
[security-agent] Configuration settings for security agent (#143)
* [security-agent] Add configuration settings for security agent

- Adds compliance and runtime security settings to the operator for Agent 7.22.

* Bump Agent versions to 7.21=>7.22 and DCA to 1.8.0

* Use DeploymentSpec in the agent.datadoghq.com/agentspechash annotation

- Addresses the issue when Cluster Agent deployment is not updated with compliance settings changes.
xornivore committed Sep 1, 2020
1 parent c762e52 commit 81620bc
Showing 16 changed files with 2,072 additions and 190 deletions.
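--- a/deploy/crds/datadoghq.com_datadogagents_crd.yaml
+++ b/deploy/crds/datadoghq.com_datadogagents_crd.yaml
@@ -2413,6 +2413,189 @@ spec:
 Ignored if the field Create is true
 type: string
 type: object
+security:
+description: Security Agent configuration
+properties:
+compliance:
+description: Compliance configuration
+properties:
+checkInterval:
+description: Check interval
+format: int64
+type: integer
+configDir:
+description: Config dir containing compliance benchmarks
+properties:
+configMapName:
+description: ConfigMapName name of a ConfigMap used
+to mount a directory
+type: string
+type: object
+enabled:
+description: Enables continuous compliance monitoring
+type: boolean
+type: object
+env:
+description: 'The Datadog Security Agent supports many environment
+variables Ref: https://docs.datadoghq.com/agent/docker/?tab=standard#environment-variables'
+items:
+description: EnvVar represents an environment variable present
+in a Container.
+properties:
+name:
+description: Name of the environment variable. Must be
+a C_IDENTIFIER.
+type: string
+value:
+description: 'Variable references $(VAR_NAME) are expanded
+using the previous defined environment variables in
+the container and any service environment variables.
+If a variable cannot be resolved, the reference in the
+input string will be unchanged. The $(VAR_NAME) syntax
+can be escaped with a double $$, ie: $$(VAR_NAME). Escaped
+references will never be expanded, regardless of whether
+the variable exists or not. Defaults to "".'
+type: string
+valueFrom:
+description: Source for the environment variable's value.
+Cannot be used if value is not empty.
+properties:
+configMapKeyRef:
+description: Selects a key of a ConfigMap.
+properties:
+key:
+description: The key to select.
+type: string
+name:
+description: 'Name of the referent. More info:
+https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion, kind,
+uid?'
+type: string
+optional:
+description: Specify whether the ConfigMap or
+its key must be defined
+type: boolean
+required:
+- key
+type: object
+fieldRef:
+description: 'Selects a field of the pod: supports
+metadata.name, metadata.namespace, metadata.labels,
+metadata.annotations, spec.nodeName, spec.serviceAccountName,
+status.hostIP, status.podIP, status.podIPs.'
+properties:
+apiVersion:
+description: Version of the schema the FieldPath
+is written in terms of, defaults to "v1".
+type: string
+fieldPath:
+description: Path of the field to select in the
+specified API version.
+type: string
+required:
+- fieldPath
+type: object
+resourceFieldRef:
+description: 'Selects a resource of the container:
+only resources limits and requests (limits.cpu,
+limits.memory, limits.ephemeral-storage, requests.cpu,
+requests.memory and requests.ephemeral-storage)
+are currently supported.'
+properties:
+containerName:
+description: 'Container name: required for volumes,
+optional for env vars'
+type: string
+divisor:
+anyOf:
+- type: integer
+- type: string
+description: Specifies the output format of the
+exposed resources, defaults to "1"
+pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+resource:
+description: 'Required: resource to select'
+type: string
+required:
+- resource
+type: object
+secretKeyRef:
+description: Selects a key of a secret in the pod's
+namespace
+properties:
+key:
+description: The key of the secret to select from. Must
+be a valid secret key.
+type: string
+name:
+description: 'Name of the referent. More info:
+https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion, kind,
+uid?'
+type: string
+optional:
+description: Specify whether the Secret or its
+key must be defined
+type: boolean
+required:
+- key
+type: object
+type: object
+required:
+- name
+type: object
+type: array
+resources:
+description: 'Datadog Security Agent resource requests and limits
+Make sure to keep requests and limits equal to keep the pods
+in the Guaranteed QoS class Ref: http://kubernetes.io/docs/user-guide/compute-resources/'
+properties:
+limits:
+additionalProperties:
+anyOf:
+- type: integer
+- type: string
+pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+description: 'Limits describes the maximum amount of compute
+resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
+type: object
+requests:
+additionalProperties:
+anyOf:
+- type: integer
+- type: string
+pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+description: 'Requests describes the minimum amount of compute
+resources required. If Requests is omitted for a container,
+it defaults to Limits if that is explicitly specified,
+otherwise to an implementation-defined value. More info:
+https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
+type: object
+type: object
+runtime:
+description: Runtime security configuration
+properties:
+enabled:
+description: Enables runtime security features
+type: boolean
+policiesDir:
+description: ConfigDir containing security policies
+properties:
+configMapName:
+description: ConfigMapName name of a ConfigMap used
+to mount a directory
+type: string
+type: object
+syscallMonitor:
+description: Syscall monitor configuration
+properties:
+enabled:
+description: Enabled enables syscall monitor
+type: boolean
+type: object
+type: object
+type: object
 systemProbe:
 description: SystemProbe configuration
 properties: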
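Review bot: `checkInterval` under `compliance` is declared as a bare `format: int64` integer with no `minimum` and no unit in its description, so a manifest can set `0` or a negative interval and still pass admission, and an operator cannot tell from the schema what a value like `60` means. If the field is backed by a Go `time.Duration` (the usual origin of an int64 here — confirm against the Go type), the serialized value is nanoseconds, so I would change it to `description: Check interval (nanoseconds if backed by time.Duration); must be >= 1` and add `minimum: 1` beneath `format: int64`. The two ConfigMap references (`compliance.configDir.configMapName` and `runtime.policiesDir.configMapName`) are accepted as free-form strings whose contents decide what the security agent checks and enforces, so their descriptions should state that write access to those ConfigMaps must be restricted like the agent's own configuration, since anyone who can edit them can silence or redirect the checks. The enclosing `spec` schema starts and ends outside this hunk.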
