Fix management of seccomp ConfigMap when not used (#311)

LICENSE-3rdparty.csv

@@ -59,6 +59,7 @@ core,"github.com/golang/protobuf/ptypes/timestamp",NewBSD
 core,"github.com/golang/snappy",NewBSD
 core,"github.com/google/btree",Apache-2.0
 core,"github.com/google/go-cmp/cmp",NewBSD
+core,"github.com/google/go-cmp/cmp/cmpopts",NewBSD
 core,"github.com/google/go-cmp/cmp/internal/diff",NewBSD
 core,"github.com/google/go-cmp/cmp/internal/flags",NewBSD
 core,"github.com/google/go-cmp/cmp/internal/function",NewBSD

api/v1alpha1/datadogagent_types.go

@@ -528,6 +528,7 @@ type SystemProbeSpec struct {
 	SecCompRootPath string `json:"secCompRootPath,omitempty"`
 
 	// SecCompCustomProfileConfigMap specify a pre-existing ConfigMap containing a custom SecComp profile.
+	// This ConfigMap must contain a file named system-probe-seccomp.json.
 	// +optional
 	SecCompCustomProfileConfigMap string `json:"secCompCustomProfileConfigMap,omitempty"`
 

config/crd/bases/v1/datadoghq.com_datadogagents.yaml

@@ -3630,7 +3630,8 @@ spec:
                         type: object
                       secCompCustomProfileConfigMap:
                         description: SecCompCustomProfileConfigMap specify a pre-existing
-                          ConfigMap containing a custom SecComp profile.
+                          ConfigMap containing a custom SecComp profile. This ConfigMap
+                          must contain a file named system-probe-seccomp.json.
                         type: string
                       secCompProfileName:
                         description: SecCompProfileName specify a seccomp profile.

config/crd/bases/v1beta1/datadoghq.com_datadogagents.yaml

@@ -3492,7 +3492,8 @@ spec:
                       type: object
                     secCompCustomProfileConfigMap:
                       description: SecCompCustomProfileConfigMap specify a pre-existing
-                        ConfigMap containing a custom SecComp profile.
+                        ConfigMap containing a custom SecComp profile. This ConfigMap
+                        must contain a file named system-probe-seccomp.json.
                       type: string
                     secCompProfileName:
                       description: SecCompProfileName specify a seccomp profile.

controllers/datadogagent/agent_test.go

@@ -15,11 +15,10 @@ import (
 	datadoghqv1alpha1 "github.com/DataDog/datadog-operator/api/v1alpha1"
 	test "github.com/DataDog/datadog-operator/api/v1alpha1/test"
 	"github.com/DataDog/datadog-operator/controllers/datadogagent/orchestrator"
+	"github.com/DataDog/datadog-operator/pkg/testutils"
 	edsdatadoghqv1alpha1 "github.com/DataDog/extendeddaemonset/api/v1alpha1"
-	"github.com/google/go-cmp/cmp"
 	assert "github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
-	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -1140,6 +1139,103 @@ func defaultSystemProbePodSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1.PodSp
 	}
 }
 
+func noSeccompInstallSystemProbeSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1.PodSpec {
+	agentWithSystemProbeVolumeMounts := []corev1.VolumeMount{}
+	agentWithSystemProbeVolumeMounts = append(agentWithSystemProbeVolumeMounts, defaultMountVolume()...)
+	agentWithSystemProbeVolumeMounts = append(agentWithSystemProbeVolumeMounts, []corev1.VolumeMount{
+		{
+			Name:      "sysprobe-socket-dir",
+			ReadOnly:  true,
+			MountPath: "/var/run/sysprobe",
+		},
+		{
+			Name:      "system-probe-config",
+			MountPath: "/etc/datadog-agent/system-probe.yaml",
+			SubPath:   "system-probe.yaml",
+		},
+	}...)
+
+	// Remove volumes for seccomp profile install
+	var volumes []corev1.Volume
+	for _, vol := range defaultSystemProbeVolumes() {
+		if vol.Name == datadoghqv1alpha1.SystemProbeSecCompRootVolumeName || vol.Name == datadoghqv1alpha1.SystemProbeAgentSecurityVolumeName {
+			continue
+		}
+		volumes = append(volumes, vol)
+	}
+
+	return corev1.PodSpec{
+		ServiceAccountName: "foo-agent",
+		InitContainers: []corev1.Container{
+			{
+				Name:            "init-volume",
+				Image:           "gcr.io/datadoghq/agent:latest",
+				ImagePullPolicy: corev1.PullIfNotPresent,
+				Resources:       corev1.ResourceRequirements{},
+				Command:         []string{"bash", "-c"},
+				Args:            []string{"cp -r /etc/datadog-agent /opt"},
+				VolumeMounts: []corev1.VolumeMount{
+					{
+						Name:      datadoghqv1alpha1.ConfigVolumeName,
+						MountPath: "/opt/datadog-agent",
+					},
+				},
+			},
+			{
+				Name:            "init-config",
+				Image:           "gcr.io/datadoghq/agent:latest",
+				ImagePullPolicy: corev1.PullIfNotPresent,
+				Resources:       corev1.ResourceRequirements{},
+				Command:         []string{"bash", "-c"},
+				Args:            []string{"for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done"},
+				Env:             defaultEnvVars(nil),
+				VolumeMounts:    agentWithSystemProbeVolumeMounts,
+			},
+		},
+		Containers: []corev1.Container{
+			{
+				Name:            "agent",
+				Image:           "gcr.io/datadoghq/agent:latest",
+				ImagePullPolicy: corev1.PullIfNotPresent,
+				Command: []string{
+					"agent",
+					"run",
+				},
+				Resources: corev1.ResourceRequirements{},
+				Ports: []corev1.ContainerPort{
+					{
+						ContainerPort: 8125,
+						Name:          "dogstatsdport",
+						Protocol:      "UDP",
+					},
+				},
+				Env:            defaultEnvVars(nil),
+				VolumeMounts:   agentWithSystemProbeVolumeMounts,
+				LivenessProbe:  defaultLivenessProbe(),
+				ReadinessProbe: defaultReadinessProbe(),
+			},
+			{
+				Name:            "system-probe",
+				Image:           "gcr.io/datadoghq/agent:latest",
+				ImagePullPolicy: corev1.PullIfNotPresent,
+				Command: []string{
+					"system-probe",
+					"--config=/etc/datadog-agent/system-probe.yaml",
+				},
+				SecurityContext: &corev1.SecurityContext{
+					Capabilities: &corev1.Capabilities{
+						Add: []corev1.Capability{"SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK"},
+					},
+				},
+				Resources:    corev1.ResourceRequirements{},
+				Env:          defaultSystemProbeEnvVars(),
+				VolumeMounts: defaultSystemProbeMountVolume(),
+			},
+		},
+		Volumes: volumes,
+	}
+}
+
 func defaultPodSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1.PodSpec {
 	return corev1.PodSpec{
 		ServiceAccountName: "foo-agent",
@@ -1790,8 +1886,8 @@ func (test extendedDaemonSetFromInstanceTest) Run(t *testing.T) {
 	// Remove the generated hash before comparison because it is not easy generate it in the test definition.
 	delete(got.Annotations, datadoghqv1alpha1.MD5AgentDeploymentAnnotationKey)
 
-	assert.True(t, apiequality.Semantic.DeepEqual(got, test.want), "newExtendedDaemonSetFromInstance() = %#v\n\nwant %#v\ndiff: %s",
-		got, test.want, cmp.Diff(got, test.want))
+	diff := testutils.CompareKubeResource(got, test.want)
+	assert.True(t, len(diff) == 0, diff)
 }
 
 type extendedDaemonSetFromInstanceTestSuite []extendedDaemonSetFromInstanceTest
@@ -2507,6 +2603,7 @@ func Test_newExtendedDaemonSetFromInstance_CustomVolumes(t *testing.T) {
 							"app.kubernetes.io/part-of":     "foo",
 							"app.kubernetes.io/version":     "",
 						},
+						Annotations: map[string]string{},
 					},
 					Spec: userMountsPodSpec,
 				},
@@ -2569,6 +2666,7 @@ func Test_newExtendedDaemonSetFromInstance_DaemonSetNameAndSelector(t *testing.T
 							"app.kubernetes.io/version":     "",
 							"app":                           "datadog-monitoring",
 						},
+						Annotations: map[string]string{},
 					},
 					Spec: defaultPodSpec(daemonsetNameAgentDeployment),
 				},
@@ -2943,6 +3041,16 @@ func Test_newExtendedDaemonSetFromInstance_SystemProbe(t *testing.T) {
 		OrchestratorExplorerDisabled:     true,
 	})
 
