datadog-agent
datadog-agent copied to clipboard
DataDog
Handle configuration secrets in system-probe
What does this PR do?
This PR aims to make system-probe handle configuration secrets. It makes system-probe use the core-agent api so that we can get the secrets decrypted by the core-agent
Motivation
In an effort, to use CWS with system-probe only, we are migrating some of the security-agent functionalities to system-probe
Additional Notes
Possible Drawbacks / Trade-offs
Describe how to test/QA your changes
- Define api_key in datadog.yaml as a secret: Instructions
- Enabled the sync server in the core-agent by setting:
agent_ipc:
port: XXXX
config_refresh_interval: 30
- Print out the api_key somewhere in system-probe and check if we get the actual decrypted key
coreconfig.Datadog().GetString("api_key")
Test changes on VM
Use this command from test-infra-definitions to manually test this PR changes on a VM:
inv create-vm --pipeline-id=37844930 --os-family=ubuntu
Note: This applies to commit 33de3b80
![pr-commenter[bot] avatar](https://avatars.githubusercontent.com/u/365230?v=4 "Published by a pub.dev verified publisher"){kind=small}
Regression Detector
Regression Detector Results
Run ID: b12ea5d5-a2d2-4abd-903e-f4ead9d2379a Metrics dashboard Target profiles
Baseline: 8af0eb8991601c0a7b4bcc8ce456a226c5c58b90 Comparison: a94d31cd9a4c36725e21685c845c0be36bdfbb82
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
No significant changes in experiment optimization goals
Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%
There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI | links |
|---|---|---|---|---|---|
| ➖ | pycheck_1000_100byte_tags | % cpu utilization | +1.09 | [-3.82, +6.01] | Logs |
| ➖ | idle | memory utilization | +0.14 | [+0.11, +0.17] | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | +0.00 | [-0.01, +0.01] | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | +0.00 | [-0.00, +0.00] | Logs |
| ➖ | otel_to_otel_logs | ingress throughput | -0.20 | [-1.00, +0.61] | Logs |
| ➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | -0.50 | [-1.40, +0.41] | Logs |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | -0.53 | [-13.50, +12.45] | Logs |
| ➖ | file_tree | memory utilization | -0.79 | [-0.91, -0.68] | Logs |
| ➖ | basic_py_check | % cpu utilization | -1.66 | [-4.35, +1.02] | Logs |
Explanation
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
Won't this allow a non-privileged user to provide a program that would be executed by root? That seems like a privilege escalation?
This was previously intentionally disabled in #18222 so what has changed?
Same question than @brycekahle: Not enabling secrets on system-probe was required by the security-team.
It also raise more issue as we require the the binary being executed to be own by the same user than the agent process. On a host install we can't have the same binary own by dd-agent for the core-agent and root for system-probe.
We have a feature, disable right now, that allow different Datadog processes to fetch the API key from the core-agent which already uses secrets. We could work on enabling it by default and updating our HELM chart. This would give system-probe access to the API key through secrets without directly executing anything.
Yep, that makes sense, thanks for raising this issue. I'll explore the approach using the feature that syncs the API key with other agents.
Go Package Import Differences
Baseline: 8af0eb8991601c0a7b4bcc8ce456a226c5c58b90 Comparison: 33de3b8090b6f90e510861b94af4def665a70408
| binary | os | arch | change |
|---|---|---|---|
| system-probe | linux | amd64 | +4, -0
+github.com/DataDog/datadog-agent/comp/api/authtoken
+github.com/DataDog/datadog-agent/comp/api/authtoken/fetchonlyimpl
+github.com/DataDog/datadog-agent/comp/core/configsync
+github.com/DataDog/datadog-agent/comp/core/configsync/configsyncimpl
|
| system-probe | linux | arm64 | +4, -0
+github.com/DataDog/datadog-agent/comp/api/authtoken
+github.com/DataDog/datadog-agent/comp/api/authtoken/fetchonlyimpl
+github.com/DataDog/datadog-agent/comp/core/configsync
+github.com/DataDog/datadog-agent/comp/core/configsync/configsyncimpl
|
| system-probe | windows | amd64 | +4, -0
+github.com/DataDog/datadog-agent/comp/api/authtoken
+github.com/DataDog/datadog-agent/comp/api/authtoken/fetchonlyimpl
+github.com/DataDog/datadog-agent/comp/core/configsync
+github.com/DataDog/datadog-agent/comp/core/configsync/configsyncimpl
|
![cit-pr-commenter[bot] avatar](https://avatars.githubusercontent.com/in/330445?v=4 "Published by a pub.dev verified publisher"){kind=small}
Can you explain why the system-probe needs the API key (or other secrets)?
In an effort, to use CWS with system-probe only, we are migrating some of the security-agent functionalities to system-probe.