Merge pull request #83 from icelynjennings/ddcontainersecurity
Add options to set pod and container securityContext
vboulineau authored Nov 4, 2020
2 parents b65e153 + 6c5f204 commit 67b9149
Showing 8 changed files with 45 additions and 4 deletions.
2 changes: 1 addition & 1 deletion charts/datadog/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: datadog
version: 2.4.34
version: 2.4.35
appVersion: "7"
description: Datadog Agent
keywords:
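Review bot: the chart version bump to 2.4.35 is not accompanied by a CHANGELOG entry in the list of 8 changed files (Chart.yaml, README.md, five templates and values.yaml); if the chart keeps a CHANGELOG, add a line describing the new pod- and container-level `securityContext` values and the reworded `datadog.securityContext` description so users can find out what changed in this release.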
9 changes: 7 additions & 2 deletions charts/datadog/README.md
@@ -1,6 +1,6 @@
# Datadog

![Version: 2.4.34](https://img.shields.io/badge/Version-2.4.34-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
![Version: 2.4.35](https://img.shields.io/badge/Version-2.4.35-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)

[Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/kubernetes/charts/tree/master/stable/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).

@@ -316,10 +316,12 @@ helm install --name <RELEASE_NAME> \
| agents.containers.agent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off |
| agents.containers.agent.readinessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent readiness probe settings |
| agents.containers.agent.resources | object | `{}` | Resource requests and limits for the agent container. |
| agents.containers.agent.securityContext | object | `{}` | Allows you to overwrite the default container SecurityContext for the agent container. |
| agents.containers.initContainers.resources | object | `{}` | Resource requests and limits for the init containers |
| agents.containers.processAgent.env | list | `[]` | Additional environment variables for the process-agent container |
| agents.containers.processAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off |
| agents.containers.processAgent.resources | object | `{}` | Resource requests and limits for the process-agent container |
| agents.containers.processAgent.securityContext | object | `{}` | Allows you to overwrite the default container SecurityContext for the process-agent container. |
| agents.containers.securityAgent.env | string | `nil` | Additional environment variables for the security-agent container |
| agents.containers.securityAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off |
| agents.containers.securityAgent.resources | object | `{}` | Resource requests and limits for the security-agent container |
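Review bot: the descriptions "Allows you to overwrite the default container SecurityContext for the agent container" and the matching process-agent row promise a default that does not exist: the templates only emit `securityContext:` when the value is non-empty, so with the shipped `{}` no container SecurityContext is rendered at all. Reword to "Set the container SecurityContext for the agent container (none is set by default)" so a reader hardening the DaemonSet does not assume the chart already applies one.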
@@ -330,6 +332,7 @@ helm install --name <RELEASE_NAME> \
| agents.containers.traceAgent.livenessProbe | object | Every 15s | Override default agent liveness probe settings |
| agents.containers.traceAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off |
| agents.containers.traceAgent.resources | object | `{}` | Resource requests and limits for the trace-agent container |
| agents.containers.traceAgent.securityContext | object | `{}` | Allows you to overwrite the default container SecurityContext for the trace-agent container. |
| agents.customAgentConfig | object | `{}` | Specify custom contents for the datadog agent config (datadog.yaml) |
| agents.dnsConfig | object | `{}` | specify dns configuration options for datadog cluster agent containers e.g ndots |
| agents.enabled | bool | `true` | You should keep Datadog DaemonSet enabled! |
@@ -393,6 +396,7 @@ helm install --name <RELEASE_NAME> \
| clusterAgent.readinessProbe | object | Every 15s / 6 KO / 1 OK | Override default Cluster Agent readiness probe settings |
| clusterAgent.replicas | int | `1` | Specify the of cluster agent replicas, if > 1 it allow the cluster agent to work in HA mode. |
| clusterAgent.resources | object | `{}` | Datadog cluster-agent resource requests and limits. |
| clusterAgent.securityContext | object | `{}` | Allows you to overwrite the default PodSecurityContext on the cluster-agent pods. |
| clusterAgent.strategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Allow the Cluster Agent deployment to perform a rolling update on helm update |
| clusterAgent.token | string | `""` | Cluster Agent token is a preshared key between node agents and cluster agent (autogenerated if empty, needs to be at least 32 characters a-zA-z) |
| clusterAgent.tokenExistingSecret | string | `""` | Existing secret name to use for Cluster Agent token |
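Review bot: the new `clusterAgent.securityContext` row says "PodSecurityContext on the cluster-agent pods" while the existing `datadog.securityContext` is documented further down as the PodSecurityContext "on the Daemonset or Deployment"; the table now offers two values for the same pod-level field on the cluster-agent Deployment without saying which one wins. State the precedence in both rows (for example "takes precedence over datadog.securityContext for the cluster-agent Deployment") so operators know which value to set.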
@@ -420,6 +424,7 @@ helm install --name <RELEASE_NAME> \
| clusterChecksRunner.readinessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent readiness probe settings |
| clusterChecksRunner.replicas | int | `2` | Number of Cluster Checks Runner instances |
| clusterChecksRunner.resources | object | `{}` | Datadog clusterchecks-agent resource requests and limits. |
| clusterChecksRunner.securityContext | object | `{}` | Allows you to overwrite the default PodSecurityContext on the clusterchecks pods. |
| clusterChecksRunner.strategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Allow the ClusterChecks deployment to perform a rolling update on helm update |
| clusterChecksRunner.tolerations | list | `[]` | Tolerations for pod assignment |
| clusterChecksRunner.volumeMounts | list | `[]` | Specify additional volumes to mount in the cluster checks container |
@@ -475,7 +480,7 @@ helm install --name <RELEASE_NAME> \
| datadog.securityAgent.runtime.enabled | bool | `false` | Set to true to enable the Security Runtime Module |
| datadog.securityAgent.runtime.policies.configMap | string | `nil` | Contains policies that will be used |
| datadog.securityAgent.runtime.syscallMonitor.enabled | bool | `false` | Set to true to enable the Syscall monitoring. |
| datadog.securityContext | object | `{}` | Allows you to overwrite the default securityContext applied to the container |
| datadog.securityContext | object | `{}` | Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment |
| datadog.site | string | `nil` | The site of the Datadog intake to send Agent data to |
| datadog.systemProbe.apparmor | string | `"unconfined"` | Specify a apparmor profile for system-probe |
| datadog.systemProbe.bpfDebug | bool | `false` | Enable logging for kernel debug |
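Review bot: changing the `datadog.securityContext` description from "securityContext applied to the container" to "PodSecurityContext on the Daemonset or Deployment" is either a documentation fix or a behaviour change, and the diff does not say which. If the value was previously rendered at container level, moving it to pod level silently changes where fields such as `seLinuxOptions` take effect for existing users and needs a call-out in the commit message and changelog; if it was always rendered at pod level, say so in the PR description so reviewers can confirm the old wording was simply wrong.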
4 changes: 4 additions & 0 deletions charts/datadog/templates/agent-clusterchecks-deployment.yaml
@@ -45,6 +45,10 @@ spec:
dnsConfig:
{{ toYaml .Values.clusterChecksRunner.dnsConfig | indent 8 }}
{{- end }}
{{- if .Values.clusterChecksRunner.securityContext }}
securityContext:
{{ toYaml .Values.clusterChecksRunner.securityContext | nindent 8 }}
{{- end }}
initContainers:
- name: init-volume
image: "{{ .Values.agents.image.repository }}:{{ .Values.agents.image.tag }}"
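Review bot: the new block uses `{{ toYaml .Values.clusterChecksRunner.securityContext | nindent 8 }}` on its own line directly under `securityContext:`, while the surrounding `dnsConfig` block uses `{{ toYaml ... | indent 8 }}`. Because `nindent` prepends a newline, the rendered manifest gets an empty line between `securityContext:` and its children; that is valid YAML but it is inconsistent with the rest of this template. Either use `indent 8` like the `dnsConfig` block or move the expression onto the key line with `{{- toYaml ... | nindent 8 }}`. The `{{- if ... }}` guard itself is correct: the default `{}` is an empty map, which Go templates treat as false, so nothing is emitted unless the user sets a value.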
4 changes: 4 additions & 0 deletions charts/datadog/templates/cluster-agent-deployment.yaml
@@ -83,6 +83,10 @@ spec:
dnsConfig:
{{ toYaml .Values.clusterAgent.dnsConfig | indent 8 }}
{{- end }}
{{- if .Values.clusterAgent.securityContext }}
securityContext:
{{ toYaml .Values.clusterAgent.securityContext | nindent 8 }}
{{- end }}
containers:
- name: cluster-agent
image: "{{ .Values.clusterAgent.image.repository }}:{{ .Values.clusterAgent.image.tag }}"
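Review bot: this emits `securityContext:` under `spec.template.spec` whenever `clusterAgent.securityContext` is set, but the README change in this same commit documents `datadog.securityContext` as the PodSecurityContext "on the Daemonset or Deployment". If this Deployment template also renders `datadog.securityContext` at pod level, setting both values produces two `securityContext` keys in one mapping, which YAML parsers reject or resolve by last-wins. Please confirm the template renders only one of them; a single guarded block such as `{{- with (.Values.clusterAgent.securityContext | default .Values.datadog.securityContext) }}` would make the precedence explicit and rule out the duplicate key.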
4 changes: 4 additions & 0 deletions charts/datadog/templates/container-agent.yaml
@@ -3,6 +3,10 @@
image: "{{ .Values.agents.image.repository }}:{{ .Values.agents.image.tag }}"
imagePullPolicy: {{ .Values.agents.image.pullPolicy }}
command: ["agent", "run"]
{{- if .Values.agents.containers.agent.securityContext }}
securityContext:
{{ toYaml .Values.agents.containers.agent.securityContext | nindent 4 }}
{{- end }}
resources:
{{ toYaml .Values.agents.containers.agent.resources | indent 4 }}
ports:
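Review bot: the container-level block is inserted between `command` and `resources` but nothing documents how it interacts with the pod-level `datadog.securityContext` on the same DaemonSet. Kubernetes applies container `securityContext` fields on top of the pod's, and for overlapping fields such as `runAsUser`, `runAsGroup` and `seLinuxOptions` the container value takes precedence; a one-line comment here (or in the values.yaml description) saying that `agents.containers.agent.securityContext` overrides the pod-level settings for this container would save users from setting `runAsUser` at pod level and wondering why the agent container ignores it.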
4 changes: 4 additions & 0 deletions charts/datadog/templates/container-process-agent.yaml
@@ -8,6 +8,10 @@
{{- if eq .Values.targetSystem "windows" }}
command: ["process-agent", "-foreground", "-config={{ template "datadog.confPath" . }}/datadog.yaml"]
{{- end }}
{{- if .Values.agents.containers.processAgent.securityContext }}
securityContext:
{{ toYaml .Values.agents.containers.processAgent.securityContext | nindent 4 }}
{{- end }}
resources:
{{ toYaml .Values.agents.containers.processAgent.resources | indent 4 }}
{{- if .Values.datadog.envFrom }}
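Review bot: the `securityContext` block sits directly after the `{{- if eq .Values.targetSystem "windows" }}` branch and is rendered for Windows nodes as well, yet most container SecurityContext fields (`capabilities`, `runAsUser`, `seLinuxOptions`, `seccompProfile`, `readOnlyRootFilesystem`) are Linux-only and only `windowsOptions`-style fields apply on Windows. Add a note to the `agents.containers.processAgent.securityContext` description that the value is passed through unchanged on both target systems and the user is responsible for supplying fields valid for their node OS, or guard the Linux-only fields the same way the `command` is guarded above.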
4 changes: 4 additions & 0 deletions charts/datadog/templates/container-trace-agent.yaml
@@ -8,6 +8,10 @@
{{- if eq .Values.targetSystem "windows" }}
command: ["trace-agent", "-foreground", "-config={{ template "datadog.confPath" . }}/datadog.yaml"]
{{- end }}
{{- if .Values.agents.containers.traceAgent.securityContext }}
securityContext:
{{ toYaml .Values.agents.containers.traceAgent.securityContext | nindent 4 }}
{{- end }}
resources:
{{ toYaml .Values.agents.containers.traceAgent.resources | indent 4 }}
ports:
18 changes: 17 additions & 1 deletion charts/datadog/values.yaml
@@ -29,7 +29,7 @@ datadog:
## If set, this parameter takes precedence over "appKey".
appKeyExistingSecret: # <DATADOG_APP_KEY_SECRET>

# datadog.securityContext -- Allows you to overwrite the default securityContext applied to the container
# datadog.securityContext -- Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment
securityContext: {}
# seLinuxOptions:
# user: "system_u"
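Review bot: "PodSecurityContext on the Daemonset or Deployment" is now ambiguous, because this same commit gives the cluster-agent and clusterchecks Deployments their own `securityContext` values. Since this comment is the source the README table is generated from, spell out which workloads still read `datadog.securityContext` (the agent DaemonSet only, or also the Deployments when their per-component value is empty) and whether a per-component value replaces it wholesale or is merged with it; the `seLinuxOptions` example below is fine at pod level and can stay.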
@@ -343,6 +343,9 @@ clusterAgent:
pullSecrets: []
# - name: "<REG_SECRET>"

# clusterAgent.securityContext -- Allows you to overwrite the default PodSecurityContext on the cluster-agent pods.
securityContext: {}

# clusterAgent.command -- Command to run in the Cluster Agent container as entrypoint
command: []

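Review bot: `clusterAgent.securityContext: {}` ships with no commented example, unlike `datadog.securityContext` further up, which shows a `seLinuxOptions` block. Since this is a pod-level context, a commented example of the fields people actually reach for here (`# runAsNonRoot: true`, `# runAsUser: <uid>`, `# fsGroup: <gid>`) would make the intended shape obvious without changing the default, and would show that pod-level keys such as `fsGroup` belong here rather than in the container-level values.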
@@ -651,6 +654,9 @@ agents:
successThreshold: 1
failureThreshold: 6

# agents.containers.agent.securityContext -- Allows you to overwrite the default container SecurityContext for the agent container.
securityContext: {}

processAgent:
# agents.containers.processAgent.env -- Additional environment variables for the process-agent container
env: []
@@ -667,6 +673,10 @@ agents:
# limits:
# cpu: 100m
# memory: 200Mi

# agents.containers.processAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the process-agent container.
securityContext: {}

traceAgent:
# agents.containers.traceAgent.env -- Additional environment variables for the trace-agent container
env:
@@ -690,6 +700,9 @@ agents:
periodSeconds: 15
timeoutSeconds: 5

# agents.containers.traceAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the trace-agent container.
securityContext: {}

systemProbe:
# agents.containers.systemProbe.env -- Additional environment variables for the system-probe container
env: []
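Review bot: the `systemProbe` container whose section begins immediately below, and the security-agent container documented in the README, get no `securityContext` value in this change even though the agent, process-agent and trace-agent containers do. system-probe is the one container that already carries a dedicated confinement setting (`datadog.systemProbe.apparmor`, defaulting to `"unconfined"` per the README), so it is the one most likely to need a tailored SecurityContext; either add `agents.containers.systemProbe.securityContext` and `agents.containers.securityAgent.securityContext` with the same guarded template block, or say in the commit message why they are deliberately left out.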
@@ -976,6 +989,9 @@ clusterChecksRunner:
additionalLabels: {}
# key: "value"

# clusterChecksRunner.securityContext -- Allows you to overwrite the default PodSecurityContext on the clusterchecks pods.
securityContext: {}

kube-state-metrics:
rbac:
# kube-state-metrics.rbac.create -- If true, create & use RBAC resources
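Review bot: the description "PodSecurityContext on the clusterchecks pods" uses a different name for the workload than the rest of this section ("Cluster Checks Runner" in the `replicas` description, "clusterchecks-agent" in the `resources` one). Pick one name, preferably "Cluster Checks Runner pods", so the generated README row reads consistently, and as with the cluster-agent value, note here whether it takes precedence over `datadog.securityContext` for this Deployment.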