correction cilium policy format (DataDog#245)

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 2.15.3
+
+* Fix Cilium network policies.
+
 ## 2.15.2
 
 * OpenShift: Automatically use built-in SCCs instead of failing if create SCC option is not used

charts/datadog/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 2.15.2
+version: 2.15.3
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/templates/agent-cilium-network-policy.yaml

@@ -7,6 +7,34 @@ metadata:
   labels:
 {{ include "datadog.labels" . | indent 4 }}
 specs:
+  - description: "Egress ECS agent port 51678"
+    endpointSelector:
+      matchLabels:
+        app: {{ template "datadog.fullname" . }}
+        {{- if .Values.agents.podLabels }}
+        {{ toYaml .Values.agents.podLabels | indent 8 }}
+        {{- end }}
+    egress:
+      - toCIDR:
+          - 169.254.0.0/16
+        toPorts:
+          - ports:
+              - port: "51678"
+                protocol: TCP
+  - description: "Egress to ntp"
+    endpointSelector:
+      matchLabels:
+        app: {{ template "datadog.fullname" . }}
+        {{- if .Values.agents.podLabels }}
+        {{ toYaml .Values.agents.podLabels | indent 8 }}
+        {{- end }}
+    egress:
+      - toFQDNs:
+          - matchPattern: "*.datadog.pool.ntp.org"
+        toPorts:
+          - ports:
+              - port: "123"
+                protocol: UDP
   - description: "Egress to metadata server"
     endpointSelector:
       matchLabels:
@@ -48,10 +76,17 @@ specs:
       - toFQDNs:
           {{- if $.Values.datadog.dd_url}}
           - matchName: {{ trimPrefix "https://" $.Values.datadog.dd_url }}
+          {{- end}}
+          {{- if $.Values.datadog.site}}
+          - matchPattern: "*-app.agent.{{ $.Values.datadog.site }}"
+          - matchName: "agent-intake.logs.{{ $.Values.datadog.site }}"
+          - matchName: "process.{{ $.Values.datadog.site }}"
+          - matchName: "orchestrator.{{ $.Values.datadog.site }}"
           {{- else}}
           - matchPattern: "*-app.agent.datadoghq.com"
           - matchName: "agent-intake.logs.datadoghq.com"
           - matchName: "process.datadoghq.com"
+          - matchName: "orchestrator.datadoghq.com"
           {{- end}}
         toPorts:
           - ports:
@@ -82,11 +117,12 @@ specs:
         {{ toYaml .Values.agents.podLabels | indent 8 }}
         {{- end }}
     ingress:
-      - toEndpoints:
-          - toPorts:
-              - ports:
-                  - port: {{ $.Values.datadog.dogstatsd.port }}
-                    protocol: UDP
+      - fromEndpoints:
+          - {}
+        toPorts:
+          - ports:
+              - port: "{{ $.Values.datadog.dogstatsd.port }}"
+                protocol: UDP
 {{- end }}
 {{- if $.Values.datadog.apm.enabled }}
   - description: "Ingress for APM trace"
@@ -97,11 +133,12 @@ specs:
         {{ toYaml .Values.agents.podLabels | indent 8 }}
         {{- end }}
     ingress:
-      - toEndpoints:
-          - toPorts:
-              - ports:
-                  - port: {{ $.Values.datadog.apm.port }}
-                    protocol: TCP
+      - fromEndpoints:
+          - {}
+        toPorts:
+          - ports:
+              - port: {{ $.Values.datadog.apm.port }}
+                protocol: TCP
 {{- end }}
 # The agents are susceptible to connect to any pod
 # that would be annotated with auto-discovery annotations.

charts/datadog/templates/agent-clusterchecks-cilium-network-policy.yaml

@@ -39,6 +39,9 @@ specs:
       - toFQDNs:
           {{- if $.Values.datadog.dd_url}}
           - matchName: {{ trimPrefix "https://" $.Values.datadog.dd_url }}
+          {{- end}}
+          {{- if $.Values.datadog.site}}
+          - matchPattern: "*-app.agent.{{ $.Values.datadog.site }}"
           {{- else}}
           - matchPattern: "*-app.agent.datadoghq.com"
           {{- end}}
@@ -57,10 +60,10 @@ specs:
             {{- if .Values.clusterAgent.podLabels }}
             {{ toYaml .Values.clusterAgent.podLabels | indent 12 }}
             {{- end }}
-          toPorts:
-            - ports:
-                - port: "5005"
-                  protocol: TCP
+        toPorts:
+          - ports:
+              - port: "5005"
+                protocol: TCP
 # The cluster check runners are susceptible to connect to any service
 # that would be annotated with auto-discovery annotations.
 #

charts/datadog/templates/cluster-agent-cilium-network-policy.yaml

@@ -48,8 +48,13 @@ specs:
       - toFQDNs:
           {{- if $.Values.datadog.dd_url}}
           - matchName: {{ trimPrefix "https://" $.Values.datadog.dd_url }}
+          {{- end}}
+          {{- if $.Values.datadog.site}}
+          - matchPattern: "*-app.agent.{{  $.Values.datadog.site }}"
+          - matchName: "orchestrator.{{  $.Values.datadog.site }}"
           {{- else}}
           - matchPattern: "*-app.agent.datadoghq.com"
+          - matchName: "orchestrator.datadoghq.com"
           {{- end}}
         toPorts:
           - ports: