[CWS] Remove UID / GID from cws instrumentation security context (#23674

)
DataDog · Mar 13, 2024 · 2597229 · 2597229
1 parent 9e3202c
commit 2597229
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 37 deletions.
diff --git a/Dockerfiles/cws-instrumentation/Dockerfile b/Dockerfiles/cws-instrumentation/Dockerfile
@@ -1,4 +1,4 @@
 FROM scratch
 ARG TARGETARCH
 COPY --chmod=0755 cws-instrumentation.$TARGETARCH /cws-instrumentation
-USER 10000
+USER 1000
diff --git a/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation.go b/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation.go
@@ -41,8 +41,6 @@ const (
 	cwsInstrumentationPodAnotationReady  = "ready"
 	cwsInjectorInitContainerName         = "cws-instrumentation"
 	cwsUserSessionDataMaxSize            = 1024
-	cwsInjectorInitContainerUser         = int64(10000)
-	cwsInjectorInitContainerGroup        = int64(10000)
 
 	// PodLabelEnabled is used to label pods that should be instrumented or skipped by the CWS mutating webhook
 	PodLabelEnabled = "admission.datadoghq.com/cws-instrumentation.enabled"
@@ -451,9 +449,6 @@ func injectCWSInitContainer(pod *corev1.Pod, resources *corev1.ResourceRequireme
 		}
 	}
 
-	runAsUser := cwsInjectorInitContainerUser
-	runAsGroup := cwsInjectorInitContainerGroup
-
 	initContainer := corev1.Container{
 		Name:    cwsInjectorInitContainerName,
 		Image:   image,
@@ -464,11 +459,6 @@ func injectCWSInitContainer(pod *corev1.Pod, resources *corev1.ResourceRequireme
 				MountPath: cwsMountPath,
 			},
 		},
-		// Set a default user and group to support pod deployments with a `runAsNonRoot` security context
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser:  &runAsUser,
-			RunAsGroup: &runAsGroup,
-		},
 	}
 	if resources != nil {
 		initContainer.Resources = *resources

diff --git a/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation_test.go b/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation_test.go
@@ -446,8 +446,6 @@ func Test_injectCWSCommandInstrumentation(t *testing.T) {
 
 func Test_injectCWSPodInstrumentation(t *testing.T) {
 	commonRegistry := "gcr.io/datadoghq"
-	runAsUser := cwsInjectorInitContainerUser
-	runAsGroup := cwsInjectorInitContainerGroup
 
 	type args struct {
 		pod *corev1.Pod
@@ -501,10 +499,6 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
-				SecurityContext: &corev1.SecurityContext{
-					RunAsUser:  &runAsUser,
-					RunAsGroup: &runAsGroup,
-				},
 			},
 			wantInstrumentation: true,
 		},
@@ -528,10 +522,6 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
-				SecurityContext: &corev1.SecurityContext{
-					RunAsUser:  &runAsUser,
-					RunAsGroup: &runAsGroup,
-				},
 			},
 			wantInstrumentation: true,
 		},
@@ -555,10 +545,6 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
-				SecurityContext: &corev1.SecurityContext{
-					RunAsUser:  &runAsUser,
-					RunAsGroup: &runAsGroup,
-				},
 			},
 			wantInstrumentation: true,
 		},
@@ -593,10 +579,6 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
-				SecurityContext: &corev1.SecurityContext{
-					RunAsUser:  &runAsUser,
-					RunAsGroup: &runAsGroup,
-				},
 			},
 			wantInstrumentation: true,
 		},
@@ -657,10 +639,6 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
-				SecurityContext: &corev1.SecurityContext{
-					RunAsUser:  &runAsUser,
-					RunAsGroup: &runAsGroup,
-				},
 			},
 			wantInstrumentation: true,
 		},
@@ -701,10 +679,6 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
-				SecurityContext: &corev1.SecurityContext{
-					RunAsUser:  &runAsUser,
-					RunAsGroup: &runAsGroup,
-				},
 			},
 			wantInstrumentation: true,
 		},