[controllers/datadogagent] Mount tmp volume in DCA and CLC (#461)

DataDog · Apr 5, 2022 · 4456b47 · 4456b47
1 parent b1dc945
commit 4456b47
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 0 deletions.
diff --git a/apis/datadoghq/v1alpha1/const.go b/apis/datadoghq/v1alpha1/const.go
@@ -132,6 +132,8 @@ const (
 
 	LogDatadogVolumeName                 = "logdatadog"
 	LogDatadogVolumePath                 = "/var/log/datadog"
+	TmpVolumeName                        = "tmp"
+	TmpVolumePath                        = "/tmp"
 	APMSocketVolumeName                  = "apmsocket"
 	APMSocketVolumePath                  = "/var/run/datadog/apm"
 	InstallInfoVolumeName                = "installinfo"

diff --git a/controllers/datadogagent/clusteragent.go b/controllers/datadogagent/clusteragent.go
@@ -354,6 +354,15 @@ func newClusterAgentPodTemplate(logger logr.Logger, dda *datadoghqv1alpha1.Datad
 			VolumeSource: confdVolumeSource,
 		},
 		getVolumeForLogs(),
+
+		// /tmp is needed because some versions of the DCA (at least until
+		// 1.19.0) write to it.
+		// In some code paths, the klog lib writes to /tmp instead of using the
+		// standard datadog logs path.
+		// In some envs like Openshift, when running as non-root, the pod will
+		// not have permissions to write on /tmp, that's why we need to mount
+		// it with write perms.
+		getVolumeForTmp(),
 	}
 	volumeMounts := []corev1.VolumeMount{
 		{
@@ -368,6 +377,7 @@ func newClusterAgentPodTemplate(logger logr.Logger, dda *datadoghqv1alpha1.Datad
 			ReadOnly:  true,
 		},
 		getVolumeMountForLogs(),
+		getVolumeMountForTmp(),
 	}
 
 	if dda.Spec.ClusterAgent.CustomConfig != nil {

diff --git a/controllers/datadogagent/clusteragent_test.go b/controllers/datadogagent/clusteragent_test.go
@@ -53,6 +53,7 @@ func clusterAgentDefaultPodSpec() v1.PodSpec {
 					{Name: "confd", ReadOnly: true, MountPath: "/conf.d"},
 					{Name: "orchestrator-explorer-config", ReadOnly: true, MountPath: "/etc/datadog-agent/conf.d/orchestrator.d"},
 					{Name: "logdatadog", ReadOnly: false, MountPath: "/var/log/datadog"},
+					{Name: "tmp", ReadOnly: false, MountPath: "/tmp"},
 				},
 				LivenessProbe:  defaultLivenessProbe(),
 				ReadinessProbe: defaultReadinessProbe(),
@@ -93,6 +94,12 @@ func clusterAgentDefaultPodSpec() v1.PodSpec {
 					EmptyDir: &corev1.EmptyDirVolumeSource{},
 				},
 			},
+			{
+				Name: "tmp",
+				VolumeSource: corev1.VolumeSource{
+					EmptyDir: &corev1.EmptyDirVolumeSource{},
+				},
+			},
 		},
 		SecurityContext: &v1.PodSecurityContext{
 			RunAsNonRoot: apiutils.NewBoolPointer(true),

diff --git a/controllers/datadogagent/clusterchecksrunner.go b/controllers/datadogagent/clusterchecksrunner.go
@@ -476,6 +476,15 @@ func getVolumesForClusterChecksRunner(dda *datadoghqv1alpha1.DatadogAgent) []cor
 		getVolumeForChecksd(dda),
 		getVolumeForConfig(),
 		getVolumeForLogs(),
+
+		// /tmp is needed because some versions of the DCA (at least until
+		// 1.19.0) write to it.
+		// In some code paths, the klog lib writes to /tmp instead of using the
+		// standard datadog logs path.
+		// In some envs like Openshift, when running as non-root, the pod will
+		// not have permissions to write on /tmp, that's why we need to mount
+		// it with write perms.
+		getVolumeForTmp(),
 		{
 			Name: datadoghqv1alpha1.InstallInfoVolumeName,
 			VolumeSource: corev1.VolumeSource{
@@ -506,6 +515,7 @@ func getVolumeMountsForClusterChecksRunner(dda *datadoghqv1alpha1.DatadogAgent)
 	volumeMounts := []corev1.VolumeMount{
 		getVolumeMountForChecksd(),
 		getVolumeMountForLogs(),
+		getVolumeMountForTmp(),
 		{
 			Name:      datadoghqv1alpha1.InstallInfoVolumeName,
 			SubPath:   datadoghqv1alpha1.InstallInfoVolumeSubPath,

diff --git a/controllers/datadogagent/clusterchecksrunner_test.go b/controllers/datadogagent/clusterchecksrunner_test.go
@@ -75,6 +75,11 @@ func clusterChecksRunnerDefaultVolumeMounts() []corev1.VolumeMount {
 			MountPath: datadoghqv1alpha1.LogDatadogVolumePath,
 			ReadOnly:  false,
 		},
+		{
+			Name:      datadoghqv1alpha1.TmpVolumeName,
+			MountPath: datadoghqv1alpha1.TmpVolumePath,
+			ReadOnly:  false,
+		},
 		{
 			Name:      "installinfo",
 			SubPath:   "install_info",
@@ -112,6 +117,12 @@ func clusterChecksRunnerDefaultVolumes() []corev1.Volume {
 				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		},
+		{
+			Name: datadoghqv1alpha1.TmpVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
 		{
 			Name: "installinfo",
 			VolumeSource: corev1.VolumeSource{

diff --git a/controllers/datadogagent/utils.go b/controllers/datadogagent/utils.go
@@ -1387,6 +1387,23 @@ func getVolumeMountForLogs() corev1.VolumeMount {
 	}
 }
 
+func getVolumeForTmp() corev1.Volume {
+	return corev1.Volume{
+		Name: datadoghqv1alpha1.TmpVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			EmptyDir: &corev1.EmptyDirVolumeSource{},
+		},
+	}
+}
+
+func getVolumeMountForTmp() corev1.VolumeMount {
+	return corev1.VolumeMount{
+		Name:      datadoghqv1alpha1.TmpVolumeName,
+		MountPath: datadoghqv1alpha1.TmpVolumePath,
+		ReadOnly:  false,
+	}
+}
+
 func getSecCompRootPath(spec *datadoghqv1alpha1.SystemProbeSpec) string {
 	return spec.SecCompRootPath
 }