[CSPM] implement RunInSystemProbe

paulcacheux · paulcacheux · commit 0950bc4be371 · 2026-01-15T17:23:27.000+01:00
diff --git a/api/datadoghq/v2alpha1/datadogagent_types.go b/api/datadoghq/v2alpha1/datadogagent_types.go
@@ -448,6 +448,12 @@ type CSPMFeatureConfig struct {
 	// HostBenchmarks contains configuration for host benchmarks.
 	// +optional
 	HostBenchmarks *CSPMHostBenchmarksConfig `json:"hostBenchmarks,omitempty"`
+
+	// RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+	// This is an experimental feature. Contact support before using.
+	// Default: false
+	// +optional
+	RunInSystemProbe *bool `json:"runInSystemProbe,omitempty"`
 }
 
 // CSPMHostBenchmarksConfig contains configuration for host benchmarks.
diff --git a/api/datadoghq/v2alpha1/zz_generated.deepcopy.go b/api/datadoghq/v2alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml b/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml
@@ -1154,6 +1154,12 @@ spec:
                                 Default: true
                               type: boolean
                           type: object
+                        runInSystemProbe:
+                          description: |-
+                            RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                            This is an experimental feature. Contact support before using.
+                            Default: false
+                          type: boolean
                       type: object
                     cws:
                       description: CWS (Cloud Workload Security) configuration.
@@ -9142,6 +9148,12 @@ spec:
                                     Default: true
                                   type: boolean
                               type: object
+                            runInSystemProbe:
+                              description: |-
+                                RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                                This is an experimental feature. Contact support before using.
+                                Default: false
+                              type: boolean
                           type: object
                         cws:
                           description: CWS (Cloud Workload Security) configuration.
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json
@@ -1159,6 +1159,10 @@
                     }
                   },
                   "type": "object"
+                },
+                "runInSystemProbe": {
+                  "description": "RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                  "type": "boolean"
                 }
               },
               "type": "object"
@@ -9010,6 +9014,10 @@
                         }
                       },
                       "type": "object"
+                    },
+                    "runInSystemProbe": {
+                      "description": "RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                      "type": "boolean"
                     }
                   },
                   "type": "object"
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml
@@ -1154,6 +1154,12 @@ spec:
                                     Default: true
                                   type: boolean
                               type: object
+                            runInSystemProbe:
+                              description: |-
+                                RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                                This is an experimental feature. Contact support before using.
+                                Default: false
+                              type: boolean
                           type: object
                         cws:
                           description: CWS (Cloud Workload Security) configuration.
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json
@@ -1163,6 +1163,10 @@
                         }
                       },
                       "type": "object"
+                    },
+                    "runInSystemProbe": {
+                      "description": "RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                      "type": "boolean"
                     }
                   },
                   "type": "object"
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml
@@ -1154,6 +1154,12 @@ spec:
                                 Default: true
                               type: boolean
                           type: object
+                        runInSystemProbe:
+                          description: |-
+                            RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                            This is an experimental feature. Contact support before using.
+                            Default: false
+                          type: boolean
                       type: object
                     cws:
                       description: CWS (Cloud Workload Security) configuration.
@@ -9192,6 +9198,12 @@ spec:
                                     Default: true
                                   type: boolean
                               type: object
+                            runInSystemProbe:
+                              description: |-
+                                RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                                This is an experimental feature. Contact support before using.
+                                Default: false
+                              type: boolean
                           type: object
                         cws:
                           description: CWS (Cloud Workload Security) configuration.
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json
@@ -1159,6 +1159,10 @@
                     }
                   },
                   "type": "object"
+                },
+                "runInSystemProbe": {
+                  "description": "RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                  "type": "boolean"
                 }
               },
               "type": "object"
@@ -9075,6 +9079,10 @@
                         }
                       },
                       "type": "object"
+                    },
+                    "runInSystemProbe": {
+                      "description": "RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                      "type": "boolean"
                     }
                   },
                   "type": "object"
diff --git a/docs/configuration.v2alpha1.md b/docs/configuration.v2alpha1.md
@@ -83,6 +83,7 @@ spec:
 | features.cspm.customBenchmarks.configMap.name | Is the name of the ConfigMap. |
 | features.cspm.enabled | Enables Cloud Security Posture Management. Default: false |
 | features.cspm.hostBenchmarks.enabled | Enables host benchmarks. Default: true |
+| features.cspm.runInSystemProbe | RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent. This is an experimental feature. Contact support before using. Default: false |
 | features.cws.customPolicies.configData | ConfigData corresponds to the configuration file content. |
 | features.cws.customPolicies.configMap.items | Maps a ConfigMap data `key` to a file `path` mount. |
 | features.cws.customPolicies.configMap.name | Is the name of the ConfigMap. |
diff --git a/docs/configuration_public.md b/docs/configuration_public.md
@@ -132,6 +132,9 @@ spec:
 `features.cspm.hostBenchmarks.enabled`
 : Enables host benchmarks. Default: true
 
+`features.cspm.runInSystemProbe`
+: RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent. This is an experimental feature. Contact support before using. Default: false
+
 `features.cws.customPolicies.configData`
 : ConfigData corresponds to the configuration file content.
 
diff --git a/internal/controller/datadogagent/feature/cspm/feature.go b/internal/controller/datadogagent/feature/cspm/feature.go
@@ -47,6 +47,7 @@ type cspmFeature struct {
 	serviceAccountName    string
 	checkInterval         string
 	hostBenchmarksEnabled bool
+	runInSystemProbe      bool
 
 	owner  metav1.Object
 	logger logr.Logger
@@ -96,6 +97,16 @@ func (f *cspmFeature) Configure(dda metav1.Object, ddaSpec *v2alpha1.DatadogAgen
 			f.hostBenchmarksEnabled = true
 		}
 
+		f.runInSystemProbe = apiutils.BoolValue(cspmConfig.RunInSystemProbe)
+
+		// Determine which container to use for CSPM on the node
+		var nodeContainer apicommon.AgentContainerName
+		if f.runInSystemProbe {
+			nodeContainer = apicommon.SystemProbeContainerName
+		} else {
+			nodeContainer = apicommon.SecurityAgentContainerName
+		}
+
 		reqComp = feature.RequiredComponents{
 			ClusterAgent: feature.RequiredComponent{
 				IsRequired: apiutils.NewBoolPointer(true),
@@ -104,7 +115,7 @@ func (f *cspmFeature) Configure(dda metav1.Object, ddaSpec *v2alpha1.DatadogAgen
 			Agent: feature.RequiredComponent{
 				IsRequired: apiutils.NewBoolPointer(true),
 				Containers: []apicommon.AgentContainerName{
-					apicommon.SecurityAgentContainerName,
+					nodeContainer,
 				},
 			},
 		}
@@ -230,12 +241,18 @@ func (f *cspmFeature) ManageSingleContainerNodeAgent(managers feature.PodTemplat
 // ManageNodeAgent allows a feature to configure the Node Agent's corev1.PodTemplateSpec
 // It should do nothing if the feature doesn't need to configure it.
 func (f *cspmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provider string) error {
+	// Determine which container to use based on runInSystemProbe
+	targetContainer := apicommon.SecurityAgentContainerName
+	if f.runInSystemProbe {
+		targetContainer = apicommon.SystemProbeContainerName
+	}
+
 	// security context capabilities
 	capabilities := []corev1.Capability{
 		"AUDIT_CONTROL",
 		"AUDIT_READ",
 	}
-	managers.SecurityContext().AddCapabilitiesToContainer(capabilities, apicommon.SecurityAgentContainerName)
+	managers.SecurityContext().AddCapabilitiesToContainer(capabilities, targetContainer)
 
 	volMountMgr := managers.VolumeMount()
 	VolMgr := managers.Volume()
@@ -281,10 +298,10 @@ func (f *cspmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, prov
 			}
 		}
 
-		// Add empty volume to Security Agent
+		// Add empty volume to target container (Security Agent or System Probe)
 		benchmarksVol, benchmarksVolMount := volume.GetVolumesEmptyDir(securityAgentComplianceConfigDirVolumeName, securityAgentComplianceConfigDirVolumePath, true)
 		managers.Volume().AddVolume(&benchmarksVol)
-		managers.VolumeMount().AddVolumeMountToContainer(&benchmarksVolMount, apicommon.SecurityAgentContainerName)
+		managers.VolumeMount().AddVolumeMountToContainer(&benchmarksVolMount, targetContainer)
 
 		// Add compliance.d volume mount to init-volume container at different path
 		benchmarkVolMountInitVol := corev1.VolumeMount{
@@ -297,55 +314,55 @@ func (f *cspmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, prov
 
 	// cgroups volume mount
 	cgroupsVol, cgroupsVolMount := volume.GetVolumes(common.CgroupsVolumeName, common.CgroupsHostPath, common.CgroupsMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&cgroupsVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&cgroupsVolMount, targetContainer)
 	VolMgr.AddVolume(&cgroupsVol)
 
