Comments (2)
Hi @praseodym,
Thanks for opening this issue, I'm adding this issue to our backlog.
IMO the cluster-agent doesn't need to run as root. So if we apply the proper level of permission to the cluster-agent container by default, it should also solve the issue.
Could you share with us what security context you want to apply to the cluster-agent?
from datadog-operator.
The cluster agent runs as root by default, the image doesn't specify that it should run as another user:
$ docker run --rm -it --entrypoint /bin/id gcr.io/datadoghq/cluster-agent:1.13.1
uid=0(root) gid=0(root) groups=0(root)
To fix that I'd need to set the securityContext.runAsUser property to the correct uid. If the image does need to run as root, I'd need to set securityContext.runAsNonRoot to false.
Another solution would be to update the cluster agent Docker image to use a numeric uid greater than 0 (i.e. non-root) as its USER. It needs to be numeric because usernames can resolve to uid 0, and kubelet explicitly checks this.
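The kubelet check the second comment refers to, as an added illustration (constructed Go code, not from datadog-operator or the kubelet; the ContainerSpec type and function names are my own): it reproduces the runAsNonRoot decision for the image as shipped, for both fixes mentioned above, and for a USER given by name rather than uid.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ContainerSpec: the two pod-spec fields from the thread plus the image USER ("" when unset).
type ContainerSpec struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
	ImageUser    string
}

// imageUID: uid the image would start as; ok=false when USER is a name (unresolvable without /etc/passwd).
func imageUID(user string) (uid int64, ok bool) {
	user = strings.SplitN(user, ":", 2)[0] // drop an optional ":group"
	if user == "" {
		return 0, true // no USER directive: the container starts as root
	}
	uid, err := strconv.ParseInt(user, 10, 64)
	return uid, err == nil
}

// VerifyRunAsNonRoot mirrors the kubelet's runAsNonRoot decision; nil means the container starts.
func VerifyRunAsNonRoot(c ContainerSpec) error {
	if c.RunAsNonRoot == nil || !*c.RunAsNonRoot {
		return nil // nothing asserted, so running as root is allowed
	}
	if c.RunAsUser != nil { // an explicit uid in the pod spec wins over the image
		if *c.RunAsUser == 0 {
			return fmt.Errorf("runAsUser 0 breaks non-root policy")
		}
		return nil
	}
	uid, ok := imageUID(c.ImageUser)
	if !ok {
		return fmt.Errorf("image has non-numeric user %q, cannot verify user is non-root", c.ImageUser)
	}
	if uid == 0 {
		return fmt.Errorf("image will run as root")
	}
	return nil
}

func main() {
	t, uid := true, int64(1000)
	fmt.Println(VerifyRunAsNonRoot(ContainerSpec{RunAsNonRoot: &t}))                  // image runs as root: error
	fmt.Println(VerifyRunAsNonRoot(ContainerSpec{RunAsNonRoot: &t, RunAsUser: &uid})) // uid set: <nil>
}
```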