update podresources mount to only be in agent container (#1716)
celenechang authored Feb 21, 2025
1 parent 35b5bc9 commit 8ba3647
Showing 2 changed files with 88 additions and 62 deletions.
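--- a/internal/controller/datadogagent/override/global.go
+++ b/internal/controller/datadogagent/override/global.go
@@ -287,31 +287,22 @@ func applyGlobalSettings(logger logr.Logger, manager feature.PodTemplateManagers
 })
 }
 if config.Kubelet.PodResourcesSocketPath != "" {
-manager.EnvVar().AddEnvVar(&corev1.EnvVar{
+manager.EnvVar().AddEnvVarToContainer(apicommon.CoreAgentContainerName, &corev1.EnvVar{
 Name: DDKubernetesPodResourcesSocket,
 Value: path.Join(config.Kubelet.PodResourcesSocketPath, "kubelet.sock"),
 })
 
 podResourcesVol, podResourcesMount := volume.GetVolumes(common.KubeletPodResourcesVolumeName, config.Kubelet.PodResourcesSocketPath, config.Kubelet.PodResourcesSocketPath, false)
 if singleContainerStrategyEnabled {
-manager.VolumeMount().AddVolumeMountToContainers(
+manager.VolumeMount().AddVolumeMountToContainer(
 &podResourcesMount,
-[]apicommon.AgentContainerName{
-apicommon.UnprivilegedSingleAgentContainerName,
-},
+apicommon.UnprivilegedSingleAgentContainerName,
 )
 manager.Volume().AddVolume(&podResourcesVol)
 } else {
-manager.VolumeMount().AddVolumeMountToContainers(
+manager.VolumeMount().AddVolumeMountToContainer(
 &podResourcesMount,
-[]apicommon.AgentContainerName{
-apicommon.CoreAgentContainerName,
-apicommon.ProcessAgentContainerName,
-apicommon.TraceAgentContainerName,
-apicommon.SecurityAgentContainerName,
-apicommon.AgentDataPlaneContainerName,
-apicommon.SystemProbeContainerName,
-},
+apicommon.CoreAgentContainerName,
 )
 manager.Volume().AddVolume(&podResourcesVol)
 }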
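Review bot: In the single-container branch the mount now goes to `apicommon.UnprivilegedSingleAgentContainerName`, but the env var at the top of the block is always added with `AddEnvVarToContainer(apicommon.CoreAgentContainerName, …)`, so unless the manager remaps that name in single-container mode (not visible in this hunk) the one container that has the socket mounted does not receive `DDKubernetesPodResourcesSocket`. Picking the target container once and using it for both the env var and the mount keeps the two in step and removes the duplicated branches; a short comment saying that the kubelet pod-resources socket is host state and is deliberately exposed to a single container would help keep the list from growing back. If the trailing `false` passed to `volume.GetVolumes` is a read-only flag, it is also worth checking whether this hostPath can be mounted read-only. `applyGlobalSettings` starts and ends outside the hunk.

```go
if config.Kubelet.PodResourcesSocketPath != "" {
	// The kubelet pod-resources socket is host state: expose it to exactly one container.
	target := apicommon.CoreAgentContainerName
	if singleContainerStrategyEnabled {
		target = apicommon.UnprivilegedSingleAgentContainerName
	}
	manager.EnvVar().AddEnvVarToContainer(target, &corev1.EnvVar{
		// … unchanged: Name and Value …
	})

	// … unchanged: volume.GetVolumes call …
	manager.VolumeMount().AddVolumeMountToContainer(&podResourcesMount, target)
	manager.Volume().AddVolume(&podResourcesVol)
}
```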
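--- a/internal/controller/datadogagent/override/global_test.go
+++ b/internal/controller/datadogagent/override/global_test.go
@@ -60,10 +60,12 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 name string
 dda *v2alpha1.DatadogAgent
 singleContainerStrategyEnabled bool
+wantCoreAgentVolumeMounts []*corev1.VolumeMount
 wantVolumeMounts []*corev1.VolumeMount
 wantVolumes []*corev1.Volume
+wantCoreAgentEnvVars []*corev1.EnvVar
 wantEnvVars []*corev1.EnvVar
-want func(t testing.TB, mgrInterface feature.PodTemplateManagers, expectedEnvVars []*corev1.EnvVar, expectedVolumes []*corev1.Volume, expectedVolumeMounts []*corev1.VolumeMount)
+want func(t testing.TB, mgrInterface feature.PodTemplateManagers, expectedCoreAgentEnvVars, expectedEnvVars []*corev1.EnvVar, expectedVolumes []*corev1.Volume, expectedCoreAgentVolumeMounts, expectedVolumeMounts []*corev1.VolumeMount)
 wantDependency func(t testing.TB, resourcesManager feature.ResourceManagers)
 }{
 {
@@ -73,6 +75,12 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 WithGlobalKubeletConfig(hostCAPath, agentCAPath, true, podResourcesSocketDir).
 WithGlobalDockerSocketPath(dockerSocketPath).
 BuildWithDefaults(),
+wantCoreAgentEnvVars: []*corev1.EnvVar{
+{
+Name: DDKubernetesPodResourcesSocket,
+Value: podResourcesSocket,
+},
+},
 wantEnvVars: getExpectedEnvVars([]*corev1.EnvVar{
 {
 Name: DDKubeletTLSVerify,
@@ -82,18 +90,15 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 Name: DDKubeletCAPath,
 Value: agentCAPath,
 },
-{
-Name: DDKubernetesPodResourcesSocket,
-Value: podResourcesSocket,
-},
 {
 Name: DockerHost,
 Value: "unix:///host" + dockerSocketPath,
 },
 }...),
-wantVolumeMounts: getExpectedVolumeMounts(defaultVolumes, kubeletCAVolumes, criSocketVolume),
-wantVolumes: getExpectedVolumes(defaultVolumes, kubeletCAVolumes, criSocketVolume),
-want: assertAll,
+wantCoreAgentVolumeMounts: getExpectedVolumeMounts(defaultVolumes, kubeletCAVolumes, criSocketVolume),
+wantVolumeMounts: getExpectedVolumeMounts(kubeletCAVolumes, criSocketVolume),
+wantVolumes: getExpectedVolumes(defaultVolumes, kubeletCAVolumes, criSocketVolume),
+want: assertAll,
 },
 {
 name: "Kubelet volume configured",
@@ -102,6 +107,12 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 WithGlobalKubeletConfig(hostCAPath, agentCAPath, true, podResourcesSocketDir).
 WithGlobalDockerSocketPath(dockerSocketPath).
 BuildWithDefaults(),
+wantCoreAgentEnvVars: []*corev1.EnvVar{
+{
+Name: DDKubernetesPodResourcesSocket,
+Value: podResourcesSocket,
+},
+},
 wantEnvVars: getExpectedEnvVars([]*corev1.EnvVar{
 {
 Name: DDKubeletTLSVerify,
@@ -111,46 +122,57 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 Name: DDKubeletCAPath,
 Value: agentCAPath,
 },
-{
-Name: DDKubernetesPodResourcesSocket,
-Value: podResourcesSocket,
-},
 {
 Name: DockerHost,
 Value: "unix:///host" + dockerSocketPath,
 },
 }...),
-wantVolumeMounts: getExpectedVolumeMounts(defaultVolumes, kubeletCAVolumes, criSocketVolume),
-wantVolumes: getExpectedVolumes(defaultVolumes, kubeletCAVolumes, criSocketVolume),
-want: assertAllAgentSingleContainer,
+wantCoreAgentVolumeMounts: getExpectedVolumeMounts(defaultVolumes, kubeletCAVolumes, criSocketVolume),
+wantVolumeMounts: getExpectedVolumeMounts(kubeletCAVolumes, criSocketVolume),
+wantVolumes: getExpectedVolumes(defaultVolumes, kubeletCAVolumes, criSocketVolume),
+want: assertAllAgentSingleContainer,
 },
 {
 name: "Checks tag cardinality set to orchestrator",
 singleContainerStrategyEnabled: false,
 dda: testutils.NewDatadogAgentBuilder().
 WithChecksTagCardinality("orchestrator").
 BuildWithDefaults(),
+wantCoreAgentEnvVars: []*corev1.EnvVar{
+{
+Name: DDKubernetesPodResourcesSocket,
+Value: podResourcesSocket,
+},
+},
 wantEnvVars: getExpectedEnvVars(&corev1.EnvVar{
 Name: DDChecksTagCardinality,
 Value: "orchestrator",
 }),
-wantVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
-wantVolumes: getExpectedVolumes(defaultVolumes),
-want: assertAll,
+wantCoreAgentVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
+wantVolumeMounts: getExpectedVolumeMounts(),
+wantVolumes: getExpectedVolumes(defaultVolumes),
+want: assertAll,
 },
 {
 name: "Unified origin detection activated",
 singleContainerStrategyEnabled: false,
 dda: testutils.NewDatadogAgentBuilder().
 WithOriginDetectionUnified(true).
 BuildWithDefaults(),
+wantCoreAgentEnvVars: []*corev1.EnvVar{
+{
+Name: DDKubernetesPodResourcesSocket,
+Value: podResourcesSocket,
+},
+},
 wantEnvVars: getExpectedEnvVars(&corev1.EnvVar{
 Name: DDOriginDetectionUnified,
 Value: "true",
 }),
-wantVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
-wantVolumes: getExpectedVolumes(defaultVolumes),
-want: assertAll,
+wantCoreAgentVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
+wantVolumeMounts: getExpectedVolumeMounts(),
+wantVolumes: getExpectedVolumes(defaultVolumes),
+want: assertAll,
 },
 {
 name: "Global environment variable configured",
@@ -167,6 +189,12 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 },
 }).
 BuildWithDefaults(),
+wantCoreAgentEnvVars: []*corev1.EnvVar{
+{
+Name: DDKubernetesPodResourcesSocket,
+Value: podResourcesSocket,
+},
+},
 wantEnvVars: getExpectedEnvVars([]*corev1.EnvVar{
 {
 Name: "envA",
@@ -177,9 +205,10 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 Value: "valueB",
 },
 }...),
-wantVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
-wantVolumes: getExpectedVolumes(defaultVolumes),
-want: assertAll,
+wantCoreAgentVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
+wantVolumeMounts: getExpectedVolumeMounts(),
+wantVolumes: getExpectedVolumes(defaultVolumes),
+want: assertAll,
 },
 {
 name: "Secret backend - global permissions",
@@ -191,6 +220,12 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 WithGlobalSecretBackendGlobalPerms(secretBackendCommand, secretBackendArgs, secretBackendTimeout).
 BuildWithDefaults(),
 ),
+wantCoreAgentEnvVars: []*corev1.EnvVar{
+{
+Name: DDKubernetesPodResourcesSocket,
+Value: podResourcesSocket,
+},
+},
 wantEnvVars: getExpectedEnvVars([]*corev1.EnvVar{
 {
 Name: DDSecretBackendCommand,
@@ -205,10 +240,11 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 Value: "60",
 },
 }...),
-wantVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
-wantVolumes: getExpectedVolumes(defaultVolumes),
-want: assertAll,
-wantDependency: assertSecretBackendGlobalPerms,
+wantCoreAgentVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
+wantVolumeMounts: getExpectedVolumeMounts(),
+wantVolumes: getExpectedVolumes(defaultVolumes),
+want: assertAll,
+wantDependency: assertSecretBackendGlobalPerms,
 },
 {
 name: "Secret backend - specific secret permissions",
@@ -220,6 +256,12 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 WithGlobalSecretBackendSpecificRoles(secretBackendCommand, secretBackendArgs, secretBackendTimeout, secretNamespace, secretNames).
 BuildWithDefaults(),
 ),
+wantCoreAgentEnvVars: []*corev1.EnvVar{
+{
+Name: DDKubernetesPodResourcesSocket,
+Value: podResourcesSocket,
+},
+},
 wantEnvVars: getExpectedEnvVars([]*corev1.EnvVar{
 {
 Name: DDSecretBackendCommand,
@@ -234,10 +276,11 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 Value: "60",
 },
 }...),
-wantVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
-wantVolumes: getExpectedVolumes(defaultVolumes),
-want: assertAll,
-wantDependency: assertSecretBackendSpecificPerms,
+wantCoreAgentVolumeMounts: getExpectedVolumeMounts(defaultVolumes),
+wantVolumeMounts: getExpectedVolumeMounts(),
+wantVolumes: getExpectedVolumes(defaultVolumes),
+want: assertAll,
+wantDependency: assertSecretBackendSpecificPerms,
 },
 }
 
@@ -249,7 +292,7 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 
 ApplyGlobalSettingsNodeAgent(logger, podTemplateManager, tt.dda, resourcesManager, tt.singleContainerStrategyEnabled)
 
-tt.want(t, podTemplateManager, tt.wantEnvVars, tt.wantVolumes, tt.wantVolumeMounts)
+tt.want(t, podTemplateManager, tt.wantCoreAgentEnvVars, tt.wantEnvVars, tt.wantVolumes, tt.wantCoreAgentVolumeMounts, tt.wantVolumeMounts)
 // Assert dependencies if and only if a dependency is expected
 if tt.wantDependency != nil {
 tt.wantDependency(t, resourcesManager)
@@ -258,30 +301,33 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 }
 }
 
-func assertAll(t testing.TB, mgrInterface feature.PodTemplateManagers, expectedEnvVars []*corev1.EnvVar, expectedVolumes []*corev1.Volume, expectedVolumeMounts []*corev1.VolumeMount) {
+func assertAll(t testing.TB, mgrInterface feature.PodTemplateManagers, expectedCoreAgentEnvVars, expectedEnvVars []*corev1.EnvVar, expectedVolumes []*corev1.Volume, expectedCoreAgentVolumeMounts, expectedVolumeMounts []*corev1.VolumeMount) {
 mgr := mgrInterface.(*fake.PodTemplateManagers)
 
 coreAgentVolumeMounts := mgr.VolumeMountMgr.VolumeMountsByC[apicommon.CoreAgentContainerName]
 traceAgentVolumeMounts := mgr.VolumeMountMgr.VolumeMountsByC[apicommon.TraceAgentContainerName]
 processAgentVolumeMounts := mgr.VolumeMountMgr.VolumeMountsByC[apicommon.ProcessAgentContainerName]
 
-assert.ElementsMatch(t, coreAgentVolumeMounts, expectedVolumeMounts, "core-agent volume mounts \ndiff = %s", cmp.Diff(coreAgentVolumeMounts, expectedVolumeMounts))
+assert.ElementsMatch(t, coreAgentVolumeMounts, expectedCoreAgentVolumeMounts, "core-agent volume mounts \ndiff = %s", cmp.Diff(coreAgentVolumeMounts, expectedCoreAgentVolumeMounts))
 assert.ElementsMatch(t, traceAgentVolumeMounts, expectedVolumeMounts, "trace-agent volume mounts \ndiff = %s", cmp.Diff(traceAgentVolumeMounts, expectedVolumeMounts))
 assert.ElementsMatch(t, processAgentVolumeMounts, expectedVolumeMounts, "process-agent volume mounts \ndiff = %s", cmp.Diff(processAgentVolumeMounts, expectedVolumeMounts))
 
 volumes := mgr.VolumeMgr.Volumes
 assert.ElementsMatch(t, volumes, expectedVolumes, "Volumes \ndiff = %s", cmp.Diff(volumes, []*corev1.Volume{}))
 
+coreAgentEnvVars := mgr.EnvVarMgr.EnvVarsByC[apicommon.CoreAgentContainerName]
+assert.ElementsMatch(t, coreAgentEnvVars, expectedCoreAgentEnvVars, "core-agent envvars \ndiff = %s", cmp.Diff(coreAgentEnvVars, expectedCoreAgentEnvVars))
+
 agentEnvVars := mgr.EnvVarMgr.EnvVarsByC[apicommon.AllContainers]
 assert.ElementsMatch(t, agentEnvVars, expectedEnvVars, "Agent envvars \ndiff = %s", cmp.Diff(agentEnvVars, expectedEnvVars))
 }
 
-func assertAllAgentSingleContainer(t testing.TB, mgrInterface feature.PodTemplateManagers, expectedEnvVars []*corev1.EnvVar, expectedVolumes []*corev1.Volume, expectedVolumeMounts []*corev1.VolumeMount) {
+func assertAllAgentSingleContainer(t testing.TB, mgrInterface feature.PodTemplateManagers, expectedCoreAgentEnvVars, expectedEnvVars []*corev1.EnvVar, expectedVolumes []*corev1.Volume, expectedCoreAgentVolumeMounts, expectedVolumeMounts []*corev1.VolumeMount) {
 mgr := mgrInterface.(*fake.PodTemplateManagers)
 
 agentSingleContainerVolumeMounts := mgr.VolumeMountMgr.VolumeMountsByC[apicommon.UnprivilegedSingleAgentContainerName]
 
-assert.True(t, apiutils.IsEqualStruct(agentSingleContainerVolumeMounts, expectedVolumeMounts), "Volume mounts \ndiff = %s", cmp.Diff(agentSingleContainerVolumeMounts, expectedVolumeMounts))
+assert.True(t, apiutils.IsEqualStruct(agentSingleContainerVolumeMounts, expectedCoreAgentVolumeMounts), "Volume mounts \ndiff = %s", cmp.Diff(agentSingleContainerVolumeMounts, expectedCoreAgentVolumeMounts))
 
 volumes := mgr.VolumeMgr.Volumes
 assert.True(t, apiutils.IsEqualStruct(volumes, expectedVolumes), "Volumes \ndiff = %s", cmp.Diff(volumes, []*corev1.Volume{}))
@@ -302,17 +348,6 @@ func getExpectedEnvVars(addedEnvVars ...*corev1.EnvVar) []*corev1.EnvVar {
 },
 }
 
-containsPodResourcesEnvVar := slices.ContainsFunc(addedEnvVars, func(envVar *corev1.EnvVar) bool {
-return envVar.Name == DDKubernetesPodResourcesSocket
-})
-
-if !containsPodResourcesEnvVar {
-defaultEnvVars = append(defaultEnvVars, &corev1.EnvVar{
-Name: DDKubernetesPodResourcesSocket,
-Value: podResourcesSocket,
-})
-}
-
 return append(defaultEnvVars, addedEnvVars...)
 }
 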
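Review bot: `assertAll` still checks mounts only for the core, trace and process agent containers, while the change in global.go also drops the pod-resources mount from the security-agent, agent-data-plane and system-probe containers, so a regression that re-adds the host socket to one of those would pass this test. A negative assertion over every non-core container pins the restriction directly; the sketch below uses `common.KubeletPodResourcesVolumeName` as it appears in global.go, which may need an import in the test file. `assertAllAgentSingleContainer` continues past the end of the section, so whether it uses the new `expectedCoreAgentEnvVars` argument cannot be seen from here.

```go
// … unchanged: existing mount, volume and env var assertions in assertAll …

// Only the core agent may see the kubelet pod-resources socket.
for _, c := range []apicommon.AgentContainerName{
	apicommon.ProcessAgentContainerName,
	apicommon.TraceAgentContainerName,
	apicommon.SecurityAgentContainerName,
	apicommon.AgentDataPlaneContainerName,
	apicommon.SystemProbeContainerName,
} {
	for _, m := range mgr.VolumeMountMgr.VolumeMountsByC[c] {
		assert.NotEqual(t, common.KubeletPodResourcesVolumeName, m.Name, "%s must not mount the pod-resources socket", c)
	}
}
```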
