Reapply "Add PodResources mount (#1696)" (#1714)

* Reapply "Add PodResources mount" (#1708)

This reverts commit 645031f.

* Mount only for non-windows, non-gke

* Fix for GDC and autopilot

* Fix setting

* Update baselines

* Update baselines

Author: gjulianm

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.102.0
+
+* Add a mount for the Kubernetes PodResources socket.
+
 ## 3.101.1
 
 * Add the `NVIDIA_VISIBLE_DEVICES` environment variable to the containers when GPU monitoring is enabled: if the NVIDIA k8s device plugin does not support volume mounts for requesting devices (controlled by the `accept-nvidia-visible-devices-as-volume-mount` setting) we need to request devices via the environment variable.

charts/datadog/Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: datadog
-version: 3.101.1
+version: 3.102.0
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.101.1](https://img.shields.io/badge/Version-3.101.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.102.0](https://img.shields.io/badge/Version-3.102.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 
@@ -778,6 +778,7 @@ helm install <RELEASE_NAME> \
 | datadog.kubelet.host | object | `{"valueFrom":{"fieldRef":{"fieldPath":"status.hostIP"}}}` | Override kubelet IP |
 | datadog.kubelet.hostCAPath | string | None (no mount from host) | Path (on host) where the Kubelet CA certificate is stored |
 | datadog.kubelet.podLogsPath | string | /var/log/pods on Linux, C:\var\log\pods on Windows | Path (on host) where the PODs logs are located |
+| datadog.kubelet.podResourcesSocketDir | string | /var/lib/kubelet/pod-resources | Path (on host) where the kubelet.sock socket for the PodResources API is located |
 | datadog.kubelet.tlsVerify | string | true | Toggle kubelet TLS verification |
 | datadog.kubernetesEvents.collectedEventTypes | list | `[{"kind":"Pod","reasons":["Failed","BackOff","Unhealthy","FailedScheduling","FailedMount","FailedAttachVolume"]},{"kind":"Node","reasons":["TerminatingEvictedPod","NodeNotReady","Rebooted","HostPortConflict"]},{"kind":"CronJob","reasons":["SawCompletedJob"]}]` | Event types to be collected. This requires datadog.kubernetesEvents.unbundleEvents to be set to true. |
 | datadog.kubernetesEvents.filteringEnabled | bool | `false` | Enable this to only include events that match the pre-defined allowed events. (Requires Cluster Agent 7.57.0+). |

charts/datadog/templates/_container-agent.yaml

@@ -205,6 +205,10 @@
     - name: DD_OTELCOLLECTOR_ENABLED
       value: "true"
     {{- end }}
+    {{- if and (not .Values.providers.gke.gdc) (not .Values.providers.gke.autopilot) }}
+    - name: DD_KUBERNETES_KUBELET_PODRESOURCES_SOCKET
+      value: {{ printf "%s/kubelet.sock" .Values.datadog.kubelet.podResourcesSocketDir | quote }}
+    {{- end }}
     {{- if .Values.datadog.gpuMonitoring.enabled }}
     # depending on the NVIDIA container toolkit configuration, we might need to request visible devices via this env var or via the /var/run/nvidia-container-devices/all volume mount
     - name: NVIDIA_VISIBLE_DEVICES
@@ -246,6 +250,11 @@
       readOnly: true
     {{- end }}
     {{- if eq .Values.targetSystem "linux" }}
+    {{- if and (not .Values.providers.gke.gdc) (not .Values.providers.gke.autopilot) }}
+    - name: pod-resources-socket
+      mountPath: {{ .Values.datadog.kubelet.podResourcesSocketDir }}
+      readOnly: false
+    {{- end }}
     {{- if not .Values.providers.gke.gdc }}
     - name: dsdsocket
       mountPath: {{ (dir .Values.datadog.dogstatsd.socketPath) }}

charts/datadog/templates/_daemonset-volumes-linux.yaml

@@ -10,6 +10,11 @@
   configMap:
     name: {{ include "agents.confd-configmap-name" . }}
 {{- end }}
+{{- if and (not .Values.providers.gke.gdc) (not .Values.providers.gke.autopilot) }}
+- name: pod-resources-socket
+  hostPath:
+    path: {{ .Values.datadog.kubelet.podResourcesSocketDir }}
+{{- end }}
 {{- if not .Values.providers.gke.gdc }}
 - hostPath:
     path: /proc

charts/datadog/values.yaml

@@ -313,6 +313,10 @@ datadog:
     # datadog.kubelet.coreCheckEnabled -- Toggle if kubelet core check should be used instead of Python check. (Requires Agent/Cluster Agent 7.53.0+)
     # @default -- true
     coreCheckEnabled: true
+    # datadog.kubelet.podResourcesSocketDir -- Path (on host) where the kubelet.sock socket for the PodResources API is located
+    # @default -- /var/lib/kubelet/pod-resources
+    podResourcesSocketDir: /var/lib/kubelet/pod-resources
+
 
