diff --git a/LICENSE-3rdparty.csv b/LICENSE-3rdparty.csv index 6f5718dba..074a30538 100644 --- a/LICENSE-3rdparty.csv +++ b/LICENSE-3rdparty.csv @@ -40,7 +40,6 @@ core,github.com/mailru/easyjson,MIT core,github.com/matttproud/golang_protobuf_extensions/pbutil,Apache-2.0 core,github.com/modern-go/concurrent,Apache-2.0 core,github.com/modern-go/reflect2,Apache-2.0 -core,github.com/openshift/api/security/v1,Apache-2.0 core,github.com/pkg/errors,BSD-2-Clause core,github.com/pmezard/go-difflib/difflib,BSD-3-Clause core,github.com/prometheus/client_golang/prometheus,Apache-2.0 diff --git a/apis/datadoghq/v2alpha1/datadogagent_types.go b/apis/datadoghq/v2alpha1/datadogagent_types.go index b379159a7..4efbdde37 100644 --- a/apis/datadoghq/v2alpha1/datadogagent_types.go +++ b/apis/datadoghq/v2alpha1/datadogagent_types.go @@ -6,7 +6,6 @@ package v2alpha1 import ( - securityv1 "github.com/openshift/api/security/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -944,10 +943,6 @@ type DatadogAgentComponentOverride struct { // +listMapKey=name Volumes []corev1.Volume `json:"volumes,omitempty"` - // Configure the SecurityContextConstraints for each component. - // +optional - SecurityContextConstraints *SecurityContextConstraintsConfig `json:"securityContextConstraints,omitempty"` - // Pod-level SecurityContext. // +optional SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"` 
@@ -992,19 +987,6 @@ type DatadogAgentComponentOverride struct {
 	Disabled *bool `json:"disabled,omitempty"`
 }
-// SecurityContextConstraintsConfig provides SecurityContextConstraints configurations for the components.
-// +k8s:openapi-gen=true
-type SecurityContextConstraintsConfig struct {
-	// Create defines whether to create a SecurityContextConstraints for the current component.
-	// If CustomConfiguration is not set, setting Create to `true` creates a default SCC.
-	// +optional
-	Create *bool `json:"create,omitempty"`
-
-	// CustomConfiguration defines a custom SCC configuration to use if Create is `true`.
-	// +optional
-	CustomConfiguration *securityv1.SecurityContextConstraints `json:"customConfiguration,omitempty"`
-}
-
 // DatadogAgentGenericContainer is the generic structure describing any container's common configuration.
 // +k8s:openapi-gen=true
 type DatadogAgentGenericContainer struct {
diff --git a/apis/datadoghq/v2alpha1/utils.go b/apis/datadoghq/v2alpha1/utils.go
index 84f75a4ff..0759b5512 100644
--- a/apis/datadoghq/v2alpha1/utils.go
+++ b/apis/datadoghq/v2alpha1/utils.go
@@ -107,11 +107,3 @@ func IsNetworkPolicyEnabled(dda *DatadogAgent) (bool, NetworkPolicyFlavor) {
 	}
 	return false, ""
 }
-
-// ShouldCreateSCC returns whether a scc should be created for a component
-func ShouldCreateSCC(dda *DatadogAgent, componentName ComponentName) bool {
-	if dda.Spec.Override[componentName] != nil && dda.Spec.Override[componentName].SecurityContextConstraints != nil {
-		return apiutils.BoolValue(dda.Spec.Override[componentName].SecurityContextConstraints.Create)
-	}
-	return false
-}
diff --git a/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go b/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go
index 0052477ff..4e45602e5 100644
--- a/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go
+++ b/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go
@@ -12,7 +12,6 @@ package v2alpha1 import ( commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1" - securityv1 "github.com/openshift/api/security/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -404,11 +403,6 @@ func (in *DatadogAgentComponentOverride) DeepCopyInto(out *DatadogAgentComponent (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.SecurityContextConstraints != nil { - in, out := &in.SecurityContextConstraints, &out.SecurityContextConstraints - *out = new(SecurityContextConstraintsConfig) - (*in).DeepCopyInto(*out) - } if in.SecurityContext != nil { in, out := &in.SecurityContext, &out.SecurityContext *out = new(corev1.PodSecurityContext) @@ -1716,31 +1710,6 @@ func (in *SecretBackendConfig) DeepCopy() *SecretBackendConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SecurityContextConstraintsConfig) DeepCopyInto(out *SecurityContextConstraintsConfig) { - *out = *in - if in.Create != nil { - in, out := &in.Create, &out.Create - *out = new(bool) - **out = **in - } - if in.CustomConfiguration != nil { - in, out := &in.CustomConfiguration, &out.CustomConfiguration - *out = new(securityv1.SecurityContextConstraints) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraintsConfig. -func (in *SecurityContextConstraintsConfig) DeepCopy() *SecurityContextConstraintsConfig { - if in == nil { - return nil - } - out := new(SecurityContextConstraintsConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TCPQueueLengthFeatureConfig) DeepCopyInto(out *TCPQueueLengthFeatureConfig) { *out = *in 
diff --git a/apis/datadoghq/v2alpha1/zz_generated.openapi.go b/apis/datadoghq/v2alpha1/zz_generated.openapi.go index 6f9581363..92a02c967 100644 --- a/apis/datadoghq/v2alpha1/zz_generated.openapi.go +++ b/apis/datadoghq/v2alpha1/zz_generated.openapi.go @@ -40,7 +40,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "./apis/datadoghq/v2alpha1.OrchestratorExplorerFeatureConfig": schema__apis_datadoghq_v2alpha1_OrchestratorExplorerFeatureConfig(ref), "./apis/datadoghq/v2alpha1.PrometheusScrapeFeatureConfig": schema__apis_datadoghq_v2alpha1_PrometheusScrapeFeatureConfig(ref), "./apis/datadoghq/v2alpha1.SeccompConfig": schema__apis_datadoghq_v2alpha1_SeccompConfig(ref), - "./apis/datadoghq/v2alpha1.SecurityContextConstraintsConfig": schema__apis_datadoghq_v2alpha1_SecurityContextConstraintsConfig(ref), "./apis/datadoghq/v2alpha1.UnixDomainSocketConfig": schema__apis_datadoghq_v2alpha1_UnixDomainSocketConfig(ref), } } 
@@ -1030,34 +1029,6 @@ func schema__apis_datadoghq_v2alpha1_SeccompConfig(ref common.ReferenceCallback) } } -func schema__apis_datadoghq_v2alpha1_SecurityContextConstraintsConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "SecurityContextConstraintsConfig provides SecurityContextConstraints configurations for the components.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "create": { - SchemaProps: spec.SchemaProps{ - Description: "Create defines whether to create a SecurityContextConstraints for the current component. If CustomConfiguration is not set, setting Create to `true` creates a default SCC.", - Type: []string{"boolean"}, - Format: "", - }, - }, - "customConfiguration": { - SchemaProps: spec.SchemaProps{ - Description: "CustomConfiguration defines a custom SCC configuration to use if Create is `true`.", - Ref: ref("github.com/openshift/api/security/v1.SecurityContextConstraints"), - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/security/v1.SecurityContextConstraints"}, - } -} - func schema__apis_datadoghq_v2alpha1_UnixDomainSocketConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml index bc5233324..d8b0ffb3a 100644 --- a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml +++ b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml 
@@ -9998,200 +9998,6 @@ spec: type: string type: object type: object - securityContextConstraints: - description: Configure the SecurityContextConstraints for each component. - properties: - create: - description: Create defines whether to create a SecurityContextConstraints for the current component. If CustomConfiguration is not set, setting Create to `true` creates a default SCC. - type: boolean - customConfiguration: - description: CustomConfiguration defines a custom SCC configuration to use if Create is `true`. - properties: - allowHostDirVolumePlugin: - description: AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin - type: boolean - allowHostIPC: - description: AllowHostIPC determines if the policy allows host ipc in the containers. - type: boolean - allowHostNetwork: - description: AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. - type: boolean - allowHostPID: - description: AllowHostPID determines if the policy allows host pid in the containers. - type: boolean - allowHostPorts: - description: AllowHostPorts determines if the policy allows host ports in the containers. - type: boolean - allowPrivilegedContainer: - description: AllowPrivilegedContainer determines if a container can request to be run as privileged. - type: boolean - allowedCapabilities: - description: AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'. - items: - description: Capability represent POSIX capabilities type - type: string - type: array - allowedFlexVolumes: - description: AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. 
