Support runtimeClassName override (including in DAP) (#1546)

* implement runtimeclassname override

* implement runtimeclassname in dap

* doc review

api/datadoghq/v1alpha1/datadogagentprofile_types.go

@@ -54,6 +54,12 @@ type Override struct {
 	// +optional
 	PriorityClassName *string `json:"priorityClassName,omitempty"`
 
+	// If specified, indicates the pod's RuntimeClass kubelet should use to run the pod.
+	// If the named RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod enters the Failed terminal phase.
+	// If no runtimeClassName is specified, the default RuntimeHandler is used, which is equivalent to the behavior when the RuntimeClass feature is disabled.
+	// +optional
+	RuntimeClassName *string `json:"runtimeClassName,omitempty"`
+
 	// The deployment strategy to use to replace existing pods with new ones.
 	// Valid types are `RollingUpdate` or `OnDelete` for DaemonSets
 	// +optional

api/datadoghq/v2alpha1/datadogagent_types.go

@@ -1539,6 +1539,12 @@ type DatadogAgentComponentOverride struct {
 	// the pod priority is default, or zero if there is no default.
 	PriorityClassName *string `json:"priorityClassName,omitempty"`
 
+	// If specified, indicates the pod's RuntimeClass kubelet should use to run the pod.
+	// If the named RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod enters the Failed terminal phase.
+	// If no runtimeClassName is specified, the default RuntimeHandler is used, which is equivalent to the behavior when the RuntimeClass feature is disabled.
+	// +optional
+	RuntimeClassName *string `json:"runtimeClassName,omitempty"`
+
 	// If specified, the pod's scheduling constraints.
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`

config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml

@@ -254,6 +254,12 @@ spec:
                               If not specified, the pod priority will be default or zero if there is no
                               default.
                             type: string
+                          runtimeClassName:
+                            description: |-
+                              If specified, indicates the pod's RuntimeClass kubelet should use to run the pod.
+                              If the named RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod enters the Failed terminal phase.
+                              If no runtimeClassName is specified, the default RuntimeHandler is used, which is equivalent to the behavior when the RuntimeClass feature is disabled.
+                            type: string
                           updateStrategy:
                             description: |-
                               The deployment strategy to use to replace existing pods with new ones.

config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json

@@ -242,6 +242,10 @@
                     "description": "If specified, indicates the pod's priority. \"system-node-critical\" and\n\"system-cluster-critical\" are two special keywords which indicate the\nhighest priorities with the former being the highest priority. Any other\nname must be defined by creating a PriorityClass object with that name.\nIf not specified, the pod priority will be default or zero if there is no\ndefault.",
                     "type": "string"
                   },
+                  "runtimeClassName": {
+                    "description": "If specified, indicates the pod's RuntimeClass kubelet should use to run the pod.\nIf the named RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod enters the Failed terminal phase.\nIf no runtimeClassName is specified, the default RuntimeHandler is used, which is equivalent to the behavior when the RuntimeClass feature is disabled.",
+                    "type": "string"
+                  },
                   "updateStrategy": {
                     "additionalProperties": false,
                     "description": "The deployment strategy to use to replace existing pods with new ones.\nValid types are `RollingUpdate` or `OnDelete` for DaemonSets",

config/crd/bases/v1/datadoghq.com_datadogagents.yaml

@@ -4572,6 +4572,12 @@ spec:
                           Not applicable for a DaemonSet/ExtendedDaemonSet deployment
                         format: int32
                         type: integer
+                      runtimeClassName:
+                        description: |-
+                          If specified, indicates the pod's RuntimeClass kubelet should use to run the pod.
+                          If the named RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod enters the Failed terminal phase.
+                          If no runtimeClassName is specified, the default RuntimeHandler is used, which is equivalent to the behavior when the RuntimeClass feature is disabled.
+                        type: string
                       securityContext:
                         description: Pod-level SecurityContext.
                         properties:

config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json

@@ -4639,6 +4639,10 @@
                 "format": "int32",
                 "type": "integer"
               },
+              "runtimeClassName": {
+                "description": "If specified, indicates the pod's RuntimeClass kubelet should use to run the pod.\nIf the named RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod enters the Failed terminal phase.\nIf no runtimeClassName is specified, the default RuntimeHandler is used, which is equivalent to the behavior when the RuntimeClass feature is disabled.",
+                "type": "string"
+              },
               "securityContext": {
                 "additionalProperties": false,
                 "description": "Pod-level SecurityContext.",

