Add SecCompCustomProfileConfigMap for system-probe (#73)

DataDog · Apr 17, 2020 · 17f2aec · 17f2aec
1 parent 500f53d
commit 17f2aec
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 23 deletions.
diff --git a/deploy/crds/datadoghq.com_datadogagents_crd.yaml b/deploy/crds/datadoghq.com_datadogagents_crd.yaml
@@ -2408,6 +2408,10 @@ spec:
                             https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                           type: object
                       type: object
+                    secCompCustomProfileConfigMap:
+                      description: SecCompCustomProfileConfigMap specify a pre-existing
+                        ConfigMap containing a custom SecComp profile
+                      type: string
                     secCompProfileName:
                       description: SecCompProfileName specify a seccomp profile
                       type: string

diff --git a/pkg/apis/datadoghq/v1alpha1/datadogagent_types.go b/pkg/apis/datadoghq/v1alpha1/datadogagent_types.go
@@ -311,6 +311,10 @@ type SystemProbeSpec struct {
 	// +optional
 	SecCompRootPath string `json:"secCompRootPath,omitempty"`
 
+	// SecCompCustomProfileConfigMap specify a pre-existing ConfigMap containing a custom SecComp profile
+	// +optional
+	SecCompCustomProfileConfigMap string `json:"secCompCustomProfileConfigMap,omitempty"`
+
 	// SecCompProfileName specify a seccomp profile
 	// +optional
 	SecCompProfileName string `json:"secCompProfileName,omitempty"`

diff --git a/pkg/apis/datadoghq/v1alpha1/zz_generated.openapi.go b/pkg/apis/datadoghq/v1alpha1/zz_generated.openapi.go
diff --git a/pkg/controller/datadogagent/systemprobe.go b/pkg/controller/datadogagent/systemprobe.go
@@ -29,9 +29,11 @@ func (r *ReconcileDatadogAgent) manageSystemProbeDependencies(logger logr.Logger
 		return result, err
 	}
 
-	result, err = r.manageConfigMap(logger, dda, getSecCompConfigMapName(dda.Name), buildSystemProbeSecCompConfigMap)
-	if shouldReturn(result, err) {
-		return result, err
+	if getSeccompProfileName(&dda.Spec.Agent.SystemProbe) == datadoghqv1alpha1.DefaultSeccompProfileName && dda.Spec.Agent.SystemProbe.SecCompCustomProfileConfigMap == "" {
+		result, err = r.manageConfigMap(logger, dda, getSecCompConfigMapName(dda.Name), buildSystemProbeSecCompConfigMap)
+		if shouldReturn(result, err) {
+			return result, err
+		}
 	}
 
 	return reconcile.Result{}, nil

diff --git a/pkg/controller/datadogagent/utils.go b/pkg/controller/datadogagent/utils.go
@@ -313,28 +313,30 @@ func getInitContainers(dda *datadoghqv1alpha1.DatadogAgent) ([]corev1.Container,
 		},
 	}
 	if isSystemProbeEnabled(dda) {
-		systemProbeInit := corev1.Container{
-			Name:            "seccomp-setup",
-			Image:           spec.Agent.Image.Name,
-			ImagePullPolicy: *spec.Agent.Image.PullPolicy,
-			Resources:       *spec.Agent.Config.Resources,
-			Command: []string{
-				"cp",
-				fmt.Sprintf("%s/system-probe-seccomp.json", datadoghqv1alpha1.SystemProbeAgentSecurityVolumePath),
-				fmt.Sprintf("%s/system-probe", datadoghqv1alpha1.SystemProbeSecCompRootVolumePath),
-			},
-			VolumeMounts: []corev1.VolumeMount{
-				{
-					Name:      datadoghqv1alpha1.SystemProbeAgentSecurityVolumeName,
-					MountPath: datadoghqv1alpha1.SystemProbeAgentSecurityVolumePath,
+		if getSeccompProfileName(&dda.Spec.Agent.SystemProbe) == datadoghqv1alpha1.DefaultSeccompProfileName || dda.Spec.Agent.SystemProbe.SecCompCustomProfileConfigMap != "" {
+			systemProbeInit := corev1.Container{
+				Name:            "seccomp-setup",
+				Image:           spec.Agent.Image.Name,
+				ImagePullPolicy: *spec.Agent.Image.PullPolicy,
+				Resources:       *spec.Agent.Config.Resources,
+				Command: []string{
+					"cp",
+					fmt.Sprintf("%s/system-probe-seccomp.json", datadoghqv1alpha1.SystemProbeAgentSecurityVolumePath),
+					fmt.Sprintf("%s/system-probe", datadoghqv1alpha1.SystemProbeSecCompRootVolumePath),
 				},
-				{
-					Name:      datadoghqv1alpha1.SystemProbeSecCompRootVolumeName,
-					MountPath: datadoghqv1alpha1.SystemProbeSecCompRootVolumePath,
+				VolumeMounts: []corev1.VolumeMount{
+					{
+						Name:      datadoghqv1alpha1.SystemProbeAgentSecurityVolumeName,
+						MountPath: datadoghqv1alpha1.SystemProbeAgentSecurityVolumePath,
+					},
+					{
+						Name:      datadoghqv1alpha1.SystemProbeSecCompRootVolumeName,
+						MountPath: datadoghqv1alpha1.SystemProbeSecCompRootVolumePath,
+					},
 				},
-			},
+			}
+			containers = append(containers, systemProbeInit)
 		}
-		containers = append(containers, systemProbeInit)
 	}
 
 	return containers, nil
@@ -655,13 +657,17 @@ func getVolumesForAgent(dda *datadoghqv1alpha1.DatadogAgent) []corev1.Volume {
 		volumes = append(volumes, passwdVolume)
 	}
 	if datadoghqv1alpha1.BoolValue(dda.Spec.Agent.SystemProbe.Enabled) {
+		seccompConfigMapName := getSecCompConfigMapName(dda.Name)
+		if dda.Spec.Agent.SystemProbe.SecCompCustomProfileConfigMap != "" {
+			seccompConfigMapName = dda.Spec.Agent.SystemProbe.SecCompCustomProfileConfigMap
+		}
 		systemProbeVolumes := []corev1.Volume{
 			{
 				Name: datadoghqv1alpha1.SystemProbeAgentSecurityVolumeName,
 				VolumeSource: corev1.VolumeSource{
 					ConfigMap: &corev1.ConfigMapVolumeSource{
 						LocalObjectReference: corev1.LocalObjectReference{
-							Name: getSecCompConfigMapName(dda.Name),
+							Name: seccompConfigMapName,
 						},
 					},
 				},