This parameter is effective only when the usage of the Flexvolumes is allowed in the "Volumes" field. - items: - description: AllowedFlexVolume represents a single Flexvolume that is allowed to be used. - properties: - driver: - description: Driver is the name of the Flexvolume driver. - type: string - type: object - type: array - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - defaultAddCapabilities: - description: DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities. - items: - description: Capability represent POSIX capabilities type - type: string - type: array - fsGroup: - description: FSGroup is the strategy that will dictate what fs group is used by the SecurityContext. - properties: - ranges: - description: Ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. - items: - description: 'IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.' - properties: - max: - description: Max is the end of the range, inclusive. - format: int64 - type: integer - min: - description: Min is the start of the range, inclusive. - format: int64 - type: integer - type: object - type: array - type: - description: Type is the strategy that will dictate what FSGroup is used in the SecurityContext. 
- type: string - type: object - groups: - description: The groups that have permission to use this security context constraints - items: - type: string - type: array - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - description: 'Standard object''s metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata' - type: object - priority: - description: Priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name. - format: int32 - type: integer - readOnlyRootFilesystem: - description: ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to. - type: boolean - requiredDropCapabilities: - description: RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added. - items: - description: Capability represent POSIX capabilities type - type: string - type: array - runAsUser: - description: RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. 
- properties: - type: - description: Type is the strategy that will dictate what RunAsUser is used in the SecurityContext. - type: string - uid: - description: UID is the user id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated uids. - format: int64 - type: integer - uidRangeMax: - description: UIDRangeMax defines the max value for a strategy that allocates by range. - format: int64 - type: integer - uidRangeMin: - description: UIDRangeMin defines the min value for a strategy that allocates by range. - format: int64 - type: integer - type: object - seLinuxContext: - description: SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext. - properties: - seLinuxOptions: - description: seLinuxOptions required to run as; required for MustRunAs - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - type: - description: Type is the strategy that will dictate what SELinux context is used in the SecurityContext. - type: string - type: object - seccompProfiles: - description: "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default." - items: - type: string - type: array - supplementalGroups: - description: SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. 
- properties: - ranges: - description: Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. - items: - description: 'IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.' - properties: - max: - description: Max is the end of the range, inclusive. - format: int64 - type: integer - min: - description: Min is the start of the range, inclusive. - format: int64 - type: integer - type: object - type: array - type: - description: Type is the strategy that will dictate what supplemental groups is used in the SecurityContext. - type: string - type: object - users: - description: The users who have permissions to use this security context constraints - items: - type: string - type: array - volumes: - description: Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". To allow no volumes, set to ["none"]. - items: - description: FS Type gives strong typing to different file systems that are used by volumes. - type: string - type: array - required: - - allowHostDirVolumePlugin - - allowHostIPC - - allowHostNetwork - - allowHostPID - - allowHostPorts - - allowPrivilegedContainer - - allowedCapabilities - - allowedFlexVolumes - - defaultAddCapabilities - - priority - - readOnlyRootFilesystem - - requiredDropCapabilities - - volumes - type: object - type: object serviceAccountName: description: Sets the ServiceAccount used by this component. Ignored if the field CreateRbac is true. type: string diff --git a/config/crd/bases/v1beta1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1beta1/datadoghq.com_datadogagents.yaml index ac96dac55..ff434cff7 100644 --- a/config/crd/bases/v1beta1/datadoghq.com_datadogagents.yaml +++ b/config/crd/bases/v1beta1/datadoghq.com_datadogagents.yaml 
@@ -17548,200 +17548,6 @@ spec: type: string type: object type: object - securityContextConstraints: - description: Configure the SecurityContextConstraints for each component. - properties: - create: - description: Create defines whether to create a SecurityContextConstraints for the current component. If CustomConfiguration is not set, setting Create to `true` creates a default SCC. - type: boolean - customConfiguration: - description: CustomConfiguration defines a custom SCC configuration to use if Create is `true`. - properties: - allowHostDirVolumePlugin: - description: AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin - type: boolean - allowHostIPC: - description: AllowHostIPC determines if the policy allows host ipc in the containers. - type: boolean - allowHostNetwork: - description: AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. - type: boolean - allowHostPID: - description: AllowHostPID determines if the policy allows host pid in the containers. - type: boolean - allowHostPorts: - description: AllowHostPorts determines if the policy allows host ports in the containers. - type: boolean - allowPrivilegedContainer: - description: AllowPrivilegedContainer determines if a container can request to be run as privileged. - type: boolean - allowedCapabilities: - description: AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'. - items: - description: Capability represent POSIX capabilities type - type: string - type: array - allowedFlexVolumes: - description: AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. 
This parameter is effective only when the usage of the Flexvolumes is allowed in the "Volumes" field. - items: - description: AllowedFlexVolume represents a single Flexvolume that is allowed to be used. - properties: - driver: - description: Driver is the name of the Flexvolume driver. - type: string - type: object - type: array - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - defaultAddCapabilities: - description: DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities. - items: - description: Capability represent POSIX capabilities type - type: string - type: array - fsGroup: - description: FSGroup is the strategy that will dictate what fs group is used by the SecurityContext. - properties: - ranges: - description: Ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. - items: - description: 'IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.' - properties: - max: - description: Max is the end of the range, inclusive. - format: int64 - type: integer - min: - description: Min is the start of the range, inclusive. - format: int64 - type: integer - type: object - type: array - type: - description: Type is the strategy that will dictate what FSGroup is used in the SecurityContext. 
- type: string - type: object - groups: - description: The groups that have permission to use this security context constraints - items: - type: string - type: array - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - description: 'Standard object''s metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata' - type: object - priority: - description: Priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name. - format: int32 - type: integer - readOnlyRootFilesystem: - description: ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to. - type: boolean - requiredDropCapabilities: - description: RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added. - items: - description: Capability represent POSIX capabilities type - type: string - type: array - runAsUser: - description: RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. 
- properties: - type: - description: Type is the strategy that will dictate what RunAsUser is used in the SecurityContext. - type: string - uid: - description: UID is the user id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated uids. - format: int64 - type: integer - uidRangeMax: - description: UIDRangeMax defines the max value for a strategy that allocates by range. - format: int64 - type: integer - uidRangeMin: - description: UIDRangeMin defines the min value for a strategy that allocates by range. - format: int64 - type: integer - type: object - seLinuxContext: - description: SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext. - properties: - seLinuxOptions: - description: seLinuxOptions required to run as; required for MustRunAs - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - type: - description: Type is the strategy that will dictate what SELinux context is used in the SecurityContext. - type: string - type: object - seccompProfiles: - description: "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default." - items: - type: string - type: array - supplementalGroups: - description: SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. 
- properties: - ranges: - description: Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. - items: - description: 'IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.' - properties: - max: - description: Max is the end of the range, inclusive. - format: int64 - type: integer - min: - description: Min is the start of the range, inclusive. - format: int64 - type: integer - type: object - type: array - type: - description: Type is the strategy that will dictate what supplemental groups is used in the SecurityContext. - type: string - type: object - users: - description: The users who have permissions to use this security context constraints - items: - type: string - type: array - volumes: - description: Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". To allow no volumes, set to ["none"]. - items: - description: FS Type gives strong typing to different file systems that are used by volumes. - type: string - type: array - required: - - allowHostDirVolumePlugin - - allowHostIPC - - allowHostNetwork - - allowHostPID - - allowHostPorts - - allowPrivilegedContainer - - allowedCapabilities - - allowedFlexVolumes - - defaultAddCapabilities - - priority - - readOnlyRootFilesystem - - requiredDropCapabilities - - volumes - type: object - type: object serviceAccountName: description: Sets the ServiceAccount used by this component. Ignored if the field CreateRbac is true. type: string diff --git a/controllers/datadogagent/component/agent/default.go b/controllers/datadogagent/component/agent/default.go index 0f29e0a43..171cc8081 100644 --- a/controllers/datadogagent/component/agent/default.go +++ b/controllers/datadogagent/component/agent/default.go 
@@ -19,7 +19,6 @@ import (
 	componentdca "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent"
 	"github.com/DataDog/datadog-operator/pkg/defaulting"
-	securityv1 "github.com/openshift/api/security/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -380,63 +379,6 @@ func volumeMountsForSystemProbe() []corev1.VolumeMount {
 	}
 }
-// GetDefaultSCC returns the default SCC for the node agent component
-func GetDefaultSCC(dda *v2alpha1.DatadogAgent) *securityv1.SecurityContextConstraints {
-	return &securityv1.SecurityContextConstraints{
-		Users: []string{
-			fmt.Sprintf("system:serviceaccount:%s:%s", dda.Namespace, v2alpha1.GetAgentServiceAccount(dda)),
-		},
-		Priority: apiutils.NewInt32Pointer(8),
-		AllowHostPorts: v2alpha1.IsHostNetworkEnabled(dda, v2alpha1.NodeAgentComponentName),
-		AllowHostNetwork: v2alpha1.IsHostNetworkEnabled(dda, v2alpha1.NodeAgentComponentName),
-		Volumes: []securityv1.FSType{
-			securityv1.FSTypeConfigMap,
-			securityv1.FSTypeDownwardAPI,
-			securityv1.FSTypeEmptyDir,
-			securityv1.FSTypeHostPath,
-			securityv1.FSTypeSecret,
-		},
-		SELinuxContext: securityv1.SELinuxContextStrategyOptions{
-			Type: securityv1.SELinuxStrategyMustRunAs,
-			SELinuxOptions: &corev1.SELinuxOptions{
-				User: "system_u",
-				Role: "system_r",
-				Type: "spc_t",
-				Level: "s0",
-			},
-		},
-		SeccompProfiles: []string{
