Fix RBAC with compliance and admission controller (#151)

* Fix DCA resources creation issues * Fix ClusterRole and Role DCA creation when ExternalMetrics is not enabled * Add missing DCA permission for the AdmissionController Signed-off-by: cedric lamoriniere <cedric.lamoriniere@datadoghq.com> * Add missing DCA RBAC for orchestrator cluster ID Signed-off-by: cedric lamoriniere <cedric.lamoriniere@datadoghq.com> * Update example with admission controler and security-agent Signed-off-by: cedric lamoriniere <cedric.lamoriniere@datadoghq.com> * Sync ClusterRole and Role in Helm chart Signed-off-by: cedric lamoriniere <cedric.lamoriniere@datadoghq.com> * update after codereview comments
DataDog · Sep 16, 2020 · 1d7931b · 1d7931b
1 parent 6ff73b1
commit 1d7931b
Show file tree

Hide file tree

Showing 8 changed files with 192 additions and 127 deletions.
diff --git a/chart/datadog-operator/templates/clusterrole.yaml b/chart/datadog-operator/templates/clusterrole.yaml
@@ -6,38 +6,53 @@ metadata:
   labels:
 {{ include "datadog-operator.labels" . | indent 4 }}
 rules:
+- apiGroups:
+  - "security.openshift.io"
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+  resourceNames:
+  - restricted
 - apiGroups:
   - rbac.authorization.k8s.io
   - roles.rbac.authorization.k8s.io
   - authorization.k8s.io
   resources:
-  - 'clusterroles'
-  - 'clusterrolebindings'
+  - clusterroles
+  - clusterrolebindings
+  verbs:
+  - "*"
+- apiGroups:
+  - datadoghq.com
+  resources:
+  - datadogagents
+  - datadogagents/status
+  - datadogagents/finalizers
   verbs:
   - '*'
 - apiGroups:
   - admissionregistration.k8s.io
-  - ''
   resources:
-  - 'mutatingwebhookconfigurations'
-  - 'secrets'
+  - mutatingwebhookconfigurations
+  - secrets
   verbs:
-  - 'get'
-  - 'list'
-  - 'watch'
-  - 'update'
+  - get
+  - list
+  - watch
+  - update
   - create
 - apiGroups:
   - apps
   - batch
   resources:
-  - 'replicasets'
-  - 'deployments'
-  - 'statefulsets'
-  - 'jobs'
-  - 'cronjobs'
+  - replicasets
+  - deployments
+  - statefulsets
+  - jobs
+  - cronjobs
   verbs:
-  - 'get'
+  - get
 - apiGroups:
   - apiregistration.k8s.io
   resources:

diff --git a/chart/datadog-operator/templates/role.yaml b/chart/datadog-operator/templates/role.yaml
@@ -25,13 +25,21 @@ rules:
   - daemonsets
   verbs:
   - '*'
+- apiGroups:
+  - apps
+  resourceNames:
+  - datadog-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   - roles.rbac.authorization.k8s.io
   - authorization.k8s.io
   resources:
-  - 'roles'
-  - 'rolebindings'
+  - roles
+  - rolebindings
   verbs:
   - '*'
 - apiGroups:
@@ -43,10 +51,11 @@ rules:
 - apiGroups:
   - datadoghq.com
   resources:
-  - 'datadogagents'
-  - 'datadogagents/status'
-  - 'datadogagents/finalizers'
-  - 'extendeddaemonsets'
+  - datadogagents
+  - datadogagents/status
+  - datadogagents/finalizers
+  - extendeddaemonsets
+  - datadogmetrics
   verbs:
   - '*'
 {{- end -}}
diff --git a/deploy/clusterrole.yaml b/deploy/clusterrole.yaml
@@ -16,10 +16,10 @@ rules:
   - roles.rbac.authorization.k8s.io
   - authorization.k8s.io
   resources:
-  - 'clusterroles'
-  - 'clusterrolebindings'
+  - clusterroles
+  - clusterrolebindings
   verbs:
-  - '*'
+  - "*"
 - apiGroups:
   - datadoghq.com
   resources:
@@ -30,27 +30,26 @@ rules:
   - '*'
 - apiGroups:
   - admissionregistration.k8s.io
-  - ''
   resources:
-  - 'mutatingwebhookconfigurations'
-  - 'secrets'
+  - mutatingwebhookconfigurations
+  - secrets
   verbs:
-  - 'get'
-  - 'list'
-  - 'watch'
-  - 'update'
+  - get
+  - list
+  - watch
+  - update
   - create
 - apiGroups:
   - apps
   - batch
   resources:
-  - 'replicasets'
-  - 'deployments'
-  - 'statefulsets'
-  - 'jobs'
-  - 'cronjobs'
+  - replicasets
+  - deployments
+  - statefulsets
+  - jobs
+  - cronjobs
   verbs:
-  - 'get'
+  - get
 - apiGroups:
   - apiregistration.k8s.io
   resources:

diff --git a/deploy/role.yaml b/deploy/role.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  creationTimestamp: null
   name: datadog-operator
 rules:
 - apiGroups:
@@ -49,10 +48,10 @@ rules:
 - apiGroups:
   - datadoghq.com
   resources:
-  - 'datadogagents'
-  - 'datadogagents/status'
-  - 'datadogagents/finalizers'
-  - 'extendeddaemonsets'
-  - 'datadogmetrics'
+  - datadogagents
+  - datadogagents/status
+  - datadogagents/finalizers
+  - extendeddaemonsets
+  - datadogmetrics
   verbs:
   - '*'
diff --git a/examples/datadog-agent-all.yaml b/examples/datadog-agent-all.yaml
@@ -18,3 +18,16 @@ spec:
     systemProbe:
       enabled: true
       bpfDebugEnabled: true
+    security:
+      compliance:
+        enabled: true
+      runtime:
+        enabled: false
+  clusterAgent:
+    image:
+      name: "datadog/cluster-agent:latest"
+    config:
+      externalMetrics:
+        enabled: true
+      admissionController:
+        enabled: true
diff --git a/pkg/apis/datadoghq/v1alpha1/const.go b/pkg/apis/datadoghq/v1alpha1/const.go
@@ -215,42 +215,46 @@ const (
 
 	// Resources
 
-	ServicesResource                 = "services"
-	EventsResource                   = "events"
-	EndpointsResource                = "endpoints"
-	PodsResource                     = "pods"
-	NodesResource                    = "nodes"
-	ComponentStatusesResource        = "componentstatuses"
-	ConfigMapsResource               = "configmaps"
-	ClusterResourceQuotasResource    = "clusterresourcequotas"
-	NodeMetricsResource              = "nodes/metrics"
-	NodeSpecResource                 = "nodes/spec"
-	NodeProxyResource                = "nodes/proxy"
-	NodeStats                        = "nodes/stats"
-	HorizontalPodAutoscalersRecource = "horizontalpodautoscalers"
-	DatadogMetricsResource           = "datadogmetrics"
-	DatadogMetricsStatusResource     = "datadogmetrics/status"
-	WpaResource                      = "watermarkpodautoscalers"
-	MutatingConfigResource           = "mutatingwebhookconfigurations"
-	SecretsResource                  = "secrets"
-	ReplicasetsResource              = "replicasets"
-	DeploymentsResource              = "deployments"
-	StatefulsetsResource             = "statefulsets"
-	JobsResource                     = "jobs"
-	CronjobsResource                 = "cronjobs"
-	ServiceAccountResource           = "serviceaccounts"
-	NamespaceResource                = "namespaces"
-	PodSecurityPolicyResource        = "podsecuritypolicies"
-	ClusterRoleBindingResource       = "clusterrolebindings"
-	RoleBindingResource              = "rolebindings"
-	NetworkPolicyResource            = "networkpolicies"
+	ServicesResource                    = "services"
+	EventsResource                      = "events"
+	EndpointsResource                   = "endpoints"
+	PodsResource                        = "pods"
+	NodesResource                       = "nodes"
+	ComponentStatusesResource           = "componentstatuses"
+	ConfigMapsResource                  = "configmaps"
+	ClusterResourceQuotasResource       = "clusterresourcequotas"
+	NodeMetricsResource                 = "nodes/metrics"
+	NodeSpecResource                    = "nodes/spec"
+	NodeProxyResource                   = "nodes/proxy"
+	NodeStats                           = "nodes/stats"
+	HorizontalPodAutoscalersRecource    = "horizontalpodautoscalers"
+	DatadogMetricsResource              = "datadogmetrics"
+	DatadogMetricsStatusResource        = "datadogmetrics/status"
+	WpaResource                         = "watermarkpodautoscalers"
+	MutatingConfigResource              = "mutatingwebhookconfigurations"
+	SecretsResource                     = "secrets"
+	ReplicasetsResource                 = "replicasets"
+	DeploymentsResource                 = "deployments"
+	StatefulsetsResource                = "statefulsets"
+	DaemonsetsResource                  = "daemonsets"
+	JobsResource                        = "jobs"
+	CronjobsResource                    = "cronjobs"
+	ExtendedDaemonSetReplicaSetResource = "extendeddaemonsetreplicasets"
+	ServiceAccountResource              = "serviceaccounts"
+	NamespaceResource                   = "namespaces"
+	PodSecurityPolicyResource           = "podsecuritypolicies"
+	ClusterRoleBindingResource          = "clusterrolebindings"
+	RoleBindingResource                 = "rolebindings"
+	NetworkPolicyResource               = "networkpolicies"
 
 	// Resource names
 
 	DatadogTokenResourceName           = "datadogtoken"
 	DatadogLeaderElectionResourceName  = "datadog-leader-election"
 	DatadogCustomMetricsResourceName   = "datadog-custom-metrics"
+	DatadogClusterIDResourceName       = "datadog-cluster-id"
 	ExtensionAPIServerAuthResourceName = "extension-apiserver-authentication"
+	KubeSystemResourceName             = "kube-system"
 
 	// Non resource URLs