Add the option to create NetworkPolicy for the Agents

DataDog · Oct 16, 2020 · 8a2ccc3 · 8a2ccc3
1 parent 812a3c4
commit 8a2ccc3
Show file tree

Hide file tree

Showing 19 changed files with 874 additions and 13 deletions.
diff --git a/api/v1alpha1/datadogagent_default.go b/api/v1alpha1/datadogagent_default.go
@@ -11,7 +11,6 @@ import (
 	edsdatadoghqv1alpha1 "github.com/DataDog/extendeddaemonset/api/v1alpha1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
@@ -53,7 +52,7 @@ const (
 	DefaultAdmissionServiceName                          = "datadog-admission-controller"
 )
 
-var defaultImagePullPolicy = v1.PullIfNotPresent
+var defaultImagePullPolicy = corev1.PullIfNotPresent
 
 // IsDefaultedDatadogAgent used to check if an DatadogAgent was already defaulted
 // returns true if yes, else false
@@ -89,6 +88,10 @@ func IsDefaultedDatadogAgent(ad *DatadogAgent) bool {
 		if !IsDefaultedDatadogAgentSpecProcess(&ad.Spec.Agent.Process) {
 			return false
 		}
+
+		if !IsDefaultedNetworkPolicy(&ad.Spec.Agent.NetworkPolicy) {
+			return false
+		}
 	}
 
 	if ad.Spec.ClusterAgent != nil {
@@ -104,6 +107,10 @@ func IsDefaultedDatadogAgent(ad *DatadogAgent) bool {
 			return false
 		}
 
+		if !IsDefaultedNetworkPolicy(&ad.Spec.ClusterAgent.NetworkPolicy) {
+			return false
+		}
+
 		if ad.Spec.ClusterAgent.Replicas == nil {
 			return false
 		}
@@ -118,6 +125,10 @@ func IsDefaultedDatadogAgent(ad *DatadogAgent) bool {
 			return false
 		}
 
+		if !IsDefaultedNetworkPolicy(&ad.Spec.ClusterChecksRunner.NetworkPolicy) {
+			return false
+		}
+
 		if ad.Spec.ClusterChecksRunner.Replicas == nil {
 			return false
 		}
@@ -317,6 +328,20 @@ func IsDefaultedDatadogAgentSpecProcess(process *ProcessSpec) bool {
 	return true
 }
 
+// IsDefaultedNetworkPolicy used to check if a NetworkPolicySpec was already
+// defaulted. Returns true if yes, or false otherwise
+func IsDefaultedNetworkPolicy(policy *NetworkPolicySpec) bool {
+	if policy == nil {
+		return false
+	}
+
+	if policy.Create == nil {
+		return false
+	}
+
+	return true
+}
+
 // IsDefaultedDatadogAgentSpecClusterAgentConfig used to check if
 // a ClusterAgentConfig was already defaulted
 // returns true if yes, else false
@@ -366,6 +391,7 @@ func DefaultDatadogAgentSpecAgent(agent *DatadogAgentSpecAgentSpec) *DatadogAgen
 	DefaultDatadogAgentSpecAgentApm(&agent.Apm)
 	DefaultDatadogAgentSpecAgentLog(&agent.Log)
 	DefaultDatadogAgentSpecAgentProcess(&agent.Process)
+	DefaultNetworkPolicy(&agent.NetworkPolicy)
 	return agent
 }
 
@@ -600,6 +626,7 @@ func DefaultDatadogAgentSpecClusterAgent(clusterAgent *DatadogAgentSpecClusterAg
 	DefaultDatadogAgentSpecClusterAgentImage(&clusterAgent.Image)
 	DefaultDatadogAgentSpecClusterAgentConfig(&clusterAgent.Config)
 	DefaultDatadogAgentSpecRbacConfig(&clusterAgent.Rbac)
+	DefaultNetworkPolicy(&clusterAgent.NetworkPolicy)
 	if clusterAgent.Replicas == nil {
 		clusterAgent.Replicas = NewInt32Pointer(defaultClusterAgentReplicas)
 	}
@@ -667,6 +694,7 @@ func DefaultDatadogAgentSpecClusterChecksRunner(clusterChecksRunner *DatadogAgen
 	DefaultDatadogAgentSpecClusterChecksRunnerImage(&clusterChecksRunner.Image)
 	DefaultDatadogAgentSpecClusterChecksRunnerConfig(&clusterChecksRunner.Config)
 	DefaultDatadogAgentSpecRbacConfig(&clusterChecksRunner.Rbac)
+	DefaultNetworkPolicy(&clusterChecksRunner.NetworkPolicy)
 	if clusterChecksRunner.Replicas == nil {
 		clusterChecksRunner.Replicas = NewInt32Pointer(defaultClusterChecksRunnerReplicas)
 	}
@@ -704,3 +732,17 @@ func DefaultDatadogAgentSpecClusterChecksRunnerImage(image *ImageConfig) *ImageC
 
 	return image
 }
+
+// DefaultNetworkPolicy is used to default NetworkPolicy. Returns the defaulted
+// ImageConfig
+func DefaultNetworkPolicy(policy *NetworkPolicySpec) *NetworkPolicySpec {
+	if policy == nil {
+		policy = &NetworkPolicySpec{}
+	}
+
+	if policy.Create == nil {
+		policy.Create = NewBoolPointer(false)
+	}
+
+	return policy
+}
diff --git a/api/v1alpha1/datadogagent_types.go b/api/v1alpha1/datadogagent_types.go
@@ -195,6 +195,10 @@ type DatadogAgentSpecAgentSpec struct {
 	// See https://docs.datadoghq.com/agent/guide/agent-configuration-files/?tab=agentv6 for more details.
 	// +optional
 	CustomConfig *CustomConfigSpec `json:"customConfig,omitempty"`
+
+	// Provide Agent Network Policy configuration
+	// +optional
+	NetworkPolicy NetworkPolicySpec `json:"networkPolicy,omitempty"`
 }
 