 	// passwd volume mount
 	passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&passwdVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&passwdVolMount, targetContainer)
 	VolMgr.AddVolume(&passwdVol)
 
 	// procdir volume mount
 	procdirVol, procdirVolMount := volume.GetVolumes(common.ProcdirVolumeName, common.ProcdirHostPath, common.ProcdirMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&procdirVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&procdirVolMount, targetContainer)
 	VolMgr.AddVolume(&procdirVol)
 
 	// host root volume mount
 	hostRootVol, hostRootVolMount := volume.GetVolumes(common.HostRootVolumeName, common.HostRootHostPath, common.HostRootMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&hostRootVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&hostRootVolMount, targetContainer)
 	VolMgr.AddVolume(&hostRootVol)
 
 	// group volume mount
 	groupVol, groupVolMount := volume.GetVolumes(common.GroupVolumeName, common.GroupHostPath, common.GroupMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&groupVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&groupVolMount, targetContainer)
 	VolMgr.AddVolume(&groupVol)
 
 	// env vars
 	enabledEnvVar := &corev1.EnvVar{
 		Name:  DDComplianceConfigEnabled,
 		Value: "true",
 	}
-	managers.EnvVar().AddEnvVarToContainers([]apicommon.AgentContainerName{apicommon.CoreAgentContainerName, apicommon.SecurityAgentContainerName}, enabledEnvVar)
+	managers.EnvVar().AddEnvVarToContainers([]apicommon.AgentContainerName{apicommon.CoreAgentContainerName, targetContainer}, enabledEnvVar)
 
 	hostRootEnvVar := &corev1.EnvVar{
 		Name:  common.DDHostRootEnvVar,
 		Value: common.HostRootMountPath,
 	}
-	managers.EnvVar().AddEnvVarToContainer(apicommon.SecurityAgentContainerName, hostRootEnvVar)
+	managers.EnvVar().AddEnvVarToContainer(targetContainer, hostRootEnvVar)
 
 	if f.checkInterval != "" {
 		intervalEnvVar := &corev1.EnvVar{
 			Name:  DDComplianceConfigCheckInterval,
 			Value: f.checkInterval,
 		}
-		managers.EnvVar().AddEnvVarToContainer(apicommon.SecurityAgentContainerName, intervalEnvVar)
+		managers.EnvVar().AddEnvVarToContainer(targetContainer, intervalEnvVar)
 	}
 
 	hostBenchmarksEnabledEnvVar := &corev1.EnvVar{
 		Name:  DDComplianceHostBenchmarksEnabled,
 		Value: apiutils.BoolToString(&f.hostBenchmarksEnabled),
 	}
-	managers.EnvVar().AddEnvVarToContainer(apicommon.SecurityAgentContainerName, hostBenchmarksEnabledEnvVar)
+	managers.EnvVar().AddEnvVarToContainer(targetContainer, hostBenchmarksEnabledEnvVar)
 
 	return nil
 }
diff --git a/internal/controller/datadogagent/feature/cspm/feature_test.go b/internal/controller/datadogagent/feature/cspm/feature_test.go
@@ -67,6 +67,25 @@ func Test_cspmFeature_Configure(t *testing.T) {
 		ddaCSPMEnabled.Spec.Features.CSPM.HostBenchmarks = &v2alpha1.CSPMHostBenchmarksConfig{Enabled: apiutils.NewBoolPointer(true)}
 	}
 
+	ddaCSPMDirectSendEnabled := ddaCSPMDisabled.DeepCopy()
+	{
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.Enabled = apiutils.NewBoolPointer(true)
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.CustomBenchmarks = &v2alpha1.CustomConfig{
+			ConfigMap: &v2alpha1.ConfigMapConfig{
+				Name: "custom_test",
+				Items: []corev1.KeyToPath{
+					{
+						Key:  "key1",
+						Path: "some/path",
+					},
+				},
+			},
+		}
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.CheckInterval = &metav1.Duration{Duration: 20 * time.Minute}
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.HostBenchmarks = &v2alpha1.CSPMHostBenchmarksConfig{Enabled: apiutils.NewBoolPointer(true)}
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.RunInSystemProbe = apiutils.NewBoolPointer(true)
+	}
+
 	tests := test.FeatureTestSuite{
 
 		{
@@ -79,7 +98,14 @@ func Test_cspmFeature_Configure(t *testing.T) {
 			DDA:           ddaCSPMEnabled,
 			WantConfigure: true,
 			ClusterAgent:  cspmClusterAgentWantFunc(),
-			Agent:         cspmAgentNodeWantFunc(),
+			Agent:         cspmAgentNodeWantFunc(false),
+		},
+		{
+			Name:          "CSPM enabled with runInSystemProbe",
+			DDA:           ddaCSPMDirectSendEnabled,
+			WantConfigure: true,
+			ClusterAgent:  cspmClusterAgentWantFunc(),
+			Agent:         cspmAgentNodeWantFunc(true),
 		},
 	}
 
@@ -145,11 +171,17 @@ func cspmClusterAgentWantFunc() *test.ComponentTest {
 	)
 }
 
-func cspmAgentNodeWantFunc() *test.ComponentTest {
+func cspmAgentNodeWantFunc(runInSystemProbe bool) *test.ComponentTest {
 	return test.NewDefaultComponentTest().WithWantFunc(
 		func(t testing.TB, mgrInterface feature.PodTemplateManagers) {
 			mgr := mgrInterface.(*fake.PodTemplateManagers)
 
+			// Determine which container to check based on runInSystemProbe
+			targetContainer := apicommon.SecurityAgentContainerName
+			if runInSystemProbe {
+				targetContainer = apicommon.SystemProbeContainerName
+			}
+
 			want := []*corev1.EnvVar{
 				{
 					Name:  DDComplianceConfigEnabled,
@@ -169,8 +201,8 @@ func cspmAgentNodeWantFunc() *test.ComponentTest {
 				},
 			}
 
-			securityAgentEnvVars := mgr.EnvVarMgr.EnvVarsByC[apicommon.SecurityAgentContainerName]
-			assert.True(t, apiutils.IsEqualStruct(securityAgentEnvVars, want), "Agent envvars \ndiff = %s", cmp.Diff(securityAgentEnvVars, want))
+			targetContainerEnvVars := mgr.EnvVarMgr.EnvVarsByC[targetContainer]
+			assert.True(t, apiutils.IsEqualStruct(targetContainerEnvVars, want), "Agent envvars \ndiff = %s", cmp.Diff(targetContainerEnvVars, want))
 
 			// check volume mounts
 			wantVolumeMounts := []corev1.VolumeMount{
@@ -206,8 +238,8 @@ func cspmAgentNodeWantFunc() *test.ComponentTest {
 				},
 			}
 
-			securityAgentVolumeMounts := mgr.VolumeMountMgr.VolumeMountsByC[apicommon.SecurityAgentContainerName]
-			assert.True(t, apiutils.IsEqualStruct(securityAgentVolumeMounts, wantVolumeMounts), "Security Agent volume mounts \ndiff = %s", cmp.Diff(securityAgentVolumeMounts, wantVolumeMounts))
+			targetContainerVolumeMounts := mgr.VolumeMountMgr.VolumeMountsByC[targetContainer]
+			assert.True(t, apiutils.IsEqualStruct(targetContainerVolumeMounts, wantVolumeMounts), "Target container volume mounts \ndiff = %s", cmp.Diff(targetContainerVolumeMounts, wantVolumeMounts))
 
 			// check volumes
 			wantVolumes := []corev1.Volume{

Original file line number	Diff line number	Diff line change
`@@ -1159,6 +1159,10 @@`
`1159`	`1159`	`}`
`1160`	`1160`	`},`
`1161`	`1161`	`"type": "object"`
	`1162`	`+ },`
	`1163`	`+ "runInSystemProbe": {`
	`1164`	`+ "description": "RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",`
	`1165`	`+ "type": "boolean"`
`1162`	`1166`	`}`
`1163`	`1167`	`},`
`1164`	`1168`	`"type": "object"`
`@@ -9010,6 +9014,10 @@`
`9010`	`9014`	`}`
`9011`	`9015`	`},`
`9012`	`9016`	`"type": "object"`
	`9017`	`+ },`
	`9018`	`+ "runInSystemProbe": {`
	`9019`	`+ "description": "RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",`
	`9020`	`+ "type": "boolean"`
`9013`	`9021`	`}`
`9014`	`9022`	`},`
`9015`	`9023`	`"type": "object"`
Original file line number	Diff line number	Diff line change
`@@ -1163,6 +1163,10 @@`
`1163`	`1163`	`}`
`1164`	`1164`	`},`
`1165`	`1165`	`"type": "object"`
	`1166`	`+ },`
	`1167`	`+ "runInSystemProbe": {`
	`1168`	`+ "description": "RunInSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",`
	`1169`	`+ "type": "boolean"`
`1166`	`1170`	`}`
`1167`	`1171`	`},`
`1168`	`1172`	`"type": "object"`