[CWS] add auto suppression parameters (#1232)

* [CWS] add securiy-profile parameters and enable it by default

---------
Co-authored-by: Sylvain Baubeau <lebauce@gmail.com>

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.52.0
+
+* Allow configuring CWS security profile features and enable drift events by default
+
 ## 3.51.2
 
 * Use correct kpi-telemetry-configmap in Cluster Agent and Trace Agent.

charts/datadog/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 3.51.2
+version: 3.52.0
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.51.2](https://img.shields.io/badge/Version-3.51.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.52.0](https://img.shields.io/badge/Version-3.52.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
@@ -783,7 +783,8 @@ helm install <RELEASE_NAME> \
 | datadog.securityAgent.runtime.fimEnabled | bool | `false` | Set to true to enable Cloud Workload Security (CWS) File Integrity Monitoring |
 | datadog.securityAgent.runtime.network.enabled | bool | `true` | Set to true to enable the collection of CWS network events |
 | datadog.securityAgent.runtime.policies.configMap | string | `nil` | Contains CWS policies that will be used |
-| datadog.securityAgent.runtime.securityProfile.enabled | bool | `false` | Set to true to enable CWS runtime anomaly detection |
+| datadog.securityAgent.runtime.securityProfile.anomalyDetection.enabled | bool | `true` | Set to true to enable CWS runtime drift events |
+| datadog.securityAgent.runtime.securityProfile.enabled | bool | `true` | Set to true to enable CWS runtime security profiles |
 | datadog.securityAgent.runtime.syscallMonitor.enabled | bool | `false` | Set to true to enable the Syscall monitoring (recommended for troubleshooting only) |
 | datadog.securityContext | object | `{"runAsUser":0}` | Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment |
 | datadog.serviceMonitoring.enabled | bool | `false` | Enable Universal Service Monitoring |

charts/datadog/ci/system-probe-activity-dump-values.yaml

@@ -7,3 +7,5 @@ datadog:
       enabled: true
       activityDump:
         enabled: true
+      securityProfile:
+        enabled: true

charts/datadog/templates/system-probe-configmap.yaml

@@ -70,6 +70,10 @@ data:
 {{ end }}
       security_profile:
         enabled: {{ $.Values.datadog.securityAgent.runtime.securityProfile.enabled }}
+        anomaly_detection:
+          enabled: {{ $.Values.datadog.securityAgent.runtime.securityProfile.anomalyDetection.enabled }}
+        auto_suppression:
+          enabled: false
 
 {{- if eq .Values.datadog.systemProbe.seccomp "localhost/system-probe" }}
 ---

charts/datadog/values.yaml

@@ -773,8 +773,12 @@ datadog:
           enabled: false
 
       securityProfile:
-        # datadog.securityAgent.runtime.securityProfile.enabled -- Set to true to enable CWS runtime anomaly detection
-        enabled: false
+        # datadog.securityAgent.runtime.securityProfile.enabled -- Set to true to enable CWS runtime security profiles
+        enabled: true
+
+        anomalyDetection:
+          # datadog.securityAgent.runtime.securityProfile.anomalyDetection.enabled -- Set to true to enable CWS runtime drift events
+          enabled: true
 
   ## Manage NetworkPolicy
   networkPolicy: