Add host volume mounts and NET_RAW capability to PAR container (#2799) (#2828)

dd-octo-sts[bot] · matt-dz · claude · web-flow · commit 60007ef5c1c8 · 2026-03-25T14:10:03.000-04:00
* Add host volume mounts to Private Action Runner container Mount /var/log, /etc/os-release, and /proc from the host into the PAR container under /host as read-only volumes. This enables the PAR to inspect host-level logs, OS information, and process data. * Add PAR host volumes only when PAR container is required Move host-varlog and host-osrelease volumes from the base volumesForAgent list into a conditional block gated on PrivateActionRunnerContainerName, mirroring the existing SystemProbe pattern. This prevents unused HostPath volumes from being added to every Agent pod, which can cause admission failures in environments enforcing HostPath allowlists. * style: format files * Add NET_RAW capability to PAR container The Private Action Runner container needs the NET_RAW capability to perform network operations on the host. * Move PAR host volumes, mounts, and NET_RAW to feature code Volumes, mounts, and capabilities should be managed by the feature system, not hardcoded in component defaults. This moves host volume mounts (/proc, /etc/os-release, /var/log) and the NET_RAW capability from default.go into the PAR feature's ManageNodeAgent(), following the same pattern used by logcollection, npm, and other features. * Add generic HostOSRelease aliases for os-release volume constants The SystemProbeOSReleaseDirVolumeName constants are semantically tied to system-probe despite being general-purpose. Add generic aliases (HostOSReleaseVolumeName, HostOSReleaseHostPath, HostOSReleaseMountPath) and use them in PAR feature code and volume helpers so that privateactionrunner does not reference system-probe constants. * Use standalone values for HostOSRelease constants Define HostOSRelease constants with their own literal values instead of aliasing the SystemProbe variants. * Move host volume constants to PAR package, remove unused common helpers Host volume constants (varlog, os-release, proc) are only used by the PAR feature, so they belong in the PAR package as unexported constants. Remove the now-unused GetVolumeForHostVarLog, GetVolumeMountForHostVarLog, GetVolumeForOSRelease, GetVolumeMountForOSRelease helpers and their corresponding exported constants from common. * revert const.go * Reuse existing common constants for procdir and os-release volumes The procdir and os-release volume constants already exist in common/const.go. Remove the duplicates from PAR's const.go and reference the common ones directly. * Add host volumes individually instead of loop Replace loop-based volume addition with individual volume.GetVolumes() calls per volume, matching the pattern used by npm and other features for better readability. --------- (cherry picked from commit 8c060c4) Co-authored-by: Matthew DeGuzman <91019033+matt-dz@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Timothée Bavelier <97530782+tbavelier@users.noreply.github.com> Co-authored-by: levan-m <116471169+levan-m@users.noreply.github.com>
diff --git a/internal/controller/datadogagent/feature/privateactionrunner/const.go b/internal/controller/datadogagent/feature/privateactionrunner/const.go
@@ -11,4 +11,8 @@ const (
 	privateActionRunnerVolumeNameSuffix = "privateactionrunner-config"
 	privateActionRunnerFileName         = "privateactionrunner.yaml"
 	privateActionRunnerSuffix           = "private-action-runner"
+
+	hostVarLogVolumeName = "host-varlog"
+	hostVarLogHostPath   = "/var/log"
+	hostVarLogMountPath  = "/host/var/log"
 )
diff --git a/internal/controller/datadogagent/feature/privateactionrunner/feature.go b/internal/controller/datadogagent/feature/privateactionrunner/feature.go
@@ -15,6 +15,7 @@ import (
 	apicommon "github.com/DataDog/datadog-operator/api/datadoghq/common"
 	"github.com/DataDog/datadog-operator/api/datadoghq/v2alpha1"
 	apiutils "github.com/DataDog/datadog-operator/api/utils"
+	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/common"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
 	featureutils "github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature/utils"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/object"
@@ -293,6 +294,27 @@ func (f *privateActionRunnerFeature) ManageNodeAgent(managers feature.PodTemplat
 	}
 	managers.Annotation().AddAnnotation(checksumKey, checksumValue)
 
+	// procdir volume mount
+	procdirVol, procdirVolMount := volume.GetVolumes(common.ProcdirVolumeName, common.ProcdirHostPath, common.ProcdirMountPath, true)
+	managers.Volume().AddVolume(&procdirVol)
+	managers.VolumeMount().AddVolumeMountToContainer(&procdirVolMount, apicommon.PrivateActionRunnerContainerName)
+
+	// os-release volume mount
+	osReleaseVol, osReleaseVolMount := volume.GetVolumes(common.SystemProbeOSReleaseDirVolumeName, common.SystemProbeOSReleaseDirVolumePath, common.SystemProbeOSReleaseDirMountPath, true)
+	managers.Volume().AddVolume(&osReleaseVol)
+	managers.VolumeMount().AddVolumeMountToContainer(&osReleaseVolMount, apicommon.PrivateActionRunnerContainerName)
+
+	// host var log volume mount
+	varLogVol, varLogVolMount := volume.GetVolumes(hostVarLogVolumeName, hostVarLogHostPath, hostVarLogMountPath, true)
+	managers.Volume().AddVolume(&varLogVol)
+	managers.VolumeMount().AddVolumeMountToContainer(&varLogVolMount, apicommon.PrivateActionRunnerContainerName)
+
+	// Add NET_RAW capability for network operations
+	managers.SecurityContext().AddCapabilitiesToContainer(
+		[]corev1.Capability{"NET_RAW"},
+		apicommon.PrivateActionRunnerContainerName,
+	)
+
 	return nil
 }
 
