Improves ClusterRole management in Datadog chart #12705
Hi @clamoriniere. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I don't think the metrics provider should matter when creating the RBAC for the Cluster Check Worker.
Out of curiosity, why not put the SA, CRB and Auth delegator in the same file?
Lastly, why would the cluster check worker need RBACs? It's not interacting with the APIServer as far as I know? Just running checks against endpoints provided by the Cluster Agent.
@@ -0,0 +1,19 @@ | |||
{{- if and .Values.rbac.create .Values.clusterAgent.enabled .Values.clusterAgent.clusterChecks.enabled .Values.clusterAgent.metricsProvider.enabled .Values.clusterchecksDeployment.enabled -}} |
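Review bot: the guard on line 1 ANDs .Values.clusterAgent.metricsProvider.enabled with the cluster-checks flags, which ties this new 19-line template to a feature the other conditions do not suggest it depends on. Either drop that term or add a template comment explaining why the metrics provider gates it; if the cluster-checks agent does not use what this file grants, removing the file keeps that agent's permissions minimal. The key casing also differs between clusterAgent.clusterChecks and clusterchecksDeployment, which is easy to mistype in values.yaml.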
Why check Values.clusterAgent.metricsProvider.enabled?
can be removed I think
In fact, after looking again at the current RBAC file, the condition needs to check 'Values.clusterAgent.metricsProvider.enabled' to be aligned with the condition present in the equivalent file: https://github.com/helm/charts/blob/master/stable/datadog/templates/agent-clusterrolebinding-auth-delegator.yaml#L1
In fact it is a useless permission for the agent running clusterchecks. I will remove this file. The other ...auth-delegator.yaml file is for the cluster-agent and not the agent.
Hi @CharlyF,
LGTM, I think we still need rbac for things like nonResourceURL (in case users protect some endpoints with rbac), and checks that could target specific k8s components.
/approve
/ok-to-test
If a user chooses to deploy a dedicated agent deployment for running the cluster checks, the agent RBAC is updated in order to give only ClusterRole permission to the Agent that needs it.
Signed-off-by: cedric lamoriniere <cedric.lamoriniere@datadoghq.com>
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: CharlyF, clamoriniere, hkaj
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What this PR does / why we need it:
If a user chooses to deploy a dedicated agent deployment for running
the cluster checks, the agent RBAC is updated in order to give only
ClusterRole permission to the Agent that needs it.