From 4711bd185152231f4c5320b510056ac901c21e83 Mon Sep 17 00:00:00 2001
From: Icelyn Jennings
Date: Wed, 4 Nov 2020 12:41:20 +0000
Subject: [PATCH 1/2] Bump chart version

Signed-off-by: Icelyn Jennings
---
 charts/datadog/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml
index 23c5ac805..cdde80b84 100644
--- a/charts/datadog/Chart.yaml
+++ b/charts/datadog/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 2.4.34
+version: 2.4.35
 appVersion: "7"
 description: Datadog Agent
 keywords:

From 6c5f204b5558f40fc15b465307d3049c2c143ada Mon Sep 17 00:00:00 2001
From: Icelyn Jennings
Date: Wed, 4 Nov 2020 12:42:56 +0000
Subject: [PATCH 2/2] Add options to set pod and container securityContext

Signed-off-by: Icelyn Jennings
---
 charts/datadog/README.md | 9 +++++++--
 .../agent-clusterchecks-deployment.yaml | 4 ++++
 .../templates/cluster-agent-deployment.yaml | 4 ++++
 charts/datadog/templates/container-agent.yaml | 4 ++++
 .../templates/container-process-agent.yaml | 4 ++++
 .../templates/container-trace-agent.yaml | 4 ++++
 charts/datadog/values.yaml | 18 +++++++++++++++++-
 7 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/charts/datadog/README.md b/charts/datadog/README.md
index 4224fd2e5..b7498193e 100644
--- a/charts/datadog/README.md
+++ b/charts/datadog/README.md
@@ -1,6 +1,6 @@ # Datadog -![Version: 2.4.34](https://img.shields.io/badge/Version-2.4.34-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 2.4.35](https://img.shields.io/badge/Version-2.4.35-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/kubernetes/charts/tree/master/stable/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). 
@@ -316,10 +316,12 @@ helm install --name \
 | agents.containers.agent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off |
 | agents.containers.agent.readinessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent readiness probe settings |
 | agents.containers.agent.resources | object | `{}` | Resource requests and limits for the agent container. |
+| agents.containers.agent.securityContext | object | `{}` | Allows you to overwrite the default container SecurityContext for the agent container. |
 | agents.containers.initContainers.resources | object | `{}` | Resource requests and limits for the init containers |
 | agents.containers.processAgent.env | list | `[]` | Additional environment variables for the process-agent container |
 | agents.containers.processAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off |
 | agents.containers.processAgent.resources | object | `{}` | Resource requests and limits for the process-agent container |
+| agents.containers.processAgent.securityContext | object | `{}` | Allows you to overwrite the default container SecurityContext for the process-agent container. |
 | agents.containers.securityAgent.env | string | `nil` | Additional environment variables for the security-agent container |
 | agents.containers.securityAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off |
 | agents.containers.securityAgent.resources | object | `{}` | Resource requests and limits for the security-agent container |
@@ -330,6 +332,7 @@ helm install --name \
 | agents.containers.traceAgent.livenessProbe | object | Every 15s | Override default agent liveness probe settings |
 | agents.containers.traceAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off |
 | agents.containers.traceAgent.resources | object | `{}` | Resource requests and limits for the trace-agent container |
+| agents.containers.traceAgent.securityContext | object | `{}` | Allows you to overwrite the default container SecurityContext for the trace-agent container. |
 | agents.customAgentConfig | object | `{}` | Specify custom contents for the datadog agent config (datadog.yaml) |
 | agents.dnsConfig | object | `{}` | specify dns configuration options for datadog cluster agent containers e.g ndots |
 | agents.enabled | bool | `true` | You should keep Datadog DaemonSet enabled! |
@@ -393,6 +396,7 @@ helm install --name \
 | clusterAgent.readinessProbe | object | Every 15s / 6 KO / 1 OK | Override default Cluster Agent readiness probe settings |
 | clusterAgent.replicas | int | `1` | Specify the of cluster agent replicas, if > 1 it allow the cluster agent to work in HA mode. |
 | clusterAgent.resources | object | `{}` | Datadog cluster-agent resource requests and limits. |
+| clusterAgent.securityContext | object | `{}` | Allows you to overwrite the default PodSecurityContext on the cluster-agent pods. |
 | clusterAgent.strategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Allow the Cluster Agent deployment to perform a rolling update on helm update |
 | clusterAgent.token | string | `""` | Cluster Agent token is a preshared key between node agents and cluster agent (autogenerated if empty, needs to be at least 32 characters a-zA-z) |
 | clusterAgent.tokenExistingSecret | string | `""` | Existing secret name to use for Cluster Agent token |
@@ -420,6 +424,7 @@ helm install --name \
 | clusterChecksRunner.readinessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent readiness probe settings |
 | clusterChecksRunner.replicas | int | `2` | Number of Cluster Checks Runner instances |
 | clusterChecksRunner.resources | object | `{}` | Datadog clusterchecks-agent resource requests and limits. |
+| clusterChecksRunner.securityContext | object | `{}` | Allows you to overwrite the default PodSecurityContext on the clusterchecks pods. |
 | clusterChecksRunner.strategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Allow the ClusterChecks deployment to perform a rolling update on helm update |
 | clusterChecksRunner.tolerations | list | `[]` | Tolerations for pod assignment |
 | clusterChecksRunner.volumeMounts | list | `[]` | Specify additional volumes to mount in the cluster checks container |
@@ -475,7 +480,7 @@ helm install --name \
 | datadog.securityAgent.runtime.enabled | bool | `false` | Set to true to enable the Security Runtime Module |
 | datadog.securityAgent.runtime.policies.configMap | string | `nil` | Contains policies that will be used |
 | datadog.securityAgent.runtime.syscallMonitor.enabled | bool | `false` | Set to true to enable the Syscall monitoring. |
-| datadog.securityContext | object | `{}` | Allows you to overwrite the default securityContext applied to the container |
+| datadog.securityContext | object | `{}` | Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment |
 | datadog.site | string | `nil` | The site of the Datadog intake to send Agent data to |
 | datadog.systemProbe.apparmor | string | `"unconfined"` | Specify a apparmor profile for system-probe |
 | datadog.systemProbe.bpfDebug | bool | `false` | Enable logging for kernel debug |
diff --git a/charts/datadog/templates/agent-clusterchecks-deployment.yaml b/charts/datadog/templates/agent-clusterchecks-deployment.yaml
index 56b70490c..c63509f88 100644
--- a/charts/datadog/templates/agent-clusterchecks-deployment.yaml
+++ b/charts/datadog/templates/agent-clusterchecks-deployment.yaml
@@ -45,6 +45,10 @@ spec:
 dnsConfig:
 {{ toYaml .Values.clusterChecksRunner.dnsConfig | indent 8 }}
 {{- end }}
+ {{- if .Values.clusterChecksRunner.securityContext }}
+ securityContext:
+ {{ toYaml .Values.clusterChecksRunner.securityContext | nindent 8 }}
+ {{- end }}
 initContainers:
 - name: init-volume
 image: "{{ .Values.agents.image.repository }}:{{ .Values.agents.image.tag }}"
diff --git a/charts/datadog/templates/cluster-agent-deployment.yaml b/charts/datadog/templates/cluster-agent-deployment.yaml
index c439b017a..69a22cefb 100644
--- a/charts/datadog/templates/cluster-agent-deployment.yaml
+++ b/charts/datadog/templates/cluster-agent-deployment.yaml
@@ -83,6 +83,10 @@ spec:
 dnsConfig:
 {{ toYaml .Values.clusterAgent.dnsConfig | indent 8 }}
 {{- end }}
+ {{- if .Values.clusterAgent.securityContext }}
+ securityContext:
+ {{ toYaml .Values.clusterAgent.securityContext | nindent 8 }}
+ {{- end }}
 containers:
 - name: cluster-agent
 image: "{{ .Values.clusterAgent.image.repository }}:{{ .Values.clusterAgent.image.tag }}"
diff --git a/charts/datadog/templates/container-agent.yaml b/charts/datadog/templates/container-agent.yaml
index 524feebd5..0733d7b93 100644
--- a/charts/datadog/templates/container-agent.yaml
+++ b/charts/datadog/templates/container-agent.yaml
@@ -3,6 +3,10 @@
 image: "{{ .Values.agents.image.repository }}:{{ .Values.agents.image.tag }}"
 imagePullPolicy: {{ .Values.agents.image.pullPolicy }}
 command: ["agent", "run"]
+ {{- if .Values.agents.containers.agent.securityContext }}
+ securityContext:
+ {{ toYaml .Values.agents.containers.agent.securityContext | nindent 4 }}
+ {{- end }}
 resources:
 {{ toYaml .Values.agents.containers.agent.resources | indent 4 }}
 ports:
diff --git a/charts/datadog/templates/container-process-agent.yaml b/charts/datadog/templates/container-process-agent.yaml
index d271d4f9b..85df69dfe 100644
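Review bot: The `{{ toYaml … | nindent 8 }}` lines added under `securityContext:` in agent-clusterchecks-deployment.yaml and cluster-agent-deployment.yaml (and the `nindent 4` equivalents in container-agent.yaml here and in container-process-agent.yaml / container-trace-agent.yaml in the following hunks) keep the template line's own leading whitespace ahead of the newline that `nindent` emits, so if those lines are indented like their neighbours — the collapsed layout hides this — every rendered securityContext is preceded by a whitespace-only line; `{{- toYaml .Values.clusterChecksRunner.securityContext | nindent 8 }}` trims it, matching how the chart already uses `{{-` on the surrounding `if`/`end` lines. The `{{- if … }}` guard means the default `{}` renders nothing, so existing releases keep exactly the pod and container security settings they have today, which is the right default for an opt-in hardening knob. Note that the cluster-agent and clusterchecks deployments gain only a pod-level securityContext while the node-agent side gains only container-level ones; if the cluster-agent and clusterchecks containers are meant to stay unconfigurable at container level, a short comment in those two templates saying so would save the next reader from looking for the missing option.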
--- a/charts/datadog/templates/container-process-agent.yaml
+++ b/charts/datadog/templates/container-process-agent.yaml
@@ -8,6 +8,10 @@
 {{- if eq .Values.targetSystem "windows" }}
 command: ["process-agent", "-foreground", "-config={{ template "datadog.confPath" . }}/datadog.yaml"]
 {{- end }}
+ {{- if .Values.agents.containers.processAgent.securityContext }}
+ securityContext:
+ {{ toYaml .Values.agents.containers.processAgent.securityContext | nindent 4 }}
+ {{- end }}
 resources:
 {{ toYaml .Values.agents.containers.processAgent.resources | indent 4 }}
 {{- if .Values.datadog.envFrom }}
diff --git a/charts/datadog/templates/container-trace-agent.yaml b/charts/datadog/templates/container-trace-agent.yaml
index b11f687cb..02b170b80 100644
--- a/charts/datadog/templates/container-trace-agent.yaml
+++ b/charts/datadog/templates/container-trace-agent.yaml
@@ -8,6 +8,10 @@
 {{- if eq .Values.targetSystem "windows" }}
 command: ["trace-agent", "-foreground", "-config={{ template "datadog.confPath" . }}/datadog.yaml"]
 {{- end }}
+ {{- if .Values.agents.containers.traceAgent.securityContext }}
+ securityContext:
+ {{ toYaml .Values.agents.containers.traceAgent.securityContext | nindent 4 }}
+ {{- end }}
 resources:
 {{ toYaml .Values.agents.containers.traceAgent.resources | indent 4 }}
 ports:
diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml
index 4040652ea..5a42fd5ea 100644
--- a/charts/datadog/values.yaml
+++ b/charts/datadog/values.yaml
@@ -29,7 +29,7 @@ datadog:
 ## If set, this parameter takes precedence over "appKey".
 appKeyExistingSecret:
 #
- # datadog.securityContext -- Allows you to overwrite the default securityContext applied to the container
+ # datadog.securityContext -- Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment
 securityContext: {}
 # seLinuxOptions:
 # user: "system_u"
@@ -343,6 +343,9 @@ clusterAgent:
 pullSecrets: []
 # - name: ""
 
+ # clusterAgent.securityContext -- Allows you to overwrite the default PodSecurityContext on the cluster-agent pods.
+ securityContext: {}
+
 # clusterAgent.command -- Command to run in the Cluster Agent container as entrypoint
 command: []
 
@@ -651,6 +654,9 @@ agents:
 successThreshold: 1
 failureThreshold: 6
 
+ # agents.containers.agent.securityContext -- Allows you to overwrite the default container SecurityContext for the agent container.
+ securityContext: {}
+
 processAgent:
 # agents.containers.processAgent.env -- Additional environment variables for the process-agent container
 env: []
@@ -667,6 +673,10 @@ agents:
 # limits:
 # cpu: 100m
 # memory: 200Mi
+
+ # agents.containers.processAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the process-agent container.
+ securityContext: {}
+
 traceAgent:
 # agents.containers.traceAgent.env -- Additional environment variables for the trace-agent container
 env:
@@ -690,6 +700,9 @@ agents:
 periodSeconds: 15
 timeoutSeconds: 5
 
+ # agents.containers.traceAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the trace-agent container.
+ securityContext: {}
+
 systemProbe:
 # agents.containers.systemProbe.env -- Additional environment variables for the system-probe container
 env: []
@@ -976,6 +989,9 @@ clusterChecksRunner:
 additionalLabels: {}
 # key: "value"
 
+ # clusterChecksRunner.securityContext -- Allows you to overwrite the default PodSecurityContext on the clusterchecks pods.
+ securityContext: {}
+
 kube-state-metrics:
 rbac:
 # kube-state-metrics.rbac.create -- If true, create & use RBAC resources
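Review bot: The new `securityContext: {}` defaults under agents.containers.agent/processAgent/traceAgent and under clusterAgent/clusterChecksRunner are only rendered by the templates when the map is non-empty, so the comments would serve operators better if they said so, e.g. `# agents.containers.agent.securityContext -- Container SecurityContext for the agent container; when left empty ({}) nothing is rendered and the container keeps the chart's existing behaviour.` The `@@ -690,6 +700,9 @@` hunk shows `systemProbe:` following immediately after the new traceAgent.securityContext with no counterpart, and the README rows for agents.containers.securityAgent likewise gain none, so those two containers remain non-configurable through these keys; if that is intentional (they may carry fixed security settings elsewhere in the chart, which this diff does not show), a one-line comment at those keys would document the asymmetry instead of leaving it to be discovered. The clusterAgent and clusterChecksRunner comments correctly say PodSecurityContext rather than container SecurityContext, which matters because a pod-level setting such as `runAsUser` or `fsGroup` applies to every container in the pod, including the init-volume initContainer visible in the clusterchecks template hunk.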