 // RbacConfig contains RBAC configuration
@@ -683,6 +687,10 @@ type DatadogAgentSpecClusterAgentSpec struct {
 	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
 	// +optional
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+
+	// Provide Cluster Agent Network Policy configuration
+	// +optional
+	NetworkPolicy NetworkPolicySpec `json:"networkPolicy,omitempty"`
 }
 
 // ClusterAgentConfig contains the configuration of the Cluster Agent
@@ -860,6 +868,10 @@ type DatadogAgentSpecClusterChecksRunnerSpec struct {
 	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
 	// +optional
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+
+	// Provide Cluster Checks Runner Network Policy configuration
+	// +optional
+	NetworkPolicy NetworkPolicySpec `json:"networkPolicy,omitempty"`
 }
 
 // ImageConfig Datadog agent container image config
@@ -881,6 +893,14 @@ type ImageConfig struct {
 	PullSecrets *[]corev1.LocalObjectReference `json:"pullSecrets,omitempty"`
 }
 
+// NetworkPolicySpec provides Network Policy configuration for the agents
+// +k8s:openapi-gen=true
+type NetworkPolicySpec struct {
+	// If true, create a NetworkPolicy for the current agent
+	// +optional
+	Create *bool `json:"create,omitempty"`
+}
+
 // DatadogAgentState type representing the deployment state of the different Agent components
 type DatadogAgentState string
 

diff --git a/api/v1alpha1/test/new.go b/api/v1alpha1/test/new.go
@@ -77,6 +77,7 @@ type NewDatadogAgentOptions struct {
 	RuntimeSyscallMonitorEnabled     bool
 	RuntimePoliciesDir               *datadoghqv1alpha1.ConfigDirSpec
 	SecurityContext                  *corev1.PodSecurityContext
+	CreateNetworkPolicy              bool
 }
 
 // NewDefaultedDatadogAgent returns an initialized and defaulted DatadogAgent for testing purpose
@@ -125,6 +126,9 @@ func NewDefaultedDatadogAgent(ns, name string, options *NewDatadogAgentOptions)
 
 		ad.Spec.Agent.DaemonsetName = options.AgentDaemonsetName
 		ad.Spec.Site = options.Site
+		ad.Spec.Agent.NetworkPolicy = datadoghqv1alpha1.NetworkPolicySpec{
+			Create: &options.CreateNetworkPolicy,
+		}
 
 		if options.HostPort != 0 {
 			ad.Spec.Agent.Config.HostPort = &options.HostPort
@@ -147,6 +151,9 @@ func NewDefaultedDatadogAgent(ns, name string, options *NewDatadogAgentOptions)
 					Create: datadoghqv1alpha1.NewBoolPointer(true),
 				},
 				DeploymentName: options.ClusterAgentDeploymentName,
+				NetworkPolicy: datadoghqv1alpha1.NetworkPolicySpec{
+					Create: &options.CreateNetworkPolicy,
+				},
 			}
 
 			if options.MetricsServerEnabled {
@@ -194,6 +201,9 @@ func NewDefaultedDatadogAgent(ns, name string, options *NewDatadogAgentOptions)
 				Rbac: datadoghqv1alpha1.RbacConfig{
 					Create: datadoghqv1alpha1.NewBoolPointer(true),
 				},
+				NetworkPolicy: datadoghqv1alpha1.NetworkPolicySpec{
+					Create: &options.CreateNetworkPolicy,
+				},
 			}
 			if len(options.ClusterChecksRunnerEnvVars) != 0 {
 				ad.Spec.ClusterChecksRunner.Config.Env = options.ClusterChecksRunnerEnvVars

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/api/v1alpha1/zz_generated.openapi.go b/api/v1alpha1/zz_generated.openapi.go
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml
@@ -2381,6 +2381,14 @@ spec:
                           tailing the log files from the right offset Default to `/var/lib/datadog-agent/logs`
                         type: string
                     type: object
+                  networkPolicy:
+                    description: Provide Agent Network Policy configuration
+                    properties:
+                      create:
+                        description: If true, create a NetworkPolicy for the current
+                          agent
+                        type: boolean
+                    type: object
                   priorityClassName:
                     description: If specified, indicates the pod's priority. "system-node-critical"
                       and "system-cluster-critical" are two special keywords which
@@ -5327,6 +5335,14 @@ spec:
                     required:
                     - name
                     type: object
+                  networkPolicy:
+                    description: Provide Cluster Agent Network Policy configuration
+                    properties:
+                      create:
+                        description: If true, create a NetworkPolicy for the current
+                          agent
+                        type: boolean
+                    type: object
                   nodeSelector:
                     additionalProperties:
                       type: string
@@ -7602,6 +7618,14 @@ spec:
                     required:
                     - name
                     type: object
+                  networkPolicy:
+                    description: Provide Cluster Checks Runner Network Policy configuration
+                    properties:
+                      create:
+                        description: If true, create a NetworkPolicy for the current
+                          agent
+                        type: boolean
+                    type: object
                   nodeSelector:
                     additionalProperties:
                       type: string