Allow the system-probe to be run without network performance monitori…

…ng being enabled (#71) * Allow the system-probe to be run without network performance monitoring being enabled To preserve backwards compatibility, there is some special behavior when systemProbe.enabled=true. Please see the following truth table for what behaviors should be available when different values are set: ``` systemProbe.enabled runtimeSecurity.enabled networkConfig.enabled agent features no no no nothing enabled no no yes system probe enabled, network config enabled no yes no system probe enabled, network config disabled no yes yes system probe enabled, network config enabled yes no no system probe enabled, network config enabled yes no yes system probe enabled, networkConfig enabled yes yes no system probe enabled, network config disabled yes yes yes system probe enabled, network config enabled ``` This PR does a few things to make this work correctly: * add a new networkConfig block that can be used to disable/enable network performance monitoring * set systemProbe.enabled=true based on networkConfig * use networkConfig.enabled when deciding whether or not to render system-probe-manifests Additionally, this exposed a bug in agent 7.23.0 where DD_SYSTEM_PROBE_ENABLED must be set to true for the connection check to run, which is fixed as part of this PR. This was an impossible situation before this PR, but now might happen if the system probe is enabled without network performance monitoring.
DataDog · Nov 3, 2020 · b65e153 · b65e153
1 parent f37c209
commit b65e153
Show file tree

Hide file tree

Showing 10 changed files with 38 additions and 11 deletions.
diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 2.4.34
+
+* Add `datadog.networkMonitoring` section to allow the system-probe to be run without network performance monitoring. Deprecates `systemProbe.enabled`.
+
 ## 2.4.33
 
 * Introduce overall cluster-name limit of 80

diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 2.4.33
+version: 2.4.34
 appVersion: "7"
 description: Datadog Agent
 keywords:

diff --git a/charts/datadog/README.md b/charts/datadog/README.md
@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 2.4.33](https://img.shields.io/badge/Version-2.4.33-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 2.4.34](https://img.shields.io/badge/Version-2.4.34-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/kubernetes/charts/tree/master/stable/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
@@ -461,6 +461,7 @@ helm install --name <RELEASE_NAME> \
 | datadog.logs.containerCollectAll | bool | `false` | Enable this to allow log collection for all containers |
 | datadog.logs.containerCollectUsingFiles | bool | `true` | Collect logs from files in /var/log/pods instead of using container runtime API |
 | datadog.logs.enabled | bool | `false` | Enables this to activate Datadog Agent log collection |
+| datadog.networkMonitoring.enabled | bool | `false` | Enable network performance monitoring |
 | datadog.nodeLabelsAsTags | object | `{}` | Provide a mapping of Kubernetes Node Labels to Datadog Tags |
 | datadog.orchestratorExplorer.container_scrubbing | object | `{"enabled":true}` | Enable the scrubbing of containers in the kubernetes resource YAML for sensitive information |
 | datadog.orchestratorExplorer.enabled | bool | `false` | Set this to true to enable the orchestrator explorer |

diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl
@@ -187,3 +187,13 @@ Accepts a map with `port` (default port) and `settings` (probe settings).
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return true if the system-probe container should be created.
+*/}}
+{{- define "should-enable-system-probe" -}}
+{{- if (or .Values.datadog.systemProbe.enabled .Values.datadog.securityAgent.runtime.enabled $.Values.datadog.networkMonitoring.enabled)  -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
diff --git a/charts/datadog/templates/container-process-agent.yaml b/charts/datadog/templates/container-process-agent.yaml
@@ -22,9 +22,13 @@
     {{- end }}
     - name: DD_LOG_LEVEL
       value: {{ .Values.agents.containers.processAgent.logLevel | default .Values.datadog.logLevel | quote }}
-    {{- if .Values.datadog.systemProbe.enabled }}
+    {{- if or .Values.datadog.systemProbe.enabled .Values.datadog.networkMonitoring.enabled }}
     - name: DD_SYSTEM_PROBE_ENABLED
-      value: {{ .Values.datadog.systemProbe.enabled | quote }}
+      value: {{ true | quote }}
+    {{- end }}
+    {{- if .Values.datadog.networkMonitoring.enabled }}
+    - name: DD_SYSTEM_PROBE_NETWORK_ENABLED
+      value: {{ .Values.datadog.networkMonitoring.enabled | quote }}
     {{- end }}
     - name: DD_ORCHESTRATOR_EXPLORER_ENABLED
       value: {{ .Values.datadog.orchestratorExplorer.enabled | quote }}

