Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(datadog-operator): add ValidatingWebhookConfigurations RBAC #1547

Closed
wants to merge 2 commits into from
Closed

feat(datadog-operator): add ValidatingWebhookConfigurations RBAC #1547

wants to merge 2 commits into from
+8 −4

Conversation

wdhif
Copy link
Member

@wdhif wdhif commented Oct 7, 2024

What this PR does / why we need it:

Adds the necessary RBACs for the Cluster Agent to modify the ValidatingWebhookConfigurations.

This is needed to support the new ValidatingAdmissionWebhook controller in the Agent's Admission Controller.

Special notes for your reviewer:

QA:
For the Datadog Operator Helm Chart:

➜ k describe clusterroles.rbac.authorization.k8s.io datadog-operator
Name:         datadog-operator
Labels:       app.kubernetes.io/instance=datadog-operator
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=datadog-operator
              app.kubernetes.io/version=1.8.0
              helm.sh/chart=datadog-operator-2.0.1
Annotations:  meta.helm.sh/release-name: datadog-operator
              meta.helm.sh/release-namespace: default
PolicyRule:
  Resources                                                     Non-Resource URLs  Resource Names  Verbs
  ---------                                                     -----------------  --------------  -----
  apiservices.apiregistration.k8s.io                            []                 []              [* list watch]
  mutatingwebhookconfigurations.admissionregistration.k8s.io    []                 []              [*]
  validatingwebhookconfigurations.admissionregistration.k8s.io  []                 []              [*]

Since the Operator that applies the validatingwebhookconfigurations.admissionregistration.k8s.io RBACs to the Cluster Agent is not yet released, the Cluster Agent will not have the correct RBACs, that is expected.

➜  k exec -it deployments/datadog-cluster-agent -- agent status
[...]
====================
Admission Controller
====================

    Webhooks info
    -------------

      ValidatingWebhookConfigurations name: datadog-webhook
      Error: validatingwebhookconfigurations.admissionregistration.k8s.io "datadog-webhook" is forbidden: User "system:serviceaccount:default:datadog-cluster-agent" cannot get resource "validatingwebhookconfigurations" in API group "admissionregistration.k8s.io" at the cluster scope


      MutatingWebhookConfigurations name: datadog-webhook
      Created at: 2024-08-30 13:07:45 +0000 UTC

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • Chart Version bumped
  • Documentation has been updated with helm-docs (run: .github/helm-docs.sh)
  • CHANGELOG.md has been updated
  • Variables are documented in the README.md
  • For Datadog Operator chart or value changes update the test baselines (run: make update-test-baselines)

@wdhif wdhif added the chart/datadog-operator This issue or pull request is related to the datadog-operator chart label Oct 7, 2024
@wdhif wdhif force-pushed the CONTP-378/wassim.dhif/implement-validating-admission-webhook-operator branch from e72a590 to a752922 Compare October 7, 2024 15:55
@wdhif
feat(datadog-operator): add ValidatingWebhookConfigurations RBAC
1add2c2 
Signed-off-by: Wassim DHIF <wassim.dhif@datadoghq.com>
@wdhif wdhif force-pushed the CONTP-378/wassim.dhif/implement-validating-admission-webhook-operator branch from a752922 to 1add2c2 Compare October 7, 2024 15:56
@wdhif wdhif marked this pull request as ready for review October 7, 2024 16:21
@wdhif wdhif requested review from a team as code owners October 7, 2024 16:21
@wdhif
Copy link
Member Author

wdhif commented Oct 11, 2024

Needed RBACs are implemented in #1555. Closing this PR.

@wdhif wdhif closed this Oct 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
chart/datadog-operator This issue or pull request is related to the datadog-operator chart
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@wdhif