From c27e3624c669c7c7ae777747fed4f8b2c484f2bc Mon Sep 17 00:00:00 2001 From: Eugene Kirillov Date: Thu, 6 Feb 2025 19:10:42 -0800 Subject: [PATCH] OTAGENT-254 Add support for enhanced RBAC permissions for otel-agent --- charts/datadog/CHANGELOG.md | 5 ++ charts/datadog/Chart.yaml | 2 +- charts/datadog/README.md | 4 +- ...llector-with-rbac-custom-rules-values.yaml | 47 +++++++++++++++++++ ...agent-otel-collector-with-rbac-values.yaml | 41 ++++++++++++++++ charts/datadog/templates/_helpers.tpl | 16 +++++++ charts/datadog/templates/otel-agent-rbac.yaml | 40 ++++++++++++++++ charts/datadog/values.yaml | 11 +++++ 8 files changed, 164 insertions(+), 2 deletions(-) create mode 100644 charts/datadog/ci/agent-otel-collector-with-rbac-custom-rules-values.yaml create mode 100644 charts/datadog/ci/agent-otel-collector-with-rbac-values.yaml create mode 100644 charts/datadog/templates/otel-agent-rbac.yaml diff --git a/charts/datadog/CHANGELOG.md b/charts/datadog/CHANGELOG.md index 0f2ba4896..527ad6dca 100644 --- a/charts/datadog/CHANGELOG.md +++ b/charts/datadog/CHANGELOG.md @@ -1,5 +1,10 @@ # Datadog changelog +## 3.91.0 + +* Add `datadog.otelCollector.rbac.create` to control creation additional ClusterRole for `otel-agent` required by Kubernetes Attributes processor. +* Add `datadog.otelCollector.rbac.rules` to support additional RBAC permissions required by OTel components that are not included by default with `otel-agent`. + ## 3.90.5 * Update `fips.image.tag` to `1.1.7` updating openSSL version to 3.0.16 diff --git a/charts/datadog/Chart.yaml b/charts/datadog/Chart.yaml index ffcc41bfa..48bd90e86 100644 --- a/charts/datadog/Chart.yaml +++ b/charts/datadog/Chart.yaml @@ -1,7 +1,7 @@ --- apiVersion: v1 name: datadog -version: 3.90.5 +version: 3.91.0 appVersion: "7" description: Datadog Agent keywords: diff --git a/charts/datadog/README.md b/charts/datadog/README.md index b7be655be..20596aec2 100644 --- a/charts/datadog/README.md +++ b/charts/datadog/README.md 
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.90.5](https://img.shields.io/badge/Version-3.90.5-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.91.0](https://img.shields.io/badge/Version-3.91.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). @@ -803,6 +803,8 @@ helm install \ | datadog.otelCollector.config | string | `nil` | OTel collector configuration | | datadog.otelCollector.enabled | bool | `false` | Enable the OTel Collector | | datadog.otelCollector.ports | list | `[{"containerPort":"4317","name":"otel-grpc"},{"containerPort":"4318","name":"otel-http"}]` | Ports that OTel Collector is listening | +| datadog.otelCollector.rbac.create | bool | `true` | If true, check OTel Collector config for k8sattributes processor and create required ClusterRole to access Kubernetes API | +| datadog.otelCollector.rbac.rules | list | `[]` | A set of additional RBAC rules to apply to OTel Collector's ClusterRole | | datadog.otlp.logs.enabled | bool | `false` | Enable logs support in the OTLP ingest endpoint | | datadog.otlp.receiver.protocols.grpc.enabled | bool | `false` | Enable the OTLP/gRPC endpoint | | datadog.otlp.receiver.protocols.grpc.endpoint | string | `"0.0.0.0:4317"` | OTLP/gRPC endpoint | 
diff --git a/charts/datadog/ci/agent-otel-collector-with-rbac-custom-rules-values.yaml b/charts/datadog/ci/agent-otel-collector-with-rbac-custom-rules-values.yaml new file mode 100644 index 000000000..c89789c1b --- /dev/null +++ b/charts/datadog/ci/agent-otel-collector-with-rbac-custom-rules-values.yaml @@ -0,0 +1,47 @@ +targetSystem: "linux" +agents: + image: + repository: datadog/agent-dev + tag: nightly-ot-beta-main + doNotCheckTag: true + containers: + agent: + env: + - name: DD_HOSTNAME + value: "datadog" +datadog: + apiKey: "00000000000000000000000000000000" + appKey: "0000000000000000000000000000000000000000" + otelCollector: + enabled: true + rbac: + create: true + rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "watch", "list"] + config: | + processors: + k8sattributes/passthrough: + passthrough: true + k8sattributes: + receivers: + otlp: + exporters: + datadog: + api: + key: "00000000000000000000000000000000" + service: + pipelines: + traces: + receivers: [otlp] + processors: [k8sattributes] + exporters: [datadog] + metrics: + receivers: [otlp] + processors: [k8sattributes] + exporters: [datadog] + logs: + receivers: [otlp] + processors: [k8sattributes] + exporters: [datadog] diff --git a/charts/datadog/ci/agent-otel-collector-with-rbac-values.yaml b/charts/datadog/ci/agent-otel-collector-with-rbac-values.yaml new file mode 100644 index 000000000..d5596eb02 --- /dev/null +++ b/charts/datadog/ci/agent-otel-collector-with-rbac-values.yaml 
@@ -0,0 +1,41 @@ +targetSystem: "linux" +agents: + image: + repository: datadog/agent-dev + tag: nightly-ot-beta-main + doNotCheckTag: true + containers: + agent: + env: + - name: DD_HOSTNAME + value: "datadog" +datadog: + apiKey: "00000000000000000000000000000000" + appKey: "0000000000000000000000000000000000000000" + otelCollector: + enabled: true + config: | + processors: + k8sattributes: + k8sattributes/passthrough: + passthrough: true + receivers: + otlp: + exporters: + datadog: + api: + key: "00000000000000000000000000000000" + service: + pipelines: + traces: + receivers: [otlp] + processors: [k8sattributes] + exporters: [datadog] + metrics: + receivers: [otlp] + processors: [k8sattributes] + exporters: [datadog] + logs: + receivers: [otlp] + processors: [k8sattributes] + exporters: [datadog] diff --git a/charts/datadog/templates/_helpers.tpl b/charts/datadog/templates/_helpers.tpl index 7d07df3cd..736005409 100644 --- a/charts/datadog/templates/_helpers.tpl +++ b/charts/datadog/templates/_helpers.tpl @@ -117,6 +117,22 @@ false {{- end -}} {{- end -}} +{{/* +Return true if k8sattributes RBAC rules should be added to the OTel Agent ClusterRole +*/}} +{{- define "should-add-otel-agent-k8sattributes-rules" -}} +{{- $return := false }} +{{- $config := .Values.datadog.otelCollector.config | default "" | fromYaml }} +{{- range $key, $val := $config.processors }} + {{- if hasPrefix "k8sattributes" $key }} + {{- if or (empty $val) (empty $val.passthrough) }} + {{- $return = true }} + {{- end }} + {{- end }} +{{- end }} +{{- $return }} +{{- end -}} + {{/* Return secret name to be used based on provided values. */}} diff --git a/charts/datadog/templates/otel-agent-rbac.yaml b/charts/datadog/templates/otel-agent-rbac.yaml new file mode 100644 index 000000000..f245fe5e0 --- /dev/null +++ b/charts/datadog/templates/otel-agent-rbac.yaml 
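Review bot: `should-add-otel-agent-k8sattributes-rules` silently grants nothing when `datadog.otelCollector.config` is not valid YAML: Helm's `fromYaml` reports a parse failure by returning a map with only an `Error` key instead of failing, so `$config.processors` is nil, the range body never runs, and the chart installs cleanly with a collector that lacks the ClusterRole it needs. A render-time guard right after the `fromYaml` line surfaces this: `{{- if hasKey $config "Error" }}{{- fail (printf "datadog.otelCollector.config is not valid YAML: %s" $config.Error) }}{{- end }}`. Note also that the check fires on any processor whose key starts with `k8sattributes`, whether or not a pipeline references it, so an unused definition still produces cluster-wide pod/namespace/replicaset read access; that is a defensible trade-off but belongs in the helper's header comment, e.g. `Matches any processor named k8sattributes*, used in a pipeline or not; passthrough: true opts out.` The `$val.passthrough` index assumes a non-empty processor entry is a mapping, which holds for the CI fixtures but will error at render time on a scalar value.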
@@ -0,0 +1,40 @@ +{{- if and .Values.agents.rbac.create (eq (include "should-enable-otel-agent" .) "true") .Values.datadog.otelCollector.rbac.create -}} +{{- if or (eq (include "should-add-otel-agent-k8sattributes-rules" .) "true") .Values.datadog.otelCollector.rbac.rules -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + name: {{ template "datadog.fullname" . }}-otel-agent + labels: +{{ include "datadog.labels" . | indent 4 }} +rules: +{{- if eq (include "should-add-otel-agent-k8sattributes-rules" .) "true" }} + - apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] +{{- end -}} +{{- if .Values.datadog.otelCollector.rbac.rules -}} +{{ toYaml .Values.datadog.otelCollector.rbac.rules | nindent 2 -}} +{{- end }} +--- +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + name: {{ template "datadog.fullname" . }}-otel-agent + labels: +{{ include "datadog.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "datadog.fullname" . }}-otel-agent +subjects: + - kind: ServiceAccount + name: {{ include "agents.serviceAccountName" . }}-otel-agent + namespace: {{ .Release.Namespace }} +{{- end -}} +{{- end -}} diff --git a/charts/datadog/values.yaml b/charts/datadog/values.yaml index 858702591..8037b6c2b 100644 --- a/charts/datadog/values.yaml +++ b/charts/datadog/values.yaml 
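Review bot: The entries from `datadog.otelCollector.rbac.rules` are written verbatim (`toYaml ... | nindent 2`) into a ClusterRole that the ClusterRoleBinding below attaches to the `-otel-agent` ServiceAccount, so a value such as `verbs: ["*"]` or `resources: ["*"]` becomes a cluster-wide grant on a DaemonSet identity present on every node, and nothing in the template or the values comment flags that blast radius. Since the same file already derives the k8sattributes rules from the collector config to stay at least privilege, the custom-rules path should meet the same bar: reject wildcard verbs and resources at render time (operators who truly need them can create their own RBAC outside the chart) and say in the values comment that the rules are cluster-scoped. Hedged observation: the `extensions/replicasets` rule targets an API group removed in Kubernetes 1.16 and is inert on current clusters; harmless, but worth a `# legacy clusters only` comment or dropping. The ServiceAccount referenced in the binding is not created in this hunk, so its existence rests on the outer `agents.rbac.create` condition matching what the agent templates produce.
```yaml
rules:
{{- range $i, $rule := .Values.datadog.otelCollector.rbac.rules }}
{{- if or (has "*" ($rule.verbs | default list)) (has "*" ($rule.resources | default list)) }}
{{- fail (printf "datadog.otelCollector.rbac.rules[%d]: wildcard verbs/resources are not allowed on the cluster-wide otel-agent ClusterRole" $i) }}
{{- end }}
{{- end }}
# … unchanged: k8sattributes rules block and toYaml of the custom rules …
```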
@@ -600,6 +600,17 @@ datadog: # datadog.otelCollector.config -- OTel collector configuration config: null + ## Provide OTel Collector RBAC configuration + rbac: + # datadog.otelCollector.rbac.create -- If true, check OTel Collector config for k8sattributes processor + # and create required ClusterRole to access Kubernetes API + create: true + # datadog.otelCollector.rbac.rules -- A set of additional RBAC rules to apply to OTel Collector's ClusterRole + rules: [] + # - apiGroups: [""] + # resources: ["pods", "nodes"] + # verbs: ["get", "list", "watch"] + ## Continuous Profiler configuration ## ## Continuous Profiler is disabled by default and can be enabled by setting the `enabled` field to
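Review bot: The comment on `datadog.otelCollector.rbac.rules` does not say where the rules land: per `otel-agent-rbac.yaml` in this patch they are appended to a ClusterRole bound cluster-wide to the otel-agent ServiceAccount, not to a namespaced Role, which the `nodes` example implies but never states, and an operator copying that example should know they are widening a DaemonSet identity's cluster-wide access. Proposed comment: `# datadog.otelCollector.rbac.rules -- Additional rules appended to the cluster-wide ClusterRole bound to the otel-agent ServiceAccount (present on every node); keep them to the minimum the configured OTel components need`. The `create` comment could likewise state how detection works per the `_helpers.tpl` change — any processor named `k8sattributes*` in the config triggers the ClusterRole, and `passthrough: true` opts it out — so users understand why a ClusterRole did or did not appear after an upgrade.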