
Fix AppArmor annotations for absent containers in annotation overrides#2897

Merged
tbavelier merged 3 commits intomainfrom
lebauce/apparmor-fixes-v2
Apr 14, 2026

Conversation

@lebauce
Contributor

@lebauce lebauce commented Apr 13, 2026

…verrides

The fix in a0dc8c0 added a container existence check to overrideAppArmorProfile(), preventing invalid AppArmor annotations when a container (e.g. security-agent with directSendFromSystemProbe=true) is absent from the pod spec.

However, the same guard was missing from the direct annotation loop in PodTemplateSpec(), which blindly copies spec.override.nodeAgent.annotations to the pod template. Any AppArmor annotation set via that path would bypass the existing fix and still produce an invalid DaemonSet.

Apply the same container existence check when iterating override.Annotations: skip AppArmor annotations (container.apparmor.security.beta.kubernetes.io/<name>) if <name> does not match any container in the pod spec.


@lebauce lebauce added the bug Something isn't working label Apr 13, 2026
@lebauce lebauce requested a review from a team April 13, 2026 14:08
@lebauce lebauce changed the title Fix AppArmor annotations for absent containers in direct annotation o… Fix AppArmor annotations for absent containers in annotation overrides Apr 13, 2026
@lebauce lebauce added this to the v1.26.0 milestone Apr 13, 2026
…verrides

The fix in a0dc8c0 added a container existence check to
overrideAppArmorProfile(), preventing invalid AppArmor annotations when
a container (e.g. security-agent with directSendFromSystemProbe=true) is
absent from the pod spec.

However, the same guard was missing from the direct annotation loop in
PodTemplateSpec(), which blindly copies spec.override.nodeAgent.annotations
to the pod template. Any AppArmor annotation set via that path would bypass
the existing fix and still produce an invalid DaemonSet.

Apply the same container existence check when iterating override.Annotations:
skip AppArmor annotations (container.apparmor.security.beta.kubernetes.io/<name>)
if <name> does not match any container in the pod spec.
@lebauce lebauce force-pushed the lebauce/apparmor-fixes-v2 branch from a2196a7 to 0f26877 Compare April 13, 2026 14:23
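One way to implement the guard the PR description and the review thread describe, as an added example for this page rather than the operator's own code: the override annotation loop copies every key except an AppArmor annotation whose `<name>` suffix does not match a container in the pod spec, using `slices.ContainsFunc` for the lookup as suggested in the review. `Container` and `PodSpec` are minimal stand-ins for the corev1 types, `HasContainer` and `ApplyAnnotationOverrides` are hypothetical names, the sample spec and overrides are constructed, and checking init containers as well as regular containers is an assumption (kube-apiserver validates the annotation against both lists, which is why an annotation for a missing container makes the DaemonSet invalid).

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// AppArmorAnnotationPrefix is the legacy per-container AppArmor annotation key
// prefix; the suffix after the slash names the container the profile applies to.
const AppArmorAnnotationPrefix = "container.apparmor.security.beta.kubernetes.io/"

// Container is a minimal stand-in for corev1.Container (assumption: only the
// name is needed for this check).
type Container struct {
	Name string
}

// PodSpec is a minimal stand-in for corev1.PodSpec.
type PodSpec struct {
	InitContainers []Container
	Containers     []Container
}

// HasContainer reports whether spec declares a container called name in either
// the init or the regular container list (assumption: both lists count, since
// the API server validates AppArmor annotations against both).
func HasContainer(spec PodSpec, name string) bool {
	match := func(c Container) bool { return c.Name == name }
	return slices.ContainsFunc(spec.Containers, match) ||
		slices.ContainsFunc(spec.InitContainers, match)
}

// ApplyAnnotationOverrides merges override annotations into the template
// annotations. An AppArmor annotation whose target container is absent from
// spec is dropped instead of copied, because the API server rejects a pod
// template carrying an AppArmor annotation for a container it cannot find.
// The skipped keys are returned sorted so the caller can log them.
func ApplyAnnotationOverrides(template, overrides map[string]string, spec PodSpec) (map[string]string, []string) {
	merged := make(map[string]string, len(template)+len(overrides))
	for k, v := range template {
		merged[k] = v
	}
	var skipped []string
	for k, v := range overrides {
		target, isAppArmor := strings.CutPrefix(k, AppArmorAnnotationPrefix)
		if isAppArmor && !HasContainer(spec, target) {
			skipped = append(skipped, k)
			continue
		}
		merged[k] = v
	}
	slices.Sort(skipped)
	return merged, skipped
}

func main() {
	// Constructed sample: a node agent pod without the security-agent container
	// (the directSendFromSystemProbe=true case from the PR description) and an
	// override block that still names it.
	spec := PodSpec{
		InitContainers: []Container{{Name: "init-config"}},
		Containers:     []Container{{Name: "agent"}, {Name: "trace-agent"}, {Name: "system-probe"}},
	}
	overrides := map[string]string{
		AppArmorAnnotationPrefix + "system-probe":   "unconfined",
		AppArmorAnnotationPrefix + "security-agent": "unconfined",
		AppArmorAnnotationPrefix + "init-config":    "runtime/default",
		"example.com/owner":                         "platform-team",
	}
	merged, skipped := ApplyAnnotationOverrides(map[string]string{"example.com/managed-by": "operator"}, overrides, spec)
	for _, k := range skipped {
		fmt.Printf("skipped %s: no such container in pod spec\n", k)
	}
	keys := make([]string, 0, len(merged))
	for k := range merged {
		keys = append(keys, k)
	}
	slices.Sort(keys)
	for _, k := range keys {
		fmt.Printf("%s=%s\n", k, merged[k])
	}
}
```

Returning the skipped keys rather than dropping them silently is a design choice for this example: an operator user who set the annotation deliberately is better served by a log line explaining why it never reached the DaemonSet than by a silent omission.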
@codecov-commenter

codecov-commenter commented Apr 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.07%. Comparing base (ef88adb) to head (8290902).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2897      +/-   ##
==========================================
+ Coverage   40.06%   40.07%   +0.01%     
==========================================
  Files         319      319              
  Lines       28039    28041       +2     
==========================================
+ Hits        11233    11237       +4     
+ Misses      15983    15982       -1     
+ Partials      823      822       -1     
Flag Coverage Δ
unittests 40.07% <100.00%> (+0.01%) ⬆️


Files with missing lines Coverage Δ
...rnal/controller/datadogagent/override/container.go 95.94% <100.00%> (-0.16%) ⬇️
...ontroller/datadogagent/override/podtemplatespec.go 80.12% <100.00%> (+2.42%) ⬆️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update ef88adb...8290902.

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Apr 13, 2026

✅ Code Coverage

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 40.16% (+0.01%)

Commit SHA: 8290902

@tbavelier
Member

Since we're duplicating the logic, should we use a shared helper (#2898)? It also uses the opportunity to use slices.ContainsFunc instead of looping.

@lebauce
Contributor Author

lebauce commented Apr 13, 2026

@tbavelier Thanks. I cherry-picked your commit.

@lebauce lebauce force-pushed the lebauce/apparmor-fixes-v2 branch from 6c89448 to 8290902 Compare April 13, 2026 16:29
@tbavelier tbavelier merged commit 9678903 into main Apr 14, 2026
38 checks passed
@tbavelier tbavelier deleted the lebauce/apparmor-fixes-v2 branch April 14, 2026 07:03
dd-octo-sts Bot pushed a commit that referenced this pull request Apr 14, 2026
#2897)

* Fix AppArmor annotations for absent containers in direct annotation overrides

The fix in a0dc8c0 added a container existence check to
overrideAppArmorProfile(), preventing invalid AppArmor annotations when
a container (e.g. security-agent with directSendFromSystemProbe=true) is
absent from the pod spec.

However, the same guard was missing from the direct annotation loop in
PodTemplateSpec(), which blindly copies spec.override.nodeAgent.annotations
to the pod template. Any AppArmor annotation set via that path would bypass
the existing fix and still produce an invalid DaemonSet.

Apply the same container existence check when iterating override.Annotations:
skip AppArmor annotations (container.apparmor.security.beta.kubernetes.io/<name>)
if <name> does not match any container in the pod spec.

* Use slices shared helper instead of duplicating same logic

* Add unit tests

---------

Co-authored-by: Timothée Bavelier <timothee.bavelier@datadoghq.com>
(cherry picked from commit 9678903)
tbavelier added a commit that referenced this pull request Apr 14, 2026
#2897) (#2899)

* Fix AppArmor annotations for absent containers in direct annotation overrides

The fix in a0dc8c0 added a container existence check to
overrideAppArmorProfile(), preventing invalid AppArmor annotations when
a container (e.g. security-agent with directSendFromSystemProbe=true) is
absent from the pod spec.

However, the same guard was missing from the direct annotation loop in
PodTemplateSpec(), which blindly copies spec.override.nodeAgent.annotations
to the pod template. Any AppArmor annotation set via that path would bypass
the existing fix and still produce an invalid DaemonSet.

Apply the same container existence check when iterating override.Annotations:
skip AppArmor annotations (container.apparmor.security.beta.kubernetes.io/<name>)
if <name> does not match any container in the pod spec.

* Use slices shared helper instead of duplicating same logic

* Add unit tests

---------


(cherry picked from commit 9678903)

Co-authored-by: Sylvain Baubeau <sylvain.baubeau@datadoghq.com>
Co-authored-by: Timothée Bavelier <timothee.bavelier@datadoghq.com>
3 participants