Set runtime security custom policy using config map (#315)

DataDog · Jun 3, 2021 · 959b205 · 959b205
1 parent fdbdd7f
commit 959b205
Show file tree

Hide file tree

Showing 7 changed files with 74 additions and 54 deletions.
diff --git a/api/v1alpha1/const.go b/api/v1alpha1/const.go
@@ -190,10 +190,11 @@ const (
 
 	HostCriSocketPathPrefix = "/host"
 
-	SecurityAgentRuntimePoliciesDirVolumeName  = "runtimepoliciesdir"
-	SecurityAgentRuntimePoliciesDirVolumePath  = "/etc/datadog-agent/runtime-security.d"
-	SecurityAgentComplianceConfigDirVolumeName = "compliancedir"
-	SecurityAgentComplianceConfigDirVolumePath = "/etc/datadog-agent/compliance.d"
+	SecurityAgentRuntimeCustomPoliciesVolumeName = "customruntimepolicies"
+	SecurityAgentRuntimePoliciesDirVolumeName    = "runtimepoliciesdir"
+	SecurityAgentRuntimePoliciesDirVolumePath    = "/etc/datadog-agent/runtime-security.d"
+	SecurityAgentComplianceConfigDirVolumeName   = "compliancedir"
+	SecurityAgentComplianceConfigDirVolumePath   = "/etc/datadog-agent/compliance.d"
 
 	ClusterAgentCustomConfigVolumeName    = "custom-datadog-yaml"
 	ClusterAgentCustomConfigVolumePath    = "/etc/datadog-agent/datadog-cluster.yaml"

diff --git a/controllers/datadogagent/agent_test.go b/controllers/datadogagent/agent_test.go
@@ -1069,7 +1069,7 @@ func defaultSystemProbePodSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1.PodSp
 				ImagePullPolicy: corev1.PullIfNotPresent,
 				Resources:       corev1.ResourceRequirements{},
 				Command:         []string{"bash", "-c"},
-				Args:            []string{"cp -r /etc/datadog-agent /opt"},
+				Args:            []string{"cp -vnr /etc/datadog-agent /opt;cp -v /etc/datadog-agent-runtime-policies/* /opt/datadog-agent/runtime-security.d/"},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      datadoghqv1alpha1.ConfigVolumeName,
@@ -1184,7 +1184,7 @@ func noSeccompInstallSystemProbeSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1
 				ImagePullPolicy: corev1.PullIfNotPresent,
 				Resources:       corev1.ResourceRequirements{},
 				Command:         []string{"bash", "-c"},
-				Args:            []string{"cp -r /etc/datadog-agent /opt"},
+				Args:            []string{"cp -vnr /etc/datadog-agent /opt;cp -v /etc/datadog-agent-runtime-policies/* /opt/datadog-agent/runtime-security.d/"},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      datadoghqv1alpha1.ConfigVolumeName,
@@ -1257,7 +1257,7 @@ func defaultPodSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1.PodSpec {
 				ImagePullPolicy: corev1.PullIfNotPresent,
 				Resources:       corev1.ResourceRequirements{},
 				Command:         []string{"bash", "-c"},
-				Args:            []string{"cp -r /etc/datadog-agent /opt"},
+				Args:            []string{"cp -vnr /etc/datadog-agent /opt;cp -v /etc/datadog-agent-runtime-policies/* /opt/datadog-agent/runtime-security.d/"},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      datadoghqv1alpha1.ConfigVolumeName,
@@ -1470,7 +1470,7 @@ func runtimeSecurityAgentPodSpec(extraEnv map[string]string) corev1.PodSpec {
 				ImagePullPolicy: corev1.PullIfNotPresent,
 				Resources:       corev1.ResourceRequirements{},
 				Command:         []string{"bash", "-c"},
-				Args:            []string{"cp -r /etc/datadog-agent /opt"},
+				Args:            []string{"cp -vnr /etc/datadog-agent /opt;cp -v /etc/datadog-agent-runtime-policies/* /opt/datadog-agent/runtime-security.d/"},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      datadoghqv1alpha1.ConfigVolumeName,
@@ -1579,7 +1579,7 @@ func complianceSecurityAgentPodSpec(extraEnv map[string]string) corev1.PodSpec {
 				ImagePullPolicy: corev1.PullIfNotPresent,
 				Resources:       corev1.ResourceRequirements{},
 				Command:         []string{"bash", "-c"},
-				Args:            []string{"cp -r /etc/datadog-agent /opt"},
+				Args:            []string{"cp -vnr /etc/datadog-agent /opt;cp -v /etc/datadog-agent-runtime-policies/* /opt/datadog-agent/runtime-security.d/"},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      datadoghqv1alpha1.ConfigVolumeName,
@@ -1771,7 +1771,7 @@ func customKubeletConfigPodSpec(kubeletConfig *datadoghqv1alpha1.KubeletConfig)
 				ImagePullPolicy: corev1.PullIfNotPresent,
 				Resources:       corev1.ResourceRequirements{},
 				Command:         []string{"bash", "-c"},
-				Args:            []string{"cp -r /etc/datadog-agent /opt"},
+				Args:            []string{"cp -vnr /etc/datadog-agent /opt;cp -v /etc/datadog-agent-runtime-policies/* /opt/datadog-agent/runtime-security.d/"},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      datadoghqv1alpha1.ConfigVolumeName,

