diff --git a/charts/datadog-operator/CHANGELOG.md b/charts/datadog-operator/CHANGELOG.md index 773a75e11..56c51c465 100644 --- a/charts/datadog-operator/CHANGELOG.md +++ b/charts/datadog-operator/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 2.4.0 + +* Add configuration to grand to the operator the necessary RBAC for the CWS Instrumentation admission controller feature in the Cluster-Agent to work. + ## 2.3.0 * Update Datadog Operator version to 1.10.0. diff --git a/charts/datadog-operator/Chart.yaml b/charts/datadog-operator/Chart.yaml index c9e85b586..1c88e1898 100644 --- a/charts/datadog-operator/Chart.yaml +++ b/charts/datadog-operator/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: datadog-operator -version: 2.3.0 +version: 2.4.0 appVersion: 1.10.0 description: Datadog Operator keywords: diff --git a/charts/datadog-operator/README.md b/charts/datadog-operator/README.md index 532eb73ce..5ffb81f8c 100644 --- a/charts/datadog-operator/README.md +++ b/charts/datadog-operator/README.md @@ -1,11 +1,12 @@ # Datadog Operator -![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) +![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| addCWSInstrumentationRBAC | bool | `false` | Defines if the operator should be deployed with the RBAC required for the cluster-agent CWSInstrumentation feature. | | affinity | object | `{}` | Allows to specify affinity for Datadog Operator PODs | | apiKey | string | `nil` | Your Datadog API key | | apiKeyExistingSecret | string | `nil` | Use existing Secret which stores API key instead of creating a new one | 
diff --git a/charts/datadog-operator/templates/clusterrole.yaml b/charts/datadog-operator/templates/clusterrole.yaml index 1032e2aba..1084a045b 100644 --- a/charts/datadog-operator/templates/clusterrole.yaml +++ b/charts/datadog-operator/templates/clusterrole.yaml @@ -803,4 +803,9 @@ rules: - list - watch {{- end }} +{{- if .Values.addCWSInstrumentationRBAC }} +- apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] {{- end }} +{{- end -}} diff --git a/charts/datadog-operator/values.yaml b/charts/datadog-operator/values.yaml index 3558679f4..54ff4c694 100644 --- a/charts/datadog-operator/values.yaml +++ b/charts/datadog-operator/values.yaml @@ -196,3 +196,7 @@ clusterRole: # allowReadAllResources is required to allow the operator to view all custom resources. # If collecting CRDs in the Kubernetes Explorer this is required allowReadAllResources: false + +# addCWSInstrumentationRBAC -- Defines if the operator should be deployed with the RBAC required for the cluster-agent +# CWSInstrumentation feature. +addCWSInstrumentationRBAC: false diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index d9817331a..bb0e709f3 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.82.0 + +* Add `pods/exec` RBAC to the `Cluster-Agent` when needed and inject the service account name of the `Cluster-Agent` as environment variable. + ## 3.81.0 * Add a new option to disable hostPorts for the trace-agent with `datadog.apm.useLocalService`. This option enables K8s clusters with hostPort and hostPath volumes restrictions to use the K8s local service to send traces. diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index a7f218f42..4243de025 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: datadog -version: 3.81.0 +version: 3.82.0 appVersion: "7" description: Datadog Agent keywords: 
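Review bot: The rule added under `{{- if .Values.addCWSInstrumentationRBAC }}` gives the operator `create` on `pods/exec` with no namespace or resource-name restriction, and neither the template nor the values.yaml comment added in the next hunk names that permission. Judging by the file name this is a ClusterRole, so once the flag is on, whoever holds the operator's service account token could run commands in any container in the cluster. The default of `false` is right, but I would state the cost in the values comment, e.g. `# addCWSInstrumentationRBAC -- Grants the operator "create" on "pods/exec" (command execution in any pod) as required by the cluster-agent CWSInstrumentation feature; leave false unless that feature is used.` The enclosing conditional that the trailing `{{- end -}}` closes opens outside this hunk.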
diff --git a/charts/datadog/README.md b/charts/datadog/README.md index 5ef7b7343..a6921b52f 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md @@ -1,6 +1,6 @@ # Datadog -![Version: 3.81.0](https://img.shields.io/badge/Version-3.81.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.82.0](https://img.shields.io/badge/Version-3.82.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). 
@@ -571,6 +571,8 @@ helm install \ | clusterAgent.admissionController.agentSidecarInjection.selectors | list | `[]` | Defines the pod selector for sidecar injection, currently only one rule is supported. | | clusterAgent.admissionController.configMode | string | `nil` | The kind of configuration to be injected, it can be "hostip", "service", or "socket". | | clusterAgent.admissionController.containerRegistry | string | `nil` | Override the default registry for the admission controller. | +| clusterAgent.admissionController.cwsInstrumentation.enabled | bool | `false` | Enable the CWS Instrumentation admission controller endpoint. | +| clusterAgent.admissionController.cwsInstrumentation.mode | string | `"remote_copy"` | Mode defines how the CWS Instrumentation should behave. Options are "remote_copy" or "init_container" | | clusterAgent.admissionController.enabled | bool | `true` | Enable the admissionController to be able to inject APM/Dogstatsd config and standard tags (env, service, version) automatically into your pods | | clusterAgent.admissionController.failurePolicy | string | `"Ignore"` | Set the failure policy for dynamic admission control.' | | clusterAgent.admissionController.mutateUnlabelled | bool | `false` | Enable injecting config without having the pod label 'admission.datadoghq.com/enabled="true"' | diff --git a/charts/datadog/templates/cluster-agent-deployment.yaml b/charts/datadog/templates/cluster-agent-deployment.yaml index ba6b9119a..1eb9c4fbb 100644 --- a/charts/datadog/templates/cluster-agent-deployment.yaml +++ b/charts/datadog/templates/cluster-agent-deployment.yaml @@ -160,6 +160,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: DD_CLUSTER_AGENT_SERVICE_ACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName - name: DD_HEALTH_PORT {{- $healthPort := .Values.clusterAgent.healthPort }} value: {{ $healthPort | quote }} 
@@ -248,6 +252,12 @@ spec: {{- else }} value: {{ include "registry" .Values | quote }} {{- end }} + {{- if .Values.clusterAgent.admissionController.cwsInstrumentation.enabled }} + - name: DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED + value: "true" + - name: DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_MODE + value: {{ .Values.clusterAgent.admissionController.cwsInstrumentation.mode | quote }} + {{- end }} {{ include "ac-agent-sidecar-env" . | nindent 10 }} - name: DD_REMOTE_CONFIGURATION_ENABLED value: {{ include "clusterAgent-remoteConfiguration-enabled" . | quote }} diff --git a/charts/datadog/templates/cluster-agent-rbac.yaml b/charts/datadog/templates/cluster-agent-rbac.yaml index e02be2434..2da18ea9b 100644 --- a/charts/datadog/templates/cluster-agent-rbac.yaml +++ b/charts/datadog/templates/cluster-agent-rbac.yaml @@ -262,6 +262,11 @@ rules: - apiGroups: ["apps"] resources: ["statefulsets", "replicasets", "deployments", "daemonsets"] verbs: ["get"] +{{- if and .Values.clusterAgent.admissionController.cwsInstrumentation.enabled (eq .Values.clusterAgent.admissionController.cwsInstrumentation.mode "remote_copy") }} +- apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] +{{- end }} {{- end }} {{- if eq (include "should-enable-security-agent" .) "true" }} {{- if .Values.datadog.securityAgent.compliance.enabled }} diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml index 9a0efb3bf..91ba174dc 100644 --- a/charts/datadog/values.yaml +++ b/charts/datadog/values.yaml 
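Review bot: `cwsInstrumentation.mode` is passed to `DD_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_MODE` unvalidated, while cluster-agent-rbac.yaml in this same commit adds the `pods/exec` rule only when the value is exactly `remote_copy`. A misspelled or differently-cased value would therefore turn the feature on with a mode string the documentation does not list and without the matching RBAC, and the mismatch would only surface at runtime. A guard ahead of the two env entries would reject it at render time: `{{- if not (has .Values.clusterAgent.admissionController.cwsInstrumentation.mode (list "remote_copy" "init_container")) }}{{ fail "cwsInstrumentation.mode must be remote_copy or init_container" }}{{- end }}`. The env list this block belongs to starts outside the hunk.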
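Review bot: With the default `mode: remote_copy` from values.yaml, setting `cwsInstrumentation.enabled: true` alone is enough for this condition to add `create` on `pods/exec` to the Cluster-Agent's rules, and the option's description lists the two modes without saying which one carries that permission. The condition itself is scoped correctly, since `init_container` does not render the rule. I would extend the `mode` comment in values.yaml (and the generated README row) with a line such as `# "remote_copy" grants the Cluster-Agent "create" on "pods/exec"; "init_container" does not add that rule.` The role this `rules:` list belongs to and the conditional closed by the following `{{- end }}` both start outside the hunk, so whether the grant is namespaced or cluster-wide cannot be confirmed from here.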
@@ -1201,6 +1201,14 @@ clusterAgent: # clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service port: 8000 + cwsInstrumentation: + # clusterAgent.admissionController.cwsInstrumentation.enabled -- Enable the CWS Instrumentation admission controller endpoint. + enabled: false + + # clusterAgent.admissionController.cwsInstrumentation.mode -- Mode defines how the CWS Instrumentation should behave. + # Options are "remote_copy" or "init_container" + mode: remote_copy + agentSidecarInjection: # clusterAgent.admissionController.agentSidecarInjection.enabled -- Enables Datadog Agent sidecar injection.