Add SecCompProfileName for system-probe (#60)

deploy/crds/datadoghq.com_datadogagents_crd.yaml

@@ -2408,6 +2408,9 @@ spec:
                             https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                           type: object
                       type: object
+                    secCompProfileName:
+                      description: SecCompProfileName specify a seccomp profile
+                      type: string
                     secCompRootPath:
                       description: SecCompRootPath specify the seccomp profile root
                         directory

pkg/apis/datadoghq/v1alpha1/const.go

@@ -122,7 +122,9 @@ const (
 
 	DefaultSystemProbeSecCompRootPath = "/var/lib/kubelet/seccomp"
 	DefaultAppArmorProfileName        = "unconfined"
-
+	DefaultSeccompProfileName         = "localhost/system-probe"
+	SysteProbeAppArmorAnnotationKey   = "container.apparmor.security.beta.kubernetes.io/system-probe"
+	SysteProbeSeccompAnnotationKey    = "container.seccomp.security.alpha.kubernetes.io/system-probe"
 	// Extra config provider names
 
 	KubeServicesConfigProvider    = "kube_services"

pkg/apis/datadoghq/v1alpha1/datadogagent_types.go

@@ -311,6 +311,10 @@ type SystemProbeSpec struct {
 	// +optional
 	SecCompRootPath string `json:"secCompRootPath,omitempty"`
 
+	// SecCompProfileName specify a seccomp profile
+	// +optional
+	SecCompProfileName string `json:"secCompProfileName,omitempty"`
+
 	// AppArmorProfileName specify a apparmor profile
 	// +optional
 	AppArmorProfileName string `json:"appArmorProfileName,omitempty"`

pkg/apis/datadoghq/v1alpha1/test/new.go

@@ -38,6 +38,8 @@ type NewDatadogAgentOptions struct {
 	APMEnabled                      bool
 	ProcessEnabled                  bool
 	SystemProbeEnabled              bool
+	SystemProbeSeccompProfileName   string
+	SystemProbeAppArmorProfileName  string
 	Creds                           *datadoghqv1alpha1.AgentCredentials
 	ClusterName                     *string
 	Confd                           *datadoghqv1alpha1.ConfigDirSpec
@@ -173,6 +175,12 @@ func NewDefaultedDatadogAgent(ns, name string, options *NewDatadogAgentOptions)
 
 		if options.SystemProbeEnabled {
 			ad.Spec.Agent.SystemProbe.Enabled = datadoghqv1alpha1.NewBoolPointer(true)
+			if options.SystemProbeAppArmorProfileName != "" {
+				ad.Spec.Agent.SystemProbe.AppArmorProfileName = options.SystemProbeAppArmorProfileName
+			}
+			if options.SystemProbeSeccompProfileName != "" {
+				ad.Spec.Agent.SystemProbe.SecCompProfileName = options.SystemProbeSeccompProfileName
+			}
 		}
 
 		if options.Creds != nil {

pkg/controller/datadogagent/datadogagent_controller_test.go

@@ -709,7 +709,16 @@ func TestReconcileDatadogAgent_Reconcile(t *testing.T) {
 			args: args{
 				request: newRequest(resourcesNamespace, resourcesName),
 				loadFunc: func(c client.Client) {
-					dda := test.NewDefaultedDatadogAgent(resourcesNamespace, resourcesName, &test.NewDatadogAgentOptions{ProcessEnabled: true, SystemProbeEnabled: true, ClusterAgentEnabled: false, UseEDS: false, Labels: map[string]string{"label-foo-key": "label-bar-value"}})
+					options := &test.NewDatadogAgentOptions{
+						ProcessEnabled:                 true,
+						SystemProbeEnabled:             true,
+						SystemProbeAppArmorProfileName: "AppArmorFoo",
+						SystemProbeSeccompProfileName:  "runtime/default",
+						ClusterAgentEnabled:            false,
+						UseEDS:                         false,
+						Labels:                         map[string]string{"label-foo-key": "label-bar-value"},
+					}
+					dda := test.NewDefaultedDatadogAgent(resourcesNamespace, resourcesName, options)
 					_ = c.Create(context.TODO(), dda)
 					createAgentDependencies(c, dda)
 					createSystemProbeDependencies(c, dda)
@@ -739,6 +748,14 @@ func TestReconcileDatadogAgent_Reconcile(t *testing.T) {
 					return fmt.Errorf("system-probe container not found")
 				}
 
+				if val, ok := ds.Spec.Template.Annotations[datadoghqv1alpha1.SysteProbeAppArmorAnnotationKey]; !ok && val != "AppArmorFoo" {
+					return fmt.Errorf("AppArmor annotation is wrong, got: %s, want: AppArmorFoo", val)
+				}
+
+				if val, ok := ds.Spec.Template.Annotations[datadoghqv1alpha1.SysteProbeSeccompAnnotationKey]; !ok && val != "runtime/default" {
+					return fmt.Errorf("Seccomp annotation is wrong, got: %s, want: runtime/default", val)
+				}
+
 				return nil
 			},
 		},

pkg/controller/datadogagent/utils.go

@@ -56,8 +56,8 @@ func newAgentPodTemplate(agentdeployment *datadoghqv1alpha1.DatadogAgent, select
 
 	annotations := getDefaultAnnotations(agentdeployment)
 	if isSystemProbeEnabled(agentdeployment) {
-		annotations["container.apparmor.security.beta.kubernetes.io/system-probe"] = getAppArmorProfileName(&agentdeployment.Spec.Agent.SystemProbe)
-		annotations["container.seccomp.security.alpha.kubernetes.io/system-probe"] = "localhost/system-probe"
+		annotations[datadoghqv1alpha1.SysteProbeAppArmorAnnotationKey] = getAppArmorProfileName(&agentdeployment.Spec.Agent.SystemProbe)
+		annotations[datadoghqv1alpha1.SysteProbeSeccompAnnotationKey] = getSeccompProfileName(&agentdeployment.Spec.Agent.SystemProbe)
 	}
 
 	for key, val := range agentdeployment.Spec.Agent.AdditionalAnnotations {
@@ -742,6 +742,13 @@ func getAppArmorProfileName(spec *datadoghqv1alpha1.SystemProbeSpec) string {
 	return datadoghqv1alpha1.DefaultAppArmorProfileName
 }
 
+func getSeccompProfileName(spec *datadoghqv1alpha1.SystemProbeSpec) string {
+	if spec.SecCompProfileName != "" {
+		return spec.SecCompProfileName
+	}
+	return datadoghqv1alpha1.DefaultSeccompProfileName
+}
+
 func getVolumeFromCustomConfigSpec(cfcm *datadoghqv1alpha1.CustomConfigSpec, defaultConfigMapName, volumeName string) corev1.Volume {
 	configMapName := defaultConfigMapName
 	if cfcm.ConfigMap != nil {