User-Specific Security Context in kubernetes Test Cases on Datadog-Agent and Cluster-Agent Pods #29286

Open
LQss11 opened this issue Sep 12, 2024 · 0 comments

Comments


LQss11 commented Sep 12, 2024

Description:
I'm facing frequent permission denied issues on Datadog-Agent and Datadog-Cluster-Agent pods since version 7.57.0. These errors occur when creating and managing APM and DogStatsD sockets, as well as when handling remote config services. Example error:

2024-09-10 08:26:32 UTC | CORE | ERROR | (comp/remote-config/rcservice/rcserviceimpl/rcservice.go:59 in newRemoteConfigServiceOptional) | remote config service not initialized or started: unable to create remote config service: could not remove existing rc db (/opt/datadog-agent/run/remote-config.db): remove /opt/datadog-agent/run/remote-config.db: permission denied

Request:
I kindly request the inclusion of specific user security contexts in test cases before releasing new versions, particularly for Datadog-Agent and Cluster-Agent pods. Here is the Helm chart configuration that I'm using:

providers:
  aks:
    enabled: true

clusterAgent:
  env:
    - name: DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_SECURITY_CONTEXT
      value: '{"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":10000,"readOnlyRootFilesystem":true,"allowPrivilegeEscalation":false,"seccompProfile":{"type":"RuntimeDefault"}}'

  containers:
    clusterAgent:
      securityContext:
        runAsUser: 100
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
    initContainers:
      securityContext:
        runAsUser: 100
        runAsNonRoot: true
        allowPrivilegeEscalation: false

agents:
  containers:
    agent:
      securityContext:
        runAsUser: 100
        runAsNonRoot: true
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
    initContainers:
      securityContext:
        runAsUser: 100
        runAsNonRoot: true
        allowPrivilegeEscalation: false
    processAgent:
      securityContext:
        runAsUser: 100
        runAsNonRoot: true
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
    traceAgent:
      securityContext:
        runAsUser: 100
        runAsNonRoot: true
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false

Please ensure these specific user contexts (runAsUser: 100 for the agent and cluster agent, and runAsUser: 10000 for injected libraries when DD_APM_INSTRUMENTATION_VERSION is v1) are covered in your tests to prevent permission-related issues in future releases.
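The kind of pre-release check the request above asks for can be expressed as a static test over the rendered Pod spec. The following is an added example, not code from the Datadog agent or its Helm chart: it takes a Pod spec (here constructed as Python dicts that mirror the issue's securityContext values) and reports containers that run as a non-root uid or with a read-only root filesystem while a runtime path the agent must write to has no writable volumeMount. The list of required writable paths is an assumption drawn from the error in the issue (`/opt/datadog-agent/run`); the container names and the `find_permission_risks` function are the example's own.

```python
"""Static pre-release check for hardened Datadog pod specs (added example)."""
from __future__ import annotations

from typing import Any

# Assumption: runtime directories each container must be able to write.
# The only path the page confirms is the one from the remote-config error.
REQUIRED_WRITABLE: dict[str, list[str]] = {
    "agent": ["/opt/datadog-agent/run"],
    "cluster-agent": ["/opt/datadog-agent/run"],
}


def _covered_by_writable_mount(path: str, mounts: list[dict[str, Any]]) -> bool:
    """True if a non-readOnly volumeMount's mountPath is path or one of its parents."""
    for mount in mounts:
        if mount.get("readOnly"):
            continue
        mount_path = mount.get("mountPath", "").rstrip("/")
        if path == mount_path or path.startswith(mount_path + "/"):
            return True
    return False


def find_permission_risks(
    pod_spec: dict[str, Any],
    required: dict[str, list[str]] = REQUIRED_WRITABLE,
) -> list[str]:
    """Return one finding per container/path combination that would fail at runtime.

    Container-level securityContext fields override pod-level ones, which is
    the precedence the kubelet applies.
    """
    findings: list[str] = []
    pod_sc = pod_spec.get("securityContext", {})
    for container in pod_spec.get("containers", []):
        name = container["name"]
        sc = {**pod_sc, **container.get("securityContext", {})}
        uid = sc.get("runAsUser")
        mounts = container.get("volumeMounts", [])

        # Contradictory hardening: the kubelet refuses to start this container.
        if sc.get("runAsNonRoot") and uid == 0:
            findings.append(f"{name}: runAsNonRoot=true but runAsUser=0")

        for path in required.get(name, []):
            if _covered_by_writable_mount(path, mounts):
                continue  # an emptyDir or similar backs the path; writes go there
            if sc.get("readOnlyRootFilesystem"):
                findings.append(
                    f"{name}: readOnlyRootFilesystem=true but {path} has no writable volumeMount"
                )
            elif uid not in (None, 0):
                # Writes land on the image filesystem; its ownership must match uid.
                findings.append(
                    f"{name}: runs as uid {uid}; verify {path} in the image is writable by that uid"
                )
    return findings


# Constructed sample: the hardening from the issue, with only a read-only config mount.
ISSUE_POD: dict[str, Any] = {
    "containers": [
        {
            "name": "agent",
            "securityContext": {
                "runAsUser": 100,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
            },
            "volumeMounts": [
                {"name": "config", "mountPath": "/etc/datadog-agent", "readOnly": True},
            ],
        }
    ]
}

# Constructed sample: same hardening plus an emptyDir mounted over the run directory.
FIXED_POD: dict[str, Any] = {
    "containers": [
        {
            **ISSUE_POD["containers"][0],
            "volumeMounts": ISSUE_POD["containers"][0]["volumeMounts"]
            + [{"name": "run", "mountPath": "/opt/datadog-agent/run"}],
        }
    ],
    "volumes": [{"name": "run", "emptyDir": {}}],
}


if __name__ == "__main__":
    for finding in find_permission_risks(ISSUE_POD) or ["no findings"]:
        print(finding)
```

Run as a test in CI against the chart's rendered output (for example `helm template` piped through a YAML loader into `find_permission_risks`), the check fails before release whenever a hardened container lacks a writable mount for a path the agent needs, which is the failure mode the issue reports.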
