Output of the info page (if this is a bug)
Describe what happened:
Under a Pod Security Policy regime, binding to port 443 will probably be disabled, as generally speaking CAP_NET_BIND_SERVICE is frowned upon.
It seems like the cluster agent may not support changing this port binding to another port, which means I need to create a PSP exception for this feature to be enabled. If it does allow for this, perhaps default it to something like 8443, allow it to be changed via an env variable, and support this change in the helm chart.
Describe what you expected:
This component to function without a psp exception for linux capabilities. I'm not sure there is a reason that you must expose this on a privileged port.
Steps to reproduce the issue:
Create a restricted psp with the following and try to run your component with it as the cluster agent's only option:
"requiredDropCapabilities": [
  "ALL"
],
Additional environment details (Operating System, Cloud provider, etc):
Linux (CoreOS Container Linux), AWS, not important.
Secondary issue. If I create an exception PSP with:
allowedCapabilities: [
  "NET_BIND_SERVICE",
]
There is no way to inject the following snippet into the containerSpec in the helm chart:
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    add:
      - NET_BIND_SERVICE
    drop:
      - ALL
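To see how the two policies in this report interact with the chart's container spec, here is an added example, written for this page rather than taken from the Datadog agent, its helm chart or the Kubernetes source. It is a small Python model of the PSP capability rules (requiredDropCapabilities is merged into the container's drop list, and every added capability must appear in allowedCapabilities unless that list contains "*"), followed by a check of whether the resulting process can bind port 443. The runtime default capability set and the port-1024 threshold are assumptions about the container runtime and kernel, not something the thread states, and the scenario inputs are constructed from the report.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Capabilities a container gets when the pod spec says nothing. Assumption:
# this is the Docker default set, which includes NET_BIND_SERVICE.
RUNTIME_DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})


@dataclass
class Capabilities:
    """The container's securityContext.capabilities block."""
    add: List[str] = field(default_factory=list)
    drop: List[str] = field(default_factory=list)


@dataclass
class PodSecurityPolicy:
    """The two PSP fields this issue is about."""
    allowed_capabilities: List[str] = field(default_factory=list)
    required_drop_capabilities: List[str] = field(default_factory=list)


def psp_mutate(psp: PodSecurityPolicy, caps: Optional[Capabilities]) -> Optional[Capabilities]:
    """PSP admission merges requiredDropCapabilities into the container's drop list.
    A container that asks for nothing and has no required drops is left untouched."""
    container_drop = set(caps.drop) if caps else set()
    combined_drop = container_drop | set(psp.required_drop_capabilities)
    if caps is None and not combined_drop:
        return None
    return Capabilities(add=list(caps.add) if caps else [], drop=sorted(combined_drop))


def psp_validate(psp: PodSecurityPolicy, caps: Optional[Capabilities]) -> List[str]:
    """Return the admission errors for the (already mutated) capabilities."""
    errors: List[str] = []
    if caps is None:
        if psp.required_drop_capabilities:
            errors.append("required capabilities are not set on the securityContext")
        return errors
    allowed = set(psp.allowed_capabilities)
    if "*" in allowed:  # wildcard: every add is permitted, nothing else is checked
        return errors
    for cap in caps.add:
        if cap not in allowed:
            errors.append(f"capability may not be added: {cap}")
    for required in psp.required_drop_capabilities:
        if required not in caps.drop:
            errors.append(f"{required} is required to be dropped but was not found")
    return errors


def effective_caps(caps: Optional[Capabilities]) -> frozenset:
    """Bounding set the process ends up with: runtime defaults, minus drops, plus adds."""
    if caps is None:
        return RUNTIME_DEFAULT_CAPS
    base = frozenset() if "ALL" in caps.drop else RUNTIME_DEFAULT_CAPS - set(caps.drop)
    return base | set(caps.add)


def can_bind(caps: Optional[Capabilities], port: int) -> bool:
    """Ports below 1024 need CAP_NET_BIND_SERVICE; anything above is unprivileged."""
    return port >= 1024 or "NET_BIND_SERVICE" in effective_caps(caps)


def admit_and_bind(psp, caps, port):
    """Run a container spec through the PSP and report (admitted, errors, can_bind)."""
    mutated = psp_mutate(psp, caps)
    errors = psp_validate(psp, mutated)
    if errors:
        return (False, errors, False)
    return (True, [], can_bind(mutated, port))


# Scenarios taken from the issue (constructed inputs, not real cluster objects).
RESTRICTED = PodSecurityPolicy(required_drop_capabilities=["ALL"])
EXCEPTION = PodSecurityPolicy(allowed_capabilities=["NET_BIND_SERVICE"])
NO_SECURITY_CONTEXT = None  # what the chart emits today
HARDENED = Capabilities(add=["NET_BIND_SERVICE"], drop=["ALL"])  # the snippet the chart cannot inject

if __name__ == "__main__":
    for name, psp, caps, port in [
        ("restricted PSP, chart default, port 443", RESTRICTED, NO_SECURITY_CONTEXT, 443),
        ("restricted PSP, chart default, port 8443", RESTRICTED, NO_SECURITY_CONTEXT, 8443),
        ("restricted PSP, hardened snippet, port 443", RESTRICTED, HARDENED, 443),
        ("exception PSP, chart default, port 443", EXCEPTION, NO_SECURITY_CONTEXT, 443),
        ("exception PSP, hardened snippet, port 443", EXCEPTION, HARDENED, 443),
    ]:
        print(name, "->", admit_and_bind(psp, caps, port))
```

Running it puts the report's two complaints side by side: under the restricted PSP the chart's default spec is admitted but ends up with an empty capability set and cannot bind 443 (8443 works with no capability at all), and under the exception PSP the chart's default spec is admitted with the runtime's full default set because it never drops anything, which is why the hardened snippet needs a way into the chart.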
Hey @SleepyBrett - Thank you for raising this one.
You are correct for the first issue, while the option external_metrics_provider.port is available, it is not documented and not exposed in our helm chart.
We backlogged this so it can be fixed asap.
As for the overall restriction of privileges strategy, we are also looking into it.
Thanks again.
Best,
.C
It would be good to have a pod security policy for datadog provided. Now it is guesswork to determine what it should be. At the moment, even with
allowedCapabilities:
  - "*"
I get the "Failed to get host IPs." errors from the agent.
Any news on a pod security policy for the helm chart / agent?