-			"runtime/default",
-			"localhost/system-probe",
-		},
-		AllowedCapabilities: []corev1.Capability{
-			"SYS_ADMIN",
-			"SYS_RESOURCE",
-			"SYS_PTRACE",
-			"NET_ADMIN",
-			"NET_BROADCAST",
-			"NET_RAW",
-			"IPC_LOCK",
-			"CHOWN",
-			"AUDIT_CONTROL",
-			"AUDIT_READ",
-		},
-		AllowHostDirVolumePlugin: true,
-		AllowHostIPC: true,
-		AllowPrivilegedContainer: false,
-		FSGroup: securityv1.FSGroupStrategyOptions{
-			Type: securityv1.FSGroupStrategyMustRunAs,
-		},
-		ReadOnlyRootFilesystem: false,
-		RunAsUser: securityv1.RunAsUserStrategyOptions{
-			Type: securityv1.RunAsUserStrategyRunAsAny,
-		},
-		SupplementalGroups: securityv1.SupplementalGroupsStrategyOptions{
-			Type: securityv1.SupplementalGroupsStrategyRunAsAny,
-		},
-	}
-}
-
 func volumeMountsForSeccompSetup() []corev1.VolumeMount {
 	return []corev1.VolumeMount{
 		component.GetVolumeMountForSecurity(),
diff --git a/controllers/datadogagent/component/clusteragent/default.go b/controllers/datadogagent/component/clusteragent/default.go
index f391ea122..1e8b796ff 100644
--- a/controllers/datadogagent/component/clusteragent/default.go
+++ b/controllers/datadogagent/component/clusteragent/default.go
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"strconv"
-	securityv1 "github.com/openshift/api/security/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -17,7 +16,6 @@ import (
 	apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common"
 	apicommonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1"
-	"github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1"
 	apiutils "github.com/DataDog/datadog-operator/apis/utils"
 	"github.com/DataDog/datadog-operator/controllers/datadogagent/common"
 	"github.com/DataDog/datadog-operator/controllers/datadogagent/component"
@@ -267,47 +265,3 @@ func GetLeaderElectionPolicyRule(dda metav1.Object) []rbacv1.PolicyRule {
 		},
 	}
 }
-
-// GetDefaultSCC returns the default SCC for the cluster agent component
-func GetDefaultSCC(dda *v2alpha1.DatadogAgent) *securityv1.SecurityContextConstraints {
-	return &securityv1.SecurityContextConstraints{
-		Users: []string{
-			fmt.Sprintf("system:serviceaccount:%s:%s", dda.Namespace, v2alpha1.GetClusterAgentServiceAccount(dda)),
-		},
-		Priority: apiutils.NewInt32Pointer(8),
-		AllowHostPorts: v2alpha1.IsHostNetworkEnabled(dda, v2alpha1.ClusterAgentComponentName),
-		AllowHostNetwork: v2alpha1.IsHostNetworkEnabled(dda, v2alpha1.ClusterAgentComponentName),
-		AllowHostDirVolumePlugin: false,
-		AllowHostIPC: false,
-		AllowHostPID: false,
-		// AllowPrivilegeEscalation: false, // unavailable: https://github.com/openshift/api/issues/1281
-		AllowPrivilegedContainer: false,
-		FSGroup: securityv1.FSGroupStrategyOptions{
-			Type: securityv1.FSGroupStrategyMustRunAs,
-		},
-		ReadOnlyRootFilesystem: false,
-		RequiredDropCapabilities: []corev1.Capability{
-			"KILL",
-			"MKNOD",
-			"SETUID",
-			"SETGID",
-		},
-		RunAsUser: securityv1.RunAsUserStrategyOptions{
-			Type: securityv1.RunAsUserStrategyMustRunAsRange,
-		},
-		SELinuxContext: securityv1.SELinuxContextStrategyOptions{
-			Type: securityv1.SELinuxStrategyMustRunAs,
-		},
-		SupplementalGroups: securityv1.SupplementalGroupsStrategyOptions{
-			Type: securityv1.SupplementalGroupsStrategyRunAsAny,
-		},
-		Volumes: []securityv1.FSType{
-			securityv1.FSTypeConfigMap,
-			securityv1.FSTypeDownwardAPI,
-			securityv1.FSTypeEmptyDir,
-			securityv1.FSTypePersistentVolumeClaim,
-			securityv1.FSProjected,
-			securityv1.FSTypeSecret,
-		},
-	}
-}
diff --git a/controllers/datadogagent/component/utils.go b/controllers/datadogagent/component/utils.go
index 47dc5ac46..7963f334a 100644
--- a/controllers/datadogagent/component/utils.go
+++ b/controllers/datadogagent/component/utils.go
@@ -348,11 +348,6 @@ func GetClusterAgentVersion(dda metav1.Object) string {
 return ""
 }
- // GetClusterAgentSCCName returns the Cluster-Agent SCC name based on the DatadogAgent name
- func GetClusterAgentSCCName(dda metav1.Object) string {
- return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterAgentResourceSuffix)
- }
-
 // GetAgentName return the Agent name based on the DatadogAgent info
 func GetAgentName(dda metav1.Object) string {
 return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultAgentResourceSuffix)
@@ -377,11 +372,6 @@ func GetAgentVersionFromImage(imageConfig commonv1.AgentImageConfig) string {
 return version
 }
- // GetAgentSCCName returns the Agent SCC name based on the DatadogAgent name
- func GetAgentSCCName(dda metav1.Object) string {
- return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultAgentResourceSuffix)
- }
-
 // GetClusterChecksRunnerName return the Cluster-Checks-Runner name based on the DatadogAgent name
 func GetClusterChecksRunnerName(dda metav1.Object) string {
 return fmt.Sprintf("%s-%s", dda.GetName(), apicommon.DefaultClusterChecksRunnerResourceSuffix)
diff --git a/controllers/datadogagent/feature/apm/feature.go b/controllers/datadogagent/feature/apm/feature.go
index 3aefe24d3..10c9591f9 100644
--- a/controllers/datadogagent/feature/apm/feature.go
+++ b/controllers/datadogagent/feature/apm/feature.go
@@ -9,7 +9,6 @@ import (
 "path/filepath"
 "strconv"
- securityv1 "github.com/openshift/api/security/v1"
 corev1 "k8s.io/api/core/v1"
 netv1 "k8s.io/api/networking/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -55,7 +54,6 @@ type apmFeature struct {
 createKubernetesNetworkPolicy bool
 createCiliumNetworkPolicy bool
- createSCC bool
 }
 // ID returns the ID of the Feature
@@ -90,8 +88,6 @@ func (f *apmFeature) Configure(dda *v2alpha1.DatadogAgent) (reqComp feature.Requ
 }
 f.localServiceName = v2alpha1.GetLocalAgentServiceName(dda)
- f.createSCC = v2alpha1.ShouldCreateSCC(dda, v2alpha1.NodeAgentComponentName)
-
 reqComp = feature.RequiredComponents{
 Agent: feature.RequiredComponent{
 IsRequired: apiutils.NewBoolPointer(true),
@@ -226,18 +222,6 @@ func (f *apmFeature) ManageDependencies(managers feature.ResourceManagers, compo
 }
 }
- // scc
- if f.createSCC {
- sccName := component.GetAgentSCCName(f.owner)
- scc := securityv1.SecurityContextConstraints{}
-
- if f.hostPortEnabled {
- scc.AllowHostPorts = true
- }
-
- return managers.PodSecurityManager().AddSecurityContextConstraints(sccName, f.owner.GetNamespace(), &scc)
- }
-
 return nil
 }
