Do not enforce dd-agent user (UID 101) for the CLC and DCA (#456)

DataDog · Apr 6, 2022 · dfb7fc1 · dfb7fc1
1 parent c5aa4c7
commit dfb7fc1
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 21 deletions.
diff --git a/controllers/datadogagent/agent_test.go b/controllers/datadogagent/agent_test.go
@@ -1267,13 +1267,17 @@ func defaultSystemProbePodSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1.PodSp
 					Capabilities: &corev1.Capabilities{
 						Add: []corev1.Capability{"SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK", "CHOWN"},
 					},
+					RunAsUser: apiutils.NewInt64Pointer(0),
 				},
 				Resources:    corev1.ResourceRequirements{},
 				Env:          defaultSystemProbeEnvVars(),
 				VolumeMounts: defaultSystemProbeMountVolume(),
 			},
 		},
 		Volumes: defaultSystemProbeVolumes(),
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsUser: apiutils.NewInt64Pointer(0),
+		},
 	}
 }
 
@@ -1375,13 +1379,17 @@ func noSeccompInstallSystemProbeSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1
 					Capabilities: &corev1.Capabilities{
 						Add: []corev1.Capability{"SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK", "CHOWN"},
 					},
+					RunAsUser: apiutils.NewInt64Pointer(0),
 				},
 				Resources:    corev1.ResourceRequirements{},
 				Env:          defaultSystemProbeEnvVars(),
 				VolumeMounts: defaultSystemProbeMountVolume(),
 			},
 		},
 		Volumes: volumes,
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsUser: apiutils.NewInt64Pointer(0),
+		},
 	}
 }
 
@@ -1457,6 +1465,9 @@ func defaultPodSpec(dda *datadoghqv1alpha1.DatadogAgent) corev1.PodSpec {
 			},
 		},
 		Volumes: defaultProcessMount(),
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsUser: apiutils.NewInt64Pointer(0),
+		},
 	}
 }
 
@@ -1730,6 +1741,7 @@ func runtimeSecurityAgentPodSpec(extraEnv map[string]string, extraDir string) co
 					Capabilities: &corev1.Capabilities{
 						Add: []corev1.Capability{"SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK", "CHOWN"},
 					},
+					RunAsUser: apiutils.NewInt64Pointer(0),
 				},
 				Resources: corev1.ResourceRequirements{},
 				Env:       systemProbeEnv,
@@ -1755,13 +1767,17 @@ func runtimeSecurityAgentPodSpec(extraEnv map[string]string, extraDir string) co
 					Capabilities: &corev1.Capabilities{
 						Add: []corev1.Capability{"AUDIT_CONTROL", "AUDIT_READ"},
 					},
+					RunAsUser: apiutils.NewInt64Pointer(0),
 				},
 				Resources:    corev1.ResourceRequirements{},
 				Env:          securityAgentEnvVars(false, true, true, extraEnv),
 				VolumeMounts: runtimeSecurityAgentMountVolume(),
 			},
 		},
 		Volumes: volumesBuilder.Build(),
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsUser: apiutils.NewInt64Pointer(0),
+		},
 	}
 }
 
@@ -1830,13 +1846,17 @@ func complianceSecurityAgentPodSpec(extraEnv map[string]string) corev1.PodSpec {
 					Capabilities: &corev1.Capabilities{
 						Add: []corev1.Capability{"AUDIT_CONTROL", "AUDIT_READ"},
 					},
+					RunAsUser: apiutils.NewInt64Pointer(0),
 				},
 				Resources:    corev1.ResourceRequirements{},
 				Env:          securityAgentEnvVars(true, false, false, extraEnv),
 				VolumeMounts: complianceSecurityAgentMountVolume(),
 			},
 		},
 		Volumes: complianceSecurityAgentVolumes(),
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsUser: apiutils.NewInt64Pointer(0),
+		},
 	}
 }
 
@@ -1991,6 +2011,9 @@ func customKubeletConfigPodSpec(kubeletConfig *datadoghqv1alpha1.KubeletConfig)
 			},
 		},
 		Volumes: VolumeBuilder.Build(),
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsUser: apiutils.NewInt64Pointer(0),
+		},
 	}
 }
 

diff --git a/controllers/datadogagent/clusteragent.go b/controllers/datadogagent/clusteragent.go
@@ -480,11 +480,10 @@ func newClusterAgentPodTemplate(logger logr.Logger, dda *datadoghqv1alpha1.Datad
 		Tolerations:       clusterAgentSpec.Tolerations,
 		PriorityClassName: dda.Spec.ClusterAgent.PriorityClassName,
 		Volumes:           volumes,
-		SecurityContext: &corev1.PodSecurityContext{
-			RunAsNonRoot: apiutils.NewBoolPointer(true),
-			// 101 is the UID of user `dd-agent` in the official datadog cluster agent image
-			RunAsUser: apiutils.NewInt64Pointer(101),
-		},
+		// To be uncommented when the cluster-agent Dockerfile will be updated to use a non-root user by default
+		// SecurityContext: &corev1.PodSecurityContext{
+		// 	RunAsNonRoot: apiutils.NewBoolPointer(true),
+		// },
 	}
 
