This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/datadog] Add some missing syscalls to the system-probe seccomp profile #21456

Merged
merged 1 commit into from
Mar 17, 2020

Conversation

L3n41c
Collaborator

@L3n41c L3n41c commented Mar 13, 2020

What this PR does / why we need it:

Add some missing syscalls to the system-probe seccomp profile

Which issue this PR fixes

There are some OS / kernel versions where system-probe ends up in a CrashLoopBackOff state with the current seccomp profile. Reverting to the default seccomp profile fixes the issue, which is a sign that the current seccomp profile is too restrictive on those platforms.

So I ran system-probe under strace with the default seccomp profile to see all the syscalls it makes, and I added the ones that were missing to the custom seccomp profile.

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • DCO signed
  • Chart Version bumped
  • Variables are documented in the README.md
  • Title of the PR starts with chart name (e.g. [stable/mychartname])
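As an added example (not code from this PR or the chart), the approach the description takes, in script form: read strace output of the process run under the permissive profile, and report the syscalls the restrictive profile does not allow. The trace lines and the profile below are constructed stand-ins, not the chart's real system-probe profile.

```python
import json
import re

# strace -f -o trace.txt writes "<pid> <syscall>(<args>) = <ret>"; lines such as
# "+++ exited with 0 +++", "--- SIGCHLD ..." and "<... resumed>" carry no syscall name.
_STRACE_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")

def syscalls_from_strace(lines):
    """Return the set of syscall names that appear in strace output lines."""
    names = set()
    for line in lines:
        m = _STRACE_LINE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names

def allowed_syscalls(profile):
    """Collect every syscall name a seccomp profile (Docker/Kubernetes JSON
    format) explicitly allows through SCMP_ACT_ALLOW rules."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
    return allowed

def missing_syscalls(trace_lines, profile):
    """Syscalls seen in the trace that the profile does not allow; with a
    defaultAction of SCMP_ACT_ERRNO each one fails at runtime (the crash loop)."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return set()  # everything not listed is allowed anyway
    return syscalls_from_strace(trace_lines) - allowed_syscalls(profile)

# Constructed sample strace output (not a real system-probe trace).
SAMPLE_TRACE = """\
12345 execve("/opt/datadog-agent/embedded/bin/system-probe", [...], 0x7ffd) = 0
12345 brk(NULL) = 0x55d1c0a0e000
12345 openat(AT_FDCWD, "/etc/datadog-agent/system-probe.yaml", O_RDONLY) = 3
12346 futex(0xc000042948, FUTEX_WAKE_PRIVATE, 1) = 1
12346 <... bpf resumed>) = 4
12345 bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, ...}, 120) = 4
12345 perf_event_open({type=PERF_TYPE_TRACEPOINT, ...}, -1, 0, -1, 0) = 5
12345 sched_getaffinity(0, 8192, [0, 1]) = 8
12345 +++ exited with 0 +++
""".splitlines()

# Constructed profile in the Kubernetes/Docker seccomp JSON format; it is NOT
# the chart's real system-probe profile, only a small stand-in for the demo.
SAMPLE_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["execve", "brk", "openat", "futex", "bpf"],
     "action": "SCMP_ACT_ALLOW"}
  ]
}""")

if __name__ == "__main__":
    for name in sorted(missing_syscalls(SAMPLE_TRACE, SAMPLE_PROFILE)):
        print(f"missing from profile: {name}")
```

Running it against the real profile and a real trace is the same call with the chart's JSON and the `strace -f -o` file read with `splitlines()`.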

@helm-bot helm-bot added Contribution Allowed If the contributor has signed the DCO or the CNCF CLA (prior to the move to a DCO). size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 13, 2020
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 13, 2020
@k8s-ci-robot
Contributor

Hi @L3n41c. Thanks for your PR.

I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@clamoriniere
Collaborator

/ok-to-test
Hi @L3n41c, could you please rebase this PR?

@k8s-ci-robot k8s-ci-robot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 15, 2020
@L3n41c
Collaborator Author

L3n41c commented Mar 16, 2020

Hi @clamoriniere,
This PR has just been rebased.

…omp profile

The added syscalls are syscalls that an unconfined `system-probe` would do.

Signed-off-by: Lénaïc Huard <lenaic.huard@datadoghq.com>
@helm-bot helm-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 17, 2020
@clamoriniere
Collaborator

/ok-to-test

@clamoriniere
Collaborator

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clamoriniere, L3n41c

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 017b3c0 into helm:master Mar 17, 2020
@L3n41c L3n41c deleted the seccomp branch March 18, 2020 08:06
omerli pushed a commit to omerli/charts that referenced this pull request Mar 19, 2020
…omp profile (helm#21456)

The added syscalls are syscalls that an unconfined `system-probe` would do.

Signed-off-by: Lénaïc Huard <lenaic.huard@datadoghq.com>
Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>
k8s-ci-robot pushed a commit that referenced this pull request Mar 19, 2020
…template (#21510)

* enable deployment annotations, bump chart version (#21502)

Signed-off-by: Ryan Holt <ryan@ryanholt.net>
Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

* [stable/datalog] Do not enable the `cri` check when running on a `docker` setup (#21476)

Signed-off-by: Lénaïc Huard <lenaic.huard@datadoghq.com>
Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

* [stable/datadog] Add some missing syscalls to the `system-probe` seccomp profile (#21456)

The added syscalls are syscalls that an unconfined `system-probe` would do.

Signed-off-by: Lénaïc Huard <lenaic.huard@datadoghq.com>
Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

* [stable/minio] corrected syntax error in statefulset (#21503)

* corrected syntax error in statefulset

Signed-off-by: Thomas Wilkinson <thomas.wilkinson@us.ibm.com>

* chart version bump

Signed-off-by: Thomas Wilkinson <thomas.wilkinson@us.ibm.com>
Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

* [stable/redis-ha] Make emptyDir configurable from values (#21489)

Signed-off-by: Jeroen Castelein <jeroencastelein11@gmail.com>
Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

* Set DD_APM_ENABLED

With the new Helm chart, even if `datadog.apm.enabled` is set to false, it reverts to the docker defaults (true). 
Having the trace-agent running in the background is pretty harmless from a resource overhead standpoint, however, the logic of the helm chart will automatically do the 8126 port-forwarding, and since we don't want non-apm customers to have this port exposed, we need to respect the chart settings.

Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

* Bumped version

Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

* 2.0.12

Fixed a bug where datadog.apm.enabled was not being respected

Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

* re-applying the changes

Signed-off-by: Omer Lifshitz <omer.lifshitz@datadoghq.com>

Co-authored-by: Ryan Holt <ryan@ryanholt.net>
Co-authored-by: Lénaïc Huard <L3n41c@users.noreply.github.com>
Co-authored-by: Thomas Wilkinson <thomas@capnajax.com>
Co-authored-by: Jeroen Castelein <jeroen.castelein@kpn.com>
fowlie pushed a commit to fowlie/charts that referenced this pull request Mar 20, 2020
fowlie pushed a commit to fowlie/charts that referenced this pull request Mar 20, 2020
irlevesque pushed a commit to quantopian/charts that referenced this pull request Jul 13, 2020
irlevesque pushed a commit to quantopian/charts that referenced this pull request Jul 13, 2020
includerandom pushed a commit to includerandom/helm_charts that referenced this pull request Jul 19, 2020
includerandom pushed a commit to includerandom/helm_charts that referenced this pull request Jul 19, 2020
li-adrienloiseau pushed a commit to li-adrienloiseau/charts that referenced this pull request Jul 29, 2020
li-adrienloiseau pushed a commit to li-adrienloiseau/charts that referenced this pull request Jul 29, 2020
mmingorance-dh pushed a commit to mmingorance-dh/charts that referenced this pull request Aug 28, 2020
mmingorance-dh pushed a commit to mmingorance-dh/charts that referenced this pull request Aug 28, 2020