[CWS] Fix CWS instrumentation user (#23629)

* [CWS] fix CWS instrumentation user * [CWS] fix CWS instrumentation tests
DataDog · Mar 11, 2024 · dfa32f3 · dfa32f3
1 parent ac8dfc6
commit dfa32f3
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/Dockerfiles/cws-instrumentation/Dockerfile b/Dockerfiles/cws-instrumentation/Dockerfile
@@ -1,3 +1,4 @@
 FROM scratch
 ARG TARGETARCH
 COPY --chmod=0755 cws-instrumentation.$TARGETARCH /cws-instrumentation
+USER 10000
diff --git a/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation.go b/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation.go
@@ -41,6 +41,8 @@ const (
 	cwsInstrumentationPodAnotationReady  = "ready"
 	cwsInjectorInitContainerName         = "cws-instrumentation"
 	cwsUserSessionDataMaxSize            = 1024
+	cwsInjectorInitContainerUser         = int64(10000)
+	cwsInjectorInitContainerGroup        = int64(10000)
 
 	// PodLabelEnabled is used to label pods that should be instrumented or skipped by the CWS mutating webhook
 	PodLabelEnabled = "admission.datadoghq.com/cws-instrumentation.enabled"
@@ -449,6 +451,9 @@ func injectCWSInitContainer(pod *corev1.Pod, resources *corev1.ResourceRequireme
 		}
 	}
 
+	runAsUser := cwsInjectorInitContainerUser
+	runAsGroup := cwsInjectorInitContainerGroup
+
 	initContainer := corev1.Container{
 		Name:    cwsInjectorInitContainerName,
 		Image:   image,
@@ -459,6 +464,11 @@ func injectCWSInitContainer(pod *corev1.Pod, resources *corev1.ResourceRequireme
 				MountPath: cwsMountPath,
 			},
 		},
+		// Set a default user and group to support pod deployments with a `runAsNonRoot` security context
+		SecurityContext: &corev1.SecurityContext{
+			RunAsUser:  &runAsUser,
+			RunAsGroup: &runAsGroup,
+		},
 	}
 	if resources != nil {
 		initContainer.Resources = *resources

diff --git a/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation_test.go b/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation_test.go
@@ -446,6 +446,8 @@ func Test_injectCWSCommandInstrumentation(t *testing.T) {
 
 func Test_injectCWSPodInstrumentation(t *testing.T) {
 	commonRegistry := "gcr.io/datadoghq"
+	runAsUser := cwsInjectorInitContainerUser
+	runAsGroup := cwsInjectorInitContainerGroup
 
 	type args struct {
 		pod *corev1.Pod
@@ -499,6 +501,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					RunAsUser:  &runAsUser,
+					RunAsGroup: &runAsGroup,
+				},
 			},
 			wantInstrumentation: true,
 		},
@@ -522,6 +528,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					RunAsUser:  &runAsUser,
+					RunAsGroup: &runAsGroup,
+				},
 			},
 			wantInstrumentation: true,
 		},
@@ -545,6 +555,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					RunAsUser:  &runAsUser,
+					RunAsGroup: &runAsGroup,
+				},
 			},
 			wantInstrumentation: true,
 		},
@@ -579,6 +593,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					RunAsUser:  &runAsUser,
+					RunAsGroup: &runAsGroup,
+				},
 			},
 			wantInstrumentation: true,
 		},
@@ -639,6 +657,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					RunAsUser:  &runAsUser,
+					RunAsGroup: &runAsGroup,
+				},
 			},
 			wantInstrumentation: true,
 		},
@@ -679,6 +701,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 						MountPath: cwsMountPath,
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					RunAsUser:  &runAsUser,
+					RunAsGroup: &runAsGroup,
+				},
 			},
 			wantInstrumentation: true,
 		},