Merge pull request #46 from DataDog/vboulineau/security-context
Change `securityContext` variable name to allow setting the PSP/SCC seLinux `type` or `rule`
vboulineau authored Sep 24, 2020
2 parents 0bd9b10 + 3d3f725 commit 9491bfd
Showing 9 changed files with 50 additions and 10 deletions.
4 changes: 4 additions & 0 deletions charts/datadog/CHANGELOG.md
@@ -1,5 +1,9 @@
# Datadog changelog

## 2.4.21

* Change `securityContext` variable name to `seLinuxContext` allow setting the PSP/SCC seLinux `type` or `rule`. Backward compatible.

## 2.4.20

* Add NetworkPolicy ingress rules for dogstatsd and APM
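Review bot: the new changelog line is missing "to" before "allow" and never names the key being renamed, so an operator grepping a values file will not find it; suggest `* Rename `agents.podSecurity.securityContext` to `agents.podSecurity.seLinuxContext` to allow setting the PSP/SCC seLinux `type` or `rule`. The old key is still honoured but deprecated.`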
2 changes: 1 addition & 1 deletion charts/datadog/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: datadog
version: 2.4.20
version: 2.4.21
appVersion: "7"
description: Datadog Agent
keywords:
6 changes: 3 additions & 3 deletions charts/datadog/README.md
@@ -364,7 +364,7 @@ helm install --name <RELEASE_NAME> \
| `datadog.systemProbe.enableTCPQueueLength` | Enable the TCP queue length eBPF-based check | `false` |
| `datadog.systemProbe.enableOOMKill` | Enable the OOM kill eBPF-based check | `false` |
| `datadog.orchestratorExplorer.enabled` | Enable the Orchestrator Explorer data collection | `false` |
| `datadog.orchestratorExplorer.container_scrubbing.enabled` | Enable the scrubbing of containers in the kubernetes resource YAML for sensitive information | `true` |
| `datadog.orchestratorExplorer.container_scrubbing.enabled` | Enable the scrubbing of containers in the kubernetes resource YAML for sensitive information | `true` |
| `datadog.securityAgent.compliance.enabled` | Enable compliance checks in the security agent | `false` |
| `datadog.securityAgent.compliance.checkInterval` | Compliance check interval | `20m` |
| `datadog.securityAgent.compliance.configMap` | Optional ConfigMap with compliance checks | `""` |
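Review bot: the `datadog.orchestratorExplorer.container_scrubbing.enabled` row is removed and re-added with identical text (the same happens to the `clusterAgent.metricsProvider.aggregator` row in the later README hunk), so these are whitespace-only realignments; either drop them from this PR or say so in the commit message so the diff is not mistaken for a documentation change.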
@@ -417,7 +417,7 @@ helm install --name <RELEASE_NAME> \
| `agents.podSecurity.podSecurityPolicy.create` | If true, create a PodSecurityPolicy resource for the Agent's Pods. Supported only for Linux agent's daemonset. | `False` |
| `agents.podSecurity.securityContextConstraints.create` | If true, create a SecurityContextConstraints resource for the Agent's Pods. Supported only for Linux agent's daemonset. | `False` |
| `agents.networkPolicy.create` | If true, create a NetworkPolicy for the agents | `false` |
| `datadog.podSecurity.securityContext` | Allows you to overwrite the default securityContext applied to the container | default security context configuration |
| `agents.podSecurity.seLinuxContext` | Allows you to overwrite the seLinux context in PSP/SCC | default security context configuration |
| `agents.podSecurity.privileged` | If true, allowed privileged containers | `False` |
| `agents.podSecurity.capabilites` | list of allowed capabilities | `[SYS_ADMIN, SYS_RESOURCE, SYS_ADMIN, IPC_LOCK]` |
| `agents.podSecurity.volumes` | list of allowed volumes types | `[configMap,downwardAPI,emptyDir,ostPath,secret]` |
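Review bot: the removed row documented the old key as `datadog.podSecurity.securityContext`, but the templates in this PR read `agents.podSecurity.securityContext`, and the hunk drops the old key from the README altogether even though the chart still accepts it. Keep a row for `agents.podSecurity.securityContext` marked deprecated, and make the default column for `agents.podSecurity.seLinuxContext` state the real default (`rule: MustRunAs` plus the `seLinuxOptions` block from values.yaml) instead of "default security context configuration". Two pre-existing typos sit in the unchanged context lines and are cheap to fix while here: `capabilites` and `ostPath` (and `SYS_ADMIN` is listed twice in the capabilities default).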
@@ -444,7 +444,7 @@ helm install --name <RELEASE_NAME> \
| `clusterAgent.metricsProvider.wpaController` | Allows metricsProvider to work with WatermarkPodAutoscaler (requires WPA CRD) | `false` |
| `clusterAgent.metricsProvider.useDatadogMetrics` | Enable usage of DatadogMetric CRD to autoscale on arbitrary Datadog queries (requires DatadogMetric CRD) | `false` |
| `clusterAgent.metricsProvider.createReaderRbac` | Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent) | `true` |
| `clusterAgent.metricsProvider.aggregator` | Define the metric aggregator Cluster Agent will use to integrate with HPA | `avg` |
| `clusterAgent.metricsProvider.aggregator` | Define the metric aggregator Cluster Agent will use to integrate with HPA | `avg` |
| `clusterAgent.env` | Additional Datadog environment variables for the cluster-agent | `nil` |
| `clusterAgent.confd` | Additional check configurations (static and Autodiscovery) | `nil` |
| `clusterAgent.podAnnotations` | Annotations to add to the Cluster Agent Pod(s) | `nil` |
11 changes: 11 additions & 0 deletions charts/datadog/templates/NOTES.txt
@@ -82,3 +82,14 @@ This version of the chart does not support deploying Agent 5.x.
If you cannot upgrade to Agent 6.x or later, you can use a previous version
of the chart by calling helm install with `--version 0.18.0`.
{{- end }}

{{- if .Values.agents.podSecurity.securityContext }}

#################################################################
#### WARNING: Deprecation notice ####
#################################################################

You are using the datadog.podSecurity.securityContext parameter, which has been renamed datadog.podSecurity.seLinuxContext.
This version still supports datadog.podSecurity.securityContext, but it will be removed in the next major version of our Helm chart.
More information about this change: https://github.com/DataDog/helm-charts/pull/46
{{- end }}
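Review bot: the deprecation text names `datadog.podSecurity.securityContext` and `datadog.podSecurity.seLinuxContext`, but the guard two lines above tests `.Values.agents.podSecurity.securityContext`, and values.yaml places the key under `agents: podSecurity:`; as written the notice points users at keys that do not exist. Change both mentions to `agents.podSecurity.securityContext` and `agents.podSecurity.seLinuxContext`.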
4 changes: 4 additions & 0 deletions charts/datadog/templates/agent-psp.yaml
@@ -34,8 +34,12 @@ spec:
runAsUser:
rule: RunAsAny
seLinux:
{{- if .Values.agents.podSecurity.securityContext }}
rule: MustRunAs
{{ toYaml .Values.agents.podSecurity.securityContext | indent 4 }}
{{- else if .Values.agents.podSecurity.seLinuxContext }}
{{ toYaml .Values.agents.podSecurity.seLinuxContext | indent 4 }}
{{- end }}
supplementalGroups:
rule: RunAsAny
{{- end }}
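Review bot: with both branches conditional, `seLinux:` is rendered empty when neither `agents.podSecurity.securityContext` nor `agents.podSecurity.seLinuxContext` is set (for example a user who nulls the value to opt out), and a PodSecurityPolicy `seLinux` block without a `rule` is rejected by the API server. Add an `{{- else }}` that emits `rule: RunAsAny`, or document the key as genuinely required and fail the render with `required`. In the deprecated branch, `toYaml .Values.agents.podSecurity.securityContext` is dumped wholesale under `seLinux`; the README described that object as a container securityContext, so any extra keys a user placed there land in the PSP as unknown fields. Emitting only its `seLinuxOptions` would keep the compatibility path tight.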
6 changes: 5 additions & 1 deletion charts/datadog/templates/agent-scc.yaml
@@ -24,8 +24,12 @@ volumes:
# Use the `spc_t` selinux type to access the
# docker/cri socket + proc and cgroup stats
seLinuxContext:
type: MustRunAs
{{- if .Values.agents.podSecurity.securityContext }}
rule: MustRunAs
{{ toYaml .Values.agents.podSecurity.securityContext | indent 2 }}
{{- else if .Values.agents.podSecurity.seLinuxContext }}
{{ toYaml .Values.agents.podSecurity.seLinuxContext | replace "rule:" "type:" | indent 2 }}
{{- end }}
# system-probe requires some specific seccomp and capabilities
seccompProfiles:
{{ toYaml .Values.agents.podSecurity.seccompProfiles | indent 2 }}
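Review bot: the deprecated branch writes `rule: MustRunAs` under `seLinuxContext`, but an SCC uses `type:` (the removed `type: MustRunAs` line and the `replace "rule:" "type:"` in the other branch both show this), so anyone still setting `agents.podSecurity.securityContext` now gets an SCC with an unknown `rule` field. Emit `type: MustRunAs` there. Separately, `replace "rule:" "type:"` runs over the whole rendered blob and will also rewrite any nested value that happens to contain `rule:`; selecting the field explicitly, `type: {{ .Values.agents.podSecurity.seLinuxContext.rule }}` followed by `toYaml` of `seLinuxOptions`, avoids the blind text substitution. The `spc_t` comment above the block now describes a default that lives in values.yaml and should point there.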
10 changes: 9 additions & 1 deletion charts/datadog/templates/daemonset.yaml
@@ -48,10 +48,18 @@ spec:
securityContext:
{{ toYaml .Values.datadog.securityContext| indent 8 }}
{{- else if or .Values.agents.podSecurity.podSecurityPolicy.create .Values.agents.podSecurity.securityContextConstraints.create -}}
{{- if and (.Values.agents.podSecurity.securityContext) .Values.agents.podSecurity.securityContext.seLinuxOptions }}
{{- if .Values.agents.podSecurity.securityContext }}
{{- if .Values.agents.podSecurity.securityContext.seLinuxOptions }}
securityContext:
seLinuxOptions:
{{ toYaml .Values.agents.podSecurity.securityContext.seLinuxOptions | indent 10 }}
{{- end }}
{{- else if .Values.agents.podSecurity.seLinuxContext }}
{{- if .Values.agents.podSecurity.seLinuxContext.seLinuxOptions }}
securityContext:
seLinuxOptions:
{{ toYaml .Values.agents.podSecurity.seLinuxContext.seLinuxOptions | indent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.agents.useHostNetwork }}
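Review bot: the two new branches are identical apart from the key they read, so the nested `if`s can be collapsed by resolving the object once and keeping the "old key wins" precedence in one place, e.g. `{{- $ctx := .Values.agents.podSecurity.securityContext | default .Values.agents.podSecurity.seLinuxContext }}` followed by a single `{{- if and $ctx $ctx.seLinuxOptions }}` around the `securityContext:` / `seLinuxOptions:` lines. The unchanged context line `toYaml .Values.datadog.securityContext| indent 8` is missing a space before the pipe; harmless to Go templates but worth tidying in passing.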
8 changes: 8 additions & 0 deletions charts/datadog/templates/rbac.yaml
@@ -91,6 +91,14 @@ rules:
- use
resourceNames:
- {{ template "datadog.fullname" . }}
- apiGroups:
- "security.openshift.io"
resources:
- securitycontextconstraints
verbs:
- use
resourceNames:
- {{ template "datadog.fullname" . }}
---
apiVersion: {{ template "rbac.apiVersion" . }}
kind: ClusterRoleBinding
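Review bot: the new `use` rule on `securitycontextconstraints` in `security.openshift.io` has no guard of its own in the hunk; unless the enclosing block is already conditioned on `.Values.agents.podSecurity.securityContextConstraints.create`, wrap it in that `if` so the grant only exists when the chart actually created the SCC and non-OpenShift installs do not carry a rule for an API group they do not have. Scoping `resourceNames` to the chart's own SCC via `datadog.fullname` is the right least-privilege shape and should stay.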
9 changes: 5 additions & 4 deletions charts/datadog/values.yaml
@@ -782,7 +782,7 @@ agents:
serviceAccountName: default

## @param podSecurity - object - optional
## Provide Daemonset PodSecurityPolicy configuration
## Provide Daemonset security configuration through PSP / SCC
podSecurity:

## @param podSecurityPolicy - object - required
@@ -803,10 +803,11 @@ agents:
#
create: false

## @param securityContext - object - required
## Provide securityContext configuration
## @param seLinuxContext - object - required
## Provide seLinuxContext configuration for PSP/SCC
#
securityContext:
seLinuxContext:
rule: MustRunAs
seLinuxOptions:
user: system_u
role: system_r
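Review bot: `## @param seLinuxContext - object - required` disagrees with the templates, which guard on `if .Values.agents.podSecurity.seLinuxContext` and so treat it as optional; either mark it optional here or drop the guards and fail the render when it is absent. The deprecated `securityContext` key should also remain documented in this block (commented out, pointing at `seLinuxContext`) so a user who still sets it understands why it is honoured. Since `rule:` is rendered verbatim into the PSP but rewritten to `type:` for the SCC, the comment should state that the value is written in PSP form and translated for OpenShift.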