This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/datadog] Add podSecurity.securityContext (#23233)
Signed-off-by: cedric lamoriniere <cedric.lamoriniere@datadoghq.com>
clamoriniere authored Jul 17, 2020
1 parent f019fd5 commit ae5f7d1
Showing 7 changed files with 34 additions and 14 deletions.
4 changes: 4 additions & 0 deletions stable/datadog/CHANGELOG.md
@@ -1,5 +1,9 @@
# Datadog changelog

## 2.3.33

* Create new `datadog.podSecurity.securityContext` field to fix windows agent daemonset config.

## 2.3.32

* Always add os in nodeSelector based on `targetSystem`
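Review bot: The entry names the new field `datadog.podSecurity.securityContext`, but values.yaml in this commit adds it under `agents:` and every template that uses it reads `.Values.agents.podSecurity.securityContext`; rename the entry to `agents.podSecurity.securityContext` so readers set the key that is actually consumed.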
2 changes: 1 addition & 1 deletion stable/datadog/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: datadog
version: 2.3.32
version: 2.3.33
appVersion: "7"
description: Datadog Agent
keywords:
5 changes: 3 additions & 2 deletions stable/datadog/README.md
@@ -372,8 +372,9 @@ helm install --name <RELEASE_NAME> \
| `agents.updateStrategy` | Which update strategy to deploy the daemonset | RollingUpdate with 10% maxUnavailable |
| `agents.volumes` | Additional volumes for the daemonset or deployment | `nil` |
| `agents.volumeMounts` | Additional volumeMounts for the daemonset or deployment | `nil` |
| `agents.podSecurity.podSecurityPolicy.create` | If true, create a PodSecurityPolicy resource for the Agent's Pods | `False` |
| `agents.podSecurity.securityContextConstraints.create` | If true, create a SecurityContextConstraints resource for the Agent's Pods | `False` |
| `agents.podSecurity.podSecurityPolicy.create` | If true, create a PodSecurityPolicy resource for the Agent's Pods. Supported only for Linux agent's daemonset. | `False` |
| `agents.podSecurity.securityContextConstraints.create` | If true, create a SecurityContextConstraints resource for the Agent's Pods. Supported only for Linux agent's daemonset. | `False` |
| `datadog.podSecurity.securityContext` | Allows you to overwrite the default securityContext applied to the container | default security context configuration |
| `agents.podSecurity.privileged` | If true, allowed privileged containers | `False` |
| `agents.podSecurity.capabilites` | list of allowed capabilities | `[SYS_ADMIN, SYS_RESOURCE, SYS_ADMIN, IPC_LOCK]`|
| `agents.podSecurity.volumes` | list of allowed volumes types | `[configMap,downwardAPI,emptyDir,ostPath,secret]`|
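Review bot: The new row documents `datadog.podSecurity.securityContext`, a key that does not exist in values.yaml; the value added in this commit is `agents.podSecurity.securityContext`, and it is rendered into the PSP `seLinux` and SCC `seLinuxContext` stanzas rather than applied to a container, so the description "overwrite the default securityContext applied to the container" fits `datadog.securityContext` (rendered as the pod `securityContext` under `spec:` in daemonset.yaml) better. Suggest two rows: `datadog.securityContext` with the pod-level description, and `agents.podSecurity.securityContext` described as the SELinux strategy and options used for the PSP and SCC. While here, the neighbouring rows still carry `capabilites`, `ostPath` and a duplicated `SYS_ADMIN`.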
2 changes: 1 addition & 1 deletion stable/datadog/templates/agent-psp.yaml
@@ -27,7 +27,7 @@ spec:
runAsUser:
rule: RunAsAny
seLinux:
{{ toYaml .Values.datadog.securityContext | indent 4 }}
{{ toYaml .Values.agents.podSecurity.securityContext | indent 4 }}
supplementalGroups:
rule: RunAsAny
{{- end }}
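Review bot: `seLinux:` now takes `toYaml .Values.agents.podSecurity.securityContext` with no guard, and values.yaml documents that key as required; if a user empties it (`securityContext: {}`) the PSP renders `seLinux: {}` and is rejected by the API server, because `rule` is mandatory there. Consider failing at template time with Helm's `required` function, e.g. `{{ required "agents.podSecurity.securityContext.rule must be set" .Values.agents.podSecurity.securityContext.rule }}`, so the error names the value instead of surfacing as an admission failure.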
2 changes: 1 addition & 1 deletion stable/datadog/templates/agent-scc.yaml
@@ -24,7 +24,7 @@ volumes:
# Use the `spc_t` selinux type to access the
# docker/cri socket + proc and cgroup stats
seLinuxContext:
{{ toYaml .Values.datadog.securityContext | indent 2 }}
{{ toYaml .Values.agents.podSecurity.securityContext | indent 2 }}
# system-probe requires some specific seccomp and capabilities
seccompProfiles:
{{ toYaml .Values.agents.podSecurity.seccompProfiles | indent 2 }}
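Review bot: The value rendered under `seLinuxContext:` carries `rule: MustRunAs` (see the new `agents.podSecurity.securityContext` in values.yaml), but a SecurityContextConstraints `seLinuxContext` expresses the strategy as `type:`; `rule` is the PodSecurityPolicy field name. This predates the commit, since `datadog.securityContext` had the same shape, but now that one value feeds both resources it is worth either rendering only `seLinuxOptions` here beneath an explicit `type: MustRunAs`, or keeping separate values for the PSP and the SCC.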
9 changes: 7 additions & 2 deletions stable/datadog/templates/daemonset.yaml
@@ -41,10 +41,15 @@ spec:
{{ toYaml .Values.agents.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if and (.Values.datadog.securityContext) .Values.datadog.securityContext.seLinuxOptions }}
{{- if .Values.datadog.securityContext }}
securityContext:
{{ toYaml .Values.datadog.securityContext| indent 8 }}
{{- else if or .Values.agents.podSecurity.podSecurityPolicy.create .Values.agents.podSecurity.securityContextConstraints.create -}}
{{- if and (.Values.agents.podSecurity.securityContext) .Values.agents.podSecurity.securityContext.seLinuxOptions }}
securityContext:
seLinuxOptions:
{{ toYaml .Values.datadog.securityContext.seLinuxOptions | indent 10 }}
{{ toYaml .Values.agents.podSecurity.securityContext.seLinuxOptions | indent 10 }}
{{- end }}
{{- end }}
{{- if .Values.agents.useHostNetwork }}
hostNetwork: {{ .Values.agents.useHostNetwork }}
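Review bot: Two small points in the new control flow. `{{ toYaml .Values.datadog.securityContext| indent 8 }}` is missing the space before `|`, unlike every other pipeline in the file. The `else if` line ends with `-}}` while the sibling directives only trim on the left (`{{-`); the right-trim is harmless today because the next line starts with `{{-`, but it is inconsistent and will swallow the newline if someone later inserts a plain YAML line after it. Also worth a README sentence: the two branches are exclusive, so setting any `datadog.securityContext` (an empty map by default after this commit) suppresses the PSP/SCC-derived `seLinuxOptions` fallback.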
24 changes: 17 additions & 7 deletions stable/datadog/values.yaml
@@ -47,13 +47,12 @@ datadog:
## You can modify the security context used to run the containers by
## modifying the label type below:
#
securityContext:
rule: MustRunAs
seLinuxOptions:
user: "system_u"
role: "system_r"
type: "spc_t"
level: "s0"
securityContext: {}
# seLinuxOptions:
# user: "system_u"
# role: "system_r"
# type: "spc_t"
# level: "s0"

## @param clusterName - string - optional
## Set a unique cluster name to allow scoping hosts and Cluster Checks easily
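Review bot: Changing the `datadog.securityContext` default from the `spc_t` labels to `{}` alters what the daemonset renders on clusters where neither the PSP nor the SCC is created: previously the pod always got `seLinuxOptions` with `type: spc_t`, which the SCC template's own comment says is needed to reach the docker/cri socket; after this change the pod gets no `seLinuxOptions` unless `agents.podSecurity.podSecurityPolicy.create` or `agents.podSecurity.securityContextConstraints.create` is true. Call that out in the CHANGELOG for users on SELinux-enforcing nodes, and update the comment above, which still says "modify the security context used to run the containers by modifying the label type below" although the field is now empty and is applied at the pod level.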
@@ -708,6 +707,17 @@ agents:
#
create: false

## @param securityContext - object - required
## Provide securityContext configuration
#
securityContext:
rule: MustRunAs
seLinuxOptions:
user: system_u
role: system_r
type: spc_t
level: s0

## @param privileged - boolean - optional
## If true, Allow to run privileged containers
#
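Review bot: The comment `Provide securityContext configuration` undersells what this value does: it is not a container securityContext but the SELinux strategy and labels rendered into the PSP `seLinux` stanza, the SCC `seLinuxContext` stanza and, when either resource is created, the pod-level `seLinuxOptions` in daemonset.yaml. Spell that out here, and note that `required` means the templates render it unconditionally, so it must keep `rule` and `seLinuxOptions` populated.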