
Fix CWS Instrumentation webhook label selector and error handling
Gui774ume committed Jun 28, 2024
1 parent 45fe11b commit d543272
Showing 7 changed files with 92 additions and 159 deletions.
7 changes: 0 additions & 7 deletions LICENSE-3rdparty.csv
Expand Up @@ -176,8 +176,6 @@ core,github.com/Azure/go-amqp/internal/encoding,MIT,Copyright (C) 2017 Kale Blan
core,github.com/Azure/go-amqp/internal/frames,MIT,Copyright (C) 2017 Kale Blankenship | Copyright (C) Microsoft Corporation
core,github.com/Azure/go-amqp/internal/queue,MIT,Copyright (C) 2017 Kale Blankenship | Copyright (C) Microsoft Corporation
core,github.com/Azure/go-amqp/internal/shared,MIT,Copyright (C) 2017 Kale Blankenship | Copyright (C) Microsoft Corporation
core,github.com/Azure/go-ansiterm,MIT,Copyright (c) 2015 Microsoft Corporation
core,github.com/Azure/go-ansiterm/winterm,MIT,Copyright (c) 2015 Microsoft Corporation
core,github.com/Azure/go-autorest,Apache-2.0,Copyright 2015 Microsoft Corporation
core,github.com/Azure/go-autorest/autorest,Apache-2.0,Copyright 2015 Microsoft Corporation
core,github.com/Azure/go-autorest/autorest/adal,Apache-2.0,Copyright 2015 Microsoft Corporation
Expand Down Expand Up @@ -1916,7 +1914,6 @@ core,github.com/mitchellh/copystructure,MIT,Copyright (c) 2014 Mitchell Hashimot
core,github.com/mitchellh/go-homedir,MIT,Copyright (c) 2013 Mitchell Hashimoto
core,github.com/mitchellh/go-ps,MIT,Copyright (c) 2014 Mitchell Hashimoto
core,github.com/mitchellh/go-testing-interface,MIT,Copyright (c) 2016 Mitchell Hashimoto
core,github.com/mitchellh/go-wordwrap,MIT,Copyright (c) 2014 Mitchell Hashimoto
core,github.com/mitchellh/hashstructure,MIT,Copyright (c) 2016 Mitchell Hashimoto
core,github.com/mitchellh/hashstructure/v2,MIT,Copyright (c) 2016 Mitchell Hashimoto
core,github.com/mitchellh/mapstructure,MIT,Copyright (c) 2013 Mitchell Hashimoto
Expand All @@ -1935,8 +1932,6 @@ core,github.com/moby/sys/mountinfo,Apache-2.0,Copyright (c) 2014-2018 The Docker
core,github.com/moby/sys/sequential,Apache-2.0,Kir Kolyshkin <[email protected]>|Sebastiaan van Stijn <[email protected]>|Sebastiaan van Stijn <[email protected]>|Tibor Vass <[email protected]>|Brian Goff <[email protected]>|John Howard <[email protected]>|Victor Vieux <[email protected]>|Michael Crosby <[email protected]>|Daniel Nephin <[email protected]>|Tianon Gravi <[email protected]>|Vincent Batts <[email protected]>|Akihiro Suda <[email protected]>|Michael Crosby <[email protected]>|Yong Tang <[email protected]>|Kir Kolyshkin <[email protected]>|Christopher Jones <[email protected]>|Guillaume J. Charmes <[email protected]>|Kato Kazuyoshi <[email protected]>|Manu Gupta <[email protected]>|Michael Crosby <[email protected]>|Vincent Demeester <[email protected]>|Aleksa Sarai <[email protected]>|Amit Krishnan <[email protected]>|Arnaud Porterie <[email protected]>|Brian Goff <[email protected]>|Brian Goff <[email protected]>|Dan Walsh <[email protected]>|Michael Crosby <[email protected]>|Phil Estes <[email protected]>|Shengjing Zhu <[email protected]>|Solomon Hykes <[email protected]>|Tobias Klauser <[email protected]>|lalyos <[email protected]>|unclejack <[email protected]>|Akihiro Suda <[email protected]>|Alexander Morozov <[email protected]>|Jessica Frazelle <[email protected]>|Jessica Frazelle <[email protected]>|Jessie Frazelle <[email protected]>|Justas Brazauskas <[email protected]>|Justin Cormack <[email protected]>|Kazuyoshi Kato <[email protected]>|Naveed Jamil <[email protected]>|Vincent Demeester <[email protected]>|shuai-z <[email protected]>|Ahmet Alp Balkan <[email protected]>|Aleksa Sarai <[email protected]>|Alexander Larsson <[email protected]>|Alexander Morozov <[email protected]>|Alexandr Morozov <[email protected]>|Alexandr Morozov <[email protected]>|Antonio Murdaca <[email protected]>|Antonio Murdaca <[email protected]>|Antonio Murdaca <[email protected]>|Artem Khramov <[email protected]>|Cezar Sa Espinola <[email protected]>|Chen Hanxiao 
<[email protected]>|Darren Stahl <[email protected]>|David Calavera <[email protected]>|Derek McGowan <[email protected]>|Eng Zer Jun <[email protected]>|Erik Dubbelboer <[email protected]>|Fabian Kramm <[email protected]>|Guillaume Dufour <[email protected]>|Guillaume J. Charmes <[email protected]>|Hajime Tazaki <[email protected]>|Jamie Hannaford <[email protected]>|Jason A. Donenfeld <[email protected]>|Jhon Honce <[email protected]>|Josh Soref <[email protected]>|Kasper Fabæch Brandt <[email protected]>|Kathryn Baldauf <[email protected]>|Kenfe-Mickael Laventure <[email protected]>|Kirill Kolyshkin <[email protected]>|Muhammad Kaisar Arkhan <[email protected]>|Oli <[email protected]>|Olli Janatuinen <[email protected]>|Paul Nasrat <[email protected]>|Peter Bourgon <[email protected]>|Peter Waller <[email protected]>|Phil Estes <[email protected]>|Samuel Karp <[email protected]>|Stefan J. Wernli <[email protected]>|Steven Hartland <[email protected]>|Stig Larsson <[email protected]>|Tim Wang <[email protected]>|Victor Vieux <[email protected]>|Victor Vieux <[email protected]>|Yan Feng <[email protected]>|jhowardmsft <[email protected]>|liuxiaodong <[email protected]>|phineas <[email protected]>|unclejack <[email protected]>|yuexiao-wang <[email protected]>|谢致邦 (XIE Zhibang) <[email protected]>
core,github.com/moby/sys/signal,Apache-2.0,Copyright (c) 2014-2018 The Docker & Go Authors. All rights reserved.
core,github.com/moby/sys/user,Apache-2.0,Copyright (c) 2014-2018 The Docker & Go Authors. All rights reserved.
core,github.com/moby/term,Apache-2.0,"Copyright 2013-2018 Docker, Inc | copyright 2015 Docker, inc. Code released under the Apache 2.0 license. Docs released under Creative commons"
core,github.com/moby/term/windows,Apache-2.0,"Copyright 2013-2018 Docker, Inc | copyright 2015 Docker, inc. Code released under the Apache 2.0 license. Docs released under Creative commons"
core,github.com/modern-go/concurrent,Apache-2.0,Copyright (c) 2018 Tao Wen
core,github.com/modern-go/reflect2,Apache-2.0,Copyright (c) 2018 Tao Wen
core,github.com/mohae/deepcopy,MIT,Copyright (c) 2014 Joel
Expand Down Expand Up @@ -4750,8 +4745,6 @@ core,k8s.io/kube-state-metrics/v2/pkg/watch,Apache-2.0,Copyright 2014 The Kubern
core,k8s.io/kubectl/pkg/cmd/util,Apache-2.0,Copyright 2014 The Kubernetes Authors.
core,k8s.io/kubectl/pkg/cmd/util/podcmd,Apache-2.0,Copyright 2014 The Kubernetes Authors.
core,k8s.io/kubectl/pkg/scheme,Apache-2.0,Copyright 2014 The Kubernetes Authors.
core,k8s.io/kubectl/pkg/util/interrupt,Apache-2.0,Copyright 2014 The Kubernetes Authors.
core,k8s.io/kubectl/pkg/util/term,Apache-2.0,Copyright 2014 The Kubernetes Authors.
core,k8s.io/kubelet/pkg/apis/stats/v1alpha1,Apache-2.0,Copyright 2014 The Kubernetes Authors.
core,k8s.io/metrics/pkg/apis/custom_metrics,Apache-2.0,Copyright 2014 The Kubernetes Authors.
core,k8s.io/metrics/pkg/apis/custom_metrics/install,Apache-2.0,Copyright 2014 The Kubernetes Authors.
3 changes: 0 additions & 3 deletions go.mod
Expand Up @@ -694,7 +694,6 @@ require (
github.com/jmoiron/sqlx v1.4.0
github.com/judwhite/go-svc v1.2.1
github.com/kr/pretty v0.3.1
github.com/moby/term v0.5.0
github.com/planetscale/vtprotobuf v0.6.0
github.com/prometheus-community/pro-bing v0.3.0
github.com/rickar/props v1.0.0
Expand Down Expand Up @@ -750,7 +749,6 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2 // indirect
github.com/Azure/azure-storage-queue-go v0.0.0-20230531184854-c06a8eff66fe // indirect
github.com/Azure/go-amqp v1.0.5 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.29 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
Expand Down Expand Up @@ -954,7 +952,6 @@ require (
github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
github.com/mitchellh/go-ps v1.0.0 // indirect
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/hashstructure v1.1.0 // indirect
github.com/moby/spdystream v0.2.0 // indirect
github.com/moby/sys/sequential v0.5.0 // indirect
4 changes: 0 additions & 4 deletions go.sum


Expand Up @@ -66,6 +66,7 @@ const (
cwsExcludedResourceReason = "excluded_resource"
cwsDescribePodErrorReason = "describe_pod_error"
cwsExcludedByAnnotationReason = "excluded_by_annotation"
cwsExcludedByLabelReason = "excluded_by_label"
cwsPodNotInstrumentedReason = "pod_not_instrumented"
cwsReadonlyFilesystemReason = "readonly_filesystem"
cwsMissingArchReason = "missing_arch"
Expand Down Expand Up @@ -268,6 +269,8 @@ type CWSInstrumentation struct {
mode InstrumentationMode
// mountVolumeForRemoteCopy
mountVolumeForRemoteCopy bool
// directoryForRemoteCopy
directoryForRemoteCopy string
// clusterAgentServiceAccount holds the service account name of the cluster agent
clusterAgentServiceAccount string

Expand Down Expand Up @@ -317,6 +320,7 @@ func NewCWSInstrumentation(wmeta workloadmeta.Component) (*CWSInstrumentation, e
return nil, fmt.Errorf("can't initiatilize CWS Instrumentation: %v", err)
}
ci.mountVolumeForRemoteCopy = config.Datadog().GetBool("admission_controller.cws_instrumentation.remote_copy.mount_volume")
ci.directoryForRemoteCopy = config.Datadog().GetString("admission_controller.cws_instrumentation.remote_copy.directory")

if ci.mode == RemoteCopy {
// build the cluster agent service account
Expand Down Expand Up @@ -450,6 +454,12 @@ func (ci *CWSInstrumentation) injectCWSCommandInstrumentation(exec *corev1.PodEx
return false, errors.New(metrics.InternalError)
}

// is the pod excluded explicitly ? (we can filter out with labels in the webhook selector on pods / exec creation)
if pod.Labels != nil && pod.Labels[PodLabelEnabled] == "false" {
metrics.CWSExecInstrumentationAttempts.Observe(1, ci.mode.String(), "false", cwsExcludedByLabelReason)
return false, nil
}

// is the pod targeted by the instrumentation ?
if ci.filter.IsExcluded(pod.Annotations, "", "", "") {
metrics.CWSExecInstrumentationAttempts.Observe(1, ci.mode.String(), "false", cwsExcludedByAnnotationReason)
Expand All @@ -469,6 +479,8 @@ func (ci *CWSInstrumentation) injectCWSCommandInstrumentation(exec *corev1.PodEx
return false, nil
}
case RemoteCopy:
cwsInstrumentationRemotePath = filepath.Join(ci.directoryForRemoteCopy, "/cws-instrumentation")

// if we're using a shared volume, we need to make sure the pod is instrumented first
if ci.mountVolumeForRemoteCopy {
if !isPodCWSInstrumentationReady(pod.Annotations) {
Expand All @@ -477,7 +489,7 @@ func (ci *CWSInstrumentation) injectCWSCommandInstrumentation(exec *corev1.PodEx
metrics.CWSExecInstrumentationAttempts.Observe(1, ci.mode.String(), "false", cwsPodNotInstrumentedReason)
return false, nil
}
cwsInstrumentationRemotePath = filepath.Join(cwsMountPath, "cws-instrumentation")
cwsInstrumentationRemotePath = filepath.Join(cwsMountPath, cwsInstrumentationRemotePath)
} else {
// check if the target pod has a read only filesystem
if readOnly := ci.hasReadonlyRootfs(pod, exec.Container); readOnly {
Expand All @@ -486,7 +498,6 @@ func (ci *CWSInstrumentation) injectCWSCommandInstrumentation(exec *corev1.PodEx
metrics.CWSExecInstrumentationAttempts.Observe(1, ci.mode.String(), "false", cwsReadonlyFilesystemReason)
return false, errors.New(metrics.InvalidInput)
}
cwsInstrumentationRemotePath = "/cws-instrumentation"
}

arch, err := ci.resolveNodeArch(pod.Spec.NodeName, apiClient)
Expand Down Expand Up @@ -514,7 +525,7 @@ func (ci *CWSInstrumentation) injectCWSCommandInstrumentation(exec *corev1.PodEx

// copy CWS instrumentation directly to the target container
if err := ci.injectCWSCommandInstrumentationRemoteCopy(pod, container.Name, cwsInstrumentationLocalPath, cwsInstrumentationRemotePath); err != nil {
log.Errorf("Ignoring exec request into %s, remote copy failed: %v", common.PodString(pod), err)
log.Warnf("Ignoring exec request into %s, remote copy failed: %v", common.PodString(pod), err)
metrics.CWSExecInstrumentationAttempts.Observe(1, ci.mode.String(), "false", cwsRemoteCopyFailedReason)
return false, errors.New(metrics.InternalError)
}
Expand Down Expand Up @@ -771,10 +782,6 @@ func mutatePodExecOptions(rawPodExecOptions []byte, name string, ns string, muta
return nil, fmt.Errorf("failed to decode raw object: %v", err)
}

if _, err := m(&exec, name, ns, userInfo, dc, apiClient); err != nil {
return nil, err
}

if injected, err := m(&exec, name, ns, userInfo, dc, apiClient); err != nil {
metrics.MutationAttempts.Inc(mutationType, metrics.StatusError, strconv.FormatBool(injected), err.Error())
} else {
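Review bot: `cwsInstrumentationRemotePath = filepath.Join(ci.directoryForRemoteCopy, "/cws-instrumentation")` in the `RemoteCopy` case accepts whatever string `admission_controller.cws_instrumentation.remote_copy.directory` holds, and a relative value such as `tmp` yields `tmp/cws-instrumentation`, so the binary would be copied relative to the target container's working directory instead of the fixed absolute location the previous `"/cws-instrumentation"` guaranteed. An empty value still resolves to `/cws-instrumentation` because `filepath.Join` ignores empty elements, and since the result is cleaned before the later `filepath.Join(cwsMountPath, …)`, `..` segments cannot escape the mount, so the relative case is the only gap. The value is operator-controlled configuration, so this is hardening rather than an exploitable hole, but I would reject it once in `NewCWSInstrumentation` right after the `GetString`: `if d := ci.directoryForRemoteCopy; d != "" && !filepath.IsAbs(d) { return nil, fmt.Errorf("admission_controller.cws_instrumentation.remote_copy.directory must be an absolute path, got %q", d) }`. Both `NewCWSInstrumentation` and `injectCWSCommandInstrumentation` start and end outside the hunks shown here.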
