
Fix runtime security config mount #342

Merged: 1 commit merged into main, Jul 29, 2021

Conversation

@clamoriniere (Collaborator) commented Jul 28, 2021

What does this PR do?

Fix an issue with the "security-runtime" policyDir configuration, which was removing the default configuration. Now the configuration provided by policyDir is added to the /etc/datadog-agent/runtime-security.d folder.

Motivation

Give more flexibility to the runtime policies configuration.

Additional Notes

N/A

Describe your test plan

Try to deploy the DatadogAgent with runtime-security enabled, with 2 different configs:

  1. no custom config => the default.policy configuration should be present in /etc/datadog-agent/runtime-security.d

         security:
           runtime:
             enabled: true

  2. provide a configMapName + items => the default.policy configuration and the custom.policy files should be present

         security:
           runtime:
             enabled: true
             policiesDir:
               configMapName: "runtime-config"

You can use the following ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: runtime-config
data:
  custom.policy: |
    version: 1.0.0
    macros:
    rules:
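The pod spec that the second test case should end up producing, as an added illustration that is not part of this PR or the operator's code: mounting the ConfigMap over the whole directory hides the default.policy shipped in the image, while a per-key subPath mount adds custom.policy beside it. The container name, volume name, image reference and the use of subPath are assumptions; the PR does not state which mechanism the operator uses.

```yaml
# Added illustration (not from the PR): two ways to surface the "runtime-config"
# ConfigMap from the test plan inside /etc/datadog-agent/runtime-security.d.
# Container, volume and image names are assumed; the PR does not show them.
apiVersion: v1
kind: Pod
metadata:
  name: datadog-agent-example          # constructed name
spec:
  containers:
    - name: system-probe                # assumed: the container that reads the policies dir
      image: agent-image:tag            # placeholder image reference
      volumeMounts:
        # BROKEN: mounting the volume on the directory replaces its contents,
        # so the image's default.policy disappears and only custom.policy is seen.
        # - name: runtime-policies
        #   mountPath: /etc/datadog-agent/runtime-security.d
        #
        # FIXED: mount each ConfigMap key as a file via subPath; the directory
        # keeps default.policy and gains custom.policy next to it.
        - name: runtime-policies
          mountPath: /etc/datadog-agent/runtime-security.d/custom.policy
          subPath: custom.policy
          readOnly: true
  volumes:
    - name: runtime-policies
      configMap:
        name: runtime-config            # the ConfigMap from the test plan
        items:
          - key: custom.policy
            path: custom.policy
```

A subPath mount does not pick up later edits to the ConfigMap until the pod is restarted, which matters if policies are expected to change in place.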

@clamoriniere clamoriniere requested a review from a team as a code owner July 28, 2021 10:55
@github-actions github-actions bot left a comment

This pull request does not contain a valid label. Please add one of the following labels: bug, enhancement, documentation


codecov-commenter commented Jul 28, 2021

Codecov Report

Merging #342 (ac8b660) into main (17569f7) will increase coverage by 25.88%.
The diff coverage is 90.00%.


@@             Coverage Diff             @@
##             main     #342       +/-   ##
===========================================
+ Coverage   38.09%   63.98%   +25.88%     
===========================================
  Files          63       61        -2     
  Lines       11248     6694     -4554     
===========================================
- Hits         4285     4283        -2     
+ Misses       6656     2104     -4552     
  Partials      307      307               
Flag        Coverage Δ
unittests   63.98% <90.00%> (+25.88%) ⬆️


Impacted Files                          Coverage Δ
controllers/datadogagent/utils.go       84.11% <90.00%> (+0.51%) ⬆️
api/v1alpha1/zz_generated.deepcopy.go   (no coverage data reported)
api/v1alpha1/zz_generated.openapi.go    (no coverage data reported)


@clamoriniere clamoriniere added this to the v0.7 milestone Jul 28, 2021
@clamoriniere clamoriniere added the bug Something isn't working label Jul 28, 2021
@clamoriniere clamoriniere force-pushed the clamoriniere/fix-runtime-security-conf branch from 32b230a to e0b8ea2 on July 28, 2021 11:29
@clamoriniere clamoriniere force-pushed the clamoriniere/fix-runtime-security-conf branch from e0b8ea2 to ac8b660 on July 28, 2021 20:53
@@ -1761,6 +1745,14 @@ func getVolumeMountsForSecurityAgent(dda *datadoghqv1alpha1.DatadogAgent) []core
}...)
}

if runtimeEnabled {
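Review bot: the `if runtimeEnabled {` branch added to getVolumeMountsForSecurityAgent shows only its opening line in this hunk, so neither the mount path nor whether the mount is conditioned on the policiesDir setting can be checked here; given the thread's point that /etc/datadog-agent/runtime-security.d is read by system-probe rather than security-agent, either gate the mount on the container that actually consumes the directory or add a code comment explaining why the security-agent container also receives it, so the extra mount is not mistaken for an unintended exposure later.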
Contributor

/etc/datadog-agent/runtime-security.d is not used by security-agent, only by system-probe

Collaborator Author

I have added it here, in case it is the case later on.

@clamoriniere clamoriniere merged commit ddbd7b5 into main Jul 29, 2021
@clamoriniere clamoriniere deleted the clamoriniere/fix-runtime-security-conf branch July 29, 2021 16:06
Labels: bug (Something isn't working)