteragent.go
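Review bot: The new branch in `getVolumeMountsForAgent` reads `spec.Agent.SystemProbe.Enabled` without checking that the `SystemProbe` sub-spec is set; `BoolValue` only tolerates a nil `Enabled`, so if `SystemProbe` is a pointer field (the removed `dda.Spec.Agent != nil` guard in clusteragent.go shows this API does use pointer sub-specs) an agent spec with no systemProbe section would panic here. If it is a value type filled in by defaulting, a short comment saying so would spare the next reader the same question. The `// SystemProbe volumes` comment could also say why the core agent gets these mounts, e.g. `// SystemProbe volumes: give the core agent the system-probe socket and config so it can run the system-probe backed checks`, which is presumably the fix the commit subject describes. getVolumeMountsForAgent starts before this hunk.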
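Review bot: The new RBAC marker grants `verbs=*` on `networkpolicies`, which also covers `deletecollection` and `patch`; if the reconciler only creates, reads, updates and deletes the NetworkPolicy objects it owns, enumerating those keeps the operator's ClusterRole closer to least privilege: `// +kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete`. The wildcard does match the neighbouring `deployments`, `daemonsets` and `poddisruptionbudgets` markers, so this follows an existing convention rather than introducing a new one, and the `config/rbac/role.yaml` entry in this patch is the generated output of the same marker, so only the marker needs changing. Which verbs the reconciler actually issues against NetworkPolicies is not visible in this hunk.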
@@ -938,7 +938,7 @@ func buildAgentClusterRole(dda *datadoghqv1alpha1.DatadogAgent, name, version st
 // getDefaultClusterAgentPolicyRules returns the default policy rules for the Cluster Agent
 // Can be used by the Agent if the Cluster Agent is disabled
 func getDefaultClusterAgentPolicyRules() []rbacv1.PolicyRule {
- return []rbacv1.PolicyRule{
+ return append([]rbacv1.PolicyRule{
 {
 APIGroups: []string{datadoghqv1alpha1.CoreAPIGroup},
 Resources: []string{
@@ -964,7 +964,7 @@ func getDefaultClusterAgentPolicyRules() []rbacv1.PolicyRule {
 NonResourceURLs: []string{datadoghqv1alpha1.VersionURL, datadoghqv1alpha1.HealthzURL},
 Verbs: []string{datadoghqv1alpha1.GetVerb},
 },
- }
+ }, getLeaderElectionPolicyRule()...)
 }
 
 // buildClusterRoleBinding creates a ClusterRoleBinding object
@@ -1016,14 +1016,8 @@ func buildClusterAgentClusterRole(dda *datadoghqv1alpha1.DatadogAgent, name, age
 Verbs: []string{datadoghqv1alpha1.GetVerb},
 })
 
- if dda.Spec.Agent != nil {
- if datadoghqv1alpha1.BoolValue(dda.Spec.Agent.Config.CollectEvents) {
- rbacRules = append(rbacRules, getEventCollectionPolicyRule())
- }
-
- if datadoghqv1alpha1.BoolValue(dda.Spec.Agent.Config.LeaderElection) {
- rbacRules = append(rbacRules, getLeaderElectionPolicyRule()...)
- }
+ if datadoghqv1alpha1.BoolValue(dda.Spec.ClusterAgent.Config.CollectEvents) {
+ rbacRules = append(rbacRules, getEventCollectionPolicyRule())
 }
 
 if dda.Spec.ClusterAgent.Config.ExternalMetrics != nil && dda.Spec.ClusterAgent.Config.ExternalMetrics.Enabled {
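Review bot: `getDefaultClusterAgentPolicyRules` now appends `getLeaderElectionPolicyRule()` unconditionally, so the Cluster Agent ClusterRole (and, per the function's own doc comment, the Agent's when the Cluster Agent is disabled) always carries the leader-election rules, whereas the block removed in the @@ -1016 hunk only granted them when `dda.Spec.Agent.Config.LeaderElection` was true; the commit subject mentions only event collection, so it is worth stating whether this widening is intended. If the Cluster Agent always runs leader election, that is fine and the doc comment should record it, e.g. `// The leader election rules are always included because the Cluster Agent always runs leader election`; otherwise the grant should stay conditional on the relevant ClusterAgent config field, since it presumably permits writes to the lock object. The switch to `dda.Spec.ClusterAgent.Config.CollectEvents` in the @@ -1016 hunk is consistent with the surrounding `ExternalMetrics` access, which already dereferences `ClusterAgent.Config` without a nil check. buildClusterAgentClusterRole starts and ends outside that hunk.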