Datadog blacklist fs

petermein · Oct 27, 2022 · 07f439c · 07f439c
1 parent 3570417
commit 07f439c
Showing 1 changed file with 60 additions and 48 deletions.
diff --git a/system/datadog/values.yaml b/system/datadog/values.yaml
@@ -4,10 +4,10 @@ datadog:
   ## https://docs.datadoghq.com/agent/kubernetes/helm/
 
   # nameOverride -- Override name of app
-  nameOverride:  # ""
+  nameOverride: # ""
 
   # fullnameOverride -- Override the full qualified app name
-  fullnameOverride:  # ""
+  fullnameOverride: # ""
 
   # targetSystem -- Target OS for this deployment (possible values: linux, windows)
   targetSystem: "linux"
@@ -26,12 +26,12 @@ datadog:
 
     # datadog.apiKeyExistingSecret -- Use existing Secret which stores API key instead of creating a new one. The value should be set with the `api-key` key inside the secret.
     ## If set, this parameter takes precedence over "apiKey".
-    apiKeyExistingSecret: "datadog-secret"  # <DATADOG_API_KEY_SECRET>
+    apiKeyExistingSecret: "datadog-secret" # <DATADOG_API_KEY_SECRET>
 
     # datadog.appKey -- Datadog APP key required to use metricsProvider
     ## If you are using clusterAgent.metricsProvider.enabled = true, you must set
     ## a Datadog application key for read access to your metrics.
-    appKey:  # <DATADOG_APP_KEY>
+    appKey: # <DATADOG_APP_KEY>
 
     # datadog.appKeyExistingSecret -- Use existing Secret which stores APP key instead of creating a new one. The value should be set with the `app-key` key inside the secret.
     ## If set, this parameter takes precedence over "appKey".
@@ -43,13 +43,13 @@ datadog:
       # datadog.secretBackend.command -- Configure the secret backend command, path to the secret backend binary.
       ## Note: If the command value is "/readsecret_multiple_providers.sh" the agents will have permissions to get secret objects.
       ## Read more about "/readsecret_multiple_providers.sh": https://docs.datadoghq.com/agent/guide/secrets-management/#script-for-reading-from-multiple-secret-providers-readsecret_multiple_providerssh
-      command:  # "/readsecret.sh" or "/readsecret_multiple_providers.sh" or any custom binary path
+      command: # "/readsecret.sh" or "/readsecret_multiple_providers.sh" or any custom binary path
 
       # datadog.secretBackend.arguments -- Configure the secret backend command arguments (space-separated strings).
-      arguments:  # "/etc/secret-volume" or any other custom arguments
+      arguments: # "/etc/secret-volume" or any other custom arguments
 
       # datadog.secretBackend.timeout -- Configure the secret backend command timeout in seconds.
-      timeout:  # 30
+      timeout: # 30
 
     # datadog.securityContext -- Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment
     securityContext:
@@ -72,15 +72,15 @@ datadog:
     ## * Overall length should not be higher than 80 characters.
     ## Compared to the rules of GKE, dots are allowed whereas they are not allowed on GKE:
     ## https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.FIELDS.name
-    clusterName: "jupiter.mein.nl"  # <CLUSTER_NAME>
+    clusterName: "jupiter.mein.nl" # <CLUSTER_NAME>
 
     # datadog.site -- The site of the Datadog intake to send Agent data to
     ## Set to 'datadoghq.eu' to send data to the EU site.
-    site: datadoghq.eu  # datadoghq.com
+    site: datadoghq.eu # datadoghq.com
 
     # datadog.dd_url -- The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL
     ## Overrides the site setting defined in "site".
-    dd_url:  # https://app.datadoghq.com
+    dd_url: # https://app.datadoghq.com
 
     # datadog.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, off
     logLevel: INFO
@@ -169,7 +169,7 @@ datadog:
 
     # datadog.checksCardinality -- Sets the tag cardinality for the checks run by the Agent.
     ## https://docs.datadoghq.com/getting_started/tagging/assigning_tags/?tab=containerizedenvironments#environment-variables
-    checksCardinality:  # low, orchestrator or high (not set by default to avoid overriding existing DD_CHECKS_TAG_CARDINALITY configurations, the default value in the Agent is low)
+    checksCardinality: # low, orchestrator or high (not set by default to avoid overriding existing DD_CHECKS_TAG_CARDINALITY configurations, the default value in the Agent is low)
 
     # kubelet configuration
     kubelet:
@@ -180,7 +180,7 @@ datadog:
             fieldPath: status.hostIP
       # datadog.kubelet.tlsVerify -- Toggle kubelet TLS verification
       # @default -- true
-      tlsVerify:  # false
+      tlsVerify: # false
       # datadog.kubelet.hostCAPath -- Path (on host) where the Kubelet CA certificate is stored
       # @default -- None (no mount from host)
       hostCAPath:
@@ -248,7 +248,7 @@ datadog:
     leaderElection: true
 
     # datadog.leaderLeaseDuration -- Set the lease time for leader election in second
-    leaderLeaseDuration:  # 60
+    leaderLeaseDuration: # 60
 