+	ddaSeccomp := test.NewDefaultedDatadogAgent("bar", "foo", &test.NewDatadogAgentOptions{
+		UseEDS:                        true,
+		ClusterAgentEnabled:           true,
+		SystemProbeEnabled:            true,
+		OrchestratorExplorerDisabled:  true,
+		SystemProbeSeccompProfileName: "host-profile",
+	})
+	edsSeccomp := extendedDaemonSetWithSystemProbe(noSeccompInstallSystemProbeSpec(ddaSeccomp))
+	edsSeccomp.Spec.Template.Annotations["container.seccomp.security.alpha.kubernetes.io/system-probe"] = "host-profile"
+
 	tests := []extendedDaemonSetFromInstanceTest{
 		{
 			name:            "with default settings",
@@ -2962,6 +3070,12 @@ func Test_newExtendedDaemonSetFromInstance_SystemProbe(t *testing.T) {
 			wantErr:         false,
 			want:            extendedDaemonSetWithSystemProbe(*systemProbeExtraMountsSpec),
 		},
+		{
+			name:            "with on-host seccomp profile",
+			agentdeployment: ddaSeccomp,
+			wantErr:         false,
+			want:            edsSeccomp,
+		},
 	}
 
 	for _, test := range tests {

controllers/datadogagent/clusteragent_test.go

@@ -9,14 +9,13 @@ import (
 	"github.com/DataDog/datadog-operator/api/v1alpha1/test"
 	"github.com/DataDog/datadog-operator/controllers/datadogagent/orchestrator"
 	"github.com/DataDog/datadog-operator/pkg/controller/utils/comparison"
+	"github.com/DataDog/datadog-operator/pkg/testutils"
 
 	"github.com/go-logr/logr"
-	"github.com/google/go-cmp/cmp"
 	assert "github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
-	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
@@ -200,7 +199,9 @@ func (test clusterAgentDeploymentFromInstanceTest) Run(t *testing.T) {
 		}
 		test.want.Annotations["agent.datadoghq.com/agentspechash"] = deploymentSpecHash
 	}
-	assert.True(t, apiequality.Semantic.DeepEqual(got, test.want), "newClusterAgentDeploymentFromInstance()\ndiff = %s", cmp.Diff(got, test.want))
+
+	diff := testutils.CompareKubeResource(got, test.want)
+	assert.True(t, len(diff) == 0, diff)
 }
 
 type clusterAgentDeploymentFromInstanceTestSuite []clusterAgentDeploymentFromInstanceTest
@@ -1041,7 +1042,8 @@ func Test_newClusterAgentDeploymentFromInstance_AdmissionController(t *testing.T
 				Spec: appsv1.DeploymentSpec{
 					Template: corev1.PodTemplateSpec{
 						ObjectMeta: metav1.ObjectMeta{
-							Labels: commonLabels,
+							Labels:      commonLabels,
+							Annotations: map[string]string{},
 						},
 						Spec: admissionControllerPodSpec,
 					},
@@ -1073,7 +1075,8 @@ func Test_newClusterAgentDeploymentFromInstance_AdmissionController(t *testing.T
 				Spec: appsv1.DeploymentSpec{
 					Template: corev1.PodTemplateSpec{
 						ObjectMeta: metav1.ObjectMeta{
-							Labels: commonLabels,
+							Labels:      commonLabels,
+							Annotations: map[string]string{},
 						},
 						Spec: admissionControllerPodSpecCustom,
 					},

controllers/datadogagent/clusterchecksrunner_test.go

@@ -8,12 +8,11 @@ import (
 	datadoghqv1alpha1 "github.com/DataDog/datadog-operator/api/v1alpha1"
 	test "github.com/DataDog/datadog-operator/api/v1alpha1/test"
 	"github.com/DataDog/datadog-operator/pkg/controller/utils/comparison"
+	"github.com/DataDog/datadog-operator/pkg/testutils"
 
-	"github.com/google/go-cmp/cmp"
 	assert "github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
@@ -216,8 +215,9 @@ func (test clusterChecksRunnerDeploymentFromInstanceTest) Run(t *testing.T) {
 	} else {
 		assert.NoError(t, err, "newClusterChecksRunnerDeploymentFromInstance() unexpected error: %v", err)
 	}
-	assert.True(t, apiequality.Semantic.DeepEqual(got, test.want), "newClusterChecksRunnerDeploymentFromInstance() = %#v, want %#v\ndiff = %s", got, test.want,
-		cmp.Diff(got, test.want))
+
+	diff := testutils.CompareKubeResource(got, test.want)
+	assert.True(t, len(diff) == 0, diff)
 }
 
 func Test_newClusterChecksRunnerDeploymentFromInstance_UserVolumes(t *testing.T) {