diff --git a/controllers/datadogagent/feature/cspm/feature.go b/controllers/datadogagent/feature/cspm/feature.go
index bc09e8060..dd8824b97 100644
--- a/controllers/datadogagent/feature/cspm/feature.go
+++ b/controllers/datadogagent/feature/cspm/feature.go
@@ -6,7 +6,6 @@ package cspm
 import (
- "fmt"
 "strconv"
 apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common"
@@ -14,7 +13,6 @@ import (
 "github.com/DataDog/datadog-operator/apis/datadoghq/v1alpha1"
 "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1"
 apiutils "github.com/DataDog/datadog-operator/apis/utils"
- "github.com/DataDog/datadog-operator/controllers/datadogagent/component"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/feature"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/object"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/object/configmap"
@@ -23,7 +21,6 @@ import (
 "github.com/DataDog/datadog-operator/pkg/kubernetes"
 "github.com/go-logr/logr"
- securityv1 "github.com/openshift/api/security/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -49,7 +46,6 @@ type cspmFeature struct {
 enable bool
 serviceAccountName string
 checkInterval string
- createSCC bool
 createPSP bool
 hostBenchmarksEnabled bool
@@ -93,7 +89,6 @@ func (f *cspmFeature) Configure(dda *v2alpha1.DatadogAgent) (reqComp feature.Req
 f.configMapName = apicommonv1.GetConfName(dda, f.customConfig, apicommon.DefaultCSPMConf)
 // TODO add settings to configure f.createPSP
- f.createSCC = v2alpha1.ShouldCreateSCC(dda, v2alpha1.NodeAgentComponentName)
 if dda.Spec.Features.CSPM.HostBenchmarks != nil && apiutils.BoolValue(dda.Spec.Features.CSPM.HostBenchmarks.Enabled) {
 f.hostBenchmarksEnabled = true
@@ -167,15 +162,6 @@ func (f *cspmFeature) ManageDependencies(managers feature.ResourceManagers, comp
 }
 }
- if f.createSCC {
- // Manage SecurityContextConstraints
- sccName := component.GetAgentSCCName(f.owner)
- scc := securityv1.SecurityContextConstraints{AllowHostPID: true}
- if err := managers.PodSecurityManager().AddSecurityContextConstraints(sccName, f.owner.GetNamespace(), &scc); err != nil {
- return fmt.Errorf("error adding scc to store: %w", err)
- }
- }
-
 if f.createPSP {
 // Manage PodSecurityPolicy
 pspName := getPSPName(f.owner)
diff --git a/controllers/datadogagent/feature/dogstatsd/feature.go b/controllers/datadogagent/feature/dogstatsd/feature.go
index 0da6f02c7..fc6913ef4 100644
--- a/controllers/datadogagent/feature/dogstatsd/feature.go
+++ b/controllers/datadogagent/feature/dogstatsd/feature.go
@@ -9,7 +9,6 @@ import (
 "path/filepath"
 "strconv"
- securityv1 "github.com/openshift/api/security/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -53,8 +52,7 @@ type dogstatsdFeature struct {
 forceEnableLocalService bool
 localServiceName string
- createSCC bool
- owner metav1.Object
+ owner metav1.Object
 }
 // ID returns the ID of the Feature
@@ -91,8 +89,6 @@ func (f *dogstatsdFeature) Configure(dda *v2alpha1.DatadogAgent) (reqComp featur
 }
 f.localServiceName = v2alpha1.GetLocalAgentServiceName(dda)
- f.createSCC = v2alpha1.ShouldCreateSCC(dda, v2alpha1.NodeAgentComponentName)
-
 reqComp = feature.RequiredComponents{
 Agent: feature.RequiredComponent{
 IsRequired: apiutils.NewBoolPointer(true),
@@ -166,19 +162,6 @@ func (f *dogstatsdFeature) ManageDependencies(managers feature.ResourceManagers,
 }
 }
- if f.createSCC {
- sccName := component.GetAgentSCCName(f.owner)
- scc := securityv1.SecurityContextConstraints{}
-
- if f.hostPortEnabled {
- scc.AllowHostPorts = true
- }
- if f.originDetectionEnabled && f.udsEnabled {
- scc.AllowHostPID = true
- }
-
- return managers.PodSecurityManager().AddSecurityContextConstraints(sccName, f.owner.GetNamespace(), &scc)
- }
 return nil
 }
diff --git a/controllers/datadogagent/merger/pod_security.go b/controllers/datadogagent/merger/pod_security.go
index b532d77b2..c91259ab0 100644
--- a/controllers/datadogagent/merger/pod_security.go
+++ b/controllers/datadogagent/merger/pod_security.go
@@ -6,20 +6,13 @@ package merger
 import (
- "fmt"
-
- apiutils "github.com/DataDog/datadog-operator/apis/utils"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/dependencies"
- "github.com/DataDog/datadog-operator/pkg/kubernetes"
- securityv1 "github.com/openshift/api/security/v1"
 policyv1beta1 "k8s.io/api/policy/v1beta1"
 )
 // PodSecurityManager use to manage Security resources.
 type PodSecurityManager interface {
- // AddSecurityContextConstraints updates a SecurityContextConstraints
- AddSecurityContextConstraints(name, namespace string, sccUpdates *securityv1.SecurityContextConstraints) error
 // GetPodSecurityPolicy gets a PodSecurityPolicy
 GetPodSecurityPolicy(namespace string, pspName string) (*policyv1beta1.PodSecurityPolicy, error)
 // UpdatePodSecurityPolicy updates a PodSecurityPolicy
@@ -39,85 +32,6 @@ type podSecurityManagerImpl struct {
 store dependencies.StoreClient
 }
- func (m *podSecurityManagerImpl) AddSecurityContextConstraints(name, namespace string, sccUpdates *securityv1.SecurityContextConstraints) error {
- if sccUpdates == nil {
- return nil
- }
-
- obj, _ := m.store.GetOrCreate(kubernetes.SecurityContextConstraintsKind, namespace, name)
- scc, ok := obj.(*securityv1.SecurityContextConstraints)
- if !ok {
- return fmt.Errorf("unable to get from the store the SecurityContextConstraints %s/%s", namespace, name)
- }
-
- if sccUpdates.Priority != nil {
- scc.Priority = sccUpdates.Priority
- }
- scc.AllowPrivilegedContainer = apiutils.BoolValue(&sccUpdates.AllowPrivilegedContainer)
- if len(sccUpdates.DefaultAddCapabilities) > 0 {
- scc.DefaultAddCapabilities = append(scc.DefaultAddCapabilities, sccUpdates.DefaultAddCapabilities...)
- }
- if len(sccUpdates.RequiredDropCapabilities) > 0 {
- scc.RequiredDropCapabilities = append(scc.RequiredDropCapabilities, sccUpdates.RequiredDropCapabilities...)
- }
- if len(sccUpdates.AllowedCapabilities) > 0 {
- scc.AllowedCapabilities = append(scc.AllowedCapabilities, sccUpdates.AllowedCapabilities...)
- }
- scc.AllowHostDirVolumePlugin = apiutils.BoolValue(&sccUpdates.AllowHostDirVolumePlugin)
- if len(sccUpdates.Volumes) > 0 {
- scc.Volumes = append(scc.Volumes, sccUpdates.Volumes...)
- }
- if len(sccUpdates.AllowedFlexVolumes) > 0 {
- scc.AllowedFlexVolumes = append(scc.AllowedFlexVolumes, sccUpdates.AllowedFlexVolumes...)
