Charts: [stable/datadog] Process Agent isn't passed DD Site & seccompRoot causes failures on system-probe

Created on 21 Nov 2019 · 6 Comments · Source: helm/charts

Logs on process agent showed it failing to communicate with datadog.com; but main config "SITE" is set to .eu.

Temporary fix was to specify it manually

daemonset: 
  containers: 
    processAgent: 
      env: 
        - { name: DD_SITE, value: "datadoghq.eu" }

Config

clusterAgent: 
  clusterChecks: 
    enabled: true
  enabled: true
  metricsProvider: 
    enabled: true
daemonset: 
  containers: 
    processAgent: 
      env: 
        - { name: DD_SITE, value: "datadoghq.eu" }
  useDedicatedContainers: true
  useHostPort: true
datadog: 
  site: "datadoghq.eu"
  apiKey: "xx"
  appKey: "xx"
  clusterName: "aws-eks-uk"
  collectEvents: true
  leaderElection: true
  logLevel: "error"
  nonLocalTraffic: true
  podLabelsAsTags: 
    app: "kube_app"
    release: "IMAGE_VERSION"
kube-state-metrics: 
  rbac: 
    create: true
  serviceAccount: 
    create: true
rbac: 
  create: true
systemProbe: 
  enabled: true
  apparmor: "unconfined"  

seccompRoot causes errors if set.

The docs (https://docs.datadoghq.com/network_performance_monitoring/installation/?tab=kubernetes) show only the apparmor setting; when left to default it sets the value to
container.seccomp.security.alpha.kubernetes.io/system-probe: localhost/system-probe
which errors:

 RunContainerError: failed to start container "3bd49e00db0baf58dd79cc44aec3010da00aca62562e41af005b733376354e4b": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "operation not permitted": unknown 
Error creating: pods "datadog-" is forbidden: unable to  validate against any pod security policy:  [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/system-probe]:  Forbidden: seccomp may not be set spec.volumes[1]: Invalid value:  "hostPath": hostPath volumes are not allowed to be used spec.volumes[2]:  Invalid value: "hostPath": hostPath volumes are not allowed to be used  spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not  allowed to be used spec.volumes[5]: Invalid value: "hostPath": hostPath  volumes are not allowed to be used spec.volumes[8]: Invalid value:  "hostPath": hostPath volumes are not allowed to be used spec.volumes[9]:  Invalid value: "hostPath": hostPath volumes are not allowed to be used  spec.containers[0].hostPort: Invalid value: 8125: Host port 8125 is not  allowed to be used. Allowed ports: []  pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/system-probe]:  Forbidden: seccomp may not be set  spec.containers[2].securityContext.capabilities.add: Invalid value:  "NET_ADMIN": capability may not be added  spec.containers[2].securityContext.capabilities.add: Invalid value:  "SYS_ADMIN": capability may not be added  spec.containers[2].securityContext.capabilities.add: Invalid value:  "SYS_PTRACE": capability may not be added  spec.containers[2].securityContext.capabilities.add: Invalid value:  "SYS_RESOURCE": capability may not be added]

So far I've only been able to correct this by removing it.

lifecycle/stale
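An added example, not part of the original issue or of the chart: a small Python parser that reduces a PodSecurityPolicy admission rejection like the one quoted above to the PSP controls it names, so the policy bound to the agent's service account can be scoped to exactly those items. The function name, rule table and shortened sample message are constructed for illustration; the field names are those of the policy/v1beta1 PodSecurityPolicy API.

```python
import re

# Constructed sample: a shortened copy of the admission error quoted in the issue,
# wrapped and double-spaced the way copied event output often is.
SAMPLE = '''Error creating: pods "datadog-" is forbidden: unable to  validate against any
pod security policy:  [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/system-probe]:
Forbidden: seccomp may not be set spec.volumes[1]: Invalid value:  "hostPath": hostPath volumes
are not allowed to be used spec.volumes[2]:  Invalid value: "hostPath": hostPath  volumes are not
allowed to be used spec.containers[0].hostPort: Invalid value: 8125: Host port 8125 is not
allowed to be used. Allowed ports: []  spec.containers[2].securityContext.capabilities.add:
Invalid value:  "NET_ADMIN": capability may not be added
spec.containers[2].securityContext.capabilities.add: Invalid value:  "SYS_ADMIN": capability may not be added]'''

# PSP-side annotation that whitelists seccomp profiles for pods.
SECCOMP = "annotation seccomp.security.alpha.kubernetes.io/allowedProfileNames"

# (pattern, PSP control that has to permit the captured value)
RULES = [
    # Captured value is the container whose seccomp annotation was rejected.
    (r'annotations\[container\.seccomp\.security\.alpha\.kubernetes\.io/([\w.-]+)\]: '
     r'Forbidden: seccomp may not be set', SECCOMP),
    (r'spec\.volumes\[\d+\]: Invalid value: "(\w+)": \w+ volumes are not allowed',
     "spec.volumes"),
    (r'hostPort: Invalid value: (\d+): Host port', "spec.hostPorts"),
    (r'capabilities\.add: Invalid value: "(\w+)": capability may not be added',
     "spec.allowedCapabilities"),
]


def psp_requirements(message):
    """Return {PSP control: sorted unique values} named in a PSP admission rejection."""
    text = re.sub(r"\s+", " ", message)  # undo wrapping and doubled spaces
    needed = {}
    for pattern, control in RULES:
        values = sorted(set(re.findall(pattern, text)))
        if values:  # repeated violations (one per volume/container) collapse to one entry
            needed[control] = values
    return needed


if __name__ == "__main__":
    for control, values in psp_requirements(SAMPLE).items():
        print(f"{control}: {', '.join(values)}")
```
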

All 6 comments

Similarly DD_SITE isn't set on the datadog-clusterchecks resulting in the logs showing it attempting to send data to .com

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

Stalebot is great in an actively triaged repository.
This isn't.

I am getting similar issues with the latest version (7) while trying to enable systemProbe.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

This issue is being automatically closed due to inactivity.