diff --git a/charts/datadog/templates/containers-init-linux.yaml b/charts/datadog/templates/containers-init-linux.yaml
@@ -37,7 +37,7 @@
       mountPath: {{ print "/host/" (dir (include "datadog.dockerOrCriSocketPath" .)) | clean }}
       mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}
       readOnly: true
-    {{- if or .Values.datadog.systemProbe.enabled .Values.datadog.securityAgent.runtime.enabled }}
+    {{- if eq (include "should-enable-system-probe" .) "true" }}
     - name: sysprobe-config
       mountPath: /etc/datadog-agent/system-probe.yaml
       subPath: system-probe.yaml

diff --git a/charts/datadog/templates/daemonset-volumes-linux.yaml b/charts/datadog/templates/daemonset-volumes-linux.yaml
@@ -24,7 +24,7 @@
   configMap:
     name: {{ template "datadog.fullname" . }}-confd
 {{- end }}
-{{- if or .Values.datadog.systemProbe.enabled .Values.datadog.securityAgent.runtime.enabled}}
+{{- if eq (include "should-enable-system-probe" .) "true" }}
 - name: sysprobe-config
   configMap:
     name: {{ template "datadog.fullname" . }}-system-probe-config

diff --git a/charts/datadog/templates/daemonset.yaml b/charts/datadog/templates/daemonset.yaml
@@ -41,7 +41,7 @@ spec:
         {{- if .Values.agents.customAgentConfig }}
         checksum/agent-config: {{ tpl (toYaml .Values.agents.customAgentConfig) . | sha256sum }}
         {{- end }}
-        {{- if or .Values.datadog.systemProbe.enabled .Values.datadog.securityAgent.runtime.enabled}}
+        {{- if eq  (include "should-enable-system-probe" .) "true" }}
         {{- if .Values.agents.podSecurity.apparmor.enabled }}
         container.apparmor.security.beta.kubernetes.io/system-probe: {{ .Values.datadog.systemProbe.apparmor }}
         {{- end }}
@@ -99,7 +99,7 @@ spec:
         {{- if .Values.datadog.processAgent.enabled }}
           {{- include "container-process-agent" . | nindent 6 }}
         {{- end }}
-        {{- if or .Values.datadog.systemProbe.enabled .Values.datadog.securityAgent.runtime.enabled }}
+        {{- if eq (include "should-enable-system-probe" .) "true" }}
           {{- include "container-system-probe" . | nindent 6 }}
         {{- end }}
         {{- if or .Values.datadog.securityAgent.compliance.enabled .Values.datadog.securityAgent.runtime.enabled}}
@@ -112,7 +112,7 @@ spec:
         {{- if eq .Values.targetSystem "linux" }}
           {{ include "containers-init-linux" . | nindent 6 }}
         {{- end }}
-        {{- if and (or .Values.datadog.systemProbe.enabled .Values.datadog.securityAgent.runtime.enabled)  (eq .Values.datadog.systemProbe.seccomp "localhost/system-probe") }}
+        {{- if and (eq (include "should-enable-system-probe" .) "true")  (eq .Values.datadog.systemProbe.seccomp "localhost/system-probe") }}
           {{ include "system-probe-init" . | nindent 6 }}
         {{- end }}
       volumes:

diff --git a/charts/datadog/templates/system-probe-configmap.yaml b/charts/datadog/templates/system-probe-configmap.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.datadog.systemProbe.enabled .Values.datadog.securityAgent.runtime.enabled}}
+{{- if eq (include "should-enable-system-probe" .) "true" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -13,14 +13,18 @@ metadata:
 data:
   system-probe.yaml: |
     system_probe_config:
-      enabled: {{ or $.Values.datadog.systemProbe.enabled $.Values.datadog.securityAgent.runtime.enabled }}
+      enabled: true
       debug_port:  {{ $.Values.datadog.systemProbe.debugPort }}
       sysprobe_socket: /var/run/sysprobe/sysprobe.sock
       enable_conntrack: {{ $.Values.datadog.systemProbe.enableConntrack }}
       bpf_debug: {{ $.Values.datadog.systemProbe.bpfDebug }}
       enable_tcp_queue_length: {{ $.Values.datadog.systemProbe.enableTCPQueueLength }}
       enable_oom_kill: {{ $.Values.datadog.systemProbe.enableOOMKill }}
       collect_dns_stats: {{ $.Values.datadog.systemProbe.collectDNSStats }}
+    {{- if $.Values.datadog.networkMonitoring.enabled }}
+    network_config:
+      enabled: true
+    {{- end }}
     runtime_security_config:
       enabled: {{ $.Values.datadog.securityAgent.runtime.enabled }}
       debug: false

diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml
@@ -291,6 +291,10 @@ datadog:
     container_scrubbing:
       enabled: true
 
+  networkMonitoring:
+    # datadog.networkMonitoring.enabled -- Enable network performance monitoring
+    enabled: false
+
   ## Enable security agent and provide custom configs
   securityAgent:
     compliance: