Add global.vsock with full/system-probe modes (system-probe <=> micro VM VSock)

[lebauce]

What

Introduces a real global.vsock configuration section so that scoping VSock to the system-probe ⇄ micro VM channel is opt-in, while keeping the legacy "everything over VSock" behavior available and backward compatible.

Configuration

global:
  vsock:
    enabled: true        # turns VSock on
    mode: SystemProbe    # "Full" (default) or "SystemProbe"

• full (default) — all Agent components communicate over VSock. Reproduces the legacy useVSock behavior: DD_VSOCK_ADDR=host, DD_REMOTE_AGENT_REGISTRY_ENABLED=false, the host auth volume on the node agent, and the CWS runtime-security channel over VSock (DD_RUNTIME_SECURITY_CONFIG_SOCKET=vsock:5020, DD_RUNTIME_SECURITY_CONFIG_EVENT_GRPC_SERVER=security-agent) on all CWS containers.

• system-probe — VSock is scoped to the host system-probe only. It hosts a remote runtime-security event server over VSock so the system-probe inside a micro VM can forward events to it:

  • system-probe container: DD_RUNTIME_SECURITY_CONFIG_EVENT_GRPC_SERVER=system-probe, DD_RUNTIME_SECURITY_CONFIG_SOCKET=vsock:5020
  • core agent / security agent: keep the regular unix socket (/var/run/sysprobe/runtime-security.sock)

  This matches the agent's own event_grpc_server="system-probe" branch in pkg/security/module/cws.go, documented as the remote event server "for remote system-probes (e.g., in micro VMs via vsock)". event_grpc_server is a process-role selector; the vsock: address belongs on socket.

Backward compatibility

• global.useVSock is kept, marked deprecated, and maps to vsock.enabled with the Full mode.
• When the global.vsock section is set, useVSock is ignored.
• Resolution is centralized in GlobalConfig.GetVSockConfig(), consumed by both the global node-agent code and the CWS feature.

Changes

• API (datadogagent_types.go): added VSock *VSockConfig to GlobalConfig, the VSockConfig struct (Enabled, Mode), and the VSockMode enum (Full / SystemProbe); deprecated UseVSock.
• vsock.go: GlobalConfig.GetVSockConfig() resolver with the back-compat precedence.
• global/agent.go: full-mode VSock env vars / auth volume gated on enabled && mode == Full.
• cws/feature.go: CWS runtime-security env vars branch on the VSock mode, with the address on socket and the role on event_grpc_server.
• Regenerated deepcopy, CRDs, and docs.
• Tests: global test covers deprecated useVSock, vsock.enabled (Full default), and SystemProbe mode; CWS test covers Full (deprecated useVSock) and SystemProbe modes.

🤖 Generated with Claude Code

[datadog-datadog-prod-us1-2]

 

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

pull request linter | Check Milestone     

pull request linter | build     

ℹ️ Info

🎯 Code Coverage (details)
• Patch Coverage: 94.12%
• Overall Coverage: 44.97% (+0.32%)

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 616fc8b | Docs | Datadog PR Page | Give us feedback!}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 77087447f9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Keep event gRPC server as a process selector

When global.useVSock is enabled for CWS, this writes DD_RUNTIME_SECURITY_CONFIG_EVENT_GRPC_SERVER=vsock:5020. That Agent setting selects which Agent process sends runtime-security events and activity dumps (for example security-agent or system-probe); the vsock:5020 address is not a valid process selector. In micro-VM CWS deployments this leaves the host system-probe configured with an invalid event sender, so events forwarded from the guest can fail to be delivered as intended.

Useful? React with 👍 / 👎.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 94.33962% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 44.14%. Comparing base (92788bf) to head (616fc8b).
⚠️ Report is 9 commits behind head on main.

Files with missing lines	Patch %	Lines
api/datadoghq/v2alpha1/datadogagent_validation.go	72.72%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3186      +/-   ##
==========================================
+ Coverage   44.03%   44.14%   +0.10%     
==========================================
  Files         377      378       +1     
  Lines       30713    30758      +45     
==========================================
+ Hits        13525    13578      +53     
+ Misses      16300    16294       -6     
+ Partials      888      886       -2     

Flag	Coverage Δ
unittests	44.14% <94.33%> (+0.10%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
api/datadoghq/v2alpha1/datadogagent_types.go	100.00% <ø> (+100.00%)	⬆️
api/datadoghq/v2alpha1/vsock.go	100.00% <100.00%> (ø)
...nal/controller/datadogagent/feature/cws/feature.go	81.53% <100.00%> (+5.90%)	⬆️
internal/controller/datadogagent/global/agent.go	85.56% <100.00%> (ø)
api/datadoghq/v2alpha1/datadogagent_validation.go	60.00% <72.72%> (+60.00%)	⬆️

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 92788bf...616fc8b. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.