Improves ClusterRole management in Datadog chart

[clamoriniere]

What this PR does / why we need it:

If a user choose to deploy a dedicated agent deployment for running
the cluster checks, the agent RBAC is updated in order to give only
ClusterRole permission to the Agent that need it.

Which issue this PR fixes

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

• DCO signed
• Chart Version bumped
• Variables are documented in the README.md

[k8s-ci-robot]

Hi @clamoriniere. Thanks for your PR.

I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[CharlyF]

I don't think the metrics provider should matter when creating the RBAC for the Cluster Check Worker.
Out of curiosity, why not putting the SA, CRB and Auth delegator in the same file ?

Lastly, why would the cluster check worker need RBACs ? It's not interacting with the APIServer as far as I know ? Just running check against endpoints provided by the Cluster Agent.

[CharlyF]

Why checking Values.clusterAgent.metricsProvider.enabled ?

[clamoriniere]

can be removed I think

[clamoriniere]

In fact after looking again in the current RBAC file, the condition needs to check 'Values.clusterAgent.metricsProvider.enabled' to be align with the condition present in the equivalent file: https://github.com/helm/charts/blob/master/stable/datadog/templates/agent-clusterrolebinding-auth-delegator.yaml#L1

[clamoriniere]

in fact it is a useless permission for the agent running clusterchecks. I will remove file this file.
the other ...auth-delegator.yaml file is for the cluster-agent and not the agent

[clamoriniere]

Hi @CharlyF,
Thanks for the review.
to answer your questions:

• I decided to put in different files since it looks like to be the current "files organisation" style in this chart. But yes we can put all relative agent-clusterchecks RBAC resources in the same file. (and can be done for the other RBAC files also)
• I will remove the metricsProvider.enabled for the condition.
• ClusterCheck need RBACs thinks some checks like "kube_controller_manager", "kube_scheduler"... need to access the Kubernetes control plane components.

[hkaj]

LGTM, I think we still need rbac for things like nonResourceURL (in case users protect some endpoints with rbac), and checks that could target specific k8s components.

[hkaj]

/approve

[hkaj]

/ok-to-test

[CharlyF]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CharlyF, clamoriniere, hkaj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• stable/datadog/OWNERS [CharlyF,hkaj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment