DataDog / helm-charts

Helm charts for Datadog products
Apache License 2.0

Admission controller violates Kubernetes baseline PodSecurityStandard #1480

Closed matt-matt-tmatt closed 1 month ago

matt-matt-tmatt commented 1 month ago

Describe what happened:

When the Datadog admission controller is enabled, pods are created with a hostPath volume, which violates the Kubernetes baseline PodSecurityStandard.

Everything is back to normal when the admission controller is disabled.

❯ kubectl get events --sort-by='.lastTimestamp'
...
40m         Warning   FailedCreate        replicaset/redacted      Error creating: pods "redacted" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volume "datadog")
...

Additional environment details (Operating System, Cloud provider, etc):

Server Version: v1.28.11-eks-db838b0

❯ k get po datadog-95n7g -o jsonpath={..image}
eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2 eu.gcr.io/datadoghq/agent:7.55.2%

❯ helm list
NAME    NAMESPACE   REVISION    UPDATED                                 STATUS      CHART           APP VERSION
datadog datadog     10          2024-08-06 16:30:53.922109 +0300 EEST   deployed    datadog-3.69.3  7

matt-matt-tmatt commented 1 month ago

Moved this to the agent repository https://github.com/DataDog/datadog-agent/issues/28274
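
The rule behind the FailedCreate event reported above, as an added example that is not part of the original issue or of Datadog's or Kubernetes' code: a simplified re-implementation of the baseline "no hostPath volumes" check, run over a pod manifest so a mutated pod can be tested before it reaches an enforcing namespace. The manifest, the paths and the function names are constructed for illustration.

```python
import json

# Constructed pod manifest (not from the issue): a workload pod after a
# mutating webhook has added a hostPath volume named "datadog".
# Both paths are placeholders; the issue does not state them.
MUTATED_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "redacted", "namespace": "default"},
  "spec": {
    "containers": [{
      "name": "app", "image": "example.invalid/app:1",
      "volumeMounts": [
        {"name": "datadog", "mountPath": "/placeholder/mount"},
        {"name": "tmp", "mountPath": "/tmp"}
      ]
    }],
    "volumes": [
      {"name": "datadog", "hostPath": {"path": "/placeholder/host/path"}},
      {"name": "tmp", "emptyDir": {}}
    ]
  }
}
""")


def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload with spec.template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def hostpath_volumes(obj):
    """Names of volumes whose source is hostPath (baseline allows none)."""
    return [v["name"] for v in pod_spec(obj).get("volumes") or []
            if v.get("hostPath") is not None]


def baseline_hostpath_violation(obj):
    """Message shaped like the one in the event above, or None if clean."""
    names = hostpath_volumes(obj)
    if not names:
        return None
    noun = "volume" if len(names) == 1 else "volumes"
    quoted = ", ".join('"%s"' % n for n in names)
    return "hostPath volumes (%s %s)" % (noun, quoted)


if __name__ == "__main__":
    print(baseline_hostpath_violation(MUTATED_POD))
```

Feeding it the JSON of a pod as actually admitted in a non-enforcing namespace shows which injected volume would be rejected under `baseline`.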