- }
- scc.AllowHostNetwork = apiutils.BoolValue(&sccUpdates.AllowHostNetwork)
- scc.AllowHostPorts = apiutils.BoolValue(&sccUpdates.AllowHostPorts)
- scc.AllowHostPID = apiutils.BoolValue(&sccUpdates.AllowHostPID)
- scc.AllowHostIPC = apiutils.BoolValue(&sccUpdates.AllowHostIPC)
- if sccUpdates.SELinuxContext.Type != "" {
- scc.SELinuxContext.Type = sccUpdates.SELinuxContext.Type
- }
- if sccUpdates.SELinuxContext.SELinuxOptions != nil {
- scc.SELinuxContext.SELinuxOptions = sccUpdates.SELinuxContext.SELinuxOptions
- }
- if sccUpdates.RunAsUser.Type != "" {
- scc.RunAsUser.Type = sccUpdates.RunAsUser.Type
- }
- if sccUpdates.RunAsUser.UID != nil {
- scc.RunAsUser.UID = sccUpdates.RunAsUser.UID
- }
- if sccUpdates.RunAsUser.UIDRangeMin != nil {
- scc.RunAsUser.UIDRangeMin = sccUpdates.RunAsUser.UIDRangeMin
- }
- if sccUpdates.RunAsUser.UIDRangeMax != nil {
- scc.RunAsUser.UIDRangeMax = sccUpdates.RunAsUser.UIDRangeMax
- }
- if sccUpdates.SupplementalGroups.Type != "" {
- scc.SupplementalGroups.Type = sccUpdates.SupplementalGroups.Type
- }
- if len(sccUpdates.SupplementalGroups.Ranges) > 0 {
- scc.SupplementalGroups.Ranges = append(scc.SupplementalGroups.Ranges, sccUpdates.SupplementalGroups.Ranges...)
- }
- if sccUpdates.FSGroup.Type != "" {
- scc.FSGroup.Type = sccUpdates.FSGroup.Type
- }
- if len(sccUpdates.FSGroup.Ranges) > 0 {
- scc.FSGroup.Ranges = append(scc.FSGroup.Ranges, sccUpdates.FSGroup.Ranges...)
- }
- scc.ReadOnlyRootFilesystem = apiutils.BoolValue(&sccUpdates.ReadOnlyRootFilesystem)
- if len(sccUpdates.Users) > 0 {
- scc.Users = append(scc.Users, sccUpdates.Users...)
- }
- if len(sccUpdates.Groups) > 0 {
- scc.Groups = append(scc.Groups, sccUpdates.Groups...)
- }
- if len(sccUpdates.SeccompProfiles) > 0 {
- scc.SeccompProfiles = append(scc.SeccompProfiles, sccUpdates.SeccompProfiles...)
- }
-
- return m.store.AddOrUpdate(kubernetes.SecurityContextConstraintsKind, scc)
- }
-
 func (m *podSecurityManagerImpl) GetPodSecurityPolicy(namespace string, pspName string) (psp *policyv1beta1.PodSecurityPolicy, err error) {
 // TODO
 // obj, _ := m.store.GetOrCreate(kubernetes.PodSecurityPoliciesKind, namespace, pspName)
diff --git a/controllers/datadogagent/merger/pod_security_test.go b/controllers/datadogagent/merger/pod_security_test.go
index 8e8ffb155..39d8a5c0b 100644
--- a/controllers/datadogagent/merger/pod_security_test.go
+++ b/controllers/datadogagent/merger/pod_security_test.go
@@ -5,166 +5,4 @@
 package merger
- import (
- "fmt"
- "testing"
-
- "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1"
- apiutils "github.com/DataDog/datadog-operator/apis/utils"
- "github.com/DataDog/datadog-operator/controllers/datadogagent/dependencies"
- "github.com/DataDog/datadog-operator/pkg/kubernetes"
-
- securityv1 "github.com/openshift/api/security/v1"
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- )
-
- func TestPodSecurityManager_AddSecurityContextConstraints(t *testing.T) {
- ns := "bar"
- newSCCName := "foo"
- existingSCCName := "foo2"
-
- newSCC := &securityv1.SecurityContextConstraints{
- Users: []string{
- fmt.Sprintf("system:serviceaccount:%s:%s", ns, newSCCName),
- },
- Priority: apiutils.NewInt32Pointer(8),
- AllowedCapabilities: []corev1.Capability{
- "SYS_ADMIN",
- "SYS_RESOURCE",
- "SYS_PTRACE",
- "NET_ADMIN",
- "NET_BROADCAST",
- "NET_RAW",
- "IPC_LOCK",
- "CHOWN",
- "AUDIT_CONTROL",
- "AUDIT_READ",
- },
- AllowHostDirVolumePlugin: true,
- AllowHostIPC: true,
- AllowPrivilegedContainer: false,
- FSGroup: securityv1.FSGroupStrategyOptions{
- Type: securityv1.FSGroupStrategyMustRunAs,
- },
- }
-
- existingSCC := securityv1.SecurityContextConstraints{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: ns,
- Name: existingSCCName,
- },
- Users: []string{
- fmt.Sprintf("system:serviceaccount:%s:%s", ns, existingSCCName),
- },
- AllowHostDirVolumePlugin: false,
- FSGroup: securityv1.FSGroupStrategyOptions{
- Type: securityv1.FSGroupStrategyMustRunAs,
- },
- Volumes: []securityv1.FSType{
- securityv1.FSTypeConfigMap,
- securityv1.FSTypeDownwardAPI,
- securityv1.FSTypeEmptyDir,
- securityv1.FSTypePersistentVolumeClaim,
- securityv1.FSProjected,
- securityv1.FSTypeSecret,
- },
- }
-
- testScheme := runtime.NewScheme()
- testScheme.AddKnownTypes(v2alpha1.GroupVersion, &v2alpha1.DatadogAgent{})
- storeOptions := &dependencies.StoreOptions{
- Scheme: testScheme,
- }
-
- owner :=
&v2alpha1.DatadogAgent{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: ns,
- Name: newSCCName,
- },
- }
-
- type args struct {
- namespace string
- name string
- scc *securityv1.SecurityContextConstraints
- }
- tests := []struct {
- name string
- store *dependencies.Store
- args args
- wantErr bool
- validateFunc func(*testing.T, *dependencies.Store)
- }{
- {
- name: "empty store",
- store: dependencies.NewStore(owner, storeOptions),
- args: args{
- namespace: ns,
- name: newSCCName,
- scc: newSCC,
- },
- wantErr: false,
- validateFunc: func(t *testing.T, store *dependencies.Store) {
- if _, found := store.Get(kubernetes.SecurityContextConstraintsKind, ns, newSCCName); !found {
- t.Errorf("missing SecurityContextConstraints %s/%s", ns, newSCCName)
- }
- },
- },
- {
- name: "another SecurityContextConstraints already exists",
- store: dependencies.NewStore(owner, storeOptions).AddOrUpdateStore(kubernetes.SecurityContextConstraintsKind, &existingSCC),
- args: args{
- namespace: ns,
- name: newSCCName,
