datadog-agent
[CWS] Use admission controller to get container tags at container startup
What does this PR do?
This PR adds the ability for the admission controller to inject information about the running workload (such as image name, image tag) as environment variables.
This PR is a rewritten version of https://github.com/DataDog/datadog-agent/pull/16673 on top of the CWS instrumentation.
Motivation
With this PR, the security probe is able to resolve the workload at its first event, without having to wait for the tagger to resolve the tags (which can take a few seconds). This allows security profiles to be applied at the very beginning of a workload startup.
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes
Reviewer's Checklist
- [ ] If known, an appropriate milestone has been selected; otherwise the `Triage` milestone is set.
- [ ] Use the `major_change` label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be used during QA to make sure each team pays extra attention to the changed behavior. For any customer facing change use a release note.
- [ ] A release note has been added or the `changelog/no-changelog` label has been applied.
- [ ] Changed code has automated tests for its functionality.
- [ ] Adequate QA/testing plan information is provided if the `qa/skip-qa` label is not applied.
- [ ] At least one `team/..` label has been applied, indicating the team(s) that should QA this change.
- [ ] If applicable, docs team has been notified or an issue has been opened on the documentation repo.
- [ ] If applicable, the `need-change/operator` and `need-change/helm` labels have been applied.
- [ ] If applicable, the `k8s/<min-version>` label, indicating the lowest Kubernetes version compatible with this feature.
- [ ] If applicable, the config template has been updated.
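The mutation this PR describes, sketched as an added example (not the agent's own code): the JSON patch a mutating admission webhook would return to inject each container's image name and tag as environment variables. The `Container` stand-in type, the `EXAMPLE_IMAGE_*` variable names and the `ParseImageRef` helper are assumptions, not the agent's real identifiers.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-ins for the pod fields the webhook inspects (the real agent uses k8s.io/api types).
type EnvVar struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}
type Container struct{ Image string; Env []EnvVar }

// PatchOp is one RFC 6902 operation, the form a mutating webhook returns.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// ParseImageRef splits an image reference into name and tag. The digest is cut first
// so "sha256:" is not read as a tag; a colon separates a tag only after the last "/".
func ParseImageRef(ref string) (name, tag string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[:i], ref[i+1:]
	}
	return ref, "latest"
}

// BuildPatch adds image name/tag env vars to every container (env var names are placeholders).
func BuildPatch(containers []Container) []PatchOp {
	var ops []PatchOp
	for i, c := range containers {
		name, tag := ParseImageRef(c.Image)
		vars := []EnvVar{{"EXAMPLE_IMAGE_NAME", name}, {"EXAMPLE_IMAGE_TAG", tag}}
		base := fmt.Sprintf("/spec/containers/%d/env", i)
		if len(c.Env) == 0 { // "/env/-" is rejected when the list does not exist yet
			ops = append(ops, PatchOp{"add", base, vars})
			continue
		}
		for _, v := range vars { // existing list: append each var at its end
			ops = append(ops, PatchOp{"add", base + "/-", v})
		}
	}
	return ops
}
```

The probe side can then read these variables from the process environment at the first event instead of waiting for the tagger.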
Bloop Bleep... Dogbot Here
Regression Detector Results
Run ID: 55bb3e98-2f4d-4e92-8586-3e0a6a9fb6af
Baseline: 6da9e2ffcc52e71cfa99c48f6d9d174a9ac4f1c5
Comparison: 82adfdaf7b8bec561b297e0857bae05628522e4b
Total datadog-agent CPUs: 7
Explanation
A regression test is an integrated performance test for datadog-agent in a repeatable rig, with varying configuration for datadog-agent. What follows is a statistical summary of a brief datadog-agent run for each configuration across SHAs given above. The goal of these tests is to determine quickly if datadog-agent performance is changed and to what degree by a pull request.
Because a target's optimization goal performance in each experiment will vary somewhat each time it is run, we can only estimate mean differences in optimization goal relative to the baseline target. We express these differences as a percentage change relative to the baseline target, denoted "Δ mean %". These estimates are made to a precision that balances accuracy and cost control. We represent this precision as a 90.00% confidence interval denoted "Δ mean % CI": there is a 90.00% chance that the true value of "Δ mean %" is in that interval.
We decide whether a change in performance is a "regression" -- a change worth investigating further -- if both of the following two criteria are true:
- The estimated |Δ mean %| ≥ 5.00%. This criterion intends to answer the question "Does the estimated change in mean optimization goal performance have a meaningful impact on your customers?". We assume that when |Δ mean %| < 5.00%, the impact on your customers is not meaningful. We also assume that a performance change in optimization goal is worth investigating whether it is an increase or decrease, so long as the magnitude of the change is sufficiently large.
- Zero is not in the 90.00% confidence interval "Δ mean % CI" about "Δ mean %". This statement is equivalent to saying that there is at least a 90.00% chance that the mean difference in optimization goal is not zero. This criterion intends to answer the question, "Is there a statistically significant difference in mean optimization goal performance?". It also means there is no more than a 10.00% chance this criterion reports a statistically significant difference when the true difference in mean optimization goal is zero -- a "false positive". We assume you are willing to accept a 10.00% chance of inaccurately detecting a change in performance when no true difference exists.
The table below, if present, lists those experiments that have experienced a statistically significant change in mean optimization goal performance between baseline and comparison SHAs with 90.00% confidence OR have been detected as newly erratic. Negative values of "Δ mean %" mean that baseline is faster, whereas positive values of "Δ mean %" mean that comparison is faster. Results that do not exhibit more than a ±5.00% change in their mean optimization goal are discarded. An experiment is erratic if its coefficient of variation is greater than 0.1. The abbreviated table will be omitted if no interesting change is observed.
No interesting changes in experiment optimization goals with confidence ≥ 90.00% and |Δ mean %| ≥ 5.00%.
Fine details of change detection per experiment.
| experiment | goal | Δ mean % | Δ mean % CI | confidence |
|---|---|---|---|---|
| tcp_syslog_to_blackhole | ingress throughput | +0.38 | [+0.25, +0.51] | 100.00% |
| process_agent_standard_check | egress throughput | +0.10 | [-3.46, +3.67] | 3.83% |
| process_agent_standard_check_with_stats | egress throughput | +0.07 | [-1.97, +2.10] | 4.42% |
| trace_agent_msgpack | ingress throughput | +0.03 | [-0.10, +0.16] | 32.26% |
| uds_dogstatsd_to_api | ingress throughput | +0.03 | [-0.14, +0.20] | 20.06% |
| dogstatsd_string_interner_64MiB_1k | ingress throughput | +0.00 | [-0.13, +0.13] | 1.71% |
| dogstatsd_string_interner_8MiB_1k | ingress throughput | +0.00 | [-0.10, +0.10] | 1.17% |
| dogstatsd_string_interner_8MiB_10k | ingress throughput | +0.00 | [-0.00, +0.00] | 17.08% |
| trace_agent_json | ingress throughput | +0.00 | [-0.13, +0.14] | 0.33% |
| dogstatsd_string_interner_8MiB_100k | ingress throughput | +0.00 | [-0.06, +0.06] | 0.00% |
| dogstatsd_string_interner_64MiB_100 | ingress throughput | -0.00 | [-0.14, +0.14] | 0.07% |
| dogstatsd_string_interner_128MiB_100 | ingress throughput | -0.00 | [-0.14, +0.14] | 0.27% |
| dogstatsd_string_interner_128MiB_1k | ingress throughput | -0.00 | [-0.14, +0.14] | 0.52% |
| dogstatsd_string_interner_8MiB_100 | ingress throughput | -0.00 | [-0.13, +0.13] | 3.30% |
| tcp_dd_logs_filter_exclude | ingress throughput | -0.01 | [-0.17, +0.16] | 4.89% |
| dogstatsd_string_interner_8MiB_50k | ingress throughput | -0.02 | [-0.08, +0.05] | 32.24% |
| idle | egress throughput | -0.03 | [-2.54, +2.49] | 1.31% |
| file_to_blackhole | egress throughput | -0.03 | [-1.05, +0.99] | 4.08% |
| file_tree | egress throughput | -0.24 | [-2.12, +1.65] | 16.43% |
| process_agent_real_time_mode | egress throughput | -0.64 | [-3.15, +1.88] | 32.28% |
| otel_to_otel_logs | ingress throughput | -0.73 | [-2.30, +0.85] | 55.27% |