diff --git a/controllers/datadogagent/clusterchecksrunner_test.go b/controllers/datadogagent/clusterchecksrunner_test.go
@@ -31,7 +31,7 @@ func clusterChecksRunnerDefaultPodSpec() corev1.PodSpec {
 				ImagePullPolicy: corev1.PullIfNotPresent,
 				Resources:       corev1.ResourceRequirements{},
 				Command:         []string{"bash", "-c"},
-				Args:            []string{"cp -r /etc/datadog-agent /opt"},
+				Args:            []string{"cp -vnr /etc/datadog-agent /opt;cp -v /etc/datadog-agent-runtime-policies/* /opt/datadog-agent/runtime-security.d/"},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      datadoghqv1alpha1.ConfigVolumeName,

diff --git a/controllers/datadogagent/controller_test.go b/controllers/datadogagent/controller_test.go
@@ -758,7 +758,7 @@ func TestReconcileDatadogAgent_Reconcile(t *testing.T) {
 					dda := test.NewDefaultedDatadogAgent(resourcesNamespace, resourcesName, &test.NewDatadogAgentOptions{ProcessEnabled: true, SystemProbeEnabled: true, ClusterAgentEnabled: false, UseEDS: false, Labels: map[string]string{"label-foo-key": "label-bar-value"}})
 					_ = c.Create(context.TODO(), dda)
 					createAgentDependencies(c, dda)
-					configCM, _ := buildSystemProbeConfigConfiMap(dda)
+					configCM, _ := buildSystemProbeConfigConfigMap(dda)
 					_ = c.Create(context.TODO(), configCM)
 				},
 			},
@@ -2480,7 +2480,7 @@ func hasAllNodeLevelRbacResources(policyRules []rbacv1.PolicyRule) bool {
 }
 
 func createSystemProbeDependencies(c client.Client, dda *datadoghqv1alpha1.DatadogAgent) {
-	configCM, _ := buildSystemProbeConfigConfiMap(dda)
+	configCM, _ := buildSystemProbeConfigConfigMap(dda)
 	securityCM, _ := buildSystemProbeSecCompConfigMap(dda)
 	_ = c.Create(context.TODO(), configCM)
 	_ = c.Create(context.TODO(), securityCM)

diff --git a/controllers/datadogagent/systemprobe.go b/controllers/datadogagent/systemprobe.go
@@ -24,7 +24,7 @@ const (
 )
 
 func (r *Reconciler) manageSystemProbeDependencies(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent) (reconcile.Result, error) {
-	result, err := r.manageConfigMap(logger, dda, getSystemProbeConfigConfigMapName(dda), buildSystemProbeConfigConfiMap)
+	result, err := r.manageConfigMap(logger, dda, getSystemProbeConfigConfigMapName(dda), buildSystemProbeConfigConfigMap)
 	if shouldReturn(result, err) {
 		return result, err
 	}
@@ -64,7 +64,7 @@ func getSystemProbeConfigFileName(dda *datadoghqv1alpha1.DatadogAgent) string {
 	return datadoghqv1alpha1.SystemProbeConfigVolumeSubPath
 }
 
-func buildSystemProbeConfigConfiMap(dda *datadoghqv1alpha1.DatadogAgent) (*corev1.ConfigMap, error) {
+func buildSystemProbeConfigConfigMap(dda *datadoghqv1alpha1.DatadogAgent) (*corev1.ConfigMap, error) {
 	if !shouldCreateSystemProbeConfigConfigMap(dda) {
 		return nil, nil
 	}

diff --git a/controllers/datadogagent/utils.go b/controllers/datadogagent/utils.go
@@ -434,34 +434,54 @@ func getInitContainers(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent)
 	return containers, nil
 }
 
