Only mount host package manager directories

DataDog · Dec 15, 2023 · 4034171 · 4034171
1 parent cf82ebf
commit 4034171
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 8 deletions.
diff --git a/charts/datadog/templates/_container-agent.yaml b/charts/datadog/templates/_container-agent.yaml
@@ -175,7 +175,7 @@
     - name: DD_SBOM_HOST_ENABLED
       value: "true"
     - name: HOST_ROOT
-      value: /host/root
+      value: /host
     {{- end }}
     {{- end }}
     {{- include "additional-env-entries" .Values.agents.containers.agent.env | indent 4 }}
@@ -255,8 +255,14 @@
     {{- end }}
     {{- end }}
     {{- if .Values.datadog.sbom.host.enabled }}
-    - name: hostroot
-      mountPath: /host/root
+    - name: host-apk-dir
+      mountPath: /host/var/lib/apk
+      readOnly: true
+    - name: host-dpkg-dir
+      mountPath: /host/var/lib/dpkg
+      readOnly: true
+    - name: host-rpm-dir
+      mountPath: /host/var/lib/rpm
       readOnly: true
     {{- end }}
     {{- end }}

diff --git a/charts/datadog/templates/_daemonset-volumes-linux.yaml b/charts/datadog/templates/_daemonset-volumes-linux.yaml
@@ -9,13 +9,12 @@
 - hostPath:
     path: /sys/fs/cgroup
   name: cgroups
-{{- if and (not .Values.providers.gke.autopilot) (or .Values.datadog.systemProbe.osReleasePath .Values.datadog.osReleasePath) }}
+{{- if and (not .Values.providers.gke.autopilot) (or .Values.datadog.systemProbe.osReleasePath .Values.datadog.osReleasePath .Values.datadog.sbom.host.enabled) }}
 - hostPath:
     path: {{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }}
   name: os-release-file
 {{- end }}
-{{- if eq (include "should-enable-system-probe" .) "true" }}
-{{- if .Values.datadog.systemProbe.enableDefaultOsReleasePaths }}
+{{- if or (and (eq (include "should-enable-system-probe" .) "true") .Values.datadog.systemProbe.enableDefaultOsReleasePaths) .Values.datadog.sbom.host.enabled }}
 - hostPath:
     path: /etc/redhat-release
   name: etc-redhat-release
@@ -25,7 +24,6 @@
 - hostPath:
     path: /etc/lsb-release
   name: etc-lsb-release
-{{- end }}
 {{- end -}}
 {{- if eq (include "should-enable-fips" . ) "true" }}
 {{ include "linux-container-fips-proxy-cfg-volume" . }}
@@ -141,11 +139,22 @@
     path: /etc/passwd
   name: passwd
 {{- end }}
-{{- if or (and (eq (include "should-enable-system-probe" .) "true") .Values.datadog.serviceMonitoring.enabled) (and (eq (include "should-enable-security-agent" .) "true") .Values.datadog.securityAgent.compliance.enabled) .Values.datadog.sbom.host.enabled }}
+{{- if or (and (eq (include "should-enable-system-probe" .) "true") .Values.datadog.serviceMonitoring.enabled) (and (eq (include "should-enable-security-agent" .) "true") .Values.datadog.securityAgent.compliance.enabled) }}
 - hostPath:
     path: /
   name: hostroot
 {{- end }}
+{{- if .Values.datadog.sbom.host.enabled }}
+- hostPath:
+    path: /var/lib/apk
+  name: host-apk-dir
+- hostPath:
+    path: /var/lib/dpkg
+  name: host-dpkg-dir
+- hostPath:
+    path: /var/lib/rpm
+  name: host-rpm-dir
+{{- end }}
 {{- if eq  (include "should-enable-security-agent" .) "true" }}
 {{- if .Values.datadog.securityAgent.compliance.enabled }}
 - hostPath: