Fix PV and PVC rbac for orchestrator explorer (#368)

DataDog · Aug 26, 2021 · c57c1b2 · c57c1b2
1 parent 16fbc67
commit c57c1b2
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 13 deletions.
diff --git a/controllers/datadogagent/clusteragent.go b/controllers/datadogagent/clusteragent.go
@@ -1359,17 +1359,6 @@ func buildClusterAgentClusterRole(dda *datadoghqv1alpha1.DatadogAgent, name, age
 				datadoghqv1alpha1.GetVerb,
 			},
 		})
-
-		// PV and PVC
-		rbacRules = append(rbacRules, rbacv1.PolicyRule{
-			APIGroups: []string{datadoghqv1alpha1.CoreAPIGroup},
-			Resources: []string{datadoghqv1alpha1.PersistentVolumesResource, datadoghqv1alpha1.PersistentVolumeClaimsResource},
-			Verbs: []string{
-				datadoghqv1alpha1.ListVerb,
-				datadoghqv1alpha1.WatchVerb,
-				datadoghqv1alpha1.GetVerb,
-			},
-		})
 	}
 
 	if isComplianceEnabled(&dda.Spec) {

diff --git a/controllers/datadogagent/orchestrator.go b/controllers/datadogagent/orchestrator.go
@@ -153,7 +153,11 @@ func buildOrchestratorExplorerRBAC(dda *datadoghqv1alpha1.DatadogAgent, name, ve
 			APIGroups:     []string{datadoghqv1alpha1.CoreAPIGroup},
 			Resources:     []string{datadoghqv1alpha1.ConfigMapsResource},
 			ResourceNames: []string{datadoghqv1alpha1.DatadogClusterIDResourceName},
-			Verbs:         []string{datadoghqv1alpha1.GetVerb, datadoghqv1alpha1.CreateVerb, datadoghqv1alpha1.UpdateVerb},
+			Verbs: []string{
+				datadoghqv1alpha1.GetVerb,
+				datadoghqv1alpha1.CreateVerb,
+				datadoghqv1alpha1.UpdateVerb,
+			},
 		},
 		{
 			APIGroups: []string{datadoghqv1alpha1.CoreAPIGroup},
@@ -165,7 +169,12 @@ func buildOrchestratorExplorerRBAC(dda *datadoghqv1alpha1.DatadogAgent, name, ve
 		},
 		{
 			APIGroups: []string{datadoghqv1alpha1.AppsAPIGroup},
-			Resources: []string{datadoghqv1alpha1.DeploymentsResource, datadoghqv1alpha1.ReplicasetsResource, datadoghqv1alpha1.DaemonsetsResource, datadoghqv1alpha1.StatefulsetsResource},
+			Resources: []string{
+				datadoghqv1alpha1.DeploymentsResource,
+				datadoghqv1alpha1.ReplicasetsResource,
+				datadoghqv1alpha1.DaemonsetsResource,
+				datadoghqv1alpha1.StatefulsetsResource,
+			},
 		},
 		{
 			APIGroups: []string{datadoghqv1alpha1.BatchAPIGroup},
@@ -174,6 +183,14 @@ func buildOrchestratorExplorerRBAC(dda *datadoghqv1alpha1.DatadogAgent, name, ve
 				datadoghqv1alpha1.CronjobsResource,
 			},
 		},
+
+		{
+			APIGroups: []string{datadoghqv1alpha1.CoreAPIGroup},
+			Resources: []string{
+				datadoghqv1alpha1.PersistentVolumesResource,
+				datadoghqv1alpha1.PersistentVolumeClaimsResource,
+			},
+		},
 	}
 
 	clusterRole.Rules = rbacRules

diff --git a/controllers/datadogagent/testdata/orchestrator_clusterrole.yaml b/controllers/datadogagent/testdata/orchestrator_clusterrole.yaml
@@ -52,3 +52,11 @@ rules:
     verbs:
       - list
       - watch
+  - apigroups:
+      - ""
+    resources:
+      - persistentvolumes
+      - persistentvolumeclaims
+    verbs:
+      - list
+      - watch