   # datadog.expvarPort -- Specify the port to expose pprof and expvar to not interfere with the agent metrics port from the cluster-agent, which defaults to 5000
   expvarPort: 6000

test/datadog/baseline/daemonset_default.yaml

@@ -111,6 +111,8 @@ spec:
               value: "true"
             - name: DD_KUBELET_CORE_CHECK_ENABLED
               value: "true"
+            - name: DD_KUBERNETES_KUBELET_PODRESOURCES_SOCKET
+              value: /var/lib/kubelet/pod-resources/kubelet.sock
           image: gcr.io/datadoghq/agent:7.63.2
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -173,6 +175,9 @@ spec:
               mountPropagation: None
               name: runtimesocketdir
               readOnly: true
+            - mountPath: /var/lib/kubelet/pod-resources
+              name: pod-resources-socket
+              readOnly: false
             - mountPath: /var/run/datadog
               name: dsdsocket
               readOnly: false
@@ -371,6 +376,9 @@ spec:
           name: tmpdir
         - emptyDir: {}
           name: s6-run
+        - hostPath:
+            path: /var/lib/kubelet/pod-resources
+          name: pod-resources-socket
         - hostPath:
             path: /proc
           name: procdir

test/datadog/baseline/manifests/agent-clusterchecks-deployment_default.yaml

@@ -851,6 +851,8 @@ spec:
               value: "true"
             - name: DD_KUBELET_CORE_CHECK_ENABLED
               value: "true"
+            - name: DD_KUBERNETES_KUBELET_PODRESOURCES_SOCKET
+              value: /var/lib/kubelet/pod-resources/kubelet.sock
           image: gcr.io/datadoghq/agent:7.63.2
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -913,6 +915,9 @@ spec:
               mountPropagation: None
               name: runtimesocketdir
               readOnly: true
+            - mountPath: /var/lib/kubelet/pod-resources
+              name: pod-resources-socket
+              readOnly: false
             - mountPath: /var/run/datadog
               name: dsdsocket
               readOnly: false
@@ -1111,6 +1116,9 @@ spec:
           name: tmpdir
         - emptyDir: {}
           name: s6-run
+        - hostPath:
+            path: /var/lib/kubelet/pod-resources
+          name: pod-resources-socket
         - hostPath:
             path: /proc
           name: procdir

test/datadog/baseline/manifests/daemonset_default.yaml

@@ -816,6 +816,8 @@ spec:
               value: "true"
             - name: DD_KUBELET_CORE_CHECK_ENABLED
               value: "true"
+            - name: DD_KUBERNETES_KUBELET_PODRESOURCES_SOCKET
+              value: /var/lib/kubelet/pod-resources/kubelet.sock
           image: gcr.io/datadoghq/agent:7.63.2
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -878,6 +880,9 @@ spec:
               mountPropagation: None
               name: runtimesocketdir
               readOnly: true
+            - mountPath: /var/lib/kubelet/pod-resources
+              name: pod-resources-socket
+              readOnly: false
             - mountPath: /var/run/datadog
               name: dsdsocket
               readOnly: false
@@ -1076,6 +1081,9 @@ spec:
           name: tmpdir
         - emptyDir: {}
           name: s6-run
+        - hostPath:
+            path: /var/lib/kubelet/pod-resources
+          name: pod-resources-socket
         - hostPath:
             path: /proc
           name: procdir

test/datadog/baseline/manifests/default_all.yaml

@@ -816,6 +816,8 @@ spec:
               value: "true"
             - name: DD_KUBELET_CORE_CHECK_ENABLED
               value: "true"
+            - name: DD_KUBERNETES_KUBELET_PODRESOURCES_SOCKET
+              value: /var/lib/kubelet/pod-resources/kubelet.sock
           image: gcr.io/datadoghq/agent:7.63.2
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -878,6 +880,9 @@ spec:
               mountPropagation: None
               name: runtimesocketdir
               readOnly: true
+            - mountPath: /var/lib/kubelet/pod-resources
+              name: pod-resources-socket
+              readOnly: false
             - mountPath: /var/run/datadog
               name: dsdsocket
               readOnly: false
@@ -1076,6 +1081,9 @@ spec:
           name: tmpdir
         - emptyDir: {}
           name: s6-run
+        - hostPath:
+            path: /var/lib/kubelet/pod-resources
+          name: pod-resources-socket
         - hostPath:
             path: /proc
           name: procdir

test/datadog/baseline/manifests/other_default.yaml

@@ -816,6 +816,8 @@ spec:
               value: "true"
             - name: DD_KUBELET_CORE_CHECK_ENABLED
               value: "true"
+            - name: DD_KUBERNETES_KUBELET_PODRESOURCES_SOCKET
+              value: /var/lib/kubelet/pod-resources/kubelet.sock
           image: gcr.io/datadoghq/agent:7.63.2
           imagePullPolicy: IfNotPresent
           livenessProbe:
@@ -878,6 +880,9 @@ spec:
               mountPropagation: None
               name: runtimesocketdir
               readOnly: true
+            - mountPath: /var/lib/kubelet/pod-resources
+              name: pod-resources-socket
+              readOnly: false
             - mountPath: /var/run/datadog
               name: dsdsocket
               readOnly: false
@@ -1076,6 +1081,9 @@ spec:
           name: tmpdir
         - emptyDir: {}
           name: s6-run
+        - hostPath:
+            path: /var/lib/kubelet/pod-resources
+          name: pod-resources-socket
         - hostPath:
             path: /proc
           name: procdir