Revert "[CWS] Add missing system-probe cws volume mount points (#2308)" (#2316)

swang392 · web-flow · commit 24f1c332ada5 · 2025-11-17T09:53:02.000+01:00
This reverts commit c956954.
diff --git a/internal/controller/datadogagent/component/agent/default.go b/internal/controller/datadogagent/component/agent/default.go
@@ -750,9 +750,6 @@ func volumeMountsForSystemProbe() []corev1.VolumeMount {
 		common.GetVolumeMountForLogs(),
 		common.GetVolumeMountForAuth(true),
 		common.GetVolumeMountForConfig(),
-		common.GetVolumeMountForDogstatsdSocket(false),
-		common.GetVolumeMountForRuntimeSocket(true),
-		common.GetVolumeMountForProc(),
 	}
 }
 
diff --git a/internal/controller/datadogagent/feature/cws/const.go b/internal/controller/datadogagent/feature/cws/const.go
@@ -13,8 +13,11 @@ const (
 	securityAgentRuntimePoliciesDirVolumeName    = "runtimepoliciesdir"
 	securityAgentRuntimePoliciesDirVolumePath    = "/etc/datadog-agent/runtime-security.d"
 
-	tracefsVolumeName = "tracefs"
-	tracefsPath       = "/sys/kernel/tracing"
+	tracefsVolumeName    = "tracefs"
+	tracefsPath          = "/sys/kernel/tracing"
+	securityfsVolumeName = "securityfs"
+	securityfsVolumePath = "/sys/kernel/security"
+	securityfsMountPath  = "/host/sys/kernel/security"
 
 	// DefaultCWSConf default CWS ConfigMap name
 	defaultCWSConf string = "cws-config"
diff --git a/internal/controller/datadogagent/feature/cws/feature.go b/internal/controller/datadogagent/feature/cws/feature.go
@@ -271,6 +271,11 @@ func (f *cwsFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provi
 	volMountMgr.AddVolumeMountToContainer(&tracefsVolMount, apicommon.SystemProbeContainerName)
 	volMgr.AddVolume(&tracefsVol)
 
+	// securityfs volume mount
+	securityfsVol, securityfsVolMount := volume.GetVolumes(securityfsVolumeName, securityfsVolumePath, securityfsMountPath, true)
+	volMountMgr.AddVolumeMountToContainer(&securityfsVolMount, apicommon.SystemProbeContainerName)
+	volMgr.AddVolume(&securityfsVol)
+
 	// socket volume mount (needs write perms for the system probe container but not the others)
 	socketVol, socketVolMount := volume.GetVolumesEmptyDir(common.SystemProbeSocketVolumeName, common.SystemProbeSocketVolumePath, false)
 	volMountMgr.AddVolumeMountToContainer(&socketVolMount, apicommon.SystemProbeContainerName)
@@ -309,16 +314,6 @@ func (f *cwsFeature) ManageNodeAgent(managers feature.PodTemplateManagers, provi
 	volMountMgr.AddVolumeMountToContainer(&osReleaseVolMount, apicommon.SystemProbeContainerName)
 	volMgr.AddVolume(&osReleaseVol)
 
-	// cgroup volume mount
-	cgroupsVol, cgroupsVolMount := volume.GetVolumes(common.CgroupsVolumeName, common.CgroupsHostPath, common.CgroupsMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&cgroupsVolMount, apicommon.SystemProbeContainerName)
-	volMgr.AddVolume(&cgroupsVol)
-
-	// host root volume mount
-	hostRootVol, hostRootVolMount := volume.GetVolumes(common.HostRootVolumeName, common.HostRootHostPath, common.HostRootMountPath, true)
-	volMountMgr.AddVolumeMountToContainer(&hostRootVolMount, apicommon.SystemProbeContainerName)
-	volMgr.AddVolume(&hostRootVol)
-
 	// Custom policies are copied and merged with default policies via a workaround in the init-volume container.
 	if f.customConfig != nil {
 		var vol corev1.Volume
diff --git a/internal/controller/datadogagent/feature/cws/feature_test.go b/internal/controller/datadogagent/feature/cws/feature_test.go
@@ -211,6 +211,11 @@ func cwsAgentNodeWantFunc(withSubFeatures bool, directSendFromSysProbe bool) *te
 					MountPath: tracefsPath,
 					ReadOnly:  false,
 				},
+				{
+					Name:      securityfsVolumeName,
+					MountPath: securityfsMountPath,
+					ReadOnly:  true,
+				},
 				{
 					Name:      common.SystemProbeSocketVolumeName,
 					MountPath: common.SystemProbeSocketVolumePath,
@@ -236,16 +241,6 @@ func cwsAgentNodeWantFunc(withSubFeatures bool, directSendFromSysProbe bool) *te
 					MountPath: common.SystemProbeOSReleaseDirMountPath,
 					ReadOnly:  true,
 				},
-				{
-					Name:      common.CgroupsVolumeName,
-					MountPath: common.CgroupsMountPath,
-					ReadOnly:  true,
-				},
-				{
-					Name:      common.HostRootVolumeName,
-					MountPath: common.HostRootMountPath,
-					ReadOnly:  true,
-				},
 				{
 					Name:      securityAgentRuntimePoliciesDirVolumeName,
 					MountPath: securityAgentRuntimePoliciesDirVolumePath,
@@ -280,6 +275,14 @@ func cwsAgentNodeWantFunc(withSubFeatures bool, directSendFromSysProbe bool) *te
 						},
 					},
 				},
+				{
+					Name: securityfsVolumeName,
+					VolumeSource: corev1.VolumeSource{
+						HostPath: &corev1.HostPathVolumeSource{
+							Path: securityfsVolumePath,
+						},
+					},
+				},
 				{
 					Name: common.SystemProbeSocketVolumeName,
 					VolumeSource: corev1.VolumeSource{
@@ -318,22 +321,6 @@ func cwsAgentNodeWantFunc(withSubFeatures bool, directSendFromSysProbe bool) *te
 						},
 					},
 				},
-				{
-					Name: common.CgroupsVolumeName,
-					VolumeSource: corev1.VolumeSource{
-						HostPath: &corev1.HostPathVolumeSource{
-							Path: common.CgroupsHostPath,
-						},
-					},
-				},
-				{
-					Name: common.HostRootVolumeName,
-					VolumeSource: corev1.VolumeSource{
-						HostPath: &corev1.HostPathVolumeSource{
-							Path: common.HostRootHostPath,
-						},
-					},
-				},
 				{
 					Name: cwsConfigVolumeName,
 					VolumeSource: corev1.VolumeSource{

Original file line number	Diff line number	Diff line change
`@@ -750,9 +750,6 @@ func volumeMountsForSystemProbe() []corev1.VolumeMount {`
`750`	`750`	`common.GetVolumeMountForLogs(),`
`751`	`751`	`common.GetVolumeMountForAuth(true),`
`752`	`752`	`common.GetVolumeMountForConfig(),`
`753`		`- common.GetVolumeMountForDogstatsdSocket(false),`
`754`		`- common.GetVolumeMountForRuntimeSocket(true),`
`755`		`- common.GetVolumeMountForProc(),`
`756`	`753`	`}`
`757`	`754`	`}`
`758`	`755`