diff --git a/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go b/internal/controller/datadogagent/feature/privateactionrunner/feature_test.go
@@ -16,6 +16,7 @@ import (
 
 	apicommon "github.com/DataDog/datadog-operator/api/datadoghq/common"
 	"github.com/DataDog/datadog-operator/api/datadoghq/v2alpha1"
+	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/common"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature/fake"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/object"
@@ -105,23 +106,49 @@ func Test_privateActionRunnerFeature_ManageNodeAgent(t *testing.T) {
 	err := f.ManageNodeAgent(managers, "")
 	assert.NoError(t, err)
 
-	// Verify volume is mounted
+	// Verify volumes (1 configmap + 3 host volumes)
 	volumes := managers.VolumeMgr.Volumes
-	assert.Len(t, volumes, 1, "Should have exactly one volume")
-	vol := volumes[0]
-	assert.Equal(t, "test-dda-privateactionrunner-config", vol.Name, "Volume name should match")
-	assert.NotNil(t, vol.VolumeSource.ConfigMap, "Volume should be a ConfigMap volume")
-	assert.Equal(t, "test-dda-privateactionrunner", vol.VolumeSource.ConfigMap.Name, "ConfigMap name should match")
+	assert.Len(t, volumes, 4)
+	assert.Equal(t, "test-dda-privateactionrunner-config", volumes[0].Name, "Volume name should match")
+	assert.NotNil(t, volumes[0].VolumeSource.ConfigMap, "Volume should be a ConfigMap volume")
+	assert.Equal(t, "test-dda-privateactionrunner", volumes[0].VolumeSource.ConfigMap.Name, "ConfigMap name should match")
+
+	volumeNames := make(map[string]bool)
+	for _, v := range volumes {
+		volumeNames[v.Name] = true
+	}
+	assert.True(t, volumeNames[common.ProcdirVolumeName])
+	assert.True(t, volumeNames[common.SystemProbeOSReleaseDirVolumeName])
+	assert.True(t, volumeNames[hostVarLogVolumeName])
 
-	// Verify volume mount
+	// Verify volume mounts (1 configmap + 3 host mounts)
 	volumeMounts := managers.VolumeMountMgr.VolumeMountsByC[apicommon.PrivateActionRunnerContainerName]
-	assert.Len(t, volumeMounts, 1, "Should have exactly one volume mount")
+	assert.Len(t, volumeMounts, 4)
 	mount := volumeMounts[0]
 	assert.Equal(t, "test-dda-privateactionrunner-config", mount.Name, "Mount name should match")
 	assert.Equal(t, "/etc/datadog-agent/privateactionrunner.yaml", mount.MountPath, "Mount path should be the hardcoded path")
 	assert.Equal(t, "privateactionrunner.yaml", mount.SubPath, "SubPath should mount the file directly")
 	assert.True(t, mount.ReadOnly, "Mount should be read-only")
 
+	mountNames := make(map[string]bool)
+	for _, m := range volumeMounts {
+		mountNames[m.Name] = true
+	}
+	assert.True(t, mountNames[common.ProcdirVolumeName])
+	assert.True(t, mountNames[common.SystemProbeOSReleaseDirVolumeName])
+	assert.True(t, mountNames[hostVarLogVolumeName])
+
+	// Verify host mounts are read-only
+	for _, m := range volumeMounts {
+		if m.Name == common.ProcdirVolumeName || m.Name == common.SystemProbeOSReleaseDirVolumeName || m.Name == hostVarLogVolumeName {
+			assert.True(t, m.ReadOnly, "mount %s should be read-only", m.Name)
+		}
+	}
+
+	// Verify NET_RAW capability
+	capabilities := managers.SecurityContextMgr.CapabilitiesByC[apicommon.PrivateActionRunnerContainerName]
+	assert.Contains(t, capabilities, corev1.Capability("NET_RAW"))
+
 	// Verify hash
 	assert.NotEmpty(t, managers.AnnotationMgr.Annotations)
 	assert.NotEmpty(t, managers.AnnotationMgr.Annotations["checksum/private_action_runner-custom-config"])

Original file line number	Diff line number	Diff line change
`@@ -11,4 +11,8 @@ const (`
`11`	`11`	`privateActionRunnerVolumeNameSuffix = "privateactionrunner-config"`
`12`	`12`	`privateActionRunnerFileName = "privateactionrunner.yaml"`
`13`	`13`	`privateActionRunnerSuffix = "private-action-runner"`
	`14`	`+`
	`15`	`+ hostVarLogVolumeName = "host-varlog"`
	`16`	`+ hostVarLogHostPath = "/var/log"`
	`17`	`+ hostVarLogMountPath = "/host/var/log"`
`14`	`18`	`)`