Update RBACs for storageclass and limitrange collection (#1159) (#1161)

(cherry picked from commit cc16328) Co-authored-by: Xavier Lucas <xavier.lucas@datadoghq.com>
DataDog · Apr 30, 2024 · abcb587 · abcb587
1 parent f113d7a
commit abcb587
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/controllers/datadogagent/orchestrator.go b/controllers/datadogagent/orchestrator.go
@@ -174,6 +174,7 @@ func buildOrchestratorExplorerRBAC(dda *datadoghqv1alpha1.DatadogAgent, name, ve
 				rbac.PodsResource,
 				rbac.ServicesResource,
 				rbac.NodesResource,
+				rbac.LimitRangesResource,
 			},
 		},
 		{
@@ -227,6 +228,14 @@ func buildOrchestratorExplorerRBAC(dda *datadoghqv1alpha1.DatadogAgent, name, ve
 				rbac.WatchVerb,
 			},
 		},
+		{
+			APIGroups: []string{rbac.StorageAPIGroup},
+			Resources: []string{rbac.StorageClassesResource},
+			Verbs: []string{
+				rbac.ListVerb,
+				rbac.WatchVerb,
+			},
+		},
 	}
 
 	clusterRole.Rules = rbacRules

diff --git a/controllers/datadogagent/testdata/orchestrator_clusterrole.yaml b/controllers/datadogagent/testdata/orchestrator_clusterrole.yaml
@@ -31,6 +31,7 @@ rules:
       - pods
       - services
       - nodes
+      - limitranges
     verbs:
       - list
       - watch
@@ -91,3 +92,10 @@ rules:
     verbs:
       - list
       - watch
+  - apigroups:
+      - "storage.k8s.io"
+    resources:
+      - storageclasses
+    verbs:
+      - list
+      - watch
diff --git a/controllers/datadogagent_controller.go b/controllers/datadogagent_controller.go
@@ -125,6 +125,7 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=deployments,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=limitranges,verbs=list;watch
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=replicasets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch
@@ -140,6 +141,7 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=list;watch
 // +kubebuilder:rbac:groups="networking.k8s.io",resources=ingresses,verbs=list;watch
 // +kubebuilder:rbac:groups=autoscaling.k8s.io,resources=verticalpodautoscalers,verbs=list;watch
+// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=list;watch
 
 // Kubernetes_state_core
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=list;watch