- scc: newSCC,
- },
- wantErr: false,
- validateFunc: func(t *testing.T, store *dependencies.Store) {
- if _, found := store.Get(kubernetes.SecurityContextConstraintsKind, ns, newSCCName); !found {
- t.Errorf("missing SecurityContextConstraints %s/%s", ns, newSCCName)
- }
- },
- },
- {
- name: "update existing SecurityContextConstraints",
- store: dependencies.NewStore(owner, storeOptions).AddOrUpdateStore(kubernetes.SecurityContextConstraintsKind, &existingSCC),
- args: args{
- namespace: ns,
- name: existingSCCName,
- scc: newSCC,
- },
- wantErr: false,
- validateFunc: func(t *testing.T, store *dependencies.Store) {
- obj, found := store.Get(kubernetes.SecurityContextConstraintsKind, ns, existingSCCName)
- if !found {
- t.Errorf("missing SecurityContextConstraints %s/%s", ns, existingSCCName)
- }
- scc, ok := obj.(*securityv1.SecurityContextConstraints)
- if !ok || !scc.AllowHostDirVolumePlugin {
- t.Errorf("AllowHostDirVolumePlugin not updated in
SecurityContextConstraints %s/%s", ns, existingSCCName)
- }
- if len(scc.Volumes) != 6 {
- t.Errorf("Volumes changed in SecurityContextConstraints %s/%s", ns, existingSCCName)
- }
- if len(scc.AllowedCapabilities) != 10 {
- t.Errorf("AllowedCapabilities not added in SecurityContextConstraints %s/%s", ns, existingSCCName)
- }
- },
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- m := &podSecurityManagerImpl{
- store: tt.store,
- }
- if err := m.AddSecurityContextConstraints(tt.args.name, tt.args.namespace, tt.args.scc); (err != nil) != tt.wantErr {
- t.Errorf("PodSecurityManager.AddSecurityContextConstraints() error = %v, wantErr %v", err, tt.wantErr)
- }
- if tt.validateFunc != nil {
- tt.validateFunc(t, tt.store)
- }
- })
- }
- }
+// TODO: Add tests for PodSecurityPolicies
diff --git a/controllers/datadogagent/override/dependencies.go b/controllers/datadogagent/override/dependencies.go
index 0a0369fd2..dfaffef13 100644
--- a/controllers/datadogagent/override/dependencies.go
+++ b/controllers/datadogagent/override/dependencies.go
@@ -11,14 +11,9 @@ import (
 "github.com/go-logr/logr"
- securityv1 "github.com/openshift/api/security/v1"
 "k8s.io/apimachinery/pkg/util/errors"
 "github.com/DataDog/datadog-operator/apis/datadoghq/v2alpha1"
- apiutils "github.com/DataDog/datadog-operator/apis/utils"
- ddacomponent "github.com/DataDog/datadog-operator/controllers/datadogagent/component"
- "github.com/DataDog/datadog-operator/controllers/datadogagent/component/agent"
- "github.com/DataDog/datadog-operator/controllers/datadogagent/component/clusteragent"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/feature"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/object"
 "github.com/DataDog/datadog-operator/controllers/datadogagent/object/configmap"
@@ -47,9 +42,6 @@ func Dependencies(logger logr.Logger, manager feature.ResourceManagers, dda *v2a
 // Handle custom check files
 checksdCMName := fmt.Sprintf(v2alpha1.ExtraChecksdConfigMapName, strings.ToLower((string(component))))
 errs = append(errs, overrideExtraConfigs(logger, manager, override.ExtraChecksd, namespace, checksdCMName, false)...)
-
- // Handle scc
- errs = append(errs, overrideSCC(manager, dda)...)
 }
 return errs
@@ -123,30 +115,3 @@ func overrideExtraConfigs(logger logr.Logger, manager feature.ResourceManagers,
 }
 return errs
 }
-
- func overrideSCC(manager feature.ResourceManagers, dda *v2alpha1.DatadogAgent) (errs []error) {
- for component, override := range dda.Spec.Override {
- sccConfig := override.SecurityContextConstraints
- if sccConfig != nil && apiutils.BoolValue(sccConfig.Create) {
- var sccName string
- scc := &securityv1.SecurityContextConstraints{}
-
- switch component {
- case v2alpha1.NodeAgentComponentName:
- sccName = ddacomponent.GetAgentSCCName(dda)
- scc = agent.GetDefaultSCC(dda)
- case v2alpha1.ClusterAgentComponentName:
- sccName = ddacomponent.GetClusterAgentSCCName(dda)
- scc = clusteragent.GetDefaultSCC(dda)
- }
-
- if sccConfig.CustomConfiguration != nil {
- scc = sccConfig.CustomConfiguration
- }
-
- errs = append(errs, manager.PodSecurityManager().AddSecurityContextConstraints(sccName, dda.Namespace, scc))
- }
- }
-
- return errs
- }
diff --git a/controllers/datadogagent/override/dependencies_test.go b/controllers/datadogagent/override/dependencies_test.go
index 870ac63c2..f926ed407 100644
--- a/controllers/datadogagent/override/dependencies_test.go
+++ b/controllers/datadogagent/override/dependencies_test.go
@@ -125,26 +125,6 @@ func TestDependencies(t *testing.T) {
 },
 expectsErrors: false,
 },
- {
- name: "override scc without errors",
- dda: v2alpha1.DatadogAgent{
- Spec: v2alpha1.DatadogAgentSpec{
- Override: map[v2alpha1.ComponentName]*v2alpha1.DatadogAgentComponentOverride{
- v2alpha1.ClusterAgentComponentName: {
- SecurityContextConstraints: &v2alpha1.SecurityContextConstraintsConfig{
- Create: apiutils.NewBoolPointer(false),
- },
- },
- v2alpha1.NodeAgentComponentName: {
- SecurityContextConstraints: &v2alpha1.SecurityContextConstraintsConfig{
- Create: apiutils.NewBoolPointer(false),
- },
- },
- },
- },
- },
- expectsErrors: false,
- },
 }
 for _, test := range tests {
diff --git a/docs/configuration.v2alpha1.md b/docs/configuration.v2alpha1.md
index c1571be67..01fec83cd 100644
--- a/docs/configuration.v2alpha1.md
+++ b/docs/configuration.v2alpha1.md
@@ -322,39 +322,6 @@ In the table, `spec.override.nodeAgent.image.name` and `spec.override.nodeAgent.
