Datadog-agent: [Helm Chart/Cluster-Agent] MetricsAPI hardcoded to bind port 443, which under any reasonable PSP regime is a non-starter

Created on 22 Nov 2019 · 4 Comments · Source: DataDog/datadog-agent

Output of the info page (if this is a bug)

https://github.com/helm/charts/blob/master/stable/datadog/templates/cluster-agent-deployment.yaml#L75-L79

Describe what happened:
Under a Pod Security Policy regime, binding to port 443 will probably be disabled, as generally speaking CAP_NET_BIND_SERVICE is frowned upon.

It seems like the cluster agent may not support changing this port binding to another port, which means I need to create a psp exception for this feature to be enabled. If it does allow for this, perhaps default it to something like 8443 and allow it to be changed via env variable and support this change in the helm chart.

Describe what you expected:

This component to function without a psp exception for linux capabilities. I'm not sure there is a reason that you must expose this on a privileged port.

Steps to reproduce the issue:
Create a restricted psp with the following and try to run your component with it as the cluster agent's only option:

    "requiredDropCapabilities": [
        "ALL"
    ],

Additional environment details (Operating System, Cloud provider, etc):

Linux (CoreOS Container Linux), AWS, not important.


All 4 comments

Secondary issue. If I create an exception PSP with:

  allowedCapabilities: [
    "NET_BIND_SERVICE",
  ]

There is no way to inject the following snippet into the containerSpec in the helm chart:

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
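To make the interaction concrete, here is an added example (not code from the Datadog agent, its Helm chart, or Kubernetes itself) that models two things the thread hinges on: how a PodSecurityPolicy's capability rules admit or reject a container's securityContext, and whether the capabilities the process ends up with let it bind a privileged port such as 443. Assumptions: DEFAULT_CAPS is the usual container-runtime default capability set (Docker/containerd), the PSP logic is a simplified rendering of the apiserver's capability validation, and the PSP/securityContext inputs are constructed to mirror the restricted PSP in the issue body and the exception PSP plus securityContext snippet in the comment above.

```python
# Added example, not code from the Datadog agent, its Helm chart or Kubernetes.
# Simplified model of (1) PodSecurityPolicy capability validation and (2) whether
# the resulting capability set allows binding a privileged port.
# Assumption: DEFAULT_CAPS is the Docker/containerd default capability set.
DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})


def psp_violations(psp, security_context):
    """Reasons the PSP's capability rules would reject this container (empty = admitted).

    Simplified from the apiserver's PSP validation (assumption): a wildcard in
    allowedCapabilities skips the checks; otherwise every added capability must be
    allowed, and every requiredDropCapabilities entry must appear in the drop list.
    """
    caps = security_context.get("capabilities", {})
    add = set(caps.get("add", []))
    drop = set(caps.get("drop", []))
    allowed = set(psp.get("allowedCapabilities", []))
    if "*" in allowed:
        return []
    allowed |= set(psp.get("defaultAddCapabilities", []))
    problems = [f"{cap} may not be added (not in allowedCapabilities)"
                for cap in sorted(add - allowed)]
    for cap in psp.get("requiredDropCapabilities", []):
        if cap not in drop:
            problems.append(f"{cap} is required to be dropped but is not in the drop list")
    return problems


def effective_caps(security_context, default_caps=DEFAULT_CAPS):
    """Capabilities the container process ends up with: defaults minus drops plus adds."""
    caps = security_context.get("capabilities", {})
    add = set(caps.get("add", [])) - {"ALL"}
    drop = set(caps.get("drop", []))
    base = set() if "ALL" in drop else set(default_caps) - drop
    return frozenset(base | add)


def can_bind(port, caps, unprivileged_port_start=1024):
    """Linux allows binding below net.ipv4.ip_unprivileged_port_start only with CAP_NET_BIND_SERVICE."""
    return port >= unprivileged_port_start or "NET_BIND_SERVICE" in caps


# Constructed inputs mirroring the thread: the restricted PSP from the issue body,
# the exception PSP and securityContext snippet from the comment, an empty
# securityContext standing in for a chart that sets none, and a plain drop-ALL.
RESTRICTED_PSP = {"requiredDropCapabilities": ["ALL"]}
EXCEPTION_PSP = {"allowedCapabilities": ["NET_BIND_SERVICE"]}
CHART_DEFAULT_SC = {}
HARDENED_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["ALL"]},
}
DROP_ALL_SC = {"capabilities": {"drop": ["ALL"]}}


def scenario(psp, security_context, port):
    """Admission outcome under the PSP, plus whether the process could bind `port`."""
    violations = psp_violations(psp, security_context)
    return {
        "admitted": not violations,
        "violations": violations,
        "can_bind": can_bind(port, effective_caps(security_context)),
    }


if __name__ == "__main__":
    cases = [
        ("no PSP, chart default, port 443", {}, CHART_DEFAULT_SC, 443),
        ("restricted PSP, chart default, port 443", RESTRICTED_PSP, CHART_DEFAULT_SC, 443),
        ("restricted PSP, drop ALL, port 443", RESTRICTED_PSP, DROP_ALL_SC, 443),
        ("restricted PSP, drop ALL, port 8443", RESTRICTED_PSP, DROP_ALL_SC, 8443),
        ("exception PSP, explicit add, port 443", EXCEPTION_PSP, HARDENED_SC, 443),
        ("restricted PSP, explicit add, port 443", RESTRICTED_PSP, HARDENED_SC, 443),
    ]
    for name, psp, sc, port in cases:
        print(f"{name}: {scenario(psp, sc, port)}")
```

The scenarios trace the argument in the thread: port 443 works today only because NET_BIND_SERVICE is in the runtime's default set; once a restricted PSP forces `drop: [ALL]`, a bind to 443 fails while 8443 succeeds; and re-adding NET_BIND_SERVICE is only admitted under a PSP that lists it in allowedCapabilities, which is exactly the exception the reporter wants to avoid.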

Hey @SleepyBrett - Thank you for raising this one.
You are correct on the first issue: while the option external_metrics_provider.port is available, it is not documented and not exposed in our helm chart.
We backlogged this so it can be fixed asap.
As for the overall restriction of privileges strategy, we are also looking into it.

Thanks again.
Best,
.C

It would be good to have a pod security policy for datadog provided. Now it is a guess work to determine what it should be. At the moment even with

  allowedCapabilities:
    - "*"

I get the Failed to get host IPs. errors from the agent.

Any news on a pod security policy for the helm chart / agent?
