[EBPF-998] gpum: fix system-probe mounts (#2248)

Fix mounts

Update baselines

docs

Merge branch 'main' into guillermo.julian/fix-gpum-mounts

Co-authored-by: guillermo.julian <[email protected]>

Author: gjulianm

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.156.3
+
+* Fix mounts of `/host/run/systemd` and pod-resources socket in system-probe container when GPU monitoring.
+
 ## 3.156.2
 
 * Add `ftruncate` and `ftruncate64` syscalls to system-probe seccomp profile when GPU monitoring is enabled and `datadog.gpuMonitoring.configureCgroupPerms` is set to `true`.

charts/datadog/Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: datadog
-version: 3.156.2
+version: 3.156.3
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.156.2](https://img.shields.io/badge/Version-3.156.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.156.3](https://img.shields.io/badge/Version-3.156.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 

charts/datadog/templates/_container-agent.yaml

@@ -311,11 +311,6 @@
       readOnly: false
     - name: gpu-devices
       mountPath: /var/run/nvidia-container-devices/all
-    {{- if .Values.datadog.gpuMonitoring.configureCgroupPerms }}
-    - name: hostrun
-      mountPath: /host/run
-      readOnly: false
-    {{- end }}
     {{- end }}
     {{- if not .Values.providers.gke.gdc }}
     - name: dsdsocket

charts/datadog/templates/_container-system-probe.yaml

@@ -120,8 +120,16 @@
       readOnly: true
 {{- end }}
 {{- if and .Values.datadog.gpuMonitoring.enabled .Values.datadog.gpuMonitoring.privilegedMode }}
+    - name: pod-resources-socket
+      mountPath: {{ .Values.datadog.kubelet.podResourcesSocketDir }}
+      readOnly: false
     - name: gpu-devices
       mountPath: /var/run/nvidia-container-devices/all
+{{- if .Values.datadog.gpuMonitoring.configureCgroupPerms }}
+    - name: host-systemd-transient
+      mountPath: /host/root/run/systemd/transient
+      readOnly: false
+{{- end }}
 {{- end }}
 {{- if and (eq (include "runtime-compilation-enabled" .) "true") .Values.datadog.systemProbe.enableDefaultKernelHeadersPaths }}
     - name: modules

charts/datadog/templates/_daemonset-volumes-linux.yaml

@@ -15,9 +15,9 @@
   hostPath:
     path: {{ .Values.datadog.kubelet.podResourcesSocketDir }}
 {{- if .Values.datadog.gpuMonitoring.configureCgroupPerms }}
-- name: hostrun
+- name: host-systemd-transient
   hostPath:
-    path: /run
+    path: /run/systemd/transient
 {{- end }}
 {{- end }}
 {{- if not .Values.providers.gke.gdc }}

test/datadog/baseline/manifests/gpu_monitoring.yaml

@@ -1266,9 +1266,6 @@ spec:
               readOnly: false
             - mountPath: /var/run/nvidia-container-devices/all
               name: gpu-devices
-            - mountPath: /host/run
-              name: hostrun
-              readOnly: false
             - mountPath: /var/run/datadog
               name: dsdsocket
               readOnly: false
@@ -1508,8 +1505,14 @@ spec:
               mountPropagation: None
               name: hostroot
               readOnly: true
+            - mountPath: /var/lib/kubelet/pod-resources
+              name: pod-resources-socket
+              readOnly: false
             - mountPath: /var/run/nvidia-container-devices/all
               name: gpu-devices
+            - mountPath: /host/root/run/systemd/transient
+              name: host-systemd-transient
+              readOnly: false
       hostPID: true
       initContainers:
         - args:
@@ -1620,8 +1623,8 @@ spec:
             path: /var/lib/kubelet/pod-resources
           name: pod-resources-socket
         - hostPath:
-            path: /run
-          name: hostrun
+            path: /run/systemd/transient
+          name: host-systemd-transient
         - hostPath:
             path: /proc
           name: procdir