Skip to content

Commit

Permalink
Merge pull request #44 from DataDog/lenaic/network_policy
Browse files Browse the repository at this point in the history 
Add NetworkPolicy
  • Loading branch information
@L3n41c
L3n41c authored Sep 21, 2020
2 parents 3ca0702 + 2cec74a commit 953b7d3
Show file tree
Hide file tree
Showing 8 changed files with 173 additions and 1 deletion.
13 changes: 13 additions & 0 deletions charts/datadog/CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,18 @@
# Datadog changelog

## 2.4.19

* Add NetworkPolicy
Add the following parameters to control the creation of NetworkPolicy:
* `agents.networkPolicy.create`
* `clusterAgent.networkPolicy.create`
* `clusterChecksRunner.networkPolicy.create`
The NetworkPolicy managed by the Helm chart are designed to work out-of-the-box on most setups.
In particular, the agents need to connect to the datadog intakes. NetworkPolicy can be restricted
by IP but the datadog intake IP cannot be guaranteed to be stable.
The agents are also susceptible to connect to any pod, on any port, depending on the "auto-discovery" annotations
that can be dynamically added to them.

## 2.4.18

* Fix `config` volume not being mounted in clusterChecksRunner pods.
Expand Down
2 changes: 1 addition & 1 deletion charts/datadog/Chart.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
apiVersion: v1
name: datadog
version: 2.4.18
version: 2.4.19
appVersion: "7"
description: Datadog Agent
keywords:
Expand Down
3 changes: 3 additions & 0 deletions charts/datadog/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -416,6 +416,7 @@ helm install --name <RELEASE_NAME> \
| `agents.volumeMounts` | Additional volumeMounts for the daemonset or deployment | `nil` |
| `agents.podSecurity.podSecurityPolicy.create` | If true, create a PodSecurityPolicy resource for the Agent's Pods. Supported only for Linux agent's daemonset. | `False` |
| `agents.podSecurity.securityContextConstraints.create` | If true, create a SecurityContextConstraints resource for the Agent's Pods. Supported only for Linux agent's daemonset. | `False` |
| `agents.networkPolicy.create` | If true, create a NetworkPolicy for the agents | `false` |
| `datadog.podSecurity.securityContext` | Allows you to overwrite the default securityContext applied to the container | default security context configuration |
| `agents.podSecurity.privileged` | If true, allowed privileged containers | `False` |
| `agents.podSecurity.capabilites` | list of allowed capabilities | `[SYS_ADMIN, SYS_RESOURCE, SYS_ADMIN, IPC_LOCK]` |
Expand Down Expand Up @@ -465,6 +466,7 @@ helm install --name <RELEASE_NAME> \
| `clusterAgent.dnsConfig` | If set, configure dnsConfig options in datadog cluster agent containers | `nil` |
| `clusterAgent.volumes` | Additional volumes for the cluster-agent deployment | `nil` |
| `clusterAgent.volumeMounts` | Additional volumeMounts for the cluster-agent deployment | `nil` |
| `clusterAgent.networkPolicy.create` | If true, create a NetworkPolicy for the cluster agent | `false` |
| `clusterChecksRunner.enabled` | Enable Datadog agent deployment dedicated for running Cluster Checks. It allows having different resources (Request/Limit) for Cluster Checks agent pods. | `false` |
| `clusterChecksRunner.env` | Additional Datadog environment variables for Cluster Checks Deployment | `nil` |
| `clusterChecksRunner.createPodDisruptionBudget` | Enable a pod disruption budget to apply to the Cluster Checks pods | `false` |
Expand All @@ -485,6 +487,7 @@ helm install --name <RELEASE_NAME> \
| `clusterChecksRunner.volumes` | Additional volumes for the Cluster Checks deployment | `nil` |
| `clusterChecksRunner.volumeMounts` | Additional volumeMounts for the Cluster Checks deployment | `nil` |
| `clusterChecksRunner.dnsConfig` | If set, configure dnsConfig options in datadog cluster agent clusterChecks containers | `nil` |
| `clusterChecksRunner.networkPolicy.create` | If true, create a NetworkPolicy for the cluster check runners | `false` |
| `kube-state-metrics.rbac.create` | If true, create & use RBAC resources for kube-state-metrics | `true` |
| `kube-state-metrics.serviceAccount.create` | If true, create & use serviceAccount | `true` |
| `kube-state-metrics.serviceAccount.name` | If not set & create is true, use template fullname | |
Expand Down
17 changes: 17 additions & 0 deletions charts/datadog/ci/network-policy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
datadog:
apiKey: "00000000000000000000000000000000"
appKey: "0000000000000000000000000000000000000000"
agents:
enabled: true
networkPolicy:
create: true
clusterAgent:
enabled: true
metricsProvider:
enabled: true
networkPolicy:
create: true
clusterChecksRunner:
enabled: true
networkPolicy:
create: true
43 changes: 43 additions & 0 deletions charts/datadog/templates/agent-clusterchecks-network-policy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
{{- if $.Values.clusterChecksRunner.networkPolicy.create -}}
apiVersion: "networking.k8s.io/v1"
kind: NetworkPolicy
metadata:
name: {{ template "datadog.fullname" . }}-clusterchecks
labels:
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
app.kubernetes.io/name: "{{ template "datadog.fullname" . }}"
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
spec:
podSelector:
matchLabels:
app: {{ template "datadog.fullname" . }}-clusterchecks
policyTypes:
- Ingress
- Egress
egress:
- # Egress to
# * Datadog intake
# * Kube API server
ports:
- port: 443
{{- if .Values.clusterAgent.enabled }}
- # Egress to cluster agent
ports:
- port: 5005
to:
- podSelector:
matchLabels:
app: {{ template "datadog.fullname" . }}-cluster-agent
{{- end }}
# The cluster check runners are susceptible to connect to any service
# that would be annotated with auto-discovery annotations.
#
# When a user wants to add a check on one of its service, he needs to
# * annotate its service
# * add an ingress policy from the CLC on its own pod
# In order to not ask end-users to inject NetworkPolicy on the agent in
# the agent namespace, the agent must be allowed to probe any service.
- {} # Egress to anything for service checks
{{- end }}
34 changes: 34 additions & 0 deletions charts/datadog/templates/agent-network-policy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
{{- if $.Values.agents.networkPolicy.create -}}
apiVersion: "networking.k8s.io/v1"
kind: NetworkPolicy
metadata:
name: {{ template "datadog.fullname" . }}
labels:
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
app.kubernetes.io/name: "{{ template "datadog.fullname" . }}"
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
spec:
podSelector:
matchLabels:
app: {{ template "datadog.fullname" . }}
policyTypes:
- Ingress
- Egress
egress:
- # Egress to
# * Datadog intake
# * Kube API server
ports:
- port: 443
# The agents are susceptible to connect to any pod
# that would be annotated with auto-discovery annotations.
#
# When a user wants to add a check on one of its pod, he needs to
# * annotate its pod
# * add an ingress policy from the agent on its own pod
# In order to not ask end-users to inject NetworkPolicy on the agent in
# the agent namespace, the agent must be allowed to probe any pod.
- {} # Egress to anything for checks
{{- end }}
40 changes: 40 additions & 0 deletions charts/datadog/templates/cluster-agent-network-policy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{{- if $.Values.clusterAgent.networkPolicy.create -}}
apiVersion: "networking.k8s.io/v1"
kind: NetworkPolicy
metadata:
name: {{ template "datadog.fullname" . }}-cluster-agent
labels:
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
app.kubernetes.io/name: "{{ template "datadog.fullname" . }}"
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
spec:
podSelector:
matchLabels:
app: {{ template "datadog.fullname" . }}-cluster-agent
policyTypes:
- Ingress
- Egress
ingress:
{{- if $.Values.clusterChecksRunner.enabled }}
- # Ingress from cluster checks runner
ports:
- port: 5005
from:
- podSelector:
matchLabels:
app: {{ template "datadog.fullname" . }}-clusterchecks
{{- end }}
{{- if .Values.clusterAgent.metricsProvider.enabled }}
- # Ingress from API server for external metrics
ports:
- port: {{ template "clusterAgent.metricsProvider.port" . }}
{{- end }}
egress:
- # Egress to
# * Datadog intake
# * Kube API server
ports:
- port: 443
{{- end}}
22 changes: 22 additions & 0 deletions charts/datadog/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -711,6 +711,13 @@ clusterAgent:
#
createPodDisruptionBudget: false

## @param networkPolicy - string - required
## Provide Cluster Agent Network Policy configuration
networkPolicy:
## @param create - boolean - required
## If true, create a NetworkPolicy for the cluster agent
create: false

agents:
## @param enabled - boolean - required
## You should keep Datadog DaemonSet enabled!
Expand Down Expand Up @@ -1140,6 +1147,14 @@ agents:
#
# # agent version >= 6.15
# # jmx_use_container_support: true

## @param networkPolicy - string - required
## Provide Agent Network Policy configuration
networkPolicy:
## @param create - boolean - required
## If true, create a NetworkPolicy for the agents
create: false

clusterChecksRunner:
## @param enabled - boolean - required
## If true, deploys agent dedicated for running the Cluster Checks instead of running in the Daemonset's agents.
Expand Down Expand Up @@ -1319,6 +1334,13 @@ clusterChecksRunner:
# mountPath: <CONTAINER_PATH>
# readOnly: true

## @param networkPolicy - string - required
## Provide Cluster Checks Runners Network Policy configuration
networkPolicy:
## @param create - boolean - required
## If true, create a NetworkPolicy for the cluster checks runners
create: false

kube-state-metrics:
rbac:
## @param created - boolean - required
Expand Down

0 comments on commit 953b7d3

Please sign in to comment.