 | [key].securityContext.windowsOptions.gmsaCredentialSpecName | GMSACredentialSpecName is the name of the GMSA credential spec to use. |
 | [key].securityContext.windowsOptions.hostProcess | HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true. |
 | [key].securityContext.windowsOptions.runAsUserName | The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
-| [key].securityContextConstraints.create | Create defines whether to create a SecurityContextConstraints for the current component. If CustomConfiguration is not set, setting Create to `true` creates a default SCC. |
-| [key].securityContextConstraints.customConfiguration.allowHostDirVolumePlugin | AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin |
-| [key].securityContextConstraints.customConfiguration.allowHostIPC | AllowHostIPC determines if the policy allows host ipc in the containers. |
-| [key].securityContextConstraints.customConfiguration.allowHostNetwork | AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
|
-| [key].securityContextConstraints.customConfiguration.allowHostPID | AllowHostPID determines if the policy allows host pid in the containers. |
-| [key].securityContextConstraints.customConfiguration.allowHostPorts | AllowHostPorts determines if the policy allows host ports in the containers. |
-| [key].securityContextConstraints.customConfiguration.allowPrivilegedContainer | AllowPrivilegedContainer determines if a container can request to be run as privileged. |
-| [key].securityContextConstraints.customConfiguration.allowedCapabilities | AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'. |
-| [key].securityContextConstraints.customConfiguration.allowedFlexVolumes | AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "Volumes" field. |
-| [key].securityContextConstraints.customConfiguration.apiVersion | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
-| [key].securityContextConstraints.customConfiguration.defaultAddCapabilities | DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities. |
-| [key].securityContextConstraints.customConfiguration.fsGroup.ranges | Ranges are the allowed ranges of fs groups.
If you would like to force a single fs group then supply a single range with the same start and end. |
-| [key].securityContextConstraints.customConfiguration.fsGroup.type | Type is the strategy that will dictate what FSGroup is used in the SecurityContext. |
-| [key].securityContextConstraints.customConfiguration.groups | The groups that have permission to use this security context constraints |
-| [key].securityContextConstraints.customConfiguration.kind | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
-| [key].securityContextConstraints.customConfiguration.metadata | Standard object's metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata |
-| [key].securityContextConstraints.customConfiguration.priority | Priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name. |
-| [key].securityContextConstraints.customConfiguration.readOnlyRootFilesystem | ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
|
-| [key].securityContextConstraints.customConfiguration.requiredDropCapabilities | RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added. |
-| [key].securityContextConstraints.customConfiguration.runAsUser.type | Type is the strategy that will dictate what RunAsUser is used in the SecurityContext. |
-| [key].securityContextConstraints.customConfiguration.runAsUser.uid | UID is the user id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated uids. |
-| [key].securityContextConstraints.customConfiguration.runAsUser.uidRangeMax | UIDRangeMax defines the max value for a strategy that allocates by range. |
-| [key].securityContextConstraints.customConfiguration.runAsUser.uidRangeMin | UIDRangeMin defines the min value for a strategy that allocates by range. |
-| [key].securityContextConstraints.customConfiguration.seLinuxContext.seLinuxOptions.level | Level is SELinux level label that applies to the container. |
-| [key].securityContextConstraints.customConfiguration.seLinuxContext.seLinuxOptions.role | Role is a SELinux role label that applies to the container. |
-| [key].securityContextConstraints.customConfiguration.seLinuxContext.seLinuxOptions.type | Type is a SELinux type label that applies to the container. |
-| [key].securityContextConstraints.customConfiguration.seLinuxContext.seLinuxOptions.user | User is a SELinux user label that applies to the container. |
-| [key].securityContextConstraints.customConfiguration.seLinuxContext.type | Type is the strategy that will dictate what SELinux context is used in the SecurityContext. |
-| [key].securityContextConstraints.customConfiguration.seccompProfiles | SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.
The wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default. |
-| [key].securityContextConstraints.customConfiguration.supplementalGroups.ranges | Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. |
-| [key].securityContextConstraints.customConfiguration.supplementalGroups.type | Type is the strategy that will dictate what supplemental groups is used in the SecurityContext. |
-| [key].securityContextConstraints.customConfiguration.users | The users who have permissions to use this security context constraints |
-| [key].securityContextConstraints.customConfiguration.volumes | Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". To allow no volumes, set to ["none"]. |
 | [key].serviceAccountName | Sets the ServiceAccount used by this component. Ignored if the field CreateRbac is true. |
 | [key].tolerations `[]object` | Configure the component tolerations. |
 | [key].volumes `[]object` | Specify additional volumes in the different components (Datadog Agent, Cluster Agent, Cluster Check Runner). |
diff --git a/pkg/kubernetes/const.go b/pkg/kubernetes/const.go
index 21c0d3ef4..13e812d97 100644
--- a/pkg/kubernetes/const.go
+++ b/pkg/kubernetes/const.go
@@ -52,8 +52,6 @@ const (
 PodSecurityPoliciesKind = "podsecuritypolicies"
 // CiliumNetworkPoliciesKind CiliumNetworkPolicies resource kind
 CiliumNetworkPoliciesKind = "ciliumnetworkpolicies"
- // SecurityContextConstraintsKind SecurityContextConstraints resource kind
- SecurityContextConstraintsKind = "securitycontextconstraints"
 )
 // GetResourcesKind return the list of all possible ObjectKind supported as DatadogAgent dependencies
@@ -71,7 +69,6 @@ func getResourcesKind(withCiliumResources, withPodSecurityPolicy bool) []ObjectK
 ServiceAccountsKind,
 PodDisruptionBudgetsKind,
 NetworkPoliciesKind,
- // SecurityContextConstraintsKind,
 }
 if withCiliumResources {
diff --git a/pkg/kubernetes/objects.go b/pkg/kubernetes/objects.go
index b4f64114c..e5ae96f9f 100644
--- a/pkg/kubernetes/objects.go
+++ b/pkg/kubernetes/objects.go
@@ -6,7 +6,6 @@ package kubernetes
 import (
- securityv1 "github.com/openshift/api/security/v1"
 admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 corev1 "k8s.io/api/core/v1"
 networkingv1 "k8s.io/api/networking/v1"
@@ -49,8 +48,6 @@ func ObjectFromKind(kind ObjectKind, platformInfo PlatformInfo) client.Object {
 return &policyv1beta1.PodSecurityPolicy{}
 case CiliumNetworkPoliciesKind:
 return ciliumv1.EmptyCiliumUnstructuredPolicy()
- case SecurityContextConstraintsKind:
- return &securityv1.SecurityContextConstraints{}
 }
 return nil
diff --git a/pkg/kubernetes/objectslist.go b/pkg/kubernetes/objectslist.go
index c3619d0e2..8d84fe539 100644
--- a/pkg/kubernetes/objectslist.go
+++ b/pkg/kubernetes/objectslist.go
@@ -48,8 +48,6 @@ func ObjectListFromKind(kind ObjectKind, platformInfo PlatformInfo) client.Objec
 return &policyv1beta1.PodSecurityPolicyList{}
 case CiliumNetworkPoliciesKind:
 return ciliumv1.EmptyCiliumUnstructuredListPolicy()
- // case SecurityContextConstraintsKind:
- // return &securityv1.SecurityContextConstraintsList{}
 }
 return nil