DataDog / helm-charts

Helm charts for Datadog products
Apache License 2.0

feat(admission controller): add ValidatingWebhookConfigurations RBAC #1508

Open wdhif opened 1 month ago

wdhif commented 1 month ago

What this PR does / why we need it:

Adds the necessary RBACs for the Cluster Agent to modify the ValidatingWebhookConfigurations.

This is needed to support the new ValidatingAdmissionWebhook controller in the Agent's Admission Controller.

Special notes for your reviewer:

QA: For the Datadog Agent Helm Chart

➜ helm install datadog-agent -f ~/Projects/work/datadog-dev/dev-helm.yaml ~/Projects/work/helm-charts/charts/datadog
W0830 15:00:05.497863   38547 warnings.go:70] spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/system-probe]: deprecated since v1.30; use the "appArmorProfile" field instead
W0830 15:00:05.503343   38547 warnings.go:70] spec.template.spec.containers[0].env[44]: hides previous definition of "DD_LANGUAGE_DETECTION_ENABLED", which may be dropped when using apply
NAME: datadog-agent
LAST DEPLOYED: Fri Aug 30 15:00:04 2024
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Datadog agents are spinning up on each node in your cluster. After a few
minutes, you should see your agents starting in your event stream:
    https://app.datadoghq.com/event/explorer
You disabled creation of Secret containing API key, therefore it is expected
that you create Secret named 'datadog-secret' which includes a key called 'api-key' containing the API key.
➜ k describe validatingwebhookconfigurations.admissionregistration.k8s.io datadog-webhook
Name:         datadog-webhook
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  admissionregistration.k8s.io/v1
Kind:         ValidatingWebhookConfiguration
Metadata:
  Creation Timestamp:  2024-08-30T13:00:41Z
  Generation:          1
  Resource Version:    543
  UID:                 b5d7a660-55d2-4557-8435-7fa7539460e5
Events:                <none>

For the Datadog Operator Helm Chart:

➜ k describe clusterroles.rbac.authorization.k8s.io datadog-operator
Name:         datadog-operator
Labels:       app.kubernetes.io/instance=datadog-operator
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=datadog-operator
              app.kubernetes.io/version=1.8.0
              helm.sh/chart=datadog-operator-2.0.1
Annotations:  meta.helm.sh/release-name: datadog-operator
              meta.helm.sh/release-namespace: default
PolicyRule:
  Resources                                                     Non-Resource URLs  Resource Names  Verbs
  ---------                                                     -----------------  --------------  -----
  apiservices.apiregistration.k8s.io                            []                 []              [* list watch]
  mutatingwebhookconfigurations.admissionregistration.k8s.io    []                 []              [*]
  validatingwebhookconfigurations.admissionregistration.k8s.io  []                 []              [*]

Since the Operator that applies the validatingwebhookconfigurations.admissionregistration.k8s.io RBACs to the Cluster Agent is not yet released, the Cluster Agent will not have the correct RBACs; that is expected.

➜  k exec -it deployments/datadog-cluster-agent -- agent status
[...]
====================
Admission Controller
====================

    Webhooks info
    -------------

      ValidatingWebhookConfigurations name: datadog-webhook
      Error: validatingwebhookconfigurations.admissionregistration.k8s.io "datadog-webhook" is forbidden: User "system:serviceaccount:default:datadog-cluster-agent" cannot get resource "validatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope

      MutatingWebhookConfigurations name: datadog-webhook
      Created at: 2024-08-30 13:07:45 +0000 UTC

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
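The "forbidden" line in the Cluster Agent status output above shows exactly which permission is missing: the `datadog-cluster-agent` service account cannot `get` `validatingwebhookconfigurations` in `admissionregistration.k8s.io` at cluster scope. The manifest below is an added, standalone illustration of the RBAC that closes that gap; it is not the chart template from this PR or the Operator's ClusterRole. The ClusterRole/ClusterRoleBinding names, the verb list and the `resourceNames` split are assumptions; the API group, resource, service account name, namespace and webhook name are taken from the QA output.

```yaml
# Added example, not part of the DataDog/helm-charts repository.
# Grants the Cluster Agent service account access to
# ValidatingWebhookConfigurations with explicit verbs instead of "*".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: datadog-cluster-agent-validating-webhooks   # assumed name
rules:
  # create, list and watch cannot be narrowed with resourceNames
  # (create has no name yet; list/watch are collection requests),
  # so this rule is unavoidably cluster-wide for the resource type.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["create", "list", "watch"]
  # Per-object verbs are pinned to the one configuration the
  # controller manages (the "datadog-webhook" object from the QA output),
  # so the service account cannot read or edit other webhook configurations.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    resourceNames: ["datadog-webhook"]
    verbs: ["get", "update", "patch", "delete"]   # assumed set; trim to what the controller performs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: datadog-cluster-agent-validating-webhooks   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: datadog-cluster-agent-validating-webhooks
subjects:
  - kind: ServiceAccount
    name: datadog-cluster-agent   # subject named in the forbidden error above
    namespace: default
```

After applying it, the same check the Cluster Agent performs can be reproduced without restarting anything: `kubectl auth can-i get validatingwebhookconfigurations.admissionregistration.k8s.io/datadog-webhook --as=system:serviceaccount:default:datadog-cluster-agent` should answer `yes`, while the same command against a differently named object should answer `no`. The Operator ClusterRole shown in the QA output uses `[*]` on both webhook configuration kinds; a chart that lists verbs explicitly, as above, makes a later permission audit show what the controller actually needs rather than everything the API group allows.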