[CSPM] implement directSendFromSystemProbeFeature

paulcacheux · paulcacheux · commit 64788a04ff26 · 2026-01-12T15:01:43.000+01:00
diff --git a/api/datadoghq/v2alpha1/datadogagent_types.go b/api/datadoghq/v2alpha1/datadogagent_types.go
@@ -446,6 +446,12 @@ type CSPMFeatureConfig struct {
 	// HostBenchmarks contains configuration for host benchmarks.
 	// +optional
 	HostBenchmarks *CSPMHostBenchmarksConfig `json:"hostBenchmarks,omitempty"`
+
+	// DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+	// This is an experimental feature. Contact support before using.
+	// Default: false
+	// +optional
+	DirectSendFromSystemProbe *bool `json:"directSendFromSystemProbe,omitempty"`
 }
 
 // CSPMHostBenchmarksConfig contains configuration for host benchmarks.
diff --git a/api/datadoghq/v2alpha1/zz_generated.deepcopy.go b/api/datadoghq/v2alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml b/config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml
@@ -1140,6 +1140,12 @@ spec:
                                   type: string
                               type: object
                           type: object
+                        directSendFromSystemProbe:
+                          description: |-
+                            DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                            This is an experimental feature. Contact support before using.
+                            Default: false
+                          type: boolean
                         enabled:
                           description: |-
                             Enabled enables Cloud Security Posture Management.
@@ -9080,6 +9086,12 @@ spec:
                                       type: string
                                   type: object
                               type: object
+                            directSendFromSystemProbe:
+                              description: |-
+                                DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                                This is an experimental feature. Contact support before using.
+                                Default: false
+                              type: boolean
                             enabled:
                               description: |-
                                 Enabled enables Cloud Security Posture Management.
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json
@@ -1145,6 +1145,10 @@
                   },
                   "type": "object"
                 },
+                "directSendFromSystemProbe": {
+                  "description": "DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                  "type": "boolean"
+                },
                 "enabled": {
                   "description": "Enabled enables Cloud Security Posture Management.\nDefault: false",
                   "type": "boolean"
@@ -8939,6 +8943,10 @@
                       },
                       "type": "object"
                     },
+                    "directSendFromSystemProbe": {
+                      "description": "DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                      "type": "boolean"
+                    },
                     "enabled": {
                       "description": "Enabled enables Cloud Security Posture Management.\nDefault: false",
                       "type": "boolean"
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml
@@ -1140,6 +1140,12 @@ spec:
                                       type: string
                                   type: object
                               type: object
+                            directSendFromSystemProbe:
+                              description: |-
+                                DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                                This is an experimental feature. Contact support before using.
+                                Default: false
+                              type: boolean
                             enabled:
                               description: |-
                                 Enabled enables Cloud Security Posture Management.
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json
@@ -1149,6 +1149,10 @@
                       },
                       "type": "object"
                     },
+                    "directSendFromSystemProbe": {
+                      "description": "DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                      "type": "boolean"
+                    },
                     "enabled": {
                       "description": "Enabled enables Cloud Security Posture Management.\nDefault: false",
                       "type": "boolean"
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml
@@ -1140,6 +1140,12 @@ spec:
                                   type: string
                               type: object
                           type: object
+                        directSendFromSystemProbe:
+                          description: |-
+                            DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                            This is an experimental feature. Contact support before using.
+                            Default: false
+                          type: boolean
                         enabled:
                           description: |-
                             Enabled enables Cloud Security Posture Management.
@@ -9130,6 +9136,12 @@ spec:
                                       type: string
                                   type: object
                               type: object
+                            directSendFromSystemProbe:
+                              description: |-
+                                DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.
+                                This is an experimental feature. Contact support before using.
+                                Default: false
+                              type: boolean
                             enabled:
                               description: |-
                                 Enabled enables Cloud Security Posture Management.
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json
@@ -1145,6 +1145,10 @@
                   },
                   "type": "object"
                 },
+                "directSendFromSystemProbe": {
+                  "description": "DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                  "type": "boolean"
+                },
                 "enabled": {
                   "description": "Enabled enables Cloud Security Posture Management.\nDefault: false",
                   "type": "boolean"
@@ -9004,6 +9008,10 @@
                       },
                       "type": "object"
                     },
+                    "directSendFromSystemProbe": {
+                      "description": "DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent.\nThis is an experimental feature. Contact support before using.\nDefault: false",
+                      "type": "boolean"
+                    },
                     "enabled": {
                       "description": "Enabled enables Cloud Security Posture Management.\nDefault: false",
                       "type": "boolean"
diff --git a/docs/configuration.v2alpha1.md b/docs/configuration.v2alpha1.md
@@ -81,6 +81,7 @@ spec:
 | features.cspm.customBenchmarks.configData | ConfigData corresponds to the configuration file content. |
 | features.cspm.customBenchmarks.configMap.items | Maps a ConfigMap data `key` to a file `path` mount. |
 | features.cspm.customBenchmarks.configMap.name | Is the name of the ConfigMap. |
+| features.cspm.directSendFromSystemProbe | DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent. This is an experimental feature. Contact support before using. Default: false |
 | features.cspm.enabled | Enables Cloud Security Posture Management. Default: false |
 | features.cspm.hostBenchmarks.enabled | Enables host benchmarks. Default: true |
 | features.cws.customPolicies.configData | ConfigData corresponds to the configuration file content. |
diff --git a/docs/configuration_public.md b/docs/configuration_public.md
@@ -126,6 +126,9 @@ spec:
 `features.cspm.customBenchmarks`
 : CustomBenchmarks contains CSPM benchmarks. The content of the ConfigMap will be merged with the benchmarks bundled with the agent. Any benchmarks with the same name as those existing in the agent will take precedence.
 
