Fix scheduling of system-probe related checks in the core agent and missing permissions for network policies

Makefile

@@ -21,7 +21,7 @@ endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 
 # Image URL to use all building/pushing image targets
-IMG ?= datadog/datadog-operator:latest
+IMG ?= datadog/operator:latest
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))

config/manager/kustomization.yaml

@@ -2,7 +2,7 @@ resources:
 - manager.yaml
 images:
 - name: controller
-  newName: datadog/datadog-operator
+  newName: datadog/operator
   newTag: latest
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

config/rbac/role.yaml

@@ -210,6 +210,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - '*'
 - apiGroups:
   - policy
   resources:

controllers/datadogagent/agent_test.go

@@ -825,6 +825,20 @@ func defaultPodSpec() corev1.PodSpec {
 }
 
 func defaultSystemProbePodSpec() corev1.PodSpec {
+	agentWithSystemProbeVolumeMounts := []corev1.VolumeMount{}
+	agentWithSystemProbeVolumeMounts = append(agentWithSystemProbeVolumeMounts, defaultMountVolume()...)
+	agentWithSystemProbeVolumeMounts = append(agentWithSystemProbeVolumeMounts, []corev1.VolumeMount{
+		{
+			Name:      "sysprobe-socket-dir",
+			ReadOnly:  true,
+			MountPath: "/opt/datadog-agent/run",
+		},
+		{
+			Name:      "system-probe-config",
+			MountPath: "/etc/datadog-agent/system-probe.yaml",
+			SubPath:   "system-probe.yaml",
+		},
+	}...)
 	return corev1.PodSpec{
 		ServiceAccountName: "foo-agent",
 		InitContainers: []corev1.Container{
@@ -850,7 +864,7 @@ func defaultSystemProbePodSpec() corev1.PodSpec {
 				Command:         []string{"bash", "-c"},
 				Args:            []string{"for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done"},
 				Env:             defaultEnvVars(),
-				VolumeMounts:    defaultMountVolume(),
+				VolumeMounts:    agentWithSystemProbeVolumeMounts,
 			},
 			{
 				Name:            "seccomp-setup",
@@ -888,7 +902,7 @@ func defaultSystemProbePodSpec() corev1.PodSpec {
 					},
 				},
 				Env:            defaultEnvVars(),
-				VolumeMounts:   defaultMountVolume(),
+				VolumeMounts:   agentWithSystemProbeVolumeMounts,
 				LivenessProbe:  defaultLivenessProbe(),
 				ReadinessProbe: defaultReadinessProbe(),
 			},
@@ -1976,6 +1990,7 @@ func Test_newExtendedDaemonSetFromInstance_endpointsChecksConfig(t *testing.T) {
 
 	test.Run(t)
 }
+
 func extendedDaemonSetWithSystemProbe(ddaHash string, podSpec corev1.PodSpec) *edsdatadoghqv1alpha1.ExtendedDaemonSet {
 	return &edsdatadoghqv1alpha1.ExtendedDaemonSet{
 		ObjectMeta: metav1.ObjectMeta{

controllers/datadogagent/utils.go

@@ -1153,6 +1153,23 @@ func getVolumeMountsForAgent(spec *datadoghqv1alpha1.DatadogAgentSpec) []corev1.
 			},
 		}...)
 	}
+
+	// SystemProbe volumes
+	if datadoghqv1alpha1.BoolValue(spec.Agent.SystemProbe.Enabled) {
+		volumeMounts = append(volumeMounts, []corev1.VolumeMount{
+			{
+				Name:      datadoghqv1alpha1.SystemProbeSocketVolumeName,
+				MountPath: datadoghqv1alpha1.SystemProbeSocketVolumePath,
+				ReadOnly:  true,
+			},
+			{
+				Name:      datadoghqv1alpha1.SystemProbeConfigVolumeName,
+				MountPath: datadoghqv1alpha1.SystemProbeConfigVolumePath,
+				SubPath:   datadoghqv1alpha1.SystemProbeConfigVolumeSubPath,
+			},
+		}...)
+	}
+
 	return append(volumeMounts, spec.Agent.Config.VolumeMounts...)
 }
 

controllers/datadogagent_controller.go

@@ -93,6 +93,7 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=*
 // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=*
 // +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=*
+// +kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=*
 
 // Reconcile loop for DatadogAgent
 func (r *DatadogAgentReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {