DataDog / helm-charts

Helm charts for Datadog products
Apache License 2.0

warden validating #1436

Closed Aravind1802 closed 6 days ago

Aravind1802 commented 1 week ago

Describe what happened: Error: cannot patch "datadog" with kind DaemonSet: admission webhook "warden-validating.common-webhooks.networking.gke.io" denied the request: GKE Warden rejected the request because it violates one or more constraints

Violations details:
{
  "[denied by autogke-no-host-port]": [
    "container agent specifies host ports [8125], which are disallowed in Autopilot.",
    "container trace-agent specifies host ports [8126], which are disallowed in Autopilot."
  ],
  "[denied by autogke-no-write-mode-hostpath]": [
    "hostPath volume pointerdir in container agent is accessed in write mode; disallowed in Autopilot.",
    "hostPath volume runtimesocketdir used in container agent uses path /var/run/containerd which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume procdir used in container agent uses path /proc which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume cgroups used in container agent uses path /sys/fs/cgroup which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume logdockercontainerpath used in container agent uses path /var/lib/docker/containers which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume runtimesocketdir used in container trace-agent uses path /var/run/containerd which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume runtimesocketdir used in container process-agent uses path /var/run/containerd which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume cgroups used in container process-agent uses path /sys/fs/cgroup which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume passwd used in container process-agent uses path /etc/passwd which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume procdir used in container process-agent uses path /proc which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume procdir used in container init-config uses path /proc which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/].",
    "hostPath volume runtimesocketdir used in container init-config uses path /var/run/containerd which is not allowed in Autopilot. Allowed path prefixes for hostPath volumes are: [/var/log/]."
  ]
}

Describe what you expected:

I wanted to update datadog helm_release minor version from 3.66.0 to 3.67.1

Steps to reproduce the issue:

Additional environment details (Operating System, Cloud provider, etc):

GKE autopilot cluster.

JacksonDavenport commented 6 days ago

Hello, that does look like a recent issue introduced in the 3.67.0 version of our Helm Chart and the introduction of a startupProbe to the agent container. https://github.com/DataDog/helm-charts/pull/1420

Of note, if we don't meet certain pattern requirements in GKE Autopilot it will flag pretty much everything. So those hostPath and hostPort values are fine in general under the Datadog exemptions.

For now, we'd recommend staying on the latest version prior to this. For example:

helm upgrade datadog -f values.yaml datadog/datadog --version 3.66.1

We'll get that looked at.
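A pre-flight check, added here and not part of the Datadog chart, that mirrors the two Autopilot constraints quoted in the denial above (host ports, and hostPath volumes that are writable or outside /var/log/) so a rendered DaemonSet can be checked before the admission webhook rejects it. The sample pod spec is constructed to resemble the containers named in the denial; its mount paths are assumptions, and the check does not model the partner exemptions JacksonDavenport mentions.

```python
# Added example (not part of the Datadog chart): a pre-flight check that mirrors
# the two GKE Autopilot constraints quoted in the denial, run over .spec.template.spec
# of a rendered DaemonSet (e.g. helm template ... | kubectl create --dry-run=client -o json).
ALLOWED_HOSTPATH_PREFIXES = ("/var/log/",)  # prefix list taken from the denial message

def autopilot_violations(pod_spec, allowed_prefixes=ALLOWED_HOSTPATH_PREFIXES):
    """Return (constraint, message) tuples; an empty list means the spec would be admitted."""
    findings = []
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod_spec.get("volumes", []) if "hostPath" in v}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        ports = [p["hostPort"] for p in c.get("ports", []) if "hostPort" in p]
        if ports:
            findings.append(("autogke-no-host-port",
                             f"container {c['name']} specifies host ports {ports}"))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # emptyDir/configMap/secret mounts are not constrained
            if not m.get("readOnly", False):  # any writable hostPath is rejected outright
                findings.append(("autogke-no-write-mode-hostpath",
                                 f"hostPath volume {m['name']} in container {c['name']} is accessed in write mode"))
            elif not path.startswith(allowed_prefixes):  # read-only is fine only under /var/log/
                findings.append(("autogke-no-write-mode-hostpath",
                                 f"hostPath volume {m['name']} in container {c['name']} uses path {path}"))
    return findings

# Constructed sample mirroring the containers/volumes named in the denial (mount paths assumed).
SAMPLE_POD_SPEC = {
    "volumes": [
        {"name": "pointerdir", "hostPath": {"path": "/opt/datadog-agent/run"}},
        {"name": "runtimesocketdir", "hostPath": {"path": "/var/run/containerd"}},
        {"name": "logpodpath", "hostPath": {"path": "/var/log/pods"}},
        {"name": "config", "emptyDir": {}},
    ],
    "containers": [
        {"name": "agent",
         "ports": [{"containerPort": 8125, "hostPort": 8125, "protocol": "UDP"}],
         "volumeMounts": [
             {"name": "pointerdir", "mountPath": "/opt/datadog-agent/run"},
             {"name": "runtimesocketdir", "mountPath": "/host/var/run/containerd", "readOnly": True},
             {"name": "logpodpath", "mountPath": "/var/log/pods", "readOnly": True},
             {"name": "config", "mountPath": "/etc/datadog-agent"}]},
        {"name": "trace-agent",
         "ports": [{"containerPort": 8126, "hostPort": 8126}],
         "volumeMounts": [{"name": "runtimesocketdir", "mountPath": "/host/var/run/containerd", "readOnly": True}]},
    ],
}
```

Running `autopilot_violations(SAMPLE_POD_SPEC)` yields five findings (two host-port, one write-mode, two disallowed-path), matching the shape of the webhook's denial; a spec that only mounts read-only paths under /var/log/ and declares no hostPort comes back empty.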

JacksonDavenport commented 6 days ago

👍 Fixed in 3.67.2