+`features.cspm.directSendFromSystemProbe`
+: DirectSendFromSystemProbe configures CSPM to send payloads directly from the system-probe, without using the security-agent. This is an experimental feature. Contact support before using. Default: false
+
 `features.cspm.enabled`
 : Enables Cloud Security Posture Management. Default: false
 
diff --git a/internal/controller/datadogagent/feature/cspm/feature.go b/internal/controller/datadogagent/feature/cspm/feature.go
@@ -43,10 +43,11 @@ func buildCSPMFeature(options *feature.Options) feature.Feature {
 }
 
 type cspmFeature struct {
-	enable                bool
-	serviceAccountName    string
-	checkInterval         string
-	hostBenchmarksEnabled bool
+	enable                    bool
+	serviceAccountName        string
+	checkInterval             string
+	hostBenchmarksEnabled     bool
+	directSendFromSystemProbe bool
 
 	owner  metav1.Object
 	logger logr.Logger
@@ -96,6 +97,16 @@ func (f *cspmFeature) Configure(dda metav1.Object, ddaSpec *v2alpha1.DatadogAgen
 			f.hostBenchmarksEnabled = true
 		}
 
+		f.directSendFromSystemProbe = apiutils.BoolValue(cspmConfig.DirectSendFromSystemProbe)
+
+		// Determine which container to use for CSPM on the node
+		var nodeContainer apicommon.AgentContainerName
+		if f.directSendFromSystemProbe {
+			nodeContainer = apicommon.SystemProbeContainerName
+		} else {
+			nodeContainer = apicommon.SecurityAgentContainerName
+		}
+
 		reqComp = feature.RequiredComponents{
 			ClusterAgent: feature.RequiredComponent{
 				IsRequired: apiutils.NewBoolPointer(true),
@@ -104,7 +115,7 @@ func (f *cspmFeature) Configure(dda metav1.Object, ddaSpec *v2alpha1.DatadogAgen
 			Agent: feature.RequiredComponent{
 				IsRequired: apiutils.NewBoolPointer(true),
 				Containers: []apicommon.AgentContainerName{
-					apicommon.SecurityAgentContainerName,
+					nodeContainer,
 				},
 			},
 		}
@@ -230,12 +241,18 @@ func (f *cspmFeature) ManageSingleContainerNodeAgent(managers feature.PodTemplat
 // ManageNodeAgent allows a feature to configure the Node Agent's corev1.PodTemplateSpec
 // It should do nothing if the feature doesn't need to configure it.
 func (f *cspmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provider string) error {
+	// Determine which container to use based on directSendFromSystemProbe
+	targetContainer := apicommon.SecurityAgentContainerName
+	if f.directSendFromSystemProbe {
+		targetContainer = apicommon.SystemProbeContainerName
+	}
+
 	// security context capabilities
 	capabilities := []corev1.Capability{
 		"AUDIT_CONTROL",
 		"AUDIT_READ",
 	}
-	managers.SecurityContext().AddCapabilitiesToContainer(capabilities, apicommon.SecurityAgentContainerName)
+	managers.SecurityContext().AddCapabilitiesToContainer(capabilities, targetContainer)
 
 	volMountMgr := managers.VolumeMount()
 	VolMgr := managers.Volume()
@@ -281,10 +298,10 @@ func (f *cspmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, prov
 			}
 		}
 
-		// Add empty volume to Security Agent
+		// Add empty volume to target container (Security Agent or System Probe)
 		benchmarksVol, benchmarksVolMount := volume.GetVolumesEmptyDir(securityAgentComplianceConfigDirVolumeName, securityAgentComplianceConfigDirVolumePath, true)
 		managers.Volume().AddVolume(&benchmarksVol)
-		managers.VolumeMount().AddVolumeMountToContainer(&benchmarksVolMount, apicommon.SecurityAgentContainerName)
+		managers.VolumeMount().AddVolumeMountToContainer(&benchmarksVolMount, targetContainer)
 
 		// Add compliance.d volume mount to init-volume container at different path
 		benchmarkVolMountInitVol := corev1.VolumeMount{
@@ -297,55 +314,55 @@ func (f *cspmFeature) ManageNodeAgent(managers feature.PodTemplateManagers, prov
 
 	// cgroups volume mount
 	cgroupsVol, cgroupsVolMount := volume.GetVolumes(common.CgroupsVolumeName, common.CgroupsHostPath, common.CgroupsMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&cgroupsVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&cgroupsVolMount, targetContainer)
 	VolMgr.AddVolume(&cgroupsVol)
 
 	// passwd volume mount
 	passwdVol, passwdVolMount := volume.GetVolumes(common.PasswdVolumeName, common.PasswdHostPath, common.PasswdMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&passwdVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&passwdVolMount, targetContainer)
 	VolMgr.AddVolume(&passwdVol)
 
 	// procdir volume mount
 	procdirVol, procdirVolMount := volume.GetVolumes(common.ProcdirVolumeName, common.ProcdirHostPath, common.ProcdirMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&procdirVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&procdirVolMount, targetContainer)
 	VolMgr.AddVolume(&procdirVol)
 
 	// host root volume mount
 	hostRootVol, hostRootVolMount := volume.GetVolumes(common.HostRootVolumeName, common.HostRootHostPath, common.HostRootMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&hostRootVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&hostRootVolMount, targetContainer)
 	VolMgr.AddVolume(&hostRootVol)
 
 	// group volume mount
 	groupVol, groupVolMount := volume.GetVolumes(common.GroupVolumeName, common.GroupHostPath, common.GroupMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&groupVolMount, apicommon.SecurityAgentContainerName)
+	volMountMgr.AddVolumeMountToContainer(&groupVolMount, targetContainer)
 	VolMgr.AddVolume(&groupVol)
 
 	// env vars
 	enabledEnvVar := &corev1.EnvVar{
 		Name:  DDComplianceConfigEnabled,
 		Value: "true",
 	}
-	managers.EnvVar().AddEnvVarToContainers([]apicommon.AgentContainerName{apicommon.CoreAgentContainerName, apicommon.SecurityAgentContainerName}, enabledEnvVar)
+	managers.EnvVar().AddEnvVarToContainers([]apicommon.AgentContainerName{apicommon.CoreAgentContainerName, targetContainer}, enabledEnvVar)
 
 	hostRootEnvVar := &corev1.EnvVar{
 		Name:  common.DDHostRootEnvVar,
 		Value: common.HostRootMountPath,
 	}
-	managers.EnvVar().AddEnvVarToContainer(apicommon.SecurityAgentContainerName, hostRootEnvVar)
+	managers.EnvVar().AddEnvVarToContainer(targetContainer, hostRootEnvVar)
 
 	if f.checkInterval != "" {
 		intervalEnvVar := &corev1.EnvVar{
 			Name:  DDComplianceConfigCheckInterval,
 			Value: f.checkInterval,
 		}
-		managers.EnvVar().AddEnvVarToContainer(apicommon.SecurityAgentContainerName, intervalEnvVar)
+		managers.EnvVar().AddEnvVarToContainer(targetContainer, intervalEnvVar)
 	}
 
 	hostBenchmarksEnabledEnvVar := &corev1.EnvVar{
 		Name:  DDComplianceHostBenchmarksEnabled,
 		Value: apiutils.BoolToString(&f.hostBenchmarksEnabled),
 	}
-	managers.EnvVar().AddEnvVarToContainer(apicommon.SecurityAgentContainerName, hostBenchmarksEnabledEnvVar)
+	managers.EnvVar().AddEnvVarToContainer(targetContainer, hostBenchmarksEnabledEnvVar)
 
 	return nil
 }
diff --git a/internal/controller/datadogagent/feature/cspm/feature_test.go b/internal/controller/datadogagent/feature/cspm/feature_test.go
@@ -67,6 +67,25 @@ func Test_cspmFeature_Configure(t *testing.T) {
 		ddaCSPMEnabled.Spec.Features.CSPM.HostBenchmarks = &v2alpha1.CSPMHostBenchmarksConfig{Enabled: apiutils.NewBoolPointer(true)}
 	}
 
+	ddaCSPMDirectSendEnabled := ddaCSPMDisabled.DeepCopy()
+	{
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.Enabled = apiutils.NewBoolPointer(true)
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.CustomBenchmarks = &v2alpha1.CustomConfig{
+			ConfigMap: &v2alpha1.ConfigMapConfig{
+				Name: "custom_test",
+				Items: []corev1.KeyToPath{
+					{
+						Key:  "key1",
+						Path: "some/path",
+					},
+				},
+			},
+		}
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.CheckInterval = &metav1.Duration{Duration: 20 * time.Minute}
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.HostBenchmarks = &v2alpha1.CSPMHostBenchmarksConfig{Enabled: apiutils.NewBoolPointer(true)}
+		ddaCSPMDirectSendEnabled.Spec.Features.CSPM.DirectSendFromSystemProbe = apiutils.NewBoolPointer(true)
+	}
+
 	tests := test.FeatureTestSuite{
 
 		{
@@ -79,7 +98,14 @@ func Test_cspmFeature_Configure(t *testing.T) {
 			DDA:           ddaCSPMEnabled,
 			WantConfigure: true,
 			ClusterAgent:  cspmClusterAgentWantFunc(),
-			Agent:         cspmAgentNodeWantFunc(),
+			Agent:         cspmAgentNodeWantFunc(false),
+		},
+		{
+			Name:          "CSPM enabled with directSendFromSystemProbe",
+			DDA:           ddaCSPMDirectSendEnabled,
+			WantConfigure: true,
+			ClusterAgent:  cspmClusterAgentWantFunc(),
+			Agent:         cspmAgentNodeWantFunc(true),
 		},
 	}
 
@@ -145,11 +171,17 @@ func cspmClusterAgentWantFunc() *test.ComponentTest {
 	)
 }
 
-func cspmAgentNodeWantFunc() *test.ComponentTest {
+func cspmAgentNodeWantFunc(directSendFromSystemProbe bool) *test.ComponentTest {
 	return test.NewDefaultComponentTest().WithWantFunc(
 		func(t testing.TB, mgrInterface feature.PodTemplateManagers) {
 			mgr := mgrInterface.(*fake.PodTemplateManagers)
 
+			// Determine which container to check based on directSendFromSystemProbe
+			targetContainer := apicommon.SecurityAgentContainerName
+			if directSendFromSystemProbe {
+				targetContainer = apicommon.SystemProbeContainerName
+			}
+
 			want := []*corev1.EnvVar{
 				{
 					Name:  DDComplianceConfigEnabled,
@@ -169,8 +201,8 @@ func cspmAgentNodeWantFunc() *test.ComponentTest {
 				},
 			}
 
-			securityAgentEnvVars := mgr.EnvVarMgr.EnvVarsByC[apicommon.SecurityAgentContainerName]
-			assert.True(t, apiutils.IsEqualStruct(securityAgentEnvVars, want), "Agent envvars \ndiff = %s", cmp.Diff(securityAgentEnvVars, want))
+			targetContainerEnvVars := mgr.EnvVarMgr.EnvVarsByC[targetContainer]
+			assert.True(t, apiutils.IsEqualStruct(targetContainerEnvVars, want), "Agent envvars \ndiff = %s", cmp.Diff(targetContainerEnvVars, want))
 
 			// check volume mounts
 			wantVolumeMounts := []corev1.VolumeMount{
@@ -206,8 +238,8 @@ func cspmAgentNodeWantFunc() *test.ComponentTest {
 				},
 			}
 
-			securityAgentVolumeMounts := mgr.VolumeMountMgr.VolumeMountsByC[apicommon.SecurityAgentContainerName]
-			assert.True(t, apiutils.IsEqualStruct(securityAgentVolumeMounts, wantVolumeMounts), "Security Agent volume mounts \ndiff = %s", cmp.Diff(securityAgentVolumeMounts, wantVolumeMounts))
+			targetContainerVolumeMounts := mgr.VolumeMountMgr.VolumeMountsByC[targetContainer]
+			assert.True(t, apiutils.IsEqualStruct(targetContainerVolumeMounts, wantVolumeMounts), "Target container volume mounts \ndiff = %s", cmp.Diff(targetContainerVolumeMounts, wantVolumeMounts))
 
 			// check volumes
 			wantVolumes := []corev1.Volume{
