Fix runtime security volumes creation (#362)

DataDog · Aug 25, 2021 · aa76649 · aa76649
1 parent 084c010
commit aa76649
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/api/v1alpha1/datadogagent_default.go b/api/v1alpha1/datadogagent_default.go
@@ -622,12 +622,18 @@ func DefaultDatadogAgentSpecAgentApmUDS(apm *APMSpec) *APMUnixDomainSocketSpec {
 // DefaultDatadogAgentSpecAgentSystemProbe defaults the System Probe
 // This method can be re-run as part of the FeatureOverride
 func DefaultDatadogAgentSpecAgentSystemProbe(agent *DatadogAgentSpecAgentSpec) *SystemProbeSpec {
+	sysOverride := &SystemProbeSpec{}
+
 	if agent.SystemProbe == nil {
 		agent.SystemProbe = &SystemProbeSpec{Enabled: NewBoolPointer(defaultSystemProbeEnabled)}
-		return agent.SystemProbe
+		sysOverride = agent.SystemProbe
+	}
+
+	if agent.Security != nil && BoolValue(agent.Security.Runtime.Enabled) {
+		agent.SystemProbe.Enabled = agent.Security.Runtime.Enabled
+		sysOverride = agent.SystemProbe
 	}
 
-	sysOverride := &SystemProbeSpec{}
 	if agent.SystemProbe.Enabled == nil {
 		agent.SystemProbe.Enabled = NewBoolPointer(defaultSystemProbeEnabled)
 		sysOverride.Enabled = agent.SystemProbe.Enabled

diff --git a/controllers/datadogagent/utils.go b/controllers/datadogagent/utils.go
@@ -1237,15 +1237,20 @@ func getVolumesForAgent(dda *datadoghqv1alpha1.DatadogAgent) []corev1.Volume {
 		}
 	}
 
-	if isRuntimeSecurityEnabled(&dda.Spec) && dda.Spec.Agent.Security.Runtime.PoliciesDir != nil {
+	if isRuntimeSecurityEnabled(&dda.Spec) {
 		volumes = append(volumes,
-			getVolumeFromConfigDirSpec(datadoghqv1alpha1.SecurityAgentRuntimeCustomPoliciesVolumeName, dda.Spec.Agent.Security.Runtime.PoliciesDir),
 			corev1.Volume{
 				Name: datadoghqv1alpha1.SecurityAgentRuntimePoliciesDirVolumeName,
 				VolumeSource: corev1.VolumeSource{
 					EmptyDir: &corev1.EmptyDirVolumeSource{},
 				},
 			})
+
+		if dda.Spec.Agent.Security.Runtime.PoliciesDir != nil {
+			volumes = append(volumes,
+				getVolumeFromConfigDirSpec(datadoghqv1alpha1.SecurityAgentRuntimeCustomPoliciesVolumeName, dda.Spec.Agent.Security.Runtime.PoliciesDir),
+			)
+		}
 	}
 
 	volumes = append(volumes, dda.Spec.Agent.Config.Volumes...)
@@ -1768,7 +1773,7 @@ func getVolumeMountsForSecurityAgent(dda *datadoghqv1alpha1.DatadogAgent) []core
 		})
 	}
 
-	if runtimeEnabled {
+	if runtimeEnabled && isSystemProbeEnabled(&dda.Spec) {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
 			Name:      datadoghqv1alpha1.SystemProbeSocketVolumeName,
 			MountPath: datadoghqv1alpha1.SystemProbeSocketVolumePath,

diff --git a/controllers/testutils/new.go b/controllers/testutils/new.go
@@ -153,6 +153,8 @@ func NewDatadogAgent(ns, name, image string, options *NewDatadogAgentOptions) *d
 
 			ad.Spec.Features.OrchestratorExplorer.Enabled = datadoghqv1alpha1.NewBoolPointer(false)
 		}
+		// options can have an impact on the defaulting
+		_ = datadoghqv1alpha1.DefaultDatadogAgent(ad)
 	}
 
 	return ad