+func getInitContainer(spec *datadoghqv1alpha1.DatadogAgentSpec, name string, commands []string, volumeMounts []corev1.VolumeMount, envVars []corev1.EnvVar) corev1.Container {
+	return corev1.Container{
+		Name:            name,
+		Image:           spec.Agent.Image.Name,
+		ImagePullPolicy: *spec.Agent.Image.PullPolicy,
+		Resources:       *spec.Agent.Config.Resources,
+		Command:         []string{"bash", "-c"},
+		Args:            []string{strings.Join(commands, ";")},
+		VolumeMounts:    volumeMounts,
+		Env:             envVars,
+	}
+}
+
 // getConfigInitContainers returns the init containers necessary to set up the
 // agent's configuration volume.
 func getConfigInitContainers(spec *datadoghqv1alpha1.DatadogAgentSpec, volumeMounts []corev1.VolumeMount, envVars []corev1.EnvVar) []corev1.Container {
-	return []corev1.Container{
-		{
-			Name:            "init-volume",
-			Image:           spec.Agent.Image.Name,
-			ImagePullPolicy: *spec.Agent.Image.PullPolicy,
-			Resources:       *spec.Agent.Config.Resources,
-			Command:         []string{"bash", "-c"},
-			Args:            []string{"cp -r /etc/datadog-agent /opt"},
-			VolumeMounts: []corev1.VolumeMount{
-				{
-					Name:      datadoghqv1alpha1.ConfigVolumeName,
-					MountPath: "/opt/datadog-agent",
-				},
+	configVolumeMounts := []corev1.VolumeMount{{
+		Name:      datadoghqv1alpha1.ConfigVolumeName,
+		MountPath: "/opt/datadog-agent",
+	}}
+
+	if isRuntimeSecurityEnabled(spec) && spec.Agent.Security.Runtime.PoliciesDir != nil {
+		configVolumeMounts = append(
+			configVolumeMounts,
+			corev1.VolumeMount{
+				Name:      datadoghqv1alpha1.SecurityAgentRuntimeCustomPoliciesVolumeName,
+				MountPath: "/etc/datadog-agent-runtime-policies",
 			},
-		},
-		{
-			Name:            "init-config",
-			Image:           spec.Agent.Image.Name,
-			ImagePullPolicy: *spec.Agent.Image.PullPolicy,
-			Resources:       *spec.Agent.Config.Resources,
-			Command:         []string{"bash", "-c"},
-			Args:            []string{"for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done"},
-			Env:             envVars,
-			VolumeMounts:    volumeMounts,
-		},
+			corev1.VolumeMount{
+				Name:      datadoghqv1alpha1.SecurityAgentRuntimePoliciesDirVolumeName,
+				MountPath: "/opt/datadog-agent/runtime-security.d",
+			},
+		)
+	}
+
+	return []corev1.Container{
+		getInitContainer(
+			spec, "init-volume",
+			[]string{
+				"cp -vnr /etc/datadog-agent /opt",
+				"cp -v /etc/datadog-agent-runtime-policies/* /opt/datadog-agent/runtime-security.d/",
+			}, configVolumeMounts, nil,
+		),
+		getInitContainer(
+			spec, "init-config",
+			[]string{"for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do bash $script ; done"},
+			volumeMounts, envVars,
+		),
 	}
 }
 
@@ -1160,16 +1180,23 @@ func getVolumesForAgent(dda *datadoghqv1alpha1.DatadogAgent) []corev1.Volume {
 	}
 
 	if isRuntimeSecurityEnabled(&dda.Spec) && dda.Spec.Agent.Security.Runtime.PoliciesDir != nil {
-		volumes = append(volumes, corev1.Volume{
-			Name: datadoghqv1alpha1.SecurityAgentRuntimePoliciesDirVolumeName,
-			VolumeSource: corev1.VolumeSource{
-				ConfigMap: &corev1.ConfigMapVolumeSource{
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: dda.Spec.Agent.Security.Runtime.PoliciesDir.ConfigMapName,
+		volumes = append(volumes,
+			corev1.Volume{
+				Name: datadoghqv1alpha1.SecurityAgentRuntimeCustomPoliciesVolumeName,
+				VolumeSource: corev1.VolumeSource{
+					ConfigMap: &corev1.ConfigMapVolumeSource{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: dda.Spec.Agent.Security.Runtime.PoliciesDir.ConfigMapName,
+						},
 					},
 				},
 			},
-		})
+			corev1.Volume{
+				Name: datadoghqv1alpha1.SecurityAgentRuntimePoliciesDirVolumeName,
+				VolumeSource: corev1.VolumeSource{
+					EmptyDir: &corev1.EmptyDirVolumeSource{},
+				},
+			})
 	}
 
 	volumes = append(volumes, dda.Spec.Agent.Config.Volumes...)
@@ -1688,13 +1715,6 @@ func getVolumeMountsForSecurityAgent(dda *datadoghqv1alpha1.DatadogAgent) []core
 			ReadOnly:  true,
 		})
 	}
-	if runtimeEnabled && dda.Spec.Agent.Security.Runtime.PoliciesDir != nil {
-		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      datadoghqv1alpha1.SecurityAgentRuntimePoliciesDirVolumeName,
-			MountPath: datadoghqv1alpha1.SecurityAgentRuntimePoliciesDirVolumePath,
-			ReadOnly:  true,
-		})
-	}
 
 	return volumeMounts
 }

diff --git a/controllers/datadogagent/utils_test.go b/controllers/datadogagent/utils_test.go
@@ -196,7 +196,6 @@ func Test_getVolumeMountsForSecurityAgent(t *testing.T) {
 				v1.VolumeMount{Name: "hostroot", ReadOnly: true, MountPath: "/host/root"},
 				v1.VolumeMount{Name: "runtimesocketdir", ReadOnly: true, MountPath: "/host/var/run/containerd"},
 				v1.VolumeMount{Name: "sysprobe-socket-dir", ReadOnly: true, MountPath: "/var/run/sysprobe"},
-				v1.VolumeMount{Name: "runtimepoliciesdir", ReadOnly: true, MountPath: "/etc/datadog-agent/runtime-security.d"},
 			},
 		},
 	}