     ## Enable logs agent and provide custom configs
     logs:
@@ -318,18 +318,17 @@ datadog:
     ## Each key becomes a file in /conf.d
     ## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#optional-volumes
     ## ref: https://docs.datadoghq.com/agent/autodiscovery/
-    confd: {}
-    #   redisdb.yaml: |-
-    #     init_config:
-    #     instances:
-    #       - host: "name"
-    #         port: "6379"
-    #   kubernetes_state.yaml: |-
-    #     ad_identifiers:
-    #       - kube-state-metrics
-    #     init_config:
-    #     instances:
-    #       - kube_state_url: http://%%host%%:8080/metrics
+    confd:
+      disk.yaml: |-
+        init_config:
+
+        instances:
+          - use_mount: false
+            file_system_blacklist:
+              - autofs$
+            mount_point_blacklist:
+              - /proc/sys/fs/binfmt_misc
+              - /host/proc/sys/fs/binfmt_misc
 
     # datadog.checksd -- Provide additional custom checks as python code
     ## Each key becomes a file in /checks.d
@@ -338,10 +337,10 @@ datadog:
     #   service.py: |-
 
     # datadog.dockerSocketPath -- Path to the docker socket
-    dockerSocketPath:  # /var/run/docker.sock
+    dockerSocketPath: # /var/run/docker.sock
 
     # datadog.criSocketPath -- Path to the container runtime socket (if different from Docker)
-    criSocketPath:  # /var/run/containerd/containerd.sock
+    criSocketPath: # /var/run/containerd/containerd.sock
 
     # Configure how the agent interact with the host's container runtime
     containerRuntimeSupport:
@@ -369,7 +368,6 @@ datadog:
 
     ## Enable systemProbe agent and provide custom configs
     systemProbe:
-
       # datadog.systemProbe.debugPort -- Specify the port to expose pprof and expvar for system-probe agent
       debugPort: 0
 
@@ -421,7 +419,7 @@ datadog:
       maxTrackedConnections: 131072
 
       # datadog.systemProbe.conntrackMaxStateSize -- the maximum size of the userspace conntrack cache
-      conntrackMaxStateSize: 131072  # 2 * maxTrackedConnections by default, per  https://github.com/DataDog/datadog-agent/blob/d1c5de31e1bba72dfac459aed5ff9562c3fdcc20/pkg/process/config/config.go#L229
+      conntrackMaxStateSize: 131072 # 2 * maxTrackedConnections by default, per  https://github.com/DataDog/datadog-agent/blob/d1c5de31e1bba72dfac459aed5ff9562c3fdcc20/pkg/process/config/config.go#L229
 
       # datadog.systemProbe.conntrackInitTimeout -- the time to wait for conntrack to initialize before failing
       conntrackInitTimeout: 10s
@@ -510,7 +508,8 @@ datadog:
       # datadog.prometheusScrape.serviceEndpoints -- Enable generating dedicated checks for service endpoints.
       serviceEndpoints: false
       # datadog.prometheusScrape.additionalConfigs -- Allows adding advanced openmetrics check configurations with custom discovery rules. (Requires Agent version 7.27+)
-      additionalConfigs: []
+      additionalConfigs:
+        []
         # -
         #   autodiscovery:
         #     kubernetes_annotations:
@@ -533,7 +532,7 @@ datadog:
     # datadog.containerExclude -- Exclude containers from the Agent
     # Autodiscovery, as a space-sepatered list
     ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#exclude-containers
-    containerExclude:  # "image:datadog/agent"
+    containerExclude: # "image:datadog/agent"
 
     # datadog.containerInclude -- Include containers in the Agent Autodiscovery,
     # as a space-separated list.  If a container matches an include rule, it’s
@@ -660,7 +659,7 @@ datadog:
         port: 8443
 
       # clusterAgent.metricsProvider.endpoint -- Override the external metrics provider endpoint. If not set, the cluster-agent defaults to `datadog.site`
-      endpoint:  # https://api.datadoghq.com
+      endpoint: # https://api.datadoghq.com
 
     # clusterAgent.env -- Set environment variables specific to Cluster Agent
     ## The Cluster-Agent supports many additional environment variables
@@ -723,7 +722,7 @@ datadog:
     #   memory: 256Mi
 
     # clusterAgent.priorityClassName -- Name of the priorityClass to apply to the Cluster Agent
-    priorityClassName:  # system-cluster-critical
+    priorityClassName: # system-cluster-critical
 
     # clusterAgent.nodeSelector -- Allow the Cluster Agent Deployment to be scheduled on selected nodes
     ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
@@ -817,7 +816,8 @@ datadog:
       create: false
 
     # clusterAgent.additionalLabels -- Adds labels to the Cluster Agent deployment and pods
-    additionalLabels: {}
+    additionalLabels:
+      {}
       # key: "value"
 
   ## This section lets you configure the agents deployed by this chart to connect to a Cluster Agent
@@ -828,10 +828,10 @@ datadog:
     join: false
 
