diff --git a/Dockerfiles/cws-instrumentation/Dockerfile b/Dockerfiles/cws-instrumentation/Dockerfile
index 2e1959be9081b..730dcfa1571e8 100644
--- a/Dockerfiles/cws-instrumentation/Dockerfile
+++ b/Dockerfiles/cws-instrumentation/Dockerfile
@@ -1,3 +1,4 @@
 FROM scratch
 ARG TARGETARCH
 COPY --chmod=0755 cws-instrumentation.$TARGETARCH /cws-instrumentation
+USER 10000
diff --git a/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation.go b/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation.go
index d5c0dadeb6ea0..947404faffe6f 100644
--- a/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation.go
+++ b/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation.go
@@ -41,6 +41,8 @@ const (
 cwsInstrumentationPodAnotationReady = "ready"
 cwsInjectorInitContainerName = "cws-instrumentation"
 cwsUserSessionDataMaxSize = 1024
+cwsInjectorInitContainerUser = int64(10000)
+cwsInjectorInitContainerGroup = int64(10000)
 
 // PodLabelEnabled is used to label pods that should be instrumented or skipped by the CWS mutating webhook
 PodLabelEnabled = "admission.datadoghq.com/cws-instrumentation.enabled"
@@ -449,6 +451,9 @@ func injectCWSInitContainer(pod *corev1.Pod, resources *corev1.ResourceRequireme
 }
 }
 
+runAsUser := cwsInjectorInitContainerUser
+runAsGroup := cwsInjectorInitContainerGroup
+
 initContainer := corev1.Container{
 Name: cwsInjectorInitContainerName,
 Image: image,
@@ -459,6 +464,11 @@ func injectCWSInitContainer(pod *corev1.Pod, resources *corev1.ResourceRequireme
 MountPath: cwsMountPath,
 },
 },
+// Set a default user and group to support pod deployments with a `runAsNonRoot` security context
+SecurityContext: &corev1.SecurityContext{
+RunAsUser: &runAsUser,
+RunAsGroup: &runAsGroup,
+},
 }
 if resources != nil {
 initContainer.Resources = *resources
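Review bot: The new `cwsInjectorInitContainerUser`/`cwsInjectorInitContainerGroup` constants and the `USER 10000` directive added to the Dockerfile must stay equal, but neither side records that coupling, so a later change to one silently desynchronises the other. A comment on the constants would carry the contract, e.g. `// Must match the USER directive in Dockerfiles/cws-instrumentation/Dockerfile; the image is FROM scratch, so only a numeric UID is usable here.` Keeping the UID numeric on both sides is what lets a `runAsNonRoot` check succeed for an image with no /etc/passwd, which is worth stating next to the value rather than leaving for the reader to infer. The `const (` block continues outside the hunk.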
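Review bot: The injected init container's SecurityContext only sets RunAsUser/RunAsGroup, so a pod admitted into a namespace enforcing the restricted Pod Security Standard would still be rejected on this container, because that profile also requires `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and a `RuntimeDefault` seccomp profile, and the check runs after mutating webhooks. The image is a single static binary copied from scratch (per the Dockerfile hunk), so those fields should cost nothing, provided the shared volume at cwsMountPath is writable by UID 10000, which the change already relies on; setting `RunAsNonRoot: true` as well records the intent the comment states. The comment says "default", but the value is unconditional and overrides any pod-level `runAsUser`, so `// Run the init container as a fixed non-root UID/GID so pods with a runAsNonRoot security context still admit it` would be more accurate. The two extra locals belong next to `runAsUser`/`runAsGroup` in the previous hunk, and `injectCWSInitContainer` starts and ends outside both hunks.
```go
	runAsNonRoot := true
	allowPrivilegeEscalation := false
	// … unchanged: initContainer Name, Image, Command, VolumeMounts …
	// Run the init container as a fixed non-root UID/GID and satisfy the
	// restricted Pod Security Standard so hardened namespaces still admit it.
	SecurityContext: &corev1.SecurityContext{
		RunAsUser:                &runAsUser,
		RunAsGroup:               &runAsGroup,
		RunAsNonRoot:             &runAsNonRoot,
		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
		SeccompProfile: &corev1.SeccompProfile{
			Type: corev1.SeccompProfileTypeRuntimeDefault,
		},
	},
```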
diff --git a/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation_test.go b/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation_test.go
index ed715743a3454..86d341882a39b 100644
--- a/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation_test.go
+++ b/pkg/clusteragent/admission/mutate/cwsinstrumentation/cws_instrumentation_test.go
@@ -446,6 +446,8 @@ func Test_injectCWSCommandInstrumentation(t *testing.T) {
 
 func Test_injectCWSPodInstrumentation(t *testing.T) {
 commonRegistry := "gcr.io/datadoghq"
+runAsUser := cwsInjectorInitContainerUser
+runAsGroup := cwsInjectorInitContainerGroup
 
 type args struct {
 pod *corev1.Pod
@@ -499,6 +501,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 MountPath: cwsMountPath,
 },
 },
+SecurityContext: &corev1.SecurityContext{
+RunAsUser: &runAsUser,
+RunAsGroup: &runAsGroup,
+},
 },
 wantInstrumentation: true,
 },
@@ -522,6 +528,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 MountPath: cwsMountPath,
 },
 },
+SecurityContext: &corev1.SecurityContext{
+RunAsUser: &runAsUser,
+RunAsGroup: &runAsGroup,
+},
 },
 wantInstrumentation: true,
 },
@@ -545,6 +555,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 MountPath: cwsMountPath,
 },
 },
+SecurityContext: &corev1.SecurityContext{
+RunAsUser: &runAsUser,
+RunAsGroup: &runAsGroup,
+},
 },
 wantInstrumentation: true,
 },
@@ -579,6 +593,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 MountPath: cwsMountPath,
 },
 },
+SecurityContext: &corev1.SecurityContext{
+RunAsUser: &runAsUser,
+RunAsGroup: &runAsGroup,
+},
 },
 wantInstrumentation: true,
 },
@@ -639,6 +657,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 MountPath: cwsMountPath,
 },
 },
+SecurityContext: &corev1.SecurityContext{
+RunAsUser: &runAsUser,
+RunAsGroup: &runAsGroup,
+},
 },
 wantInstrumentation: true,
 },
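Review bot: The updated expectations only mirror the constants back through `runAsUser`/`runAsGroup`; no case in this hunk or the following ones builds a pod whose `Spec.SecurityContext` already sets `RunAsNonRoot: true` or a pod-level `RunAsUser`, which is the scenario the change exists for. One extra case with `SecurityContext: &corev1.PodSecurityContext{RunAsNonRoot: &runAsNonRoot}` on the input pod and the same expected init container would document that the container-level UID/GID is what makes such pods admit the injection. This assumes the expected containers are compared by deep equality, which is not visible in the hunk. `Test_injectCWSPodInstrumentation` continues past the hunk.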
@@ -679,6 +701,10 @@ func Test_injectCWSPodInstrumentation(t *testing.T) {
 MountPath: cwsMountPath,
 },
 },
+SecurityContext: &corev1.SecurityContext{
+RunAsUser: &runAsUser,
+RunAsGroup: &runAsGroup,
+},
 },
 wantInstrumentation: true,
 },