From 3579c3068dcc6cb93d4ff4e354392a2c68bac834 Mon Sep 17 00:00:00 2001
From: Sylvain Baubeau
Date: Thu, 26 Mar 2026 14:36:43 +0100
Subject: [PATCH 1/2] Only add the AppArmor annotation if the container actually exists in the pod spec
---
.../datadogagent/override/container.go | 27 ++++++++++++++-----
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/internal/controller/datadogagent/override/container.go b/internal/controller/datadogagent/override/container.go
index 714ac604d..5b8c8bed0 100644
--- a/internal/controller/datadogagent/override/container.go
+++ b/internal/controller/datadogagent/override/container.go
@@ -44,9 +44,6 @@ func Container(containerName apicommon.AgentContainerName, manager feature.PodTe
 addEnvsToInitContainer(containerName, manager, override.Env)
 addVolMountsToInitContainer(containerName, manager, override.VolumeMounts)
 
- overrideSeccompProfile(containerName, manager, override)
- overrideAppArmorProfile(containerName, manager, override)
-
 for i, container := range manager.PodTemplateSpec().Spec.Containers {
 if container.Name == string(containerName) {
 overrideContainer(&manager.PodTemplateSpec().Spec.Containers[i], override)
@@ -58,6 +55,9 @@ func Container(containerName apicommon.AgentContainerName, manager feature.PodTe
 overrideInitContainer(&manager.PodTemplateSpec().Spec.InitContainers[i], override)
 }
 }
+
+ overrideSeccompProfile(containerName, manager, override)
+ overrideAppArmorProfile(containerName, manager, override)
 }
 
 func overrideLogLevel(containerName apicommon.AgentContainerName, manager feature.PodTemplateManagers, logLevel string) {
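Review bot: The ordering this hunk introduces is load-bearing but undocumented: the two profile helpers are moved below the container loops, and the new AppArmor check in overrideAppArmorProfile looks the container up by the name it carries after overrideContainer has applied override.Name, so running the helpers earlier would silently skip the annotation for every renamed container. A comment above the moved calls would protect that from a future cleanup: `// Must run after the container loops: the profile helpers look the container up by its post-override name (override.Name) and skip the annotation when it is absent.` Container's body starts before this hunk, and the previous hunk on this line only removes the old call site.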
@@ -234,13 +234,26 @@ func overrideSeccompProfile(containerName apicommon.AgentContainerName, manager func overrideAppArmorProfile(containerName apicommon.AgentContainerName, manager feature.PodTemplateManagers, override *v2alpha1.DatadogAgentGenericContainer) { if override.AppArmorProfileName != nil { - var annotation string + effectiveName := string(containerName) if override.Name != nil { - annotation = fmt.Sprintf("%s/%s", common.AppArmorAnnotationKey, *override.Name) - } else { - annotation = fmt.Sprintf("%s/%s", common.AppArmorAnnotationKey, containerName) + effectiveName = *override.Name + } + + // Only add the AppArmor annotation if the container actually exists in the pod spec. + // This avoids invalid DaemonSet configurations when a container is not present + // (e.g. security-agent is absent when directSendFromSystemProbe is enabled). + containerExists := false + for _, c := range manager.PodTemplateSpec().Spec.Containers { + if c.Name == effectiveName { + containerExists = true + break + } + } + if !containerExists { + return } + annotation := fmt.Sprintf("%s/%s", common.AppArmorAnnotationKey, effectiveName) manager.Annotation().AddAnnotation(annotation, *override.AppArmorProfileName) } } From e07beeb93d36e6d94550205f6d6cb253db5487ec Mon Sep 17 00:00:00 2001 From: Sylvain Baubeau Date: Thu, 26 Mar 2026 15:25:38 +0100 Subject: [PATCH 2/2] Add unit test --- .../datadogagent/override/container_test.go | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/internal/controller/datadogagent/override/container_test.go b/internal/controller/datadogagent/override/container_test.go index eec67a24f..0ef618616 100644 --- a/internal/controller/datadogagent/override/container_test.go +++ b/internal/controller/datadogagent/override/container_test.go 
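Review bot: The existence check at `for _, c := range manager.PodTemplateSpec().Spec.Containers` never looks at Spec.InitContainers, even though Container() applies the same override to init containers (the overrideInitContainer loop in the preceding hunks), so an AppArmor profile configured for a container that only exists as an init container is now silently dropped together with the hardening it was meant to provide. Scanning both lists keeps the fix for the absent security-agent case without weakening init-container profiles, e.g. `match := func(c corev1.Container) bool { return c.Name == effectiveName }` and `containerExists := slices.ContainsFunc(spec.Containers, match) || slices.ContainsFunc(spec.InitContainers, match)` where `spec := &manager.PodTemplateSpec().Spec`, if the module's Go version provides slices. Independently, the bare `return` emits no signal: a mistyped override.Name now yields a pod running without the requested profile and nothing in logs or status, so the caller should at least log the skip, since this function has no logger in scope. overrideSeccompProfile sits outside the hunk and I cannot tell from here whether it has the same gap.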
@@ -1132,6 +1132,26 @@ func TestContainer(t *testing.T) {
 })
 },
 },
+ {
+ name: "override app armor profile for non-existing container does not add annotation",
+ containerName: apicommon.SecurityAgentContainerName,
+ existingManager: func() *fake.PodTemplateManagers {
+ // Pod spec does not contain the security-agent container
+ return fake.NewPodTemplateManagers(t, corev1.PodTemplateSpec{
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{*agentContainer},
+ },
+ })
+ },
+ override: v2alpha1.DatadogAgentGenericContainer{
+ AppArmorProfileName: apiutils.NewStringPointer("my-app-armor-profile"),
+ },
+ validateManager: func(t *testing.T, manager *fake.PodTemplateManagers, containerName string) {
+ annotation := fmt.Sprintf("%s/%s", common.AppArmorAnnotationKey, apicommon.SecurityAgentContainerName)
+ _, found := manager.AnnotationMgr.Annotations[annotation]
+ assert.False(t, found, "AppArmor annotation should not be added when container does not exist in pod spec")
+ },
+ },
 {
 name: "seccomp inline ConfigData adds checksum annotation",
 containerName: apicommon.SystemProbeContainerName,
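Review bot: The assertion at `_, found := manager.AnnotationMgr.Annotations[annotation]` only proves that the one key built from SecurityAgentContainerName is absent, so a regression that writes the annotation under a different name (an empty or mis-derived effectiveName, for instance) would still pass. Checking that no key carries the AppArmor prefix is stronger and just as short: `for k := range manager.AnnotationMgr.Annotations { assert.False(t, strings.HasPrefix(k, common.AppArmorAnnotationKey+"/"), "unexpected AppArmor annotation %s", k) }` (strings may need to be imported in this test file). A companion case with the container present only in InitContainers would pin down whether skipping it there is intended. TestContainer starts and ends outside this hunk.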