docs/configuration.v2alpha1.md

@@ -396,6 +396,7 @@ In the table, `spec.override.nodeAgent.image.name` and `spec.override.nodeAgent.
 | [key].nodeSelector `map[string]string` | A map of key-value pairs. For this pod to run on a specific node, the node must have these key-value pairs as labels. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | [key].priorityClassName | If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority is default, or zero if there is no default. |
 | [key].replicas | Number of the replicas. Not applicable for a DaemonSet/ExtendedDaemonSet deployment |
+| [key].runtimeClassName | If specified, indicates the pod's RuntimeClass kubelet should use to run the pod. If the named RuntimeClass does not exist, or the CRI cannot run the corresponding handler, the pod enters the Failed terminal phase. If no runtimeClassName is specified, the default RuntimeHandler is used, which is equivalent to the behavior when the RuntimeClass feature is disabled. |
 | [key].securityContext.appArmorProfile.localhostProfile | localhostProfile indicates a profile loaded on the node that should be used. The profile must be preconfigured on the node to work. Must match the loaded name of the profile. Must be set if and only if type is "Localhost". |
 | [key].securityContext.appArmorProfile.type | type indicates which kind of AppArmor profile will be applied. Valid options are:   Localhost - a profile pre-loaded on the node.   RuntimeDefault - the container runtime's default profile.   Unconfined - no AppArmor enforcement. |
 | [key].securityContext.fsGroup | A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:  1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----  If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. |

docs/datadog_agent_profiles.md

@@ -67,3 +67,4 @@ DAP is disabled by default. To enable DAP using the [datadog-operator helm chart
 | override.[nodeAgent].containers.[\*].env | v1.8.0 |
 | override.[nodeAgent].labels | v1.8.0 |
 | override.[nodeAgent].updateStrategy | v1.9.0 |
+| override.[nodeAgent].runtimeClassName | v1.12.0 |

internal/controller/datadogagent/override/podtemplatespec.go

@@ -140,6 +140,10 @@ func PodTemplateSpec(logger logr.Logger, manager feature.PodTemplateManagers, ov
 		manager.PodTemplateSpec().Spec.PriorityClassName = *override.PriorityClassName
 	}
 
+	if override.RuntimeClassName != nil {
+		manager.PodTemplateSpec().Spec.RuntimeClassName = override.RuntimeClassName
+	}
+
 	if override.Affinity != nil {
 		manager.PodTemplateSpec().Spec.Affinity = mergeAffinities(manager.PodTemplateSpec().Spec.Affinity, override.Affinity)
 	}

internal/controller/datadogagent/override/podtemplatespec_test.go

@@ -678,6 +678,20 @@ func TestPodTemplateSpec(t *testing.T) {
 				assert.Equal(t, "new-name", manager.PodTemplateSpec().Spec.PriorityClassName)
 			},
 		},
+		{
+			name: "override runtime class name",
+			existingManager: func() *fake.PodTemplateManagers {
+				manager := fake.NewPodTemplateManagers(t, v1.PodTemplateSpec{})
+				manager.PodTemplateSpec().Spec.RuntimeClassName = apiutils.NewStringPointer("old-name")
+				return manager
+			},
+			override: v2alpha1.DatadogAgentComponentOverride{
+				RuntimeClassName: apiutils.NewStringPointer("new-name"),
+			},
+			validateManager: func(t *testing.T, manager *fake.PodTemplateManagers) {
+				assert.Equal(t, "new-name", *manager.PodTemplateSpec().Spec.RuntimeClassName)
+			},
+		},
 		{
 			name: "override affinity",
 			existingManager: func() *fake.PodTemplateManagers {

pkg/agentprofile/agent_profile.go

@@ -183,6 +183,7 @@ func OverrideFromProfile(profile *v1alpha1.DatadogAgentProfile) v2alpha1.Datadog
 		if nodeAgentOverride, ok := profile.Spec.Config.Override[v1alpha1.NodeAgentComponentName]; ok {
 			profileComponentOverride.Containers = containersOverride(nodeAgentOverride)
 			profileComponentOverride.PriorityClassName = nodeAgentOverride.PriorityClassName
+			profileComponentOverride.RuntimeClassName = nodeAgentOverride.RuntimeClassName
 			profileComponentOverride.UpdateStrategy = nodeAgentOverride.UpdateStrategy
 		}
 	}

pkg/agentprofile/agent_profile_test.go

@@ -350,6 +350,7 @@ func TestOverrideFromProfile(t *testing.T) {
 					},
 				},
 				PriorityClassName: apiutils.NewStringPointer("foo"),
+				RuntimeClassName:  apiutils.NewStringPointer("bar"),
 				UpdateStrategy: &apicommon.UpdateStrategy{
 					Type: "RollingUpdate",
 					RollingUpdate: &apicommon.RollingUpdate{
@@ -718,6 +719,7 @@ func configWithAllOverrides(cpuRequest string) *v1alpha1.Config {
 		Override: map[v1alpha1.ComponentName]*v1alpha1.Override{
 			v1alpha1.NodeAgentComponentName: {
 				PriorityClassName: apiutils.NewStringPointer("foo"),
+				RuntimeClassName:  apiutils.NewStringPointer("bar"),
 				UpdateStrategy: &apicommon.UpdateStrategy{
 					Type: "RollingUpdate",
 					RollingUpdate: &apicommon.RollingUpdate{