     # existingClusterAgent.tokenSecretName -- Existing secret name to use for external Cluster Agent token
-    tokenSecretName:  # <EXISTING_DCA_SECRET_NAME>
+    tokenSecretName: # <EXISTING_DCA_SECRET_NAME>
 
     # existingClusterAgent.serviceName -- Existing service name to use for reaching the external Cluster Agent
-    serviceName:  # <EXISTING_DCA_SERVICE_NAME>
+    serviceName: # <EXISTING_DCA_SERVICE_NAME>
 
     # existingClusterAgent.clusterchecksEnabled -- set this to false if you don’t want the agents to run the cluster checks of the joined external cluster agent
     clusterchecksEnabled: true
@@ -873,7 +873,7 @@ datadog:
       ## This boolean permits to completely skip this check.
       ## This is useful, for example, for custom tags that are not
       ## respecting semantic versioning
-      doNotCheckTag:  # false
+      doNotCheckTag: # false
 
       # agents.image.pullPolicy -- Datadog Agent image pull policy
       pullPolicy: IfNotPresent
@@ -974,7 +974,7 @@ datadog:
 
         # agents.containers.agent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off
         ## If not set, fall back to the value of datadog.logLevel.
-        logLevel:  # INFO
+        logLevel: # INFO
 
         # agents.containers.agent.resources -- Resource requests and limits for the agent container.
         resources: {}
@@ -1025,7 +1025,7 @@ datadog:
 
         # agents.containers.processAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off
         ## If not set, fall back to the value of datadog.logLevel.
-        logLevel:  # INFO
+        logLevel: # INFO
 
         # agents.containers.processAgent.resources -- Resource requests and limits for the process-agent container
         resources: {}
@@ -1054,7 +1054,7 @@ datadog:
         #       name: <SECRET_NAME>
 
         # agents.containers.traceAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off
-        logLevel:  # INFO
+        logLevel: # INFO
 
         # agents.containers.traceAgent.resources -- Resource requests and limits for the trace-agent container
         resources: {}
@@ -1091,7 +1091,7 @@ datadog:
 
         # agents.containers.systemProbe.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off.
         ## If not set, fall back to the value of datadog.logLevel.
-        logLevel:  # INFO
+        logLevel: # INFO
 
         # agents.containers.systemProbe.resources -- Resource requests and limits for the system-probe container
         resources: {}
@@ -1107,7 +1107,17 @@ datadog:
         securityContext:
           privileged: false
           capabilities:
-            add: ["SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK", "CHOWN"]
+            add:
+              [
+                "SYS_ADMIN",
+                "SYS_RESOURCE",
+                "SYS_PTRACE",
+                "NET_ADMIN",
+                "NET_BROADCAST",
+                "NET_RAW",
+                "IPC_LOCK",
+                "CHOWN",
+              ]
 
         # agents.containers.systemProbe.ports -- Allows to specify extra ports (hostPorts for instance) for this container
         ports: []
@@ -1125,7 +1135,7 @@ datadog:
 
         # agents.containers.securityAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off
         ## If not set, fall back to the value of datadog.logLevel.
-        logLevel:  # INFO
+        logLevel: # INFO
 
         # agents.containers.securityAgent.resources -- Resource requests and limits for the security-agent container
         resources: {}
@@ -1218,11 +1228,12 @@ datadog:
     podLabels: {}
 
     # agents.additionalLabels -- Adds labels to the Agent daemonset and pods
-    additionalLabels: {}
+    additionalLabels:
+      {}
       # key: "value"
 
     # agents.useConfigMap -- Configures a configmap to provide the agent configuration. Use this in combination with the `agents.customAgentConfig` parameter.
-    useConfigMap:  # false
+    useConfigMap: # false
 
     # agents.customAgentConfig -- Specify custom contents for the datadog agent config (datadog.yaml)
     ## ref: https://docs.datadoghq.com/agent/guide/agent-configuration-files/?tab=agentv6
@@ -1344,7 +1355,7 @@ datadog:
     #    value: "1"
 
     # clusterChecksRunner.priorityClassName -- Name of the priorityClass to apply to the Cluster checks runners
-    priorityClassName:  # system-cluster-critical
+    priorityClassName: # system-cluster-critical
 
     # clusterChecksRunner.nodeSelector -- Allow the ClusterChecks Deployment to schedule on selected nodes
     ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
@@ -1432,7 +1443,8 @@ datadog:
       create: false
 
     # clusterChecksRunner.additionalLabels -- Adds labels to the cluster checks runner deployment and pods
-    additionalLabels: {}
+    additionalLabels:
+      {}
       # key: "value"
 
     # clusterChecksRunner.securityContext -- Allows you to overwrite the default PodSecurityContext on the clusterchecks pods.
@@ -1492,4 +1504,4 @@ datadog:
         ## When deploying to EC2-backed EKS infrastructure, there are situations where the
         ## IMDS metadata endpoint is not accesible to containers. This flag mounts the host's
         ## `/var/lib/cloud/data/instance-id` and uses that for Agent's hostname instead.
-        useHostnameFromFile: false
+        useHostnameFromFile: false