
chore: make windows agent runnable by ContainerUser #1241


Open
wants to merge 3 commits into
base: main
@@ -105,7 +105,7 @@ spec:
imagePullPolicy: {{ $.Values.images.agent.pullPolicy }}
securityContext:
windowsOptions:
runAsUserName: "ContainerAdministrator"
runAsUserName: "ContainerUser"
ports:
- containerPort: {{ get (fromYaml (include "nriKubernetes.kubelet.agentConfig" $)) "http_server_port" }}
env:
@@ -176,25 +176,13 @@ spec:
subPath: newrelic-infra.yml
- name: nri-integrations-cfg-volume
mountPath: "C:\\Program Files\\New Relic\\newrelic-infra\\integrations.d"
- name: agent-tmpfs-data
mountPath: "C:\\ProgramData\\New Relic\\newrelic-infra\\data"
- name: agent-tmpfs-user-data
mountPath: "C:\\ProgramData\\New Relic\\newrelic-infra\\user_data"
- name: agent-tmpfs-tmp
mountPath: "C:\\ProgramData\\New Relic\\newrelic-infra\\tmp"
{{- with $.Values.kubelet.extraVolumeMounts }}
{{- toYaml $ | nindent 12 }}
{{- end }}
{{- with $.Values.kubelet.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: agent-tmpfs-data
emptyDir: {}
- name: agent-tmpfs-user-data
emptyDir: {}
- name: agent-tmpfs-tmp
emptyDir: {}
- name: nri-kubernetes-config
configMap:
name: {{ include "nriKubernetes.kubelet.fullname" $ }}
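Review bot: The hard-coded `runAsUserName: "ContainerUser"` in the first hunk only works with an agent image that carries the ACL grants this PR adds to Dockerfile.infraAgent, yet the image appears to stay configurable through `$.Values.images.agent`, so an older or custom image paired with this chart version would presumably fail to write its data directories. The second hunk also drops the three `agent-tmpfs-*` emptyDir volumes, so `data`, `user_data` and `tmp` now live in the container's writable layer rather than a pod-scoped volume; the page gives no reason for the removal, and it deserves a line in the PR description. I would add a template comment above `windowsOptions:` such as `{{- /* ContainerUser needs an agent image whose data dirs are writable by Users; see Dockerfile.infraAgent */}}` and state the minimum image tag in the chart's release notes. The container spec starts and ends outside both hunks.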
10 changes: 5 additions & 5 deletions charts/newrelic-infrastructure/tests/securityContext_test.yaml
@@ -214,7 +214,7 @@ tests:
path: spec.template.spec.containers[1].securityContext
value:
windowsOptions:
runAsUserName: 'ContainerAdministrator'
runAsUserName: 'ContainerUser'
documentIndex: 0
template: templates/kubelet/daemonset-windows.yaml
- equal:
@@ -228,12 +228,12 @@ tests:
path: spec.template.spec.containers[1].securityContext
value:
windowsOptions:
runAsUserName: 'ContainerAdministrator'
runAsUserName: 'ContainerUser'
documentIndex: 1
template: templates/kubelet/daemonset-windows.yaml

- it: securityContext of linux containers not overwritten by windows defaults
set:
- it: securityContext of linux containers not overwritten by windows defaults
set:
licenseKey: test
cluster: test
enableWindows: true
@@ -252,7 +252,7 @@ tests:
path: spec.template.spec.containers[1].securityContext
value:
windowsOptions:
runAsUserName: 'ContainerAdministrator'
runAsUserName: 'ContainerUser'
documentIndex: 0
template: templates/kubelet/daemonset-windows.yaml
- equal:
17 changes: 10 additions & 7 deletions windows/infrastructure-agent/Dockerfile.infraAgent
@@ -6,7 +6,6 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref
ARG AGENT_VERSION

# Downloaded from https://download.newrelic.com/infrastructure_agent/windows/newrelic-infra.${AGENT_VERSION}.msi in the github action workflow

COPY newrelic-infra.${AGENT_VERSION}.msi .

# this installs the infra agent
@@ -16,13 +15,17 @@ RUN Remove-Item \"C:\\newrelic-infra.$Env:AGENT_VERSION.msi\"
# Service is not started by default
RUN Set-Service -Name 'newrelic-infra' -StartupType disabled

# Grant permissions to the ContainerUser for directory access
RUN icacls 'C:\ProgramData\New Relic\newrelic-infra' /grant Users:'(OI)(CI)M' /T
RUN icacls 'C:\Program Files\New Relic\newrelic-infra\newrelic-integrations' /grant Users:'(OI)(CI)M' /T

# we use this to start the agent, and to get the output from its log file
COPY start.ps1 C:\\start.ps1
ENTRYPOINT ["powershell", "C:\\start.ps1"]

ENV NRIA_IS_CONTAINERIZED true
ENV NRIA_OVERRIDE_HOST_ROOT ""
ENV NRIA_IS_SECURE_FORWARD_ONLY true
ENV NRIA_HTTP_SERVER_ENABLED true
ENV NRIA_HTTP_SERVER_PORT 8003
ENV NRIA_LOG_FORWARD true
ENV NRIA_IS_CONTAINERIZED=true
ENV NRIA_OVERRIDE_HOST_ROOT=""
ENV NRIA_IS_SECURE_FORWARD_ONLY=true
ENV NRIA_HTTP_SERVER_ENABLED=true
ENV NRIA_HTTP_SERVER_PORT=8003
ENV NRIA_LOG_FORWARD=true
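Review bot: The second `icacls` line grants the built-in `Users` group Modify, recursively, on `C:\Program Files\New Relic\newrelic-infra\newrelic-integrations`, which from its path looks like the directory the agent loads integration executables from. With Modify on that tree, any non-administrator process in the container can alter the binaries the agent later runs, which gives back part of the least-privilege gain from moving to ContainerUser. If the agent only needs to read and execute from there, `/grant Users:'(OI)(CI)RX'` is enough; if something does write there at runtime, scope the grant to that subdirectory and say why in the comment above the `RUN` lines. The Modify grant on `C:\ProgramData\New Relic\newrelic-infra` lines up with the data directories the chart used to mount and seems justified.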