Do not mount /etc/passwd on Talos nodes

Author: aureleoules

internal/controller/datadogagent/feature/cspm/feature.go

@@ -297,10 +297,12 @@ func (f *cspmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, prov
 	volMountMgr.AddVolumeMountToContainer(&cgroupsVolMount, apicommon.SecurityAgentContainerName)
 	VolMgr.AddVolume(&cgroupsVol)
 
-	// passwd volume mount
-	passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&passwdVolMount, apicommon.SecurityAgentContainerName)
-	VolMgr.AddVolume(&passwdVol)
+	if provider != kubernetes.TalosProvider {
+		// passwd volume mount
+		passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
+		volMountMgr.AddVolumeMountToContainer(&passwdVolMount, apicommon.SecurityAgentContainerName)
+		VolMgr.AddVolume(&passwdVol)
+	}
 
 	// procdir volume mount
 	procdirVol, procdirVolMount := volume.GetVolumes(common.ProcdirVolumeName, common.ProcdirHostPath, common.ProcdirMountPath, true)

internal/controller/datadogagent/feature/cws/feature.go

@@ -283,10 +283,12 @@ func (f *cwsFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provi
 	volMountMgr.AddVolumeMountToContainer(&procdirVolMount, apicommon.SystemProbeContainerName)
 	volMgr.AddVolume(&procdirVol)
 
-	// passwd volume mount
-	passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&passwdVolMount, apicommon.SystemProbeContainerName)
-	volMgr.AddVolume(&passwdVol)
+	if provider != kubernetes.TalosProvider {
+		// passwd volume mount
+		passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
+		volMountMgr.AddVolumeMountToContainer(&passwdVolMount, apicommon.SystemProbeContainerName)
+		volMgr.AddVolume(&passwdVol)
+	}
 
 	// group volume mount
 	groupVol, groupVolMount := volume.GetVolumes(common.GroupVolumeName, common.GroupHostPath, common.GroupMountPath, true)

internal/controller/datadogagent/feature/liveprocess/feature.go

@@ -15,6 +15,7 @@ import (
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
 	featutils "github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature/utils"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/object/volume"
+	"github.com/DataDog/datadog-operator/pkg/kubernetes"
 )
 
 func init() {
@@ -117,10 +118,12 @@ func (f *liveProcessFeature) ManageNodeAgent(managers feature.PodTemplateManager
 
 func (f *liveProcessFeature) manageNodeAgent(agentContainerName apicommon.AgentContainerName, managers feature.PodTemplateManagers, provider string) error {
 
-	// passwd volume mount
-	passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
-	managers.VolumeMount().AddVolumeMountToContainer(&passwdVolMount, agentContainerName)
-	managers.Volume().AddVolume(&passwdVol)
+	if provider != kubernetes.TalosProvider {
+		// passwd volume mount
+		passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
+		managers.VolumeMount().AddVolumeMountToContainer(&passwdVolMount, agentContainerName)
+		managers.Volume().AddVolume(&passwdVol)
+	}
 
 	// cgroups volume mount
 	cgroupsVol, cgroupsVolMount := volume.GetVolumes(common.CgroupsVolumeName, common.CgroupsHostPath, common.CgroupsMountPath, true)

internal/controller/datadogagent/feature/processdiscovery/feature.go

@@ -15,6 +15,7 @@ import (
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
 	featutils "github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature/utils"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/object/volume"
+	"github.com/DataDog/datadog-operator/pkg/kubernetes"
 )
 
 func init() {
@@ -96,9 +97,11 @@ func (p processDiscoveryFeature) ManageSingleContainerNodeAgent(managers feature
 
 func (p processDiscoveryFeature) manageNodeAgent(agentContainerName apicommon.AgentContainerName, managers feature.PodTemplateManagers, provider string) error {
 	// passwd volume mount
-	passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
-	managers.VolumeMount().AddVolumeMountToContainer(&passwdVolMount, agentContainerName)
-	managers.Volume().AddVolume(&passwdVol)
+	if provider != kubernetes.TalosProvider {
+		passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
+		managers.VolumeMount().AddVolumeMountToContainer(&passwdVolMount, agentContainerName)
+		managers.Volume().AddVolume(&passwdVol)
+	}
 
 	// cgroups volume mount
 	cgroupsVol, cgroupsVolMount := volume.GetVolumes(common.CgroupsVolumeName, common.CgroupsHostPath, common.CgroupsMountPath, true)

pkg/kubernetes/provider.go

@@ -22,6 +22,8 @@ const (
 	// DefaultProvider Default provider name
 	DefaultProvider = "default"
 
+	TalosProvider = "talos"
+
 	// GKE provider types: https://cloud.google.com/kubernetes-engine/docs/concepts/node-images#available_node_images
 	// GKECosType is the Container-Optimized OS node image offered by GKE
 	GKECosType = "cos"
@@ -39,16 +41,20 @@ var providerValueAllowlist = map[string]struct{}{
 }
 
 // determineProvider creates a Provider based on a map of labels
-func determineProvider(labels map[string]string) string {
-	if len(labels) > 0 {
+func determineProvider(node *corev1.Node) string {
+	if len(node.Labels) > 0 {
 		// GKE
-		if val, ok := labels[GKEProviderLabel]; ok {
+		if val, ok := node.Labels[GKEProviderLabel]; ok {
 			if provider := generateValidProviderName(GKECloudProvider, val); provider != "" {
 				return provider
 			}
 		}
 	}
 
+	if strings.Contains(node.Status.NodeInfo.OSImage, "Talos") {
+		return TalosProvider
+	}
+
 	return DefaultProvider
 }
 
@@ -183,7 +189,7 @@ func GetAgentNameWithProvider(overrideDSName, provider string) string {
 func GetProviderListFromNodeList(nodeList []corev1.Node, logger logr.Logger) map[string]struct{} {
 	providerList := make(map[string]struct{})
 	for _, node := range nodeList {
-		provider := determineProvider(node.Labels)
+		provider := determineProvider(&node)
 		if _, ok := providerList[provider]; !ok {
 			providerList[provider] = struct{}{}
 			logger.V(1).Info("New provider detected", "provider", provider)

pkg/kubernetes/provider_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 var (
@@ -20,34 +21,42 @@ var (
 func Test_determineProvider(t *testing.T) {
 	tests := []struct {
 		name     string
-		labels   map[string]string
+		node     corev1.Node
 		provider string
 	}{
 		{
 			name: "random provider",
-			labels: map[string]string{
-				"foo": "bar",
+			node: corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"foo": "bar",
+					},
+				},
 			},
 			provider: defaultProvider,
 		},
 		{
 			name:     "empty labels",
-			labels:   map[string]string{},
+			node:     corev1.Node{},
 			provider: defaultProvider,
 		},
 		{
 			name: "gke provider",
-			labels: map[string]string{
-				"foo":            "bar",
-				GKEProviderLabel: GKECosType,
+			node: corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"foo":            "bar",
+						GKEProviderLabel: GKECosType,
+					},
+				},
 			},
 			provider: generateValidProviderName(GKECloudProvider, GKECosType),
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			p := determineProvider(tt.labels)
+			p := determineProvider(&tt.node)
 			assert.Equal(t, tt.provider, p)
 		})
 	}