 	newPodTemplate := corev1.PodTemplateSpec{

diff --git a/controllers/datadogagent/clusteragent_test.go b/controllers/datadogagent/clusteragent_test.go
@@ -101,10 +101,10 @@ func clusterAgentDefaultPodSpec() v1.PodSpec {
 				},
 			},
 		},
-		SecurityContext: &v1.PodSecurityContext{
-			RunAsNonRoot: apiutils.NewBoolPointer(true),
-			RunAsUser:    apiutils.NewInt64Pointer(101),
-		},
+		// To be uncommented when the cluster-agent Dockerfile will be updated to use a non-root user by default
+		// SecurityContext: &v1.PodSecurityContext{
+		// 	RunAsNonRoot: apiutils.NewBoolPointer(true),
+		// },
 	}
 }
 

diff --git a/controllers/datadogagent/clusterchecksrunner.go b/controllers/datadogagent/clusterchecksrunner.go
@@ -302,11 +302,10 @@ func newClusterChecksRunnerPodTemplate(dda *datadoghqv1alpha1.DatadogAgent, labe
 			Affinity:          getPodAffinity(clusterChecksRunnerSpec.Affinity),
 			Tolerations:       clusterChecksRunnerSpec.Tolerations,
 			PriorityClassName: clusterChecksRunnerSpec.PriorityClassName,
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsNonRoot: apiutils.NewBoolPointer(true),
-				// 101 is the UID of user `dd-agent` in the official datadog agent image
-				RunAsUser: apiutils.NewInt64Pointer(101),
-			},
+			// To be uncommented when the agent Dockerfile will be updated to use a non-root user by default
+			// SecurityContext: &corev1.PodSecurityContext{
+			// 	RunAsNonRoot: apiutils.NewBoolPointer(true),
+			// },
 		},
 	}
 

diff --git a/controllers/datadogagent/clusterchecksrunner_test.go b/controllers/datadogagent/clusterchecksrunner_test.go
@@ -56,10 +56,10 @@ func clusterChecksRunnerDefaultPodSpec() corev1.PodSpec {
 			},
 		},
 		Volumes: clusterChecksRunnerDefaultVolumes(),
-		SecurityContext: &v1.PodSecurityContext{
-			RunAsNonRoot: apiutils.NewBoolPointer(true),
-			RunAsUser:    apiutils.NewInt64Pointer(101),
-		},
+		// To be uncommented when the agent Dockerfile will be updated to use a non-root user by default
+		// SecurityContext: &v1.PodSecurityContext{
+		// 	RunAsNonRoot: apiutils.NewBoolPointer(true),
+		// },
 	}
 }
 

diff --git a/controllers/datadogagent/utils.go b/controllers/datadogagent/utils.go
@@ -132,15 +132,18 @@ func newAgentPodTemplate(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent
 		return nil, err
 	}
 
-	return &corev1.PodTemplateSpec{
+	podTemplate := &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: dda.Name,
 			Namespace:    dda.Namespace,
 			Labels:       labels,
 			Annotations:  annotations,
 		},
 		Spec: corev1.PodSpec{
-			SecurityContext:    dda.Spec.Agent.Config.SecurityContext,
+			// Force root user for when the agent Dockerfile will be updated to use a non-root user by default
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsUser: apiutils.NewInt64Pointer(0),
+			},
 			ServiceAccountName: getAgentServiceAccount(dda),
 			InitContainers:     initContainers,
 			Containers:         containers,
@@ -153,7 +156,13 @@ func newAgentPodTemplate(logger logr.Logger, dda *datadoghqv1alpha1.DatadogAgent
 			DNSConfig:          dda.Spec.Agent.DNSConfig,
 			Affinity:           dda.Spec.Agent.Affinity,
 		},
-	}, nil
+	}
+
+	if dda.Spec.Agent.Config.SecurityContext != nil {
+		podTemplate.Spec.SecurityContext = dda.Spec.Agent.Config.SecurityContext
+	}
+
+	return podTemplate, nil
 }
 
 func isClusterChecksEnabled(spec *datadoghqv1alpha1.DatadogAgentSpec) bool {
@@ -409,6 +418,8 @@ func getSystemProbeContainers(dda *datadoghqv1alpha1.DatadogAgent, image string)
 					"CHOWN",
 				},
 			},
+			// Force root user for when the agent Dockerfile will be updated to use a non-root user by default
+			RunAsUser: apiutils.NewInt64Pointer(0),
 		},
 		Env:          systemProbeEnvVars,
 		VolumeMounts: getVolumeMountsForSystemProbe(dda),
@@ -440,6 +451,8 @@ func getSecurityAgentContainer(dda *datadoghqv1alpha1.DatadogAgent, image string
 			Capabilities: &corev1.Capabilities{
 				Add: []corev1.Capability{"AUDIT_CONTROL", "AUDIT_READ"},
 			},
+			// Force root user for when the agent Dockerfile will be updated to use a non-root user by default
+			RunAsUser: apiutils.NewInt64Pointer(0),
 		},
 		Resources:    *agentSpec.Config